ntfs-logfile

Queries transaction log records from the $LogFile of an NTFS file system. Enables analysis of file system change history including file creation, deletion, and renaming.

Command properties

Property	Description
Command type	Driver
Required permission	None
License usage	Counted
Parallel execution	Not supported
Distributed execution	Runs on Data Node (mapper)

Syntax

ntfs-logfile [zipcharset=STR] [zippath=STR] FILE_PATH

Options

zipcharset=STR: Character encoding of ZIP file entries. (Default: utf-8)
zippath=STR: Path to the ZIP file. When this option is specified, queries the $LogFile inside the ZIP file.

Target

FILE_PATH: File path of the $LogFile. You can use wildcards (*) to query multiple matching files at once.

Output fields

Field	Type	Description
`_file`	string	Source file name
`page`	integer	Page number
`lsn`	long	Log sequence number (LSN)
`prev_lsn`	long	Previous log sequence number
`redo_op`	string	Redo operation code. See the operation code table below.
`undo_op`	string	Undo operation code. See the operation code table below.
`record_type`	integer	Record type. `1`: Normal record, `2`: Checkpoint record
`redo_offset`	integer	Redo data offset
`redo_len`	integer	Redo data length
`undo_offset`	integer	Undo data offset
`undo_len`	integer	Undo data length
`client_data_length`	integer	Client data length
`flags`	integer	Record flags
`mft_head`	string	16-byte hex dump of the MFT record header. Output when `redo_op` is `initialize_file_record_segment`, `delete_index_entry_root`, or `delete_index_entry_allocation`.
`mft_lsn`	long	Log sequence number of the MFT record. Output when `redo_op` is one of the above codes.
`mft_link_count`	integer	Hard link count of the MFT record. Output when `redo_op` is one of the above codes.
`file_name`	string	File name. Output when `redo_op` is one of the above codes and the `$FILE_NAME` attribute exists.
`created_at`	timestamp	File creation time. Output when `redo_op` is one of the above codes and the `$FILE_NAME` attribute exists.
`modified_at`	timestamp	File modification time. Output when `redo_op` is one of the above codes and the `$FILE_NAME` attribute exists.
`access_at`	timestamp	File access time. Output when `redo_op` is one of the above codes and the `$FILE_NAME` attribute exists.

Operation codes

The operation codes output in the redo_op and undo_op fields are as follows.

Operation code	Hex value	Description
`noop`	`0x00`	No operation
`compensation_log_record`	`0x01`	Compensation log record
`initialize_file_record_segment`	`0x02`	Initialize file record segment
`deallocate_file_record_segment`	`0x03`	Deallocate file record segment
`write_end_of_file_record_segment`	`0x04`	Write end of file record segment
`create_attribute`	`0x05`	Create attribute
`delete_attribute`	`0x06`	Delete attribute
`update_resident_value`	`0x07`	Update resident value
`update_non_resident_value`	`0x08`	Update non-resident value
`update_mapping_pairs`	`0x09`	Update mapping pairs
`delete_dirty_clusters`	`0x0a`	Delete dirty clusters
`set_new_attribute_size`	`0x0b`	Set new attribute size
`add_index_entry_root`	`0x0c`	Add root index entry
`delete_index_entry_root`	`0x0d`	Delete root index entry
`add_index_entry_allocation`	`0x0e`	Add allocation index entry
`delete_index_entry_allocation`	`0x0f`	Delete allocation index entry
`set_index_entry_ven_allocation`	`0x12`	Set VCN of allocation index entry
`update_file_name_root`	`0x13`	Update root file name
`update_file_name_allocation`	`0x14`	Update allocation file name
`set_bits_in_non_resident_bitmap`	`0x15`	Set bits in non-resident bitmap
`clear_bits_in_non_resident_bitmap`	`0x16`	Clear bits in non-resident bitmap
`prepare_transaction`	`0x19`	Prepare transaction
`commit_transaction`	`0x1a`	Commit transaction
`forget_transaction`	`0x1b`	Forget transaction
`open_non_resident_attribute`	`0x1c`	Open non-resident attribute
`open_attribute_table_dump`	`0x1d`	Open attribute table dump
`dirty_page_table_dump`	`0x1f`	Dirty page table dump
`transaction_table_dump`	`0x20`	Transaction table dump
`update_record_data_root`	`0x21`	Update root record data

Error codes

Parse errors

None

Runtime errors

None

Description

The ntfs-logfile command parses the $LogFile, which is the transaction log file of the NTFS file system, and outputs each transaction log record. The $LogFile records changes to file system metadata as Redo/Undo operation pairs.

For records where redo_op is initialize_file_record_segment, MFT record information is also extracted, outputting the file name and creation/modification/access times. For records where redo_op is delete_index_entry_root or delete_index_entry_allocation, information about the deleted file is extracted from the Undo data.

Using wildcards (*) in the file path allows querying all matching files at once. Specifying the zippath option allows directly querying a $LogFile inside a ZIP file.

Examples

Query $LogFile transaction logs
```
ntfs-logfile /data/ntfs/LogFile
```
Queries transaction log records from the $LogFile at the specified path.
Query $LogFile inside a ZIP file
```
ntfs-logfile zippath=/data/evidence.zip ntfs/LogFile
```
Queries the $LogFile inside a ZIP file.
Query file creation and deletion history
```
ntfs-logfile /data/ntfs/LogFile
| sort lsn
| search redo_op == "initialize_file_record_segment" or redo_op == "*delete*"
```
Queries records where redo_op is initialize_file_record_segment or contains delete, in LSN order.