Breaking Down the $LogFile and How to Use LogFileParser

When it comes to forensic analysis, the $LogFile is one of those artifacts that hasn’t received as much attention as other NTFS structures.

However, the $LogFile is packed with valuable forensic data, storing full details of changes to critical structures like the $MFT, $I30 indexes, $Bitmap, and even the $UsnJrnl itself.


When it comes to parsing the $LogFile, one of the best free tools available is LogFileParser by Joakim Schicht. This tool simplifies the process of parsing the $LogFile and produces multiple output files that make sense of all the data it contains.



Why Is the $LogFile Important?

The $LogFile keeps track of changes happening within the NTFS file system. It records transaction logs, including file creations, modifications, renaming, and deletions. Even though it doesn’t store traditional timestamps for each event, it uses Log Sequence Numbers (LSNs) to maintain order, which helps in reconstructing events over time.


------------------------------------------------------------------------------------------------------------


How LogFileParser Helps

LogFileParser is designed to extract useful information from the $LogFile efficiently. The primary output file, LogFile.csv, provides an overview of what’s stored in the log. This file is massive, often containing over 100,000 rows and 60+ fields, although not every field is populated for every entry.

For a more targeted approach, the tool also generates:
  • LogFile_INDX_I30.csv – Extracts metadata from $I30 index entries, including file names, MACB timestamps, file sizes, flags, and MFT record numbers.

  • LogFile_FileNames.csv – Consolidates file and directory names found within the $LogFile, along with their corresponding MFT record numbers and LSNs.


LSN values allow us to piece together the order of events.


For instance, if you find a suspicious file in LogFile_FileNames.csv, you can track its LSN back to LogFile.csv and analyze what actions were taken before and after that event.
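The LSN pivot described above, as an added example that is not part of the original post or of LogFileParser itself: the two CSV snippets are constructed to resemble the tool's output, and the column names (lsn, mft_ref, redo_op, undo_op, filename) are assumptions rather than the tool's exact headers, so adjust them to match a real export.

```python
import csv
import io
from bisect import bisect_left

# Constructed sample data shaped like LogFile_FileNames.csv and LogFile.csv.
# Column names are assumptions; the redo/undo values are NTFS log operation names.
FILENAMES_CSV = """lsn,mft_ref,filename
1001,40,report.docx
1007,41,invoice.pdf
1012,42,evil.exe
1020,41,invoice.pdf
"""

LOGFILE_CSV = """lsn,mft_ref,redo_op,undo_op,filename
1001,40,InitializeFileRecordSegment,Noop,report.docx
1005,5,AddIndexEntryAllocation,DeleteIndexEntryAllocation,
1007,41,InitializeFileRecordSegment,Noop,invoice.pdf
1010,6,SetBitsInNonresidentBitMap,ClearBitsInNonresidentBitMap,
1012,42,InitializeFileRecordSegment,Noop,evil.exe
1014,5,AddIndexEntryAllocation,DeleteIndexEntryAllocation,evil.exe
1018,42,UpdateNonresidentValue,Noop,
1020,41,DeallocateFileRecordSegment,InitializeFileRecordSegment,invoice.pdf
1025,5,DeleteIndexEntryAllocation,AddIndexEntryAllocation,invoice.pdf
"""

def load_rows(text):  # parse a CSV export and order it by LSN
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["lsn"] = int(r["lsn"])
    return sorted(rows, key=lambda r: r["lsn"])

def lsns_for_name(filenames_rows, name):  # every LSN that touched this file name
    return [r["lsn"] for r in filenames_rows if r["filename"].lower() == name.lower()]

def window_around_lsn(log_rows, lsn, before=2, after=2):  # neighbouring log records
    lsns = [r["lsn"] for r in log_rows]
    i = bisect_left(lsns, lsn)
    return log_rows[max(0, i - before): i + after + 1]

def context_for_name(filenames_csv, logfile_csv, name, before=2, after=2):
    names = load_rows(filenames_csv)
    log = load_rows(logfile_csv)
    return {lsn: window_around_lsn(log, lsn, before, after) for lsn in lsns_for_name(names, name)}

if __name__ == "__main__":
    for lsn, win in context_for_name(FILENAMES_CSV, LOGFILE_CSV, "evil.exe").items():
        print(f"context around LSN {lsn}:")
        for r in win:
            print(f"  {r['lsn']:>6}  mft={r['mft_ref']:>3}  {r['redo_op']:<32} {r['filename']}")
```

On a real export, read the two files from disk in place of the inline strings; the window shows records with other MFT references (here the parent index, record 5, and $Bitmap, record 6) that belong to the same sequence of operations.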

------------------------------------------------------------------------------------------------------------


Recovering Deleted Files

One of the most powerful features of LogFileParser is its ability to help recover deleted files. While the $LogFile doesn’t store actual file data, it does retain cluster run information, which tells us where data was stored on disk. This can be a game-changer if a file’s MFT record has been overwritten, as the original cluster locations may still be recoverable.


To enable this feature, use the /ReconstructDataruns option, which attempts to rebuild data runs for fragmented files—a task that traditional file carving techniques struggle with.

------------------------------------------------------------------------------------------------------------


How to Use LogFileParser

LogFileParser comes with both a GUI and a command-line interface. Running it is straightforward:


By default, the output directory is created next to the LogFileParser executable.


To launch the GUI, simply double-click on LogFileParser.exe, which is typically located in:


------------------------------------------------------------------------------------------------------------


Alternative Tools: TZWorks Mala

If you’re looking for an alternative, TZWorks’ Mala is a solid commercial tool for analyzing the $LogFile. It’s incredibly fast, organizes data in a more readable format, and is actively maintained. Even if you’re not purchasing the tool, TZWorks provides excellent documentation explaining how forensic artifacts work, making it a great reference for learning more about the $LogFile.


------------------------------------------------------------------------------------------------------------


Final Thoughts

Parsing the $LogFile isn’t always the first thing that comes to mind in forensic investigations, but it can be incredibly useful. Whether you’re tracking file changes, recovering deleted metadata, or trying to reconstruct the timeline of an incident, tools like LogFileParser and Mala can help extract valuable information. If you haven't already, give LogFileParser a try and see what hidden details you can uncover from the $LogFile!


-------------------------------------Dean----------------------------------------------------------
