File System Forensic Analysis
Building intelligence for software defined data centers: modeling usage patterns
Proceedings of the 6th International Systems and Storage Conference
Hi-index | 0.00 |
ZFS is a relatively new, open source file system designed and developed by Sun Microsystems. The stated intent was to develop ''...a new kind of file system that provides simple administration, transactional semantics, end-to-end data integrity, and immense scalability'' (OpenSolaris community). Its functionality, architecture, and disk layout take a relatively radical departure from many commonly used file systems (e.g. FAT, NTFS, EXT2/3, UFS, HFS+, etc.). Since file systems play a very important role in how and where data are stored, as well as the likelihood of their retrieval during digital forensic investigations, it is important that forensics researchers and practitioners understand ZFS and its forensic implications. That is the goal of this article. We first provide the reader with a primer of sorts about ZFS, which lays the foundation for our discussion of ZFS forensics. We then present the results of our analysis of ZFS functionality, architecture, and disk layout - identifying and discussing several digital forensic artifacts and challenges unique to ZFS.