Reverse engineering of ReFS
Digital Investigation (IF 2.860), Pub Date: 2019-07-23, DOI: 10.1016/j.diin.2019.07.004
Rune Nordvik , Henry Georges , Fergus Toolan , Stefan Axelsson

File system forensics is an important part of digital forensics. Investigators of storage media have traditionally focused on the most commonly used file systems, such as NTFS, FAT, exFAT, Ext2-4, HFS+ and APFS. NTFS is the file system Windows currently uses for the system volume, but this may change in the future. In this paper we show the structure of the Resilient File System (ReFS), which has been available since Windows Server 2012 and Windows 8. ReFS is primarily intended for Storage Spaces on server systems, but it can also be used on Windows 8 or newer. Although ReFS is not the current standard file system in Windows, users have the option to create ReFS volumes, so digital forensic investigators need to be able to examine any file system identified on seized media. We further focus on remnants of non-allocated metadata structures or attributes. These allow metadata carving, that is, searching for specific attributes that are no longer allocated; attributes found this way can then be used for file recovery. ReFS uses superblocks and checkpoints in addition to a VBR, which differs from other Windows file systems. If the partition is reformatted with another file system, the backup superblocks can be used for partition recovery, and it is also possible to search for checkpoints in order to recover both metadata and content.
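The recovery idea in the paragraph above (a VBR at the start of the volume, superblock and checkpoint pages elsewhere, and page copies that survive a reformat) can be exercised on a constructed image. The following script is an added example written for this page, not code from the paper or its authors. It assumes the ReFS boot-sector layout documented in public ReFS reverse-engineering ("ReFS" OEM id at offset 0x03, "FSRS" at 0x10, sector count at 0x18, bytes per sector at 0x20, sectors per cluster at 0x24, major/minor version at 0x28/0x29) and the ReFS 3.x page signatures "SUPB" (superblock) and "CHKP" (checkpoint). The placement of the superblock at cluster 30 with backups near the end of the volume, and of the checkpoints, is assumed for the sample image, which is constructed in memory and is not a real dump.

```python
"""Locate ReFS structures in a raw volume image: the VBR, superblock (SUPB) and
checkpoint (CHKP) pages, including after the VBR has been overwritten by a reformat."""
import struct

SECTOR = 512                            # assumed sector size of the constructed image
PAGE_SIGNATURES = (b"SUPB", b"CHKP")    # ReFS 3.x page signatures (assumption)


def build_vbr(total_sectors, bytes_per_sector, sectors_per_cluster, major, minor):
    """Construct a minimal ReFS boot sector (field offsets are an assumption, see lead-in)."""
    vbr = bytearray(bytes_per_sector)
    vbr[3:7] = b"ReFS"
    vbr[16:20] = b"FSRS"
    struct.pack_into("<Q", vbr, 24, total_sectors)
    struct.pack_into("<I", vbr, 32, bytes_per_sector)
    struct.pack_into("<I", vbr, 36, sectors_per_cluster)
    vbr[40], vbr[41] = major, minor
    return bytes(vbr)


def parse_vbr(sector):
    """Return the volume geometry parsed from a ReFS VBR, or None if this is not one."""
    if sector[3:7] != b"ReFS" or sector[16:20] != b"FSRS":
        return None
    bps, spc = struct.unpack_from("<II", sector, 32)
    total = struct.unpack_from("<Q", sector, 24)[0]
    # Reject sectors that carry the signatures but implausible geometry.
    if bps not in (512, 4096) or spc == 0 or bps * spc > 64 * 1024:
        return None
    return {"bytes_per_sector": bps, "cluster_size": bps * spc,
            "total_sectors": total, "version": f"{sector[40]}.{sector[41]}"}


def scan_pages(image, step=SECTOR):
    """Carve for superblock/checkpoint signatures at every `step`-aligned offset.
    Scanning at sector rather than cluster granularity means no valid VBR is needed
    to know the cluster size, which is exactly the reformatted-volume case."""
    hits = []
    for off in range(0, len(image) - 4, step):
        sig = image[off:off + 4]
        if sig in PAGE_SIGNATURES:
            hits.append((off, sig.decode()))
    return hits


def analyse(image):
    """Combine VBR parsing (may fail) with signature carving (independent of the VBR)."""
    hits = scan_pages(image)
    return {"vbr": parse_vbr(image[:SECTOR]),
            "superblocks": [o for o, s in hits if s == "SUPB"],
            "checkpoints": [o for o, s in hits if s == "CHKP"]}


def make_sample_image():
    """Constructed 64-cluster image with 4 KiB clusters and a v3.2 VBR (not a real dump)."""
    cluster, n = 4096, 64
    img = bytearray(cluster * n)
    img[:SECTOR] = build_vbr(n * cluster // SECTOR, SECTOR, cluster // SECTOR, 3, 2)
    for c in (30, n - 2, n - 3):        # primary superblock and two backups (assumed placement)
        img[c * cluster:c * cluster + 4] = b"SUPB"
    for c in (31, 32):                  # two checkpoint pages (assumed placement)
        img[c * cluster:c * cluster + 4] = b"CHKP"
    return bytes(img)


def reformat(image):
    """Simulate a quick reformat with another file system: only the VBR is overwritten."""
    img = bytearray(image)
    img[:SECTOR] = b"\x00" * SECTOR
    return bytes(img)


if __name__ == "__main__":
    original = make_sample_image()
    print("intact:     ", analyse(original))
    print("reformatted:", analyse(reformat(original)))
```

On the reformatted image `parse_vbr` returns None, but the signature scan still reports the superblock copies and checkpoints at their original offsets, which is the starting point for partition recovery. On a real image the cluster size should be read from the VBR when it is present, and the page header of each hit should be validated (the paper describes the header fields) before trusting it, since a 4-byte signature alone produces false positives in file content.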

Another concept not previously seen in Windows file systems is block sharing. When a file is copied, the original and the new file share the same content blocks. If the user changes the copy, new data runs are created for the modified content, while unchanged blocks remain shared. This can affect file carving, because some of the blocks previously used by a deleted file may still be in use by another file. The large default cluster size in ReFS v1.2, 64 KiB, is an advantage when carving for deleted files, since most deleted files are smaller than 64 KiB and therefore occupy a single cluster. For ReFS v3.2 this advantage is reduced because the default cluster size is 4 KiB.
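The effect of block sharing on carving is easiest to see with a small model of data runs. The following is an added example written for this page, not code from the paper; it models files as lists of (first cluster, cluster count) runs, uses a trivial bump allocator in place of the real ReFS allocator, and implements the copy and copy-on-write behaviour the paragraph describes in order to show which clusters of a deleted original end up in unallocated space. The file names and sizes are constructed.

```python
"""Toy model of ReFS block sharing on copy, and what it means for carving a deleted file.
Runs are (lcn, count) pairs; 'vcn' is the cluster index inside the file, 'lcn' on the volume."""


class Volume:
    def __init__(self, clusters):
        self.clusters = clusters
        self.next_free = 0          # bump allocator standing in for the real allocator
        self.files = {}             # name -> list of (lcn, count) data runs

    def alloc(self, count):
        lcn = self.next_free
        self.next_free += count
        if self.next_free > self.clusters:
            raise RuntimeError("volume full")
        return lcn

    def create(self, name, clusters):
        self.files[name] = [(self.alloc(clusters), clusters)]

    def copy(self, src, dst):
        # Block sharing: the copy references the same runs, no content is duplicated.
        self.files[dst] = list(self.files[src])

    def write(self, name, first_vcn, count):
        """Copy-on-write of clusters [first_vcn, first_vcn + count) of a file:
        the modified range gets freshly allocated clusters, untouched runs stay shared."""
        new_lcn = self.alloc(count)
        lo, hi = first_vcn, first_vcn + count
        out, vcn = [], 0
        for lcn, n in self.files[name]:
            s, e = vcn, vcn + n
            ovl_s, ovl_e = max(s, lo), min(e, hi)
            if ovl_s >= ovl_e:                      # run untouched by the write
                out.append((lcn, n))
            else:
                if ovl_s > s:                       # unchanged head of the run
                    out.append((lcn, ovl_s - s))
                out.append((new_lcn + (ovl_s - lo), ovl_e - ovl_s))   # rewritten part
                if e > ovl_e:                       # unchanged tail of the run
                    out.append((lcn + (ovl_e - s), e - ovl_e))
            vcn = e
        self.files[name] = out

    def delete(self, name):
        """Remove the file entry and return its runs, as a recovered metadata remnant would."""
        return self.files.pop(name)

    def allocated_clusters(self):
        live = set()
        for runs in self.files.values():
            for lcn, n in runs:
                live.update(range(lcn, lcn + n))
        return live


def clusters_of(runs):
    return [c for lcn, n in runs for c in range(lcn, lcn + n)]


def carving_view(volume, deleted_runs):
    """Split a deleted file's clusters into those an unallocated-space carver would see
    and those still referenced by a live file because they were shared."""
    live = volume.allocated_clusters()
    clusters = clusters_of(deleted_runs)
    return {"unallocated": [c for c in clusters if c not in live],
            "still_allocated": [c for c in clusters if c in live]}


def scenario():
    """Constructed scenario: create A (8 clusters), copy it to B, modify two clusters of B,
    delete A. Returns B's runs and the carving view of the deleted A."""
    v = Volume(64)
    v.create("A", 8)
    v.copy("A", "B")
    v.write("B", 2, 2)
    a_runs = v.delete("A")
    return v.files["B"], carving_view(v, a_runs)


if __name__ == "__main__":
    b_runs, view = scenario()
    print("B runs after copy-on-write:", b_runs)
    print("deleted A, carving view:   ", view)
```

In the scenario only the two clusters that B rewrote are released to unallocated space; the other six clusters of the deleted file are still allocated to B and hold byte-identical content. A carver that only looks at unallocated clusters therefore recovers a fragment, while the recovered data runs of the deleted file (from a non-allocated metadata remnant) point at the complete content.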

Preliminary support for ReFS v1.2 has been available in EnCase 7 and 8, but the implementation has been neither documented nor peer-reviewed. The same is true of Paragon Software, which recently added ReFS support to its forensic product. Our work documents how ReFS v1.2 and v3.2 are structured, at an abstraction level that allows digital forensic investigation of this new file system. At the time of writing, Paragon Software's product is the only digital forensic tool that supports ReFS v3.x.

The most recent ReFS version is the most relevant for digital forensics, because Windows automatically upgrades the file system to the latest version when the volume is mounted; this is why we include information about ReFS v3.2. The upgrade can be prevented by changing a registry value. For an investigator this is also a caveat: mounting evidence on a current Windows system without write protection can upgrade the on-disk version and alter the very metadata being examined. The latest ReFS version we have observed is 3.4, but the information presented about 3.2 still applies. In any criminal case, the investigator needs to examine the file system version actually found.



