Harlan,

It looks like I spoke too soon. While the ntbackup command appeared to work at first, the resulting backup file seems to be empty. The shadow copy service should work but I may have to go about it programmatically instead of using ntbackup. I don't suppose there is any way to recall a post from the list? :-)

Regards,

George.

----- Original Message -----
From: "George M. Garner Jr." <gmgarnerat_private>
To: "Harlan Carvey" <keydet89at_private>
Cc: <forensicsat_private>
Sent: Monday, March 17, 2003 5:54 PM
Subject: Re: NTFS $LOGFILE metafile

> Harlan,
>
> >> As yet, I haven't found a way to access the $LOGFILE metafile on a live system,
> >> let alone parse it... <<
>
> The FSCTL control codes to read and write from the $Logfile do not appear to
> be documented. Maybe they are in the IFS SDK. On Windows XP and .Net
> Server you can use the volume shadow copy service to backup a snapshot of
> the $Logfile. The syntax is as follows:
>
> ntbackup backup C:\$Logfile /F "A:\myLogfile"
>
> This assumes that C:\ is a ntfs volume and you want to write the backup file
> to the a: drive.
>
> Regards,
>
> George.
>

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 16:55:04 PST