The Forensic Implications of Microsoft’s New File System

Microsoft has announced that the server version of Windows 8 will include a new file system called the Resilient File System (ReFS). ReFS is an attempt to stay ahead of the curve of the extremely large storage systems needed for cloud services. Currently all versions of Windows use NTFS, a generally well regarded file system that has enjoyed a long lifespan since its introduction in 1993 with Windows NT 3.1.

File systems matter enormously to forensic examiners, because we and our tools depend on reading the disk both through and around the file system. That means being able to (i) use the file system to see the files as the user sees them and (ii) ignore the file system to examine the contents of the unallocated clusters: data the operating system no longer tracks but that is still on the disk. In other words, a new file system means a lot of reverse engineering for computer forensic software companies and retraining for examiners.
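The two views in (i) and (ii) can be shown on a toy volume. The following is an added example, not code from the original post: it constructs a small raw image with a simple allocation bitmap and directory (the on-disk layout, cluster size, and file names are all invented for illustration and do not match NTFS or ReFS), "deletes" one file the way a file system does by dropping its directory entry and clearing its bitmap bits, and then contrasts what the file-system view returns with what a signature carve over the free clusters recovers.

```python
"""Toy volume: allocation bitmap + directory, with a deleted file whose
clusters are freed but whose bytes remain on disk (constructed example,
not a real file-system layout)."""

CLUSTER_SIZE = 512
N_CLUSTERS = 16

# Real magic bytes for three common formats; the list is illustrative.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def build_volume():
    """Construct a raw volume image, its allocation bitmap and directory.

    Three files are written; then 'memo.pdf' is deleted the way a file
    system deletes: its directory entry and bitmap bits are dropped, but
    the contents of its clusters are left untouched.
    """
    vol = bytearray(CLUSTER_SIZE * N_CLUSTERS)
    bitmap = 0                      # bit i set -> cluster i allocated
    directory = {}                  # name -> (first_cluster, length)

    def write_file(name, first, data):
        nonlocal bitmap
        vol[first * CLUSTER_SIZE:first * CLUSTER_SIZE + len(data)] = data
        n = -(-len(data) // CLUSTER_SIZE)   # clusters needed (ceil)
        for c in range(first, first + n):
            bitmap |= 1 << c
        directory[name] = (first, len(data))

    write_file("notes.txt", 2, b"meeting at 10\n")
    write_file("memo.pdf", 4, b"%PDF-1.4\n%constructed sample\n" + b"x" * 700)
    write_file("logo.png", 9, b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)

    # Delete memo.pdf: the metadata goes away, the data stays.
    first, length = directory.pop("memo.pdf")
    for c in range(first, first + -(-length // CLUSTER_SIZE)):
        bitmap &= ~(1 << c)
    return bytes(vol), bitmap, directory


def list_files(vol, directory):
    """View (i): the files as the user and the operating system see them."""
    return {name: vol[f * CLUSTER_SIZE:f * CLUSTER_SIZE + n]
            for name, (f, n) in directory.items()}


def unallocated_clusters(bitmap, n_clusters=N_CLUSTERS):
    """Clusters the bitmap marks free: the OS no longer tracks them."""
    return [c for c in range(n_clusters) if not bitmap & (1 << c)]


def carve(vol, clusters):
    """View (ii): scan free clusters for known headers, ignoring the
    directory entirely. Returns [(cluster, kind, payload)], where payload
    is the run of contiguous free clusters starting at the hit. That is
    a simplification: real carvers also use footers and embedded sizes
    to trim the result."""
    free = set(clusters)
    hits = []
    for c in clusters:
        head = vol[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                end = c
                while end + 1 in free:
                    end += 1
                hits.append((c, kind, vol[c * CLUSTER_SIZE:(end + 1) * CLUSTER_SIZE]))
    return hits


if __name__ == "__main__":
    vol, bitmap, directory = build_volume()
    print("file system view:", sorted(list_files(vol, directory)))
    for cluster, kind, payload in carve(vol, unallocated_clusters(bitmap)):
        print(f"carved {kind} at cluster {cluster}: {payload[:30]!r}")
```

The directory view never mentions memo.pdf again, while the carve over free clusters finds its header at cluster 4 and pulls the bytes back. Every structure here (bitmap layout, directory format, cluster size) is specific to the toy and has to be relearned for each real file system, which is the retraining cost the paragraph above describes.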

Does this mean that a computer forensic examiner is likely to see a ReFS file system any time soon? No. The file system is not supported on removable media and offers little on systems with only a single drive or a small disk array. One of the big leaps in NTFS was that its key quantities were sized for the then-new standard of 32-bit operating systems. Now that operating systems are standardizing on 64 bits, ReFS stores all key numbers as 64-bit integers. That allows a maximum single-file size of 16 exbibytes (2^64 bytes, roughly sixteen million terabytes) and a maximum volume size of one yobibyte (roughly a trillion terabytes). This is a file system for cloud data centers, a category of computing for which the traditional whole-disk imaging approach to forensics has already become impractical. Still, nobody is proven wrong as consistently as the one who says 'that will never be seen on the desktop'.

From Microsoft's description, ReFS appears to borrow many of the concepts of WinFS, which was initially planned for Windows Vista but later delayed and dropped. It treats the file system as essentially one large database, with the file data itself stored as table contents. This allows much more efficient searching and makes file metadata extensible. Together with the Storage Spaces feature announced alongside it, ReFS also abstracts the disks themselves, managing and correcting for striping and mirroring of data across drives, systems, and controllers, and allowing drives, systems, and controllers to be added and removed dynamically, with dynamic recovery. To put it another way, it should never be necessary to take down a file system. Needless to say, such dynamic redundancy is only possible with the number of drives, systems, and controllers found in a massive data center. You can't 'image' such a data center. Not only is that impractical in time and in number of disks, but in most conceivable scenarios it would violate the privacy of many people who are not the subject of the investigation.

ReFS, and the size and complexity of the storage systems it enables, may be the final push that moves computer forensics entirely to live-system forensics.
