Forensic Analysis of the Resilient File System (ReFS) Version 3.4

Prade P, Groß T, Dewald A (2020)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2020

Publisher: Elsevier

Conference Proceedings Title: Proceedings of the Seventh Annual DFRWS Europe

Event location: Oxford, United Kingdom

DOI: 10.1016/j.fsidi.2020.300915

Open Access Link: https://www.sciencedirect.com/science/article/pii/S266628172030010X?via=ihub

Abstract

ReFS is a modern file system that is developed by Microsoft, and its internal structures and behavior are not officially documented. Even though there exist some analysis efforts in deciphering its data structures, some of these findings have since become deprecated and can no longer be applied to current ReFS versions. In this work, general concepts and internal structures found in ReFS are examined and documented. Based on the structures and the processes by which they are modified, approaches to recover (deleted) files from ReFS formatted file systems are shown. We also evaluated our implementation and the allocation strategy of ReFS with respect to accuracy, runtime and the ability to recover older file states.

How to cite

APA:

Prade, P., Groß, T., & Dewald, A. (2020). Forensic Analysis of the Resilient File System (ReFS) Version 3.4. In Proceedings of the Seventh Annual DFRWS Europe. Oxford, United Kingdom: Elsevier.

MLA:

Prade, Paul, Tobias Groß, and Andreas Dewald. "Forensic Analysis of the Resilient File System (ReFS) Version 3.4." Proceedings of the DFRWS 2020 EU, Oxford, United Kingdom Elsevier, 2020.