Microsoft introduced the CLFS log framework in Windows Vista and Windows Server 2003 for efficient performance. It provides applications with API functions, available in clfsw32.dll, to create, store and read log data. Because this format is not widely used or documented, there are no tools available to analyze CLFS log files. This gives attackers the opportunity to hide their data as log records in a convenient way, because the records can be accessed through API functions. This is similar in nature to malware that relies, for example, on the Windows Registry or NTFS Extended Attributes to hide its data; these also provide locations to store and retrieve binary data through the Windows API.

In Microsoft Windows, CLFS is notably used by the Kernel Transaction Manager (KTM) for both Transactional NTFS (TxF) and Transactional Registry (TxR) operations. These allow applications to perform a number of changes on the filesystem or registry, all grouped in a single transaction that can be committed or rolled back. For example, to open a registry key in a transaction, the functions RegCreateKeyTransacted(), RegOpenKeyTransacted(), and RegDeleteKeyTransacted() are available. Records of these transactions are stored in dedicated files named <hive><GUID>.TMContainer<number>.regtrans-ms or <hive><GUID>.TxR.<number>.regtrans-ms. These are CLFS containers that are referenced in a master.blf, and they can be found in various locations, including user profile directories.
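
When inventorying CLFS files on a system, the naming scheme above can be used to separate the KTM registry transaction containers from other CLFS-looking files that deserve a closer look. The following Python sketch is an added example, not part of the original article; the brace-wrapped GUID form, the .blf extension check and all sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming scheme from the text: <hive><GUID>.TMContainer<number>.regtrans-ms
# or <hive><GUID>.TxR.<number>.regtrans-ms. Assumption: the GUID is written
# in braces, e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
KTM_NAME = re.compile(
    r"^(?P<hive>.+?)"
    r"\{(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}"
    r"\.(?:TMContainer(?P<tm>\d+)|TxR\.(?P<txr>\d+))\.regtrans-ms$",
    re.IGNORECASE,
)

def parse_ktm_name(path):
    """Return (hive, guid, kind, number) for a KTM registry container, else None."""
    m = KTM_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    kind = "TMContainer" if m.group("tm") is not None else "TxR"
    number = int(m.group("tm") or m.group("txr"))
    return m.group("hive"), m.group("guid").lower(), kind, number

def triage(paths):
    """Group expected containers by (directory, hive, guid); list other CLFS-looking files."""
    expected, review = defaultdict(list), []
    for p in paths:
        wp = PureWindowsPath(p)
        parsed = parse_ktm_name(p)
        if parsed:
            hive, guid, kind, number = parsed
            expected[(str(wp.parent), hive, guid)].append((kind, number))
        elif wp.suffix.lower() in (".blf", ".regtrans-ms"):
            # Assumed CLFS-related extension, but the name does not follow the scheme.
            review.append(p)
    return dict(expected), review

# Constructed sample listing (not taken from a real system).
BASE = r"C:\Users\alice\NTUSER.DAT{11111111-2222-3333-4444-555555555555}"
SAMPLE = [
    BASE + ".TMContainer00000000000000000001.regtrans-ms",
    BASE + ".TMContainer00000000000000000002.regtrans-ms",
    BASE + ".TxR.0.regtrans-ms",
    r"C:\Users\alice\AppData\Local\Temp\data.TMContainer1.regtrans-ms",
    r"C:\ProgramData\Example\cache.blf",
    r"C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A name that matches the scheme is only a triage signal; it says nothing about the records stored inside the file.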