Relevant Definitions  

NTFS

NTFS is a file system developed by Microsoft as a more functional and reliable successor to their FAT file systems. NTFS was released with Windows NT 3.1 (as its default file system) in 1993 and with the release of Windows 10 is still the default Windows file system today.

$MFT

The $MFT (Master File Table) metafile allows NTFS to keep track of its files and folders by maintaining information about their names, locations, dates and times, and much more. Each $MFT record (in layman’s terms, each file and folder) is assigned a record number as well as a sequence number that identifies whether that record has been re-used over time. When records have only been used once, i.e. their sequence number is “1”, their record numbers normally increase sequentially in the order in which files and folders were created, regardless of their associated dates and times.

$LogFile

The $LogFile (NTFS Log) metafile is a file system transaction log that provides NTFS with redo and undo functionality by using unique identifiers for transactions called LSNs (Log Sequence Numbers). In other words, the $LogFile keeps track of file system transactions so they can be redone, or undone, if necessary. The $LogFile is a critical part of NTFS’s journaling functionality which reduces the likelihood of corruption to the file system’s core in the event of system crashes. LSNs normally increase sequentially (occurring in the order in which changes to files, folders, and their metadata happen) regardless of their associated dates and times.

$Secure

The $Secure metafile contains security descriptors used by NTFS to control access to files and folders. Access control information found in security descriptors identifies who can access objects and how. Each security descriptor is associated with a SecurityId for more efficient reference by other NTFS metafiles which include the $MFT, $LogFile, and $UsnJrnl. SecurityIds normally increase sequentially in the order in which they were added to the $Secure metafile, regardless of the dates and times associated with the operating system responsible for adding them.

$UsnJrnl

The $UsnJrnl (Update Sequence Number Journal or Change Journal) metafile is an optional file system transaction log maintained by NTFS and made available to third-party applications. The $UsnJrnl essentially stores a subset of information stored by the $LogFile in a more human-friendly way. $UsnJrnl records are identified using USNs (Update Sequence Numbers). USNs normally increase sequentially (occurring in the order in which changes to files, folders, and their metadata happen) regardless of their associated dates and times.

Event Logs

Event logs are diagnostic files maintained by Microsoft Windows ("Windows") and certain applications. Depending on how Windows is configured, it may be possible to determine when the system started and stopped, when users logged in and out, when software applications were installed and removed, and much more. Each event in an event log is assigned a RecordNumber or EventRecordID (depending on the version of Windows - “Event Logging” or “Windows Event Log”) which normally increases sequentially, regardless of the dates and times associated with that event.