Hilgert, Jan-Niclas: Contemporary File System Forensic Analysis. - Bonn, 2025. - Dissertation, Rheinische Friedrich-Wilhelms-Universität Bonn.
Online edition in bonndoc: https://nbn-resolving.org/urn:nbn:de:hbz:5-83808
@phdthesis{handle:20.500.11811/13313,
urn = {https://nbn-resolving.org/urn:nbn:de:hbz:5-83808},
author = {{Jan-Niclas Hilgert}},
title = {Contemporary File System Forensic Analysis},
school = {Rheinische Friedrich-Wilhelms-Universität Bonn},
year = 2025,
month = aug,

note = {This work bridges the gap between traditional and contemporary file system forensic analysis by addressing the limitations of Brian Carrier's foundational 2005 workflow for file system analysis. While Carrier's model has remained the de facto standard for nearly two decades, it has neither been updated nor its applicability evaluated for file systems commonly used today, such as ZFS, BTRFS, and MooseFS. These modern file systems introduce complexities - such as pooled storage, the concept of stacked file systems, and network-enhanced functionality - that are beyond the scope of the original workflow and forensic tools like The Sleuth Kit.
To address these shortcomings, this research proposes an extended forensic workflow by introducing two new analysis steps: pool analysis and stacked file system analysis. Pool analysis enables the reconstruction and forensic examination of pooled storage file systems, while stacked file system analysis provides a framework for analyzing file systems that store their data on an underlying file system.
Furthermore, this work explores the integration of network analysis to enhance file system forensics, leveraging network protocols like SMB to reconstruct file systems and user activities from network traffic. Tools such as pcapFS and SMB Command Fingerprinting (SCF) are developed and implemented, offering novel capabilities to recover historical file versions or reconstruct user interactions.
Our findings establish the limitations of Carrier's workflow in the context of contemporary file system analysis and demonstrate the efficacy of our extended model. Thus, our work equips digital forensic analysts with the methods and tools necessary to address contemporary file systems and their challenges as well as leverage the unique features they provide.},

url = {https://hdl.handle.net/20.500.11811/13313}
}

The following terms of use are associated with this resource:

Attribution-NonCommercial-NoDerivatives 4.0 International