Detailed Information

Cited 0 time in webofscience Cited 0 time in scopus
Metadata Downloads

Forensic analysis of ReFS journaling

Authors
Lee, SeonhoPark, JungheumHwang, HyunukLee, SeungyoungLee, SangjinJeong, Doowon
Issue Date
10월-2021
Publisher
ELSEVIER SCI LTD
Keywords
File system; Journaling; Logfile; ReFS; Transaction
Citation
FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, v.38
Indexed
SCIE
SCOPUS
Journal Title
FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION
Volume
38
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/136288
DOI
10.1016/j.fsidi.2021.301136
ISSN
2666-2817
Abstract
Since the analysis of file system is a fundamental step in forensic investigation, file system forensics has been steadily researched. Especially, NTFS forensics has been mainstream research as it is used by Windows, a globally most-used operating system. When investigating NTFS, journaling analysis is an important procedure as it can identify which files are created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to be a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, there are artifacts in ReFS: the Logfile and the Change Journal that document information regarding changes to the system. In this paper, we present the structure and operation of the Logfile and the Change Journal. By kernel reverse engineering, we identify that the ReFS artifacts related to journaling are quite different from the NTFS artifacts; the ReFS artifacts use new record formats, named Log Record and USN_RECORD_V3, and the metadata of ReFS handling journaling files is distinct from that of NTFS. Through experiments, we identify logging patterns of transaction record and examine the mechanism of ReFS journaling. In this process, we enhance the knowledge of the metadata and structure of ReFS presented by previous research. Based on the result of our research, we also propose a forensic methodology of ReFS journaling and develop a tool, Awesome ReFS Investigation tool (ARIN), which is an open-source for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner trying to investigate ReFS volumes. (c) 2021 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Files in This Item
There are no files associated with this item.
Appears in
Collections
School of Cyber Security > Department of Information Security > 1. Journal Articles

qrcode

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Researcher LEE, SANG JIN photo

LEE, SANG JIN
정보보호학과
Read more

Altmetrics

Total Views & Downloads

BROWSE