Digital forensic implications of ZFS

  • Authors:
  • Nicole Lang Beebe;Sonia D. Stacy;Dane Stuckey

  • Affiliations:
  • Dept. of Information Systems & Technology Management, The University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA;Dept. of Information Systems & Technology Management, The University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA;Dept. of Information Systems & Technology Management, The University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA

  • Venue:
  • Digital Investigation: The International Journal of Digital Forensics & Incident Response
  • Year:
  • 2009

Abstract

ZFS is a relatively new, open source file system designed and developed by Sun Microsystems. The stated intent was to develop "...a new kind of file system that provides simple administration, transactional semantics, end-to-end data integrity, and immense scalability" (OpenSolaris community). Its functionality, architecture, and disk layout take a relatively radical departure from many commonly used file systems (e.g. FAT, NTFS, EXT2/3, UFS, HFS+, etc.). Since file systems play a very important role in how and where data are stored, as well as the likelihood of their retrieval during digital forensic investigations, it is important that forensics researchers and practitioners understand ZFS and its forensic implications. That is the goal of this article. We first provide the reader with a primer of sorts about ZFS, which lays the foundation for our discussion of ZFS forensics. We then present the results of our analysis of ZFS functionality, architecture, and disk layout, identifying and discussing several digital forensic artifacts and challenges unique to ZFS.