$MFT and $LogFile Analysis (mala)

Introduction

mala is short for $MFT and $LogFile Analysis. This new tool targets the $LogFile artifact and uses the $MFT file for additional context data.

As background, the Windows NTFS file system has a transactional architecture that ensures the operating system can recover from a crash into a known good state. Short of the NTFS file system kernel driver itself failing, Windows does a good job of maintaining data consistency after critical failures that cause the system to shut down unexpectedly. Specifically, NTFS logs file transactions when:

To achieve this level of reliability, NTFS employs a journaling technique that records a sequence of file changes in the $LogFile. After the sequence of operations is completed, the operating system commits the changes and the transaction is done. In this way, if the system crashes before a transaction is committed to disk, the system can read the sequence of changes from the $LogFile and perform any 'undo' operations needed to bring the file system back to a known good, stable state.

From a forensic standpoint, analyzing the $LogFile can yield a chronological list of the historical transactions that were performed. The $LogFile is of fixed size, so once it fills, writing wraps around and old data is overwritten with new transactions. The number of historical transactions available therefore varies with how frequently files change on the system. The $LogFile is typically 64 MB per volume, although it can be resized as needed. With the default size and normal usage, one should expect a few hours of activity to be recorded in the $LogFile. This time estimate is highly subjective and will vary with the frequency of file system changes.

Available options in mala

The screen shot below shows the usage of the tool as well as all the options available.

[screen shot: cmd menu]

Reporting

The output generated by mala is in a delimited format, where the delimiter can be a comma (CSV format), a pipe, or a tab character. To limit the number of fields and keep the layout uniform across different operations, the last field uses a quasi-JSON format; this lets the tool use a condensed notation and remain extensible, so that an unlimited combination of data types can be represented. In this way, dissimilar data can be put concisely into a format that is easily ingested by a spreadsheet program (such as Excel) or a database. Most of the data placed in this 'catch-all' column is the payload data associated with the operation, along with any supporting information provided by the $MFT file (if available).

For more information

The user's guide can be viewed here.

If you have any questions about mala, contact us via email.

Downloads

              32-bit Version             64-bit Version
Windows:      mala32.v.0.10.win.zip      mala64.v.0.10.win.zip      md5/sha1
Linux:        mala32.v.0.10.lin.tar.gz   mala64.v.0.10.lin.tar.gz   md5/sha1
Mac OS X:     mala.v.0.10.osx.tar.gz     mala.v.0.10.osx.tar.gz     md5/sha1

* 32-bit apps can run on a 64-bit Linux distribution if "ia32-libs" (and its dependencies) are present.