In the meantime I have created a $LogFile parser that will among many things, retrieve and reconstruct all file location related information (dataruns, file size, etc) for any file referenced as the source of a transaction in the $LogFile: http://code.google.com/p/mft2csv/wiki/LogFileParser
That means, if you in your $LogFile have records concerning the target file, then the tool may be able to reconstruct parts of the datarun list. It is a bit tricky and this method certainly has lots of limitations. However after having tried it, you will at least with certainty know if there was any such relevant information to be found in the $LogFile. If there are any dataruns found and reconstructed for the target file, you can use this tool to extract the data with; http://mft2csv.googlecode.com/files/ExtractFromDataRun_v1.0.0.0.zip
If you did not image the drive earlier, so that the only copy of the $LogFile has been written to since then, you can probably just forget about it right away, as all history will likely be gone.
Send me a message if you have problems understanding or interpreting the output.
↧