Forensic analysis of ReFS journaling

Abstract

Since the analysis of file system is a fundamental step in forensic investigation, file system forensics has been steadily researched. Especially, NTFS forensics has been mainstream research as it is used by Windows, a globally most-used operating system. When investigating NTFS, journaling analysis is an important procedure as it can identify which files are created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to be a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, there are artifacts in ReFS: the Logfile and the Change Journal that document information regarding changes to the system. In this paper, we present the structure and operation of the Logfile and the Change Journal. By kernel reverse engineering, we identify that the ReFS artifacts related to journaling are quite different from the NTFS artifacts; the ReFS artifacts use new record formats, named Log Record and USN_RECORD_V3, and the metadata of ReFS handling journaling files is distinct from that of NTFS. Through experiments, we identify logging patterns of transaction record and examine the mechanism of ReFS journaling. In this process, we enhance the knowledge of the metadata and structure of ReFS presented by previous research. Based on the result of our research, we also propose a forensic methodology of ReFS journaling and develop a tool, Awesome ReFS Investigation tool (ARIN), which is an open-source for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner trying to investigate ReFS volumes. (c) 2021 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).