Need to analyse the record of $LogFile data in NTFS fs RRS feed

  • Question

  • Hi,
    I need to know how to track the data of a deleted file (more than 4GB in size) in a NTFS partition.
    In NTFS file system a file attributes and its data clusters chain found in its MFT. If this file is greater than 4GB in size and I delete it, the data clusters chain of this file is also deleted from its MFT also. So I am not able to track the data of this deleted file.
    Another way to find its data clusters chain is by going through $LogFile as the LogFile contains all the details of a file if the file is updated or deleted. Suppose the data of this deleted file is not overwritten.
    Someone please help me how can I track the data of this file with the help of $LogFile?
    How can we read the records written in a $Logfile data?
    How can we jump on a data cluster chain of a deleted file in $LogFile?



    Friday, September 23, 2011 8:48 AM