Eyes on NTFS
Eyes on NTFS allows you to operate NTFS's Change Journal. The Change Journal is a database that contains a list of every change made to the files or directories on an NTFS 5.0 volume, that is, the Change Journal is a log file.
The structure of Change Journal's record includes USN, Reason, Filename, ParentFileReferenceNumber and TimeStamp, etc.
Let me explain them to you:
1. USN is ID
2. Reason is why the record is written, say, 'create'
3. Filename is merely name without path
4. ParentFileReferenceNumber is a foreign key to file's path
5. TimeStamp is the time when event happens
With this information, we can know what happened to a file, the only problem is where to find the path of the file. There is no simple/easy way to get there as far as I know. Let's face it, NTFS is not a RDBMS, we can't use one 'select' sentence from relevant tables to get all we need.
Sometimes, you may have done a series of operations on files and probably one of them is wrong, but after a short time, you couldn't remember where the file is and you don't want to roll back all the operations by using 'Undo' provided by the Explorer, because most operations are what you want. At such times, this tool might help.
Anyway, some real time anti-virus software may use this technique.
The license of this software is Free, you can free download and free use this disk management software.