Monday, January 20, 2014

An Introduction to the ReFS Forensics Adventure

This is my first post in a series of posts for my Digital Forensics Capstone. At Champlain College, each senior has the ability to choose one project and conduct cutting-edge research on it; I have chosen to do my project on Resilient File System (ReFS).

ReFS is a new file system, currently available in Windows Server 2012. The features of ReFS are said to include integrity, availability, scalability, compatibility, and proactive error identification. The resiliency comes from its ability to survive even the most severe corruption.

I will be using a clean Windows Server 2012 virtual machine (VM) for this project. Inside this VM will be two virtual drives, one formatted as ReFS and one formatted as New Technology File System (NTFS). Additionally, I will use an external hard drive formatted as ReFS. I will image each drive using Forensic Toolkit (FTK) Imager Lite before making any changes to the drive. Once I have these baseline images I will add identical data to each of the drives and image them again. This process will be repeated multiple times. I can then analyze these images to attempt to answer the research questions below.
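The baseline-then-re-image workflow above boils down to one question per iteration: which parts of the image changed after identical data was written? The following script is an added example, not code from the original post or from FTK Imager: it hashes two raw (dd-style) images so the baseline can be shown to be unmodified, then compares them block by block and reports the offsets that differ, which is where the on-disk structures worth examining will be. The 512-byte block size, the function names, and the in-memory sample images are all assumptions made for this illustration; the sample bytes are constructed placeholders, not real ReFS structures.

```python
"""Block-level comparison of a baseline disk image against a later image.

Added example for the imaging workflow described above. Assumptions (not from
the original post): images are raw byte streams, the block size is 512 bytes,
and the sample images below are constructed in memory as placeholders.
"""
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 512  # assumed sector size of the raw images


def sha256_hex(data: bytes) -> str:
    """Hash an image; recording this for the baseline proves it was not
    altered between acquisition and comparison."""
    return hashlib.sha256(data).hexdigest()


def changed_blocks(baseline: bytes, later: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Return the index of every block whose bytes differ between the images.

    If one image is longer, the tail blocks present in only one of them are
    reported as changed, since a re-imaged drive that changed size is itself a
    finding worth recording rather than something to silently ignore.
    """
    n_blocks = -(-max(len(baseline), len(later)) // block_size)  # ceiling division
    diffs = []
    for i in range(n_blocks):
        start = i * block_size
        if baseline[start:start + block_size] != later[start:start + block_size]:
            diffs.append(i)
    return diffs


def diff_report(baseline: bytes, later: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Summarise one baseline/later comparison the way a lab notebook entry would."""
    blocks = changed_blocks(baseline, later, block_size)
    return {
        "baseline_sha256": sha256_hex(baseline),
        "later_sha256": sha256_hex(later),
        "total_blocks": -(-max(len(baseline), len(later)) // block_size),
        "changed_blocks": blocks,
        "changed_offsets": [i * block_size for i in blocks],  # byte offsets to open in a hex viewer
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample: a 16-block baseline and a later image in which one
    'metadata' block and one 'file data' block were written. Placeholder bytes,
    not real ReFS or NTFS content."""
    baseline = bytearray(16 * BLOCK_SIZE)
    baseline[0:8] = b"IMAGEHDR"  # placeholder volume header in block 0
    later = bytearray(baseline)
    later[3 * BLOCK_SIZE:3 * BLOCK_SIZE + 16] = b"METADATA-UPDATED"  # block 3 touched
    later[10 * BLOCK_SIZE:10 * BLOCK_SIZE + 9] = b"FILE DATA"         # block 10 touched
    return bytes(baseline), bytes(later)


if __name__ == "__main__":
    base, late = build_sample_images()
    report = diff_report(base, late)
    print(f"baseline sha256: {report['baseline_sha256']}")
    print(f"later    sha256: {report['later_sha256']}")
    print(f"{len(report['changed_blocks'])} of {report['total_blocks']} blocks changed")
    for idx, off in zip(report["changed_blocks"], report["changed_offsets"]):
        print(f"block {idx:6d} at byte offset {off:10d}")
```

For real images, read both files with `open(path, "rb").read()` (or stream them in block-sized chunks for large drives) and feed the bytes to `diff_report`; the changed offsets for the ReFS image and the NTFS image, taken after the same data was added, are the natural starting point for the metadata comparisons listed in the research questions.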

[Image: Windows Server 2012 logo]

Windows Server 2012: Main operating system being used for this project

The questions I would like to answer through my research include:
  • What does the structure of ReFS look like?
  • Are there any logs or file tables specific to ReFS?
  • What actions cause the metadata of a file to change in ReFS?
  • How does the metadata of a file on a ReFS volume compare to the metadata of a file on an NTFS volume?
  • How does a file's metadata change when it is moved from NTFS to ReFS or ReFS to NTFS?

Sources:
MSDN: Resilient File System
Building the Next Generation File System for Windows: ReFS