Windows Resilient File System Forensics

Ken Mizota

In the fall of 2012, Microsoft made Windows Server 2012 generally available with a quietly announced feature: Resilient File System (ReFS). Of course, Microsoft does not roll out new file systems casually, and when they do, the ripple effects are generally felt slowly. NTFS has been generally available since Windows NT 3.1, released in 1993. If one runs a data center of any size, swapping out the underlying file system of critical or precious data is not a decision taken lightly. In large part, this justifies a general complacence in our field of digital forensics tools when considering how to deal with this new file system. Today, ReFS is a rare bird: investigators just don’t see it very often. We think that is going to begin to change later this year.


As of today, ReFS is only available in Windows Server 2012. However, starting in Windows 8.1, currently slated for release in October 2013, ReFS is expected to be part of the flagship Windows desktop OS. Pre-release builds confirm this addition. What does this mean to digital investigators? Simply put, unless you relish the act of file system introspection, your digital forensic tools should perform the duty of parsing ReFS formatted devices. EnCase Version 7.08 brings support for parsing, browsing, and analyzing ReFS formatted devices.

Before we go any further, I’ll share a bit of history on ReFS. ReFS is built for storing data, and lots of it. ReFS is built to scale to 262,000 exabytes per volume, containing 18 quintillion files per volume. Compare this with NTFS, which is built to handle only 16 exabytes, and you begin to see the intent and audience for the file system: organizations and people who have tons of data. If you have a lot of data, your primary concern after storing it is certainly keeping it. Integrity needs to be maintained. Windows ReFS is not just built to store data; it also makes it simpler to maintain the integrity of that data.

There’s somewhat scant information about the guts of ReFS available for public consumption, and what is available is scattered across a number of different sources. These should give you a taste for what we’re dealing with:

Now that you understand a bit of the back story, explaining how EnCase Version 7.08 understands ReFS is straightforward. EnCase Version 7.08 will allow you to:
  • Add ReFS formatted evidence to your case
  • View permissions, extents and file descriptions
  • Apply any EnCase analysis method:
    • File system browse
    • Raw keyword search
    • Transcript
    • Index
    • Find email
    • Expanding compound files
    • File Carver
    • And more…

Perhaps this all sounds a bit unspectacular, as it is old hat to any seasoned investigator. However, from our perspective, it is big news. ReFS is in its infancy in the datacenter today, but it is going to be available as consumer tech, likely this year. Some of the most difficult cases are those encompassing the most data, e.g. corporate file servers, child exploitation distributors and producers. Digital investigation tools need to be able to reduce the effort and time spent by investigators. Support for file systems is an absolutely fundamental way EnCase provides value to investigators.

Investigators don’t have the luxury of dictating what devices to investigate. By the time a ReFS image hits an investigator’s desk, if the tools don’t support ReFS, it’s probably too late. We don’t want that to happen, and we hope our efforts to support ReFS keep investigators out of that quandary.

We’re looking forward to releasing EnCase Version 7.08 to the public, and I’m interested to hear your experience or commentary on ReFS, or really any other file system for that matter. If file systems lay the pavement on the road for the investigator, where are your tools currently failing to provide that surface?