Forensic analysis of ReFS journaling

Seonho Lee, Jungheum Park, Hyunuk Hwang, Seungyoung Lee, Sangjin Lee, Doowon Jeong

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)

Abstract

Since the analysis of file system is a fundamental step in forensic investigation, file system forensics has been steadily researched. Especially, NTFS forensics has been mainstream research as it is used by Windows, a globally most-used operating system. When investigating NTFS, journaling analysis is an important procedure as it can identify which files are created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to be a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, there are artifacts in ReFS: the Logfile and the Change Journal that document information regarding changes to the system. In this paper, we present the structure and operation of the Logfile and the Change Journal. By kernel reverse engineering, we identify that the ReFS artifacts related to journaling are quite different from the NTFS artifacts; the ReFS artifacts use new record formats, named Log Record and USN_RECORD_V3, and the metadata of ReFS handling journaling files is distinct from that of NTFS. Through experiments, we identify logging patterns of transaction record and examine the mechanism of ReFS journaling. In this process, we enhance the knowledge of the metadata and structure of ReFS presented by previous research. Based on the result of our research, we also propose a forensic methodology of ReFS journaling and develop a tool, Awesome ReFS Investigation tool (ARIN), which is an open-source for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner trying to investigate ReFS volumes.

Original languageEnglish
Article number301136
JournalForensic Science International: Digital Investigation
Volume38
DOIs
Publication statusPublished - 2021 Oct

Bibliographical note

Publisher Copyright:
© 2021 The Authors

Keywords

  • File system
  • Journaling
  • Logfile
  • ReFS
  • Transaction

ASJC Scopus subject areas

  • Information Systems
  • Medical Laboratory Technology
  • Law
  • Pathology and Forensic Medicine
  • Computer Science Applications

Fingerprint

Dive into the research topics of 'Forensic analysis of ReFS journaling'. Together they form a unique fingerprint.

Cite this