Hi everyone! I'm trying to understand how $LogFile works. I read Carrier, and many other books, but very little is known about the $LogFile structure.
I read this forum too, and I read that someone made some tests about it... I'd like to have information... can you help me?
I found on the web something about the structure of the first part of $LogFile, the restart pages... but nothing about the record pages.
This is probably the closest to any documentation you can get: http//
I read that structure from that site... but it talks only about restart pages...
A few more hints on the actual content of the records: http//
Uhm, I think it's not enough... I read that there is a script for EnCase for $LogFile parsing... do you know if it works correctly?
It does not parse it completely - instead it carves out the most common artifacts found in the $LogFile, namely MFT records and lnk files (and one other but I forget).
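As an added example (not from this thread, and not the EnCase script mentioned above), a small Python carver that does what that script is described as doing: it walks a $LogFile image page by page, tells RSTR restart pages from RCRD record pages by their 4-byte magic, and carves MFT records by their `FILE` signature out of the record pages only. The 4096-byte page size, the header sanity checks and the constructed sample image are assumptions for the demo; on a real image the page size comes from the restart area.

```python
import struct

PAGE_SIZE = 4096        # assumed log page size; the real value lives in the RSTR restart area
MFT_RECORD_SIZE = 1024  # usual MFT record size, used as a sanity check on carved hits

def page_kind(page: bytes) -> str:
    # A $LogFile page starts with a 4-byte magic: restart page 'RSTR' or log record page 'RCRD'.
    magic = page[:4]
    return magic.decode() if magic in (b"RSTR", b"RCRD") else "UNKNOWN"

def looks_like_mft_record(buf: bytes) -> bool:
    # Check the MFT record header so stray 'FILE' strings in the log are not reported.
    if len(buf) < 0x30:
        return False
    attr_off, _flags, used, alloc = struct.unpack_from("<HHII", buf, 0x14)
    return alloc == MFT_RECORD_SIZE and 0x30 <= attr_off < used <= alloc

def carve_mft_records(image: bytes) -> list[dict]:
    # Carve MFT records ('FILE' signature) that sit inside RCRD pages; RSTR pages carry no log data.
    # Records come back raw: update-sequence fixups are not applied, so the last two bytes of each
    # 512-byte sector still hold the USA sequence value rather than the original data.
    found = []
    pos = image.find(b"FILE")
    while pos != -1:
        idx = pos // PAGE_SIZE
        cand = image[pos:pos + MFT_RECORD_SIZE]
        if page_kind(image[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]) == "RCRD" and looks_like_mft_record(cand):
            flags, used = struct.unpack_from("<HI", cand, 0x16)
            number = struct.unpack_from("<I", cand, 0x2C)[0]
            found.append({"offset": pos, "page": idx, "record": number, "in_use": bool(flags & 1), "used": used})
        pos = image.find(b"FILE", pos + 4)
    return found

def build_sample_logfile() -> bytes:
    # Constructed sample image: two RSTR pages, then two RCRD pages. The first RCRD page carries a
    # record for MFT entry 42 in its redo data; the second holds a stray 'FILE' string with no valid header.
    def page(magic: bytes) -> bytearray:
        p = bytearray(PAGE_SIZE)
        p[:4] = magic
        return p
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)                            # USA offset and USA count
    struct.pack_into("<HHII", rec, 0x14, 0x38, 1, 0x1A8, MFT_RECORD_SIZE)  # attr offset, flags (in use), used, allocated
    struct.pack_into("<I", rec, 0x2C, 42)                                  # MFT record number
    p3 = page(b"RCRD")
    p3[0x100:0x100 + MFT_RECORD_SIZE] = rec
    p4 = page(b"RCRD")
    p4[0x200:0x204] = b"FILE"
    return bytes(page(b"RSTR") + page(b"RSTR") + p3 + p4)
```

Run `carve_mft_records(open("$LogFile", "rb").read())` on an extracted $LogFile to list candidate records with their page index and absolute offset; anything carved this way still needs its fixups applied before the attributes are parsed.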
Damn... I'm trying to make some tests, but without a structure it's hard to understand.
Greetings,
Welcome to the world of forensics - there is no "Easy Button"!
_David