Contemporary File System Forensic Analysis

dc.contributor.advisor: Martini, Peter
dc.contributor.author: Hilgert, Jan-Niclas
dc.date.accessioned: 2025-08-06T08:54:09Z
dc.date.available: 2025-08-06T08:54:09Z
dc.date.issued: 06.08.2025
dc.identifier.uri: https://hdl.handle.net/20.500.11811/13313
dc.description.abstract (en): This work bridges the gap between traditional and contemporary file system forensic analysis by addressing the limitations of Brian Carrier's foundational 2005 workflow for file system analysis. While Carrier's model has remained the de facto standard for nearly two decades, it has neither been updated nor its applicability evaluated for file systems commonly used today, such as ZFS, BTRFS, and MooseFS. These modern file systems introduce complexities - such as pooled storage, the concept of stacked file systems, and network-enhanced functionality - that are beyond the scope of the original workflow and forensic tools like The Sleuth Kit.
To address these shortcomings, this research proposes an extended forensic workflow by introducing two new analysis steps: pool analysis and stacked file system analysis. Pool analysis enables the reconstruction and forensic examination of pooled storage file systems, while stacked file system analysis provides a framework for analyzing file systems that store their data on an underlying file system.
Furthermore, this work explores the integration of network analysis to enhance file system forensics, leveraging network protocols like SMB to reconstruct file systems and user activities from network traffic. Tools such as pcapFS and SMB Command Fingerprinting (SCF) are developed and implemented, offering novel capabilities to recover historical file versions or reconstruct user interactions.
Our findings establish the limitations of Carrier's workflow in the context of contemporary file system analysis and demonstrate the efficacy of our extended model. Thus, our work equips digital forensic analysts with the methods and tools necessary to address contemporary file systems and their challenges as well as leverage the unique features they provide.
dc.language.iso: eng
dc.rights: Attribution-NonCommercial-NoDerivatives 4.0 International
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/4.0/
dc.subject: Digitale Forensik
dc.subject: Dateisysteme
dc.subject: Datenrekonstruktion
dc.subject: Digital Forensics
dc.subject: File Systems
dc.subject: Data Reconstruction
dc.subject.ddc: 004 Informatik
dc.title: Contemporary File System Forensic Analysis
dc.type: Dissertation oder Habilitation
dc.publisher.name: Universitäts- und Landesbibliothek Bonn
dc.publisher.location: Bonn
dc.rights.accessRights: openAccess
dc.identifier.urn: https://nbn-resolving.org/urn:nbn:de:hbz:5-83808
dc.relation.doi: https://doi.org/10.1016/j.diin.2017.06.003
dc.relation.doi: https://doi.org/10.1016/j.diin.2018.04.020
dc.relation.doi: https://doi.org/10.1016/j.fsidi.2023.301678
dc.relation.doi: https://doi.org/10.1016/j.fsidi.2024.301807
ulbbn.pubtype: Erstveröffentlichung
ulbbnediss.affiliation.name: Rheinische Friedrich-Wilhelms-Universität Bonn
ulbbnediss.affiliation.location: Bonn
ulbbnediss.thesis.level: Dissertation
ulbbnediss.dissID: 8380
ulbbnediss.date.accepted: 17.06.2025
ulbbnediss.institute: Mathematisch-Naturwissenschaftliche Fakultät : Fachgruppe Informatik / Institut für Informatik
ulbbnediss.fakultaet: Mathematisch-Naturwissenschaftliche Fakultät
dc.contributor.coReferee: Padilla, Elmar
ulbbnediss.contributor.orcid: https://orcid.org/0009-0000-5308-5712


The following terms of use are associated with this resource:

Attribution-NonCommercial-NoDerivatives 4.0 International