NTFS Log Tracker – Tool to Parse NTFS Logs

NTFS Log Tracker is a tool that parses the $LogFile and $UsnJrnl of an NTFS volume. Its input is the raw file extracted with another tool such as EnCase or WinHex. If you want to see "Full Path" information, you must also supply the $MFT file.


NTFS Log Tracker's features include:

  • Analysis of $LogFile and $UsnJrnl
  • Full Path information (with $MFT)
  • Keyword search, exporting results to a CSV file, importing a SQLite file (created by this tool)

Parsed $LogFile events give an incident response team the following file-level event information:

  • Creating a file/directory (including "File System Tunneling")
  • Writing resident/non-resident data
    • Writing resident data: "Data offset" is the location of the resident data within $LogFile.
    • Writing non-resident data: "Cluster Number" is the "StartClusterNumber(Allocated Cluster Count)" of the non-resident data within the volume.
  • Deleting a file/directory
  • Renaming a file/directory
  • Moving a file/directory

Parsed $UsnJrnl events include the following:

  • Event Info (the USN_RECORD reason flags): http://msdn.microsoft.com/en-us/library/aa365722.aspx
  • File Attribute: http://msdn.microsoft.com/en-us/library/gg258117.aspx
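
To show what the tool's $UsnJrnl output is built from, here is an added example (not NTFS Log Tracker's own code) that parses USN_RECORD_V2 records from a raw $UsnJrnl:$J extract, decodes the reason flags and file attributes named above, and resolves a full path through an index derived from $MFT. The three journal records, the FILETIME value and the MFT_INDEX dictionary are all constructed inline so the script runs offline; the field layout and flag values are the documented Windows ones.

```python
"""Added example (not NTFS Log Tracker's code): parse USN_RECORD_V2 entries from a raw
$UsnJrnl:$J extract and resolve full paths via an $MFT-derived index.
Sample records and the index below are constructed for this example."""
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags (the record's "Event Info"), from the USN_RECORD_V2 documentation.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x00400000: "TRANSACTED_CHANGE", 0x00800000: "INTEGRITY_CHANGE",
    0x80000000: "CLOSE",
}
# FILE_ATTRIBUTE_* constants.
FILE_ATTRIBUTE = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0040: "DEVICE", 0x0080: "NORMAL", 0x0100: "TEMPORARY",
    0x0200: "SPARSE_FILE", 0x0400: "REPARSE_POINT", 0x0800: "COMPRESSED",
    0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED",
}
ROOT_ENTRY = 5  # $MFT entry number of the volume root directory


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def flag_names(value, table):
    """Decode a bitmask into names; bits not in the table are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:08X}"] if rest else [])


def full_path(parent_ref, name, mft_index):
    """Walk parent references through an index {entry: (sequence, name, parent_entry)}.
    The USN record carries the parent's sequence number, so a reused $MFT entry is detected
    instead of silently producing a wrong path."""
    entry, seq = parent_ref & 0xFFFFFFFFFFFF, parent_ref >> 48
    if entry not in mft_index or mft_index[entry][0] != seq:
        return f"<unresolved parent {entry}#{seq}>\\{name}"
    parts, seen = [name], set()
    while entry != ROOT_ENTRY and entry in mft_index and entry not in seen:
        seen.add(entry)
        _, dir_name, entry = mft_index[entry]
        parts.append(dir_name)
    if entry != ROOT_ENTRY:
        parts.append("<?>")  # chain broken before reaching the root
    return "\\" + "\\".join(reversed(parts))


def parse_usn_records(data, mft_index=None):
    """Yield one dict per USN_RECORD_V2 in a raw $J extract (60-byte header + UTF-16LE name)."""
    off, n = 0, len(data)
    while off + 4 <= n:
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:
            # $J is sparse: zero-filled regions and padding are skipped 8 bytes at a time.
            off = (off + 8) & ~7
            continue
        if rec_len < 60 or off + rec_len > n:
            raise ValueError(f"bad RecordLength {rec_len} at offset {off}")
        (major, _minor, frn, parent, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = struct.unpack_from("<HHQQqqIIIIHH", data, off + 4)
        if major != 2:
            raise ValueError(f"unsupported USN_RECORD version {major} at offset {off}")
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        rec = {
            "usn": usn, "timestamp": filetime_to_datetime(ts),
            "entry": frn & 0xFFFFFFFFFFFF, "sequence": frn >> 48,
            "parent_entry": parent & 0xFFFFFFFFFFFF,
            "reason": flag_names(reason, USN_REASON),
            "attributes": flag_names(attrs, FILE_ATTRIBUTE),
            "name": name,
        }
        if mft_index is not None:
            rec["path"] = full_path(parent, name, mft_index)
        yield rec
        off += rec_len


def make_usn_record(frn, parent_ref, usn, filetime, reason, attrs, name):
    """Encode one USN_RECORD_V2; used here only to construct the sample $J data."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (60 + len(name_bytes) + 7) & ~7
    head = struct.pack("<IHHQQqqIIIIHH", rec_len, 2, 0, frn, parent_ref, usn,
                       filetime, reason, 0, 0, attrs, len(name_bytes), 60)
    return (head + name_bytes).ljust(rec_len, b"\0")


# Constructed $MFT index: entry -> (sequence, name, parent entry), standing in for a parsed $MFT.
MFT_INDEX = {5: (5, ".", 5), 64: (1, "Users", 5), 70: (1, "alice", 64), 71: (1, "Documents", 70)}
FILE = (3 << 48) | 200        # sequence 3, entry 200
PARENT = (1 << 48) | 71       # sequence 1, entry 71 (\Users\alice\Documents)
T0 = 132_000_000_000_000_000  # constructed FILETIME
# Constructed $J extract: leading zero fill, then create / write+close / delete+close.
SAMPLE_J = (b"\0" * 24
            + make_usn_record(FILE, PARENT, 0x1000, T0, 0x00000100, 0x20, "secret.docx")
            + make_usn_record(FILE, PARENT, 0x1058, T0 + 10_000_000, 0x80000003, 0x20, "secret.docx")
            + make_usn_record(FILE, PARENT, 0x10B0, T0 + 20_000_000, 0x80000200, 0x20, "secret.docx"))

if __name__ == "__main__":
    for r in parse_usn_records(SAMPLE_J, MFT_INDEX):
        print(r["timestamp"].isoformat(), r["path"], "|".join(r["reason"]))
```

Two points matter in practice: the journal only stores the parent's file reference (entry plus sequence number), so the path can only be rebuilt against the $MFT as it existed at extraction time, and the sequence check in `full_path` is what keeps a reused entry from being mapped to the wrong directory; and the zero-length-record handling is needed because a carved or sparse $J extract contains large runs of zeros before and between records.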

File change events are important during forensic analysis. You can read more about and download the tool here: https://sites.google.com/site/forensicnote/ntfs-log-tracker
