Title
Reverse engineering of ReFS.
Abstract
File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, exFAT, Ext2-4, HFS+, APFS, etc. NTFS is the current file system used by Windows for the system volume, but this may change in the future. In this paper we will show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. The main purpose of ReFS is to be used on storage spaces in server systems, but it can also be used in Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS file systems, and digital forensic investigators need to investigate the file systems identified on seized media. Further, we will focus on remnants of non-allocated metadata structures or attributes. This may allow metadata carving, which means searching for specific attributes that are not allocated. Attributes found can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which is different from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery. Further, it is possible to search for checkpoints in order to recover both metadata and content.
Year
2019
DOI
10.1016/j.diin.2019.07.004
Venue
Digital Investigation
Keywords
Digital forensics, ReFS, File system
Field
Data mining, File system, Digital forensics, Computer science, ReFS, File carving, exFAT, Windows Server, Abstraction layer, Database, Backup
DocType
Journal
Volume
30
ISSN
1742-2876
Citations
3
PageRank
0.43
References
0
Authors
4

Name              Order  Citations  PageRank
Rune Nordvik      1      5          1.85
Henry Georges     2      3          0.43
Fergus Toolan     3      5          1.85
Stefan Axelsson   4      10         5.94