logflip documentation

What logflip is, the NTFS timestomping threat model, and how reverse-replay recovers the timestamps a file carried before it was stomped.

What logflip is

logflip reconstructs the NTFS $STANDARD_INFORMATION timestamps a record carried before it was stomped, by walking the NTFS $LogFile undo chain backward, then corroborates that reconstruction across three independent forensic channels before it will call anything tampering.

Its defining property is restraint. It returns clean, provisional, or anomaly, and reaches confirmed only when a signed fingerprint database, a real engagement key, and every corroboration gate agree. It is built to be wrong on the side of silence, never on the side of a false accusation.

By design

The shipped demo configuration tops out at provisional. That is the honest ceiling, not a shortfall to apologize for: confirmed is held structurally unreachable without a real signed database and a real engagement key.

The timestomping threat model

Timestomping forges a file's MACE timestamps to hide when it was really created or modified. It is one of the oldest moves in the anti-forensics playbook, and one of the hardest to disprove after the fact. The $STANDARD_INFORMATION timestamps an investigator reads today are simply whatever the attacker last wrote; the original values are gone from the attribute itself.

They are not gone from the journal. NTFS records the before image of many metadata operations in $LogFile as undo data, precisely so the volume can roll back an interrupted transaction. logflip turns that recovery mechanism into a forensic one: it replays the undo chain in reverse to reconstruct the pre-tamper attribute state.

A second, independent signal lives in the timestamp pair. $FILE_NAME is updated only at create, rename, and reparent, not on content or attribute edits, so a divergence between it and $STANDARD_INFORMATION is a screen for SI-only stomps. A nonzero delta is a necessary condition for many stomping tools but not sufficient for attribution, because many legitimate files carry a nonzero delta too.

Corroboration across three channels

A verdict is earned by agreement, not asserted from one signal. logflip parses the image, reconstructs the pre-tamper state, then asks whether three independent channels point at the same conclusion:

  • Reverse-replay inversion: the backward LSN walk that recovers pre-tamper $SI from the $LogFile undo records.
  • SI-vs-FN delta: an independent source that is updated only at create, rename, and reparent. Necessary, not sufficient.
  • Fingerprint-database attribution: a byte-pattern match against a signed, HMAC-verified tool-family database. The gating channel.

No public tool performs this reverse-replay of NTFS $LogFile to reconstruct pre-tamper state and identify the tampering tool family. The closest prior art, NTFS Log Tracker, reaches roughly 50 percent fidelity: it parses forward records and surfaces some timestamp evidence, but it does not perform the backward LSN walk.

The honest ceiling: a worked run

The one canonical run on this site is the living proof of the invariant. The reverse replay recovered a real pre-tamper creation time, yet the verdict stayed provisional because the run uses a demo key and the shipped database is metadata-only.

  • MFT record 24, tool psstomp.
  • Stomped $SI: 2009-01-01T00:00:00Z (the fake the attacker wrote).
  • Recovered $SI: 2026-06-07T00:38:59.2703686Z (the pre-tamper value, reconstructed). Recovered evidence is provisional only; it is never cryptographically confirmed.
  • Verdict provisional, key class demo, evil confirmed false.
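The backward undo walk and the three-channel verdict described above, as an added illustration that is not logflip's own code: a constructed, simplified $LogFile model (flat records keyed by LSN, each carrying the before-image of one $SI write) rather than the real on-disk format, and a verdict function that maps "one channel alone" to anomaly, which is an assumption about how the states relate. The sample chain reuses the worked run's values for MFT record 24.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
@dataclass(frozen=True)
class UndoRecord:
    """Simplified $LogFile entry: the before-image (undo) of one $SI write, chained
    to the previous LSN on the same MFT record. A constructed model, not on-disk layout."""
    lsn: int
    prev_lsn: int            # 0 marks the head of the chain
    mft_record: int
    undo_si_created: str     # $SI creation time BEFORE this write (ISO 8601)

def reverse_replay(records: Iterable[UndoRecord], mft_record: int,
                   tail_lsn: int) -> Optional[str]:
    """Walk the undo chain backward from tail_lsn; return the earliest recoverable
    $SI creation time, or None if no record was reached."""
    by_lsn = {r.lsn: r for r in records if r.mft_record == mft_record}
    lsn, recovered = tail_lsn, None
    while lsn:
        rec = by_lsn.get(lsn)
        if rec is None:      # chain broken (record overwritten or wrapped): stop
            break
        recovered = rec.undo_si_created
        lsn = rec.prev_lsn
    return recovered

def verdict(si_created: str, fn_created: str, recovered: Optional[str],
            signed_db_verified: bool) -> str:
    """Verdict by agreement: SI-vs-FN delta and replay must both point at tampering;
    'confirmed' additionally needs a verified signed fingerprint database."""
    delta = si_created != fn_created                   # necessary, not sufficient
    replay = recovered is not None and recovered != si_created
    if not delta and not replay:
        return "clean"
    if not (delta and replay):
        return "anomaly"                               # one channel alone cannot attribute
    return "confirmed" if signed_db_verified else "provisional"

# Constructed sample: two $SI writes on MFT record 24, the last one stomping the
# creation time back to 2009; the original value survives in LSN 200's undo data.
ORIGINAL = "2026-06-07T00:38:59.2703686Z"
STOMPED = "2009-01-01T00:00:00Z"
LOG = [
    UndoRecord(lsn=200, prev_lsn=0, mft_record=24, undo_si_created=ORIGINAL),
    UndoRecord(lsn=250, prev_lsn=0, mft_record=30, undo_si_created="2020-05-05T00:00:00Z"),
    UndoRecord(lsn=300, prev_lsn=200, mft_record=24, undo_si_created="2010-01-01T00:00:00Z"),
]

def demo_run() -> tuple:
    recovered = reverse_replay(LOG, mft_record=24, tail_lsn=300)
    return recovered, verdict(STOMPED, ORIGINAL, recovered, signed_db_verified=False)
```

With the demo key (no verified database) the run stops at provisional even though the replay recovered the original creation time; flipping `signed_db_verified` to True is the only path to confirmed.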

This documentation covers the engine end to end.

logflip is version v0.1.0, MIT licensed. The tool source lives at github.com/javierdejesusda/logflip-closed.