How can I view a dump of a NTFS $Logfile?

Question

I recently encountered a strange Windows 7 bug where a 600 MB video file I spent ~1 hour recording disappeared with no trace. I've tried using applications such as Recuva to see if I can recover it to no avail.

I know for sure that the file existed at one point because there is still a link to its location in VLC Media player's history. That said, there SHOULD be a reference to the data write operations in the NTFS $LogFile on the volume where this file was created. Whenever I try to do a 'type $Logfile' or open it through an application I get "Access is Denied". I am logged in as an account with Local Administrator privileges.

Does anyone know a surefire method of viewing the NTFS $LogFile for a given volume?

Did you figure out how to dump $LogFile. Thanks. – Chandan May 09 '16 at 21:44 — Chandan, May 09 '16 at 21:44

score 3 · Answer 1 · edited May 23 '17 at 12:31

3

nfi.exe should help. take a look at the following question:

How to dump the NTFS $Bitmap file

edited May 23 '17 at 12:31

Community

1
1

answered Jan 16 '14 at 09:11

mox

6,084
2
23
35

score 0 · Answer 2 · answered Nov 03 '14 at 20:06

0

Try fget or ntfs opt, see here: http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html

answered Nov 03 '14 at 20:06

tal

111
3

How can I view a dump of a NTFS $Logfile?

2 Answers2