  • DocumentCode
    3588400
  • Title
    $LogFile of NTFS: A blueprint of activities
  • Author
    Zareen, Muhammad Sharjeel ; Aslam, Baber
  • Author_Institution
    Nat. Univ. of Sci. & Technol., Islamabad, Pakistan
  • fYear
    2014
  • Firstpage
    305
  • Lastpage
    310
  • Abstract
    Every successful action performed in NTFS leads to an update of the $MFT. However, there is a chain or set of chains of transactions behind every single activity of NTFS. The $MFT update shows only the end product of an action; the corresponding chain or set of chains of transactions is not documented by it. $LogFile is the file that logs all of these transactions. $MFT is a well-researched area, but $LogFile is relatively less explored. $LogFile was created by Microsoft for system recovery. However, it can also be used to get the blueprints of activities of NTFS, as it logs all the transactions of NTFS. This paper deals with the analysis of the $LogFile used in Windows 7: its layout/structure, the types of records and their decoding, an explanation of the information contained in these records, and the techniques of reading it to extract blueprints of NTFS activities.
  • Keywords
    system monitoring; system recovery; transaction processing; $LogFile; $MFT updation; Microsoft; NTFS; Windows 7; activities blueprints; new technology file system; system recovery; transaction log; transactions chains; Arrays; Data mining; Decoding; Indexes; Layout; Resource management; System recovery;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Multi-Topic Conference (INMIC), 2014 IEEE 17th International
  • Print_ISBN
    978-1-4799-5754-5
  • Type
    conf
  • DOI
    10.1109/INMIC.2014.7097356
  • Filename
    7097356