Notifications

Clear all

A $LogFile parser utility for NTFS

joakims · 2013-05-02T03:26:11Z

and dump $LogFile records. Decode many attribute changes. Recreate a dummy $MFT Decode all index related transaction (from IndexRoot/IndexAllocation). Resolve all datarun list information available in $LogFile.Configurable verbose mode (does not affect logging). Optionally decode $UsnJrnl. Logs to csv and imports to sqlite database with several tables (read included readme for details on each csv/table).Most of the work have so far been on reconstructing datarun information to aid in datarecovery based entirely on the $LogFile. Though certainly interesting stuff, it has its clear limitations. Documentation is found in link at the top.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by joakims 10 years ago

17 Posts

5 Users

0 Reactions

9,672 Views

RSS

joakims

(@joakims)

Estimable Member

Joined: 15 years ago

Posts: 224

Topic starter 06/07/2015 4:31 am

Several more bugfixes and added features have been implemented lately. Some of the more interesting changes;

Added option to configure if source is from Nt5.x (XP,2003), which would improve parsing.
Added decode of UpdateRecordDataRoot and UpdateRecordDataAllocation.
Added decode of $Reparse$R.
Added option to extract resident attribute updates.

ReplyQuote

nightworker

(@nightworker)

Estimable Member

Joined: 16 years ago

Posts: 134

06/07/2015 3:33 pm

great tool thanks o lot

ReplyQuote

joakims

(@joakims)

Estimable Member

Joined: 15 years ago

Posts: 224

Topic starter 07/07/2015 7:54 pm

Another important update with v2.0.0.7. Implemented a much improved filename identification feature. The processing time has increased slightly, but the output quality is much higher. Also fixed a bug that was introduced in 2.0.0.4 that caused certain $UsnJrnl transactions to not be identified.

ReplyQuote

jpandre

(@jpandre)

New Member

Joined: 10 years ago

Posts: 1

09/08/2015 9:35 pm

Hi,

Windows 10 is using new undo/redo operation codes (0x23-0x25). What do they mean ?

Regards

ReplyQuote

joakims

(@joakims)

Estimable Member

Joined: 15 years ago

Posts: 224

Topic starter 09/08/2015 10:05 pm

I don't know so will have to analyze it. Thanks for notifying.

ReplyQuote

joakims

(@joakims)

Estimable Member

Joined: 15 years ago

Posts: 224

Topic starter 10/08/2015 6:20 am

I am unable to find these codes in my $LogFile. Would you be able to share a sample $LogFile with me with such codes in?

ReplyQuote

joakims

(@joakims)

Estimable Member

Joined: 15 years ago

Posts: 224

Topic starter 18/10/2015 1:26 am

Commandline mode also implemented for this tool too, among other nice improvements and bugfixes.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
234 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed