Forensic Analysis of the Resilient File System (ReFS) Version 3.4

Prade P, Groß T, Dewald A (2019)


Publication Language: English

Publication Type: Other publication type

Publication year: 2019

Series: Technical reports / Department Informatik

URI: https://opus4.kobv.de/opus4-fau/files/12526/refs_report.pdf

DOI: 10.25593/issn.2191-5008/CS-2019-05

Open Access Link: https://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/12526

Abstract

ReFS is a modern file system developed by Microsoft; its internal structures and behavior are not officially documented. Although there have been some efforts to decipher its data structures, some of those findings have since become outdated and can no longer be applied to current ReFS versions. In this work, general concepts and internal structures found in ReFS are examined and documented. Based on these structures and the processes by which they are modified, approaches to recovering (deleted) files from ReFS-formatted file systems are shown. We also evaluated our implementation and the allocation strategy of ReFS with respect to accuracy, runtime, and the ability to recover older file states. In addition, we extended The Sleuth Kit so that it can parse ReFS partitions, and built a carver on top of that extended version of The Sleuth Kit.

How to cite

APA:

Prade, P., Groß, T., & Dewald, A. (2019). Forensic Analysis of the Resilient File System (ReFS) Version 3.4.

MLA:

Prade, Paul, Tobias Groß, and Andreas Dewald. Forensic Analysis of the Resilient File System (ReFS) Version 3.4. 2019.