DocumentCode :
3588400
Title :
$LogFile of NTFS: A blueprint of activities
Author :
Zareen, Muhammad Sharjeel ; Aslam, Baber
Author_Institution :
Nat. Univ. of Sci. & Technol., Islamabad, Pakistan
fYear :
2014
Firstpage :
305
Lastpage :
310
Abstract :
Every successful action performed in NTFS leads to an update of $MFT. However, there is a chain or set of chains of transactions behind every single activity of NTFS. The $MFT update shows only the end product of an action, and the corresponding chain or set of chains of transactions is not documented by it. $LogFile is the file which logs all of these transactions. $MFT is a well-researched area, but $LogFile is a relatively less explored one. $LogFile was created by Microsoft for system recovery. However, it can also be used to get the blueprints of activities of NTFS, as it logs all the transactions of NTFS. This paper deals with the analysis of $LogFile as used in Windows 7: its layout/structure, the types of records and their decoding, an explanation of the information contained in these records, and the techniques for reading it to extract blueprints of activities of NTFS.
Keywords :
system monitoring; system recovery; transaction processing; $LogFile; $MFT updation; Microsoft; NTFS; Windows 7; activities blueprints; new technology file system; system recovery; transaction log; transactions chains; Arrays; Data mining; Decoding; Indexes; Layout; Resource management; System recovery;
fLanguage :
English
Publisher :
IEEE
Conference_Title :
Multi-Topic Conference (INMIC), 2014 IEEE 17th International
Print_ISBN :
978-1-4799-5754-5
Type :
conf
DOI :
10.1109/INMIC.2014.7097356
Filename :
7097356