
Hidden partition existence exposed in Windows "NTFS Operational Log" event log

Topics: Technical Issues
Jan 10 at 6:53 PM
(my apologies if this is the wrong forum or has been covered previously)


Informational events in "NTFS Operational Log" record the free space in volumes.
The same Volume guid is used for the outer and hidden volumes.
The size incongruity clearly indicates the existence of a hidden volume.

The difference in free-space size may not be noticed if the hidden volume is very small and the event time stamps are different enough to indicate anything other than typical/system file writing.

Am I misunderstanding this or are there “best practices” to overcome this?
Deleting that event log may indicate overt efforts to hide the evidence.


Example of a 75GB encrypted partition with a 38 GB hidden partition
"NTFS Operational Log" -- Microsoft-Windows-Ntfs%4Operational.evtx

Outer encrypted volume mounted event ID: 142
Summary of disk space usage, since last event:

           Lowest free space in bytes: 75467919360
           Highest free space in bytes: 75467919360
           Page file size in bytes: 0
           Volume guid: {78828d14-2f18-11e6-8108-c4e984dc0855}
           Volume name: N:
           Is boot volume: false
Hidden volume mounted event ID: 142
Summary of disk space usage, since last event:

           Lowest free space in bytes: 38057033728
           Highest free space in bytes: 38057033728
           Page file size in bytes: 0
           Volume guid: {78828d14-2f18-11e6-8108-c4e984dc0855}
           Volume name: N:
           Is boot volume: false
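As an added illustration (not code from the post or from the project it discusses), the script below shows how an analyst would turn the observation above into a repeatable check: parse event ID 142 records, group them by Volume guid, and report any GUID whose reported free space spans more than a threshold across records. It assumes the field layout exactly as the two records are rendered in the post; the sample input is constructed from those two records plus a third, made-up record for an unrelated volume with a placeholder GUID.

```python
import re
from collections import defaultdict

# Constructed sample input: the two event ID 142 records quoted in the post
# (outer volume mounted, then hidden volume mounted under the same GUID), plus
# one constructed record for an unrelated volume with a placeholder GUID whose
# free space barely moves, so it should NOT be flagged.
SAMPLE_EVENTS = """\
Outer encrypted volume mounted event ID: 142
Summary of disk space usage, since last event:

           Lowest free space in bytes: 75467919360
           Highest free space in bytes: 75467919360
           Page file size in bytes: 0
           Volume guid: {78828d14-2f18-11e6-8108-c4e984dc0855}
           Volume name: N:
           Is boot volume: false
Hidden volume mounted event ID: 142
Summary of disk space usage, since last event:

           Lowest free space in bytes: 38057033728
           Highest free space in bytes: 38057033728
           Page file size in bytes: 0
           Volume guid: {78828d14-2f18-11e6-8108-c4e984dc0855}
           Volume name: N:
           Is boot volume: false
Unrelated volume (constructed) event ID: 142
Summary of disk space usage, since last event:

           Lowest free space in bytes: 120000000000
           Highest free space in bytes: 120050000000
           Page file size in bytes: 0
           Volume guid: {00000000-0000-0000-0000-000000000000}
           Volume name: D:
           Is boot volume: false
"""

# One record = the six fields in the order the post shows them (assumed layout).
EVENT_RE = re.compile(
    r"Lowest free space in bytes:\s*(?P<lowest>\d+)\s*"
    r"Highest free space in bytes:\s*(?P<highest>\d+)\s*"
    r"Page file size in bytes:\s*(?P<pagefile>\d+)\s*"
    r"Volume guid:\s*(?P<guid>\{[0-9a-f-]+\})\s*"
    r"Volume name:\s*(?P<name>\S+)\s*"
    r"Is boot volume:\s*(?P<boot>true|false)",
    re.IGNORECASE,
)


def parse_ntfs_space_events(text):
    """Return one dict per 'Summary of disk space usage' record found in text."""
    events = []
    for m in EVENT_RE.finditer(text):
        events.append({
            "lowest": int(m.group("lowest")),
            "highest": int(m.group("highest")),
            "pagefile": int(m.group("pagefile")),
            "guid": m.group("guid").lower(),
            "name": m.group("name"),
            "boot": m.group("boot").lower() == "true",
        })
    return events


def free_space_discrepancies(events, min_delta_bytes=1 << 30):
    """Group records by volume GUID and flag every GUID whose reported free
    space spans at least min_delta_bytes (default 1 GiB) across records."""
    lows, highs, names = defaultdict(list), defaultdict(list), {}
    for ev in events:
        lows[ev["guid"]].append(ev["lowest"])
        highs[ev["guid"]].append(ev["highest"])
        names[ev["guid"]] = ev["name"]
    findings = []
    for guid in lows:
        lo, hi = min(lows[guid]), max(highs[guid])
        delta = hi - lo
        if delta >= min_delta_bytes:
            findings.append({"guid": guid, "name": names[guid],
                             "lowest_seen": lo, "highest_seen": hi,
                             "delta": delta})
    return findings


if __name__ == "__main__":
    for f in free_space_discrepancies(parse_ntfs_space_events(SAMPLE_EVENTS)):
        print(f"{f['name']} {f['guid']}: free space spans "
              f"{f['delta'] / 1024**3:.1f} GiB "
              f"({f['lowest_seen']} .. {f['highest_seen']} bytes)")
```

On the sample, only N: is reported, with a span of 37410885632 bytes (about 34.8 GiB) between the two mounts. A large span is an indicator to review, not proof of a hidden volume: heavy file activity between records produces the same signature, so the event time stamps and the volume's actual size need to be checked alongside it, and the threshold should be tuned to what is normal for the volumes in question.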
Jan 11 at 1:15 AM
Windows OS and third-party applications are known to leak data about your activity, files accessed, etc.

The only solution is to perform system encryption.