Note: I translated Japanese into English using Google Translate.
Thank you, Google.
This post checks what is recorded in $LogFile when an ObjectID is set on a file.
The E: drive used for verification is newly formatted with NTFS.
Copy the sample JPEG file to the E: drive. This file does not have an ObjectID.
Use the fsutil command to create an ObjectID.
Check the contents of the FILE record with Autopsy. The FILE record number of the sample image file is 40.
Parse $LogFile.
See the parse result.
Delete the ObjectID and check $LogFile.
You can confirm that the ObjectID was deleted with DeleteAttribute.
Create an ObjectID again. A different ObjectID from the first one is created.
In the $LogFile parse result, check the current value and the previous value.
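The FILE record check done above in Autopsy can also be scripted. The following is an added example, not code from the original post or from LogFileParser: it reads the $OBJECT_ID attribute (type 0x40) out of one raw MFT FILE record and returns it together with the $LogFile sequence number (LSN) stored in the record header, which is the value to look up in the $LogFile parse result. The function names and the sample record builder are assumptions made for illustration; the sample record is constructed, not taken from a real volume.

```python
import struct
import uuid

OBJECT_ID, END = 0x40, 0xFFFFFFFF  # $OBJECT_ID attribute type, end-of-attributes marker

def apply_fixups(rec, sector=512):
    """Undo the update sequence array: restore the last 2 bytes of every sector."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt FILE record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def read_object_id(raw):
    """Return (LSN, ObjectID or None) for one raw MFT FILE record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    lsn, = struct.unpack_from("<Q", rec, 0x08)  # LSN of the last $LogFile record for this entry
    off, = struct.unpack_from("<H", rec, 0x14)  # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == OBJECT_ID and rec[off + 8] == 0:  # resident attribute
            size, coff = struct.unpack_from("<IH", rec, off + 0x10)
            if size >= 16:  # the first 16 content bytes are the ObjectID GUID
                return lsn, uuid.UUID(bytes_le=rec[off + coff:off + coff + 16])
        off += alen
    return lsn, None

def build_sample(guid=None, lsn=0, first_attr=0x1E0):
    """Constructed 1024-byte FILE record; the GUID straddles a sector end on purpose."""
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHH", rec, 0, b"FILE", 0x30, 3, lsn, 1, 1, first_attr, 1)
    off = first_attr
    if guid is not None:
        struct.pack_into("<IIBBHHHIH", rec, off, OBJECT_ID, 0x28, 0, 0, 0x18, 0, 0, 16, 0x18)
        rec[off + 0x18:off + 0x28] = guid.bytes_le
        off += 0x28
    struct.pack_into("<I", rec, off, END)
    rec[0x30:0x32] = b"\x07\x00"  # update sequence number
    for i in (1, 2):  # save each sector tail in the array, then stamp the USN over it
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x07\x00"
    return bytes(rec)
```

Running `read_object_id` on the same record exported before and after each fsutil step shows the attribute appear, disappear, and return with a new GUID, with the LSN changing each time.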
Verification environment: Windows 10 1083
Reference URL:
GitHub - jschicht/LogFileParser: Parser for $LogFile on NTFS