I am looking for suggestions to parse an NTFS $LogFile without enCase.
Thanks,
Jaysp
Mount the NTFS volume from a Linux host and make sure your mount options include setting "show system files" to true. You should then be able to view files such as $LogFile and parse the contents with something like bintext.
Yeah, that would be great if someone could post some documentation explaining the in-depth structure of the $LogFile.
Last time I checked, the details of the $LogFile were still mostly, if not completely a mystery.
But, my information could be outdated. If anyone has more accurate information, I'm also quite interested in hearing it.
NDA clause allowing, I'll try to put something together from the docs I have - but please don't anyone hold their breath.
Thought I'd post a quick further follow-up. In a discussion on this topic today I was alerted to a tool which appears to remove the need for the clunky mount-via-Linux method of getting access to $LogFile which I have been using.
I haven't had a chance to try it out yet - but
As a further follow-up, the following project on sourceforge.jp should be of interest:
/*
 * logfile.h - Defines for NTFS kernel journal ($LogFile) handling. Part of
 * the Linux-NTFS project.
….
….
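An added example (my own code, not from this thread or the Linux-NTFS project) that parses a $LogFile restart page using the RESTART_PAGE_HEADER field order from that logfile.h, after first undoing the per-sector update sequence fixups that NTFS writes into every page. The sample page is constructed inline; the 4 KiB page size and the values in it are assumptions.

```python
import struct

SECTOR = 512  # NTFS applies update-sequence fixups per 512-byte sector


def apply_fixups(page: bytes) -> bytes:
    """Undo the update sequence fixups on one $LogFile page.

    On disk the last two bytes of every sector are replaced by the update
    sequence number (USN); the original words sit in the update sequence
    array (USA) right after the fixed header. A sector whose trailing word
    is not the USN is a torn write, so refuse to parse instead of guessing.
    """
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    usn = page[usa_ofs:usa_ofs + 2]
    buf = bytearray(page)
    for i in range(1, usa_count):          # USA slot 0 is the USN itself
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        buf[end - 2:end] = page[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def parse_restart_page(page: bytes) -> dict:
    """Parse the RESTART_PAGE_HEADER fields as laid out in logfile.h."""
    if page[:4] != b"RSTR":
        raise ValueError("not a restart page (magic %r)" % page[:4])
    fixed = apply_fixups(page)
    lsn, sys_sz, log_sz, ra_ofs, minor, major = struct.unpack_from(
        "<QIIHhh", fixed, 8)
    return {"chkdsk_lsn": lsn, "system_page_size": sys_sz,
            "log_page_size": log_sz, "restart_offset": ra_ofs,
            "version": (major, minor)}


def build_sample_restart_page() -> bytes:
    """Constructed sample (not a real dump): a 4 KiB RSTR page written the
    way the driver writes it, i.e. with the fixups already applied."""
    page_size = 4096
    usa_ofs, usa_count = 0x1E, page_size // SECTOR + 1
    hdr = b"RSTR" + struct.pack("<HH", usa_ofs, usa_count)
    hdr += struct.pack("<QIIHhh", 0x1234, page_size, page_size, 0x30, 1, 1)
    buf = bytearray(hdr.ljust(page_size, b"\xAB"))
    struct.pack_into("<H", buf, usa_ofs, 7)       # USN = 7 (assumed)
    for i in range(1, usa_count):                 # save each sector's tail
        end = i * SECTOR
        buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = buf[end - 2:end]
        struct.pack_into("<H", buf, end - 2, 7)   # then stamp the USN
    return bytes(buf)
```

The same fixup step applies to the "RCRD" log record pages that follow the restart area, so a parser that skips it will read two corrupt bytes every 512 bytes.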