I am nearing the end of my semester and finishing up my Capstone project. I have made quite a bit of progress in discovering ReFS's structure and how it compares to NTFS. Below are my findings, including updates to the findings talked about in my post, File Tables in ReFS.
Findings:

- There is a file-table-like structure in ReFS that could be compared to NTFS. My last post, ReFS/NTFS Comparison, shows a comparison breakdown between the two file systems.
- The beginning of each table has MACE times associated with it. The created time for each of the tables is the same, which could indicate that the file was copied and then modified by the system to reflect new files being created or other changes.
- According to Microsoft, ADS is not supported in ReFS. While an alternate stream cannot be found on the system, if an ADS consists of text, the text can be found in the file table. If the text is too long for the file table, it will be pushed into unallocated space. An ADS consisting of a file or executable is not possible. When the command is run to make this type of ADS, the response is "The requested operation could not be completed due to a file system limitation."
- ReFS is not bootable. This is an important fact because not being bootable means that it cannot be the only volume on a system. As of right now, ReFS drives are mainly going to be data storage devices such as drives found in servers. This is due to their resiliency and ability to house extremely large files.
- Compared to NTFS, there is the possibility for significantly more slack space with ReFS. This is due to the file system defaulting to large cluster sizes. This allows users to hide data in slack space, the space at the end of a file before the next cluster begins, and forensic examination tools do not always pick up on this.
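To put numbers on the slack-space finding above, here is an added example (my own illustration, not code from the original post or from any ReFS tool) that computes how much file slack a set of files leaves under a small versus a large cluster size and then scans the slack portion of a constructed cluster-sized buffer for non-NUL residue. The cluster sizes (4 KiB for NTFS, 64 KiB for ReFS) are assumptions for the comparison; the post does not state exact values.

```python
# Added example: quantify file slack under different cluster sizes and
# inspect the slack region for leftover content. NTFS_CLUSTER and
# REFS_CLUSTER are assumed values chosen for illustration.

NTFS_CLUSTER = 4 * 1024    # assumption: 4 KiB clusters
REFS_CLUSTER = 64 * 1024   # assumption: 64 KiB clusters


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes between a file's logical end and the end of its last cluster."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


def compare_slack(file_sizes, ntfs=NTFS_CLUSTER, refs=REFS_CLUSTER) -> dict:
    """Total slack the same files would leave on each cluster size."""
    return {
        "ntfs": sum(slack_bytes(s, ntfs) for s in file_sizes),
        "refs": sum(slack_bytes(s, refs) for s in file_sizes),
    }


def slack_region(cluster_data: bytes, file_size: int, cluster_size: int) -> bytes:
    """Slice out the slack portion of the clusters allocated to a file."""
    end = file_size + slack_bytes(file_size, cluster_size)
    return cluster_data[file_size:end]


def nonzero_slack(cluster_data: bytes, file_size: int, cluster_size: int) -> bytes:
    """Slack content with NUL padding stripped; empty means nothing unusual."""
    return slack_region(cluster_data, file_size, cluster_size).strip(b"\x00")


def build_sample() -> bytes:
    """Constructed sample: a 10,000-byte file in one 64 KiB cluster, with a
    marker written past the file's logical end (i.e. into its slack)."""
    data = bytearray(REFS_CLUSTER)
    data[:10_000] = b"A" * 10_000
    marker = b"hidden in slack"
    data[20_000:20_000 + len(marker)] = marker
    return bytes(data)


if __name__ == "__main__":
    print(compare_slack([10_000, 100_000]))
    print(nonzero_slack(build_sample(), 10_000, REFS_CLUSTER))
```

On a real image the same slice logic applies once the file's logical size and cluster run are known from the file table; the point is that any non-NUL bytes past the logical end deserve a look.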
These findings will allow investigators to be aware of where data can be hidden on a ReFS drive and allow them to manually parse the file system to find any necessary metadata. Future work such as analyzing RAM dumps, decoding metadata files, and continuing to parse the file table will be important in order to fully understand how ReFS works.