Forensic analysis of ReFS journaling
- Authors
- Lee, Seonho; Park, Jungheum; Hwang, Hyunuk; Lee, Seungyoung; Lee, Sangjin; Jeong, Doowon
- Issue Date
- Oct-2021
- Publisher
- ELSEVIER SCI LTD
- Keywords
- File system; Journaling; Logfile; ReFS; Transaction
- Citation
- FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, v.38
- Indexed
- SCIE; SCOPUS
- Journal Title
- FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION
- Volume
- 38
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/136288
- DOI
- 10.1016/j.fsidi.2021.301136
- ISSN
- 2666-2817
- Abstract
- Since analysis of the file system is a fundamental step in a forensic investigation, file system forensics has been researched steadily. In particular, NTFS forensics has been the mainstream of this research because NTFS is used by Windows, the world's most widely used operating system. When investigating NTFS, journaling analysis is an important procedure because it can identify which files were created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to become a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, ReFS has artifacts, the Logfile and the Change Journal, that document changes to the file system. In this paper, we present the structure and operation of the Logfile and the Change Journal. Through kernel reverse engineering, we identify that the ReFS artifacts related to journaling differ considerably from the NTFS artifacts: the ReFS artifacts use new record formats, named Log Record and USN_RECORD_V3, and the ReFS metadata that handles the journaling files is distinct from that of NTFS. Through experiments, we identify the logging patterns of transaction records and examine the mechanism of ReFS journaling. In this process, we extend the knowledge of ReFS metadata and structure presented by previous research. Based on these results, we also propose a forensic methodology for ReFS journaling and develop the Awesome ReFS Investigation tool (ARIN), an open-source tool for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner investigating ReFS volumes. (c) 2021 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
- Files in This Item
- There are no files associated with this item.
- Appears in Collections
- School of Cyber Security > Department of Information Security > 1. Journal Articles