The New Technology File System (NTFS) is Windows specific file system. NTFS has been the default file system of Windows since the introduction of Windows NT 3.1. NTFS is a journaling file system that allows the operating system to maintain a transaction record of all changes made to volume such as file creation, deletion, renaming, writing and moving. Windows NTFS stores these transactions in a transaction log called “$LogFile”. In the event of chrash or power failure, the operating system can roll back the changes or continue where it left. Hence, the log file maintains the reliability and recoverability of the file system in the case of critical events.
From the digital forensics perspective, there is a lot of information that can be collected from $LogFile. Analyzing $MFT is a general convention. This part of the disk volume contains metadata about all files and directorties, however deleted files may not have metadata in $MFT. Luckily $LogFile allows an examiner to determine prior states of files. It works like a forensic time machine. Therefore, $LogFile helps investigators to examine the file system events of a specific period of time.
$LogFile artifacts are located at root directory of NTFS file system related partition.
The $LogFile is located under the [root] of the partition at the image of the physical disk. This file is stored in the MFT entry number 2. The deafult size of the $LogFile is 65535, however, the size can be adjustable. As seen in the figure below, the command “chkdsk /L” enables the user to view the current size of the NTFS disk log file, or even change the size of the $logfile by providing the specified amount after colon.
$LogFile structure consists of restart area and logging area. The restart area contains information about the last operation and record while the logging area contains actual operation records. In addition, the logging area is splitted into two sections, the Buffer Page Area and the Normal Page Area. The last operation record is stored in Buffer Page Area and both areas are written sequentially. If the Normal or Buffer Page Area are full, then, the new logs are written on the oldest one. Hence, for forensic rediness, the size of the $LogFile can be increased.
This section will discuss how to use ArtiFast Windows to analyze Windows LogFile artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows LogFile artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows LogFile artifact in ArtiFast software.
Windows LogFile Artifact
The artifact contains logged metadata changes to a file system. The details you can view include:
For more information or suggestions please contact: firstname.lastname@example.org