File System Analysis Research Articles

MSCFS-RP: A Colored-Petri-Net-Based Analysis Model for Master–Slave Cloud File Systems with Replication Pipelining

As a typical information system, a cloud file system enables the storage, retrieval, and management of data on remote servers or server clusters. The reliable design of such systems is critical to ensure the security of data and availability of services. However, designing correct-by-construction systems is challenging due to the complexity of and concurrency inherent in cloud file systems. Further, existing works on cloud file system analysis often focus on specific systems or lack formal modeling and verification, leading to potential design flaws and security vulnerabilities. To address these issues, we propose MSCFS-RP, which is a formal analysis model based on colored Petri nets. Leveraging the strengths of colored Petri nets in representing diverse information types with colored tokens and defining explicit rules for concurrent interactions, our model captures the writing and reading processes of clients, meta servers, and clusters. With strong formalism and support for verification using CPN Tools, we rigorously evaluate key properties such as replication consistency under various scenarios. The results demonstrate that MSCFS-RP satisfies these properties, validating its effectiveness and trustworthiness in managing information within cloud storage systems.

Towards a practical usage for the Sleuth Kit supporting file system add-ons

Most modern digital devices with storage utilize a file system to manage files and directories. Consequently, when digital forensic investigators derive evidence from such devices, they collect and analyze data stored on them through file system analysis. However, there are numerous types of file systems, with new ones continually being developed. Each file system possesses a distinct metadata structure and file management system. Therefore, investigators must possess prior knowledge of the specific file system being examined. Nevertheless, it is challenging for practitioners to be knowledgeable about all existing file systems. To address this issue, forensic software such as The Sleuth Kit (TSK), an open-source forensic tool, is employed for investigations. However, even these tools may not offer complete support for relatively recent file systems.Hence, we propose a structure for integrating a new file system into the open-source forensic tool TSK. Additionally, to validate this proposed structure, we demonstrate that support for five file systems (Ext4, XFS, Btrfs, F2FS, and Hikvision) can be added following this framework. To achieve this, we conducted an analysis of the metadata and file management scheme for these five file systems. Furthermore, we examined the operational procedures of the TSK framework. Based on these analyses, investigation capabilities for the five file systems have been incorporated into TSK. Moreover, reliability verification experiments were conducted on the developed tools; and performance evaluation was carried out in comparison with other commercial digital forensic tools. The findings of this study can serve as a foundation for future forensic studies based on file systems. Additionally, the TSK developed based on the proposed structure can assist investigators in conducting digital forensics effectively.

Detection of «Telegram Rat» virus

Objective.The aim of this study is to analyze the «Telegram Rat» virus, emphasizing the importance of awareness to effectively combat cyber threats and ensure security in the digital age.Methods.This paper used an analysis of the characteristics and distribution of «Telegram Rat» viruses. An example of analyzing the technical mechanisms of extortion on the example of «WAGNER GROUP» was given and the steps of virus elimination were formulated.Results.The acuality of the «Telegram Rat» virus problem and ways of its transmission are considered. Practical methods of threat detection and neutralization are stipulated. The method of «Telegram Rat» virus threat detection is based on the analysis of active processes, network activity and file system. It is revealed that the main vulnerability on devices infected with the virus is careless user behavior.Conclusion.The contents of this paper emphasize the importance of vigilance when downloading files and clicking on links. Lack of caution can lead to data loss and information leakage, emphasizing the need for conscious behavior in the digital environment.

Forensic implications of stacked file systems

While file system analysis is a cornerstone of forensic investigations and has been extensively studied, certain file system classes have not yet been thoroughly examined from a forensic perspective. Stacked file systems, which use an underlying file system for data storage instead of a volume, are a prominent example. With the growth of cloud infrastructure and big data, it is increasingly likely that investigators will encounter distributed stacked file systems, such as MooseFS and the Hadoop File System, that employ this architecture. However, current standard models and tools for file system analysis fall short of addressing the complexities of stacked file systems. This paper highlights the forensic challenges and implications associated with stacked file systems, discussing their unique characteristics in the context of forensic analyses. We provide insights through three analyses of different stacked file systems, illustrating their operational details and emphasizing the necessity of understanding this file system category during forensic investigations. For this purpose, we present general considerations that must be made when dealing with the analysis of stacked file systems.

Comparative analysis of novel heat-treated retreatment file system on the removal of obturating material using nano-computed tomography.

The aim of nonsurgical retreatment is to remove the previous filling material followed by chemo-mechanical preparation of the canal to achieve proper disinfection of the root canal system. This is then followed by re-obturation. This study evaluates the time taken to retrieve the gutta-percha and the quantity of remaining filling material after retreatment with two different file systems. The quantity of remaining filling material was assessed using nano-computed tomography (CT) due to its increased accuracy. Forty extracted single-rooted teeth were split into two groups at random and decoronated and obturated at a standard root length of 16 mm. Solite RS3 (SRS-3) Retreatment and ProTaper Universal Retreatment (PTUR) systems were used to retrieve the gutta-percha after a preoperative nano-CT scan. Postoperative nano-CT scan was taken and both the scans were superimposed to quantify the remaining filling material. The time taken to remove gutta-percha was measured using a stopwatch. The statistical analysis comparing the two groups was conducted using the independent t-test. The quantitative analysis of remaining filling material using nano-CT showed no statistical difference between both the file systems used (P > 0.05). However, SRS-3 took significantly less time in the removal of gutta-percha (P < 0.05). Hence, we can conclude that there is no significant difference in the amount of remaining filling material between both the file systems. However, time taken to remove the gutta-percha was lesser in SRS-3 compared to PTUR file system.

Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14.

In this study, we propose an advanced forensic examination procedure for audio recordings generated by the Voice Memos application with iPhone Operation System (iOS)14, to verify that these are the original recordings and have not been manipulated. The proposed examination procedure consists of an analysis of the characteristics of audio recordings and of the file system of the device storing the audio recordings. To analyze the characteristics of audio recordings, we compare the encoding parameters (bitrate, sampling rate, timestamps, etc.) and the file structure to determine whether audio recordings were manipulated. Next, in the device examination step, we analyze the media-log history and temporary files of the file system obtained by mobile forensic tools. For comparative analysis, a total of 100 audio recording samples were obtained through the Voice Memos application from five iPhone mobile handsets of different models with iOS14 installed using Advanced audio coding (AAC) or Apple lossless audio codec (ALAC). As a result of analyzing the encoding parameters between the original and manipulated audio recordings, as well as the temporary files contained in the device file system, the difference in the encoding parameters and the very unique trace of the original audio recordings in the temporary files were confirmed when manipulating the audio recordings. In particular, the primary advantage of our proposed method is its potential ability to recover original audio recordings that were subsequently manipulated via the temporary files examined in the device file system analysis.

Forensic analysis of ReFS journaling

Since the analysis of file system is a fundamental step in forensic investigation, file system forensics has been steadily researched. Especially, NTFS forensics has been mainstream research as it is used by Windows, a globally most-used operating system. When investigating NTFS, journaling analysis is an important procedure as it can identify which files are created, modified, and deleted. Meanwhile, Microsoft developed the Resilient File System (ReFS), which is also used in Windows, to maximize data availability; ReFS is also expected to be a popular file system. Similar to the $Logfile and the $UsnJrnl of NTFS, there are artifacts in ReFS: the Logfile and the Change Journal that document information regarding changes to the system.In this paper, we present the structure and operation of the Logfile and the Change Journal. By kernel reverse engineering, we identify that the ReFS artifacts related to journaling are quite different from the NTFS artifacts; the ReFS artifacts use new record formats, named Log Record and USN_RECORD_V3, and the metadata of ReFS handling journaling files is distinct from that of NTFS. Through experiments, we identify logging patterns of transaction record and examine the mechanism of ReFS journaling. In this process, we enhance the knowledge of the metadata and structure of ReFS presented by previous research. Based on the result of our research, we also propose a forensic methodology of ReFS journaling and develop a tool, Awesome ReFS Investigation tool (ARIN), which is an open-source for analyzing the ReFS journal. These outcomes may provide considerable assistance to a forensic examiner trying to investigate ReFS volumes.

Holistic I/O Activity Characterization Through Log Data Analysis of Parallel File Systems and Interconnects

Holistic I/O Activity Characterization Through Log Data Analysis of Parallel File Systems and Interconnects

Gaslight revisited: Efficient and powerful fuzzing of digital forensics tools

The fields of digital forensics and incident response have seen significant growth over the last decade due to the increasing threats faced by organizations and the continued reliance on digital platforms and devices by criminals. This rise has coincided with a significant and continued increase in the size, complexity, and number of digital forensic investigations that must be performed. In the past, such investigations were performed manually by expert investigators, but this approach is no longer viable given the amount of data that must be processed compared to the relatively small number of trained investigators. These resource constraints have led to the development and reliance on automated processing and analysis systems for digital evidence. Given the central role that such evidence plays in securing organizations and nations against attacks as well as in criminal and civil legal proceedings, it is necessary that such systems are developed in a robust and reliable manner. In this paper, we present our effort to develop a stress testing platform specifically tailored to assess the robustness and reliability of digital forensics tools. For our initial testing, we chose to target The Sleuth Kit framework given its prominence as both as a standalone tool as well as a programming library that is utilized by a large number of open source and commercial filesystem analysis systems. The results of our efforts were the automated discovery of many critical programming errors in The Sleuth Kit framework.

Hooktracer: Automatic Detection and Analysis of Keystroke Loggers Using Memory Forensics

Advances in malware development have led to the widespread use of attacker toolkits that do not leave any trace in the local filesystem. This negatively impacts traditional investigative procedures that rely on filesystem analysis to reconstruct attacker activities. As a solution, memory forensics has replaced filesystem analysis in these scenarios. Unfortunately, existing memory forensics tools leave many capabilities inaccessible to all but the most experienced investigators, who are well versed in operating systems internals and reverse engineering. The goal of the research described in this paper is to make investigation of one of the greatest threats that organizations face, userland keyloggers, less error-prone and less dependent on manual reverse engineering. To accomplish this, we have added significant new capabilities to HookTracer, which is an engine capable of emulating code discovered in a physical memory captures and recording all actions taken by the emulated code. Based on this work, we present new memory forensics capabilities, embodied in a new Volatility plugin, hooktracer_messagehooks, that uses Hooktracer to automatically decide whether a hook in memory is associated with a malicious keylogger or benign software. We also include a detailed case study that illustrates our technique’s ability to successfully analyze very sophisticated keyloggers, such as Turla.

Forensic analysis of B-tree file system (Btrfs)

This paper identifies forensically important artifacts of B-tree file system (Btrfs), analyses changes that they incur due to node-balancing during file and directory operations, and based on the observed file system state-change proposes an evidence-extraction procedure. The findings suggested that retrieving forensic evidence in a fresh B-tree file system is difficult, the probability of evidence-extraction increases as the file system ages, internal nodes are the richest sources of forensic data, degree of evidence-extraction depends upon whether nodes are merged or redistributed, files with size less than 1 KB and greater than 4 KB have highest chances of recovery, and files with size 3–4 KB have least chances of recovery.

Forensic analysis of multiple device BTRFS configurations using The Sleuth Kit

The analysis of file systems is a fundamental step in every forensic investigation. Long-known file systems such as FAT, NTFS, or the ext family are well supported by commercial and open source forensics tools. When it comes to more recent file systems with technologically advanced features, however, most tools fall short of being able to provide an investigator with means to perform a proper forensic analysis.BTRFS is such a file system which has not received the attention it should have. Although introduced in 2007, marked as stable in 2014, and being the default file system in certain Linux distributions, there is virtually no research available in the area of digital forensics when it comes to BTRFS; nor are there any software tools capable of analyzing a BTRFS file system in a way required for a forensic analysis.In this paper we add support for BTRFS—including support for multiple device configurations—to The Sleuth Kit, a widely used toolkit when it comes to open source file system forensics. Moreover, we provide an analysis of forensically important features of BTRFS and show how our implementation can be used to utilize these during a forensic analysis.

Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis

Carrier's book File System Forensic Analysis is one of the most comprehensive sources when it comes to the forensic analysis of file systems. Published in 2005, it provides details about the most commonly used file systems of that time as well as a process model to analyze file systems in general. The Sleuth Kit is the implementation of Carrier's model and it is still widely used during forensic analyses today—standalone or as a basis for forensic suites such as Autopsy.While The Sleuth Kit is still actively maintained, the model has not seen any updates since then. Moreover, there is no support for modern file systems implementing new paradigms such as pooled storage.In this paper, we present an update to Carrier's model which enables the analysis of pooled storage file systems. To demonstrate that our model is suitable, we implemented it for ZFS—a file system for large scale storage, cloud, and virtualization environments—and show how to perform an analysis of this file system using our model and extended toolkit.

Promises and Challenges of Big Data Computing in Health Sciences

With the development of smart devices and cloud computing, more and more public health data can be collected from various sources and can be analyzed in an unprecedented way. The huge social and academic impact of such developments caused a worldwide buzz for big data. In this review article, we summarized the latest applications of Big Data in health sciences, including the recommendation systems in healthcare, Internet-based epidemic surveillance, sensor-based health conditions and food safety monitoring, Genome-Wide Association Studies (GWAS) and expression Quantitative Trait Loci (eQTL), inferring air quality using big data and metabolomics and ionomics for nutritionists. We also reviewed the latest technologies of big data collection, storage, transferring, and the state-of-the-art analytical methods, such as Hadoop distributed file system, MapReduce, recommendation system, deep learning and network Analysis. At last, we discussed the future perspectives of health sciences in the era of Big Data. We explained the steps for Big Data projects: 1. Formulate your question; 2. Find the right ways (smart devices, Internet, hospitals ?) to collect your data; 3. Store the data; 4. Analyze your data; 5. Generate the analysis report with vivid visualization. 6. Evaluate the project: problem solved or start over. The latest applications of Big Data in health sciences were reviewed. The cutting edge computational technologies of big data collection, storage, transferring, and the state-of-the-art analytical methods were introduced. The future perspectives of health sciences in the era of Big Data were discussed.

Survey of Digital Forensics Technologies and Tools for Android based Intelligent Devices

During the rapid development of mobile wireless technologies and applications, the Android operating system, due to its open-source characteristics, has become the most popular development platform in the smartphone market. Meanwhile, as Android-based intelligent mobiles devices experience a rapid increase in numbers, high-tech crimes involving such devices have become more versatile, affecting an ever increasing amount of data, thus making digital evidence an indispensable part of the evidence that needs to be seriously dealt with during crime investigations. Consequently, understanding the internal structure of Android and the various data operations in the file systems becomes necessary in Android-based digital forensics. In this paper, we survey the state-of-the-art of technologies in Android-based digital forensics and some popular tools in the aspects of data recovery and acquisition, file system analysis and data analysis. We also discuss some technical challenges and point out future research directions in Android-based digital forensics.

Cooperative mode: Comparative storage metadata verification applied to the Xbox 360

This work addresses the question of determining the correctness of forensic file system analysis software. Current storage systems are built on theory that is robust but not invincible to faults, from software, hardware, or adversaries. Given a parsing of a storage system of unknown provenance, the lack of a sound and complete analytic theory means the parsing's correctness cannot be proven. However, with recent advances in digital forensic theory, a measure of its incorrectness can be taken.We present FSNView, an N-Version programming utility. FSNView reports exhaustively the metadata of a single disk image, using multiple storage system parsers. Each parser reports its perspective of the metadata in Digital Forensics XML, a storage language used recently in a study on differential analysis. We repurpose the tools used for studying the changes in file systems from time to the changes in file systems from perspective. The differences in metadata summaries immediately note bugs in at least one of the tools employed. Diversity in tools and their analysis algorithms strengthens the analysis of a storage subject.We apply file system differencing to study the external storage of the Microsoft Xbox 360 game console. The console's storage serves as an exemplar analysis subject; the described strategy is general to storage system analysis. The custom volume management and new-though-familiar file system are features typical to an embedded system analysis. Two open-source utilities developed solely for analyzing this game console, and a third developed for general file system forensics, are extended to compare storage system metadata perspectives. We present a new file system and revisions to the DFXML language, library, and differencing process, which were necessary to enable a principled, automatic evaluation of storage analysis tools.

A trusted versioning file system for passive mobile storage devices

Versioning file systems are useful in applications like post-intrusion file system analysis, or reliable file retention and retrievability as required by legal regulations for sensitive data management. Secure versioning file systems provide essential security functionalities such as data integrity, data confidentiality, access control, and verifiable audit trails. However, these tools build on top of centralized data repositories operating within a trusted infrastructure. They often fail to offer the same security properties when applied to repositories lying on decentralized, portable storage devices like USB flash drives and memory chip cards. The reason is that portable storage devices are usually passive, i.e., they cannot enforce any security policy on their own. Instead, they can be plugged in any (untrusted) platform which may not correctly maintain or intentionally corrupt the versioning information on the device. However, we point out that analogous concerns are also raised in those scenarios in which data repositories are hosted by outsourced cloud-based storage services whose providers might not satisfy certain security requirements.In this paper we present TVFS: a Trusted Versioning File System which stores data on untrusted storage devices. TVFS has the following features: (1) file integrity and confidentiality; (2) trustworthy data retention and retrievability; and (3) verifiable history of changes in a seamless interval of time. With TVFS any unauthorized data change or corruption (possibly resulting from being connected to an untrusted platform) can be detected when it is connected to a legitimate trusted platform again. We present a prototype implementation and discuss its performance and security properties. We highlight that TVFS could fit those scenarios where different stakeholders concurrently access and updates shared data, such as financial and e-health multiparty services as well as civil protection application systems such as hazardous waste tracement systems, where the ability to reliably keep track of documents history is a strong (or legally enforced) requirement.

Automated Analysis and Visualization of Disk Images and File Systems for Preservation

Automated Analysis and Visualization of Disk Images and File Systems for Preservation

Forensic analysis techniques for fragmented flash memory pages in smartphones

A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones.Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired.This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.

Covert Flow Graph Approach to Identifying Covert Channels

In this paper, the approach for identifying covert channels using a graph structure called Covert Flow Graph is introduced. Firstly, the construction of Covert Flow Graph which can offer information flows of the system for covert channel detection is proposed, and the search and judge algorithm used to identify covert channels in Covert Flow Graph is given. Secondly, an example file system analysis using Covert Flow Graph approach is provided, and the analysis result is compared with that of Shared Resource Matrix and Covert Flow Tree method. Finally, the comparison between Covert Flow Graph approach and other two methods is discussed. Different from previous methods, Covert Flow Graph approach provides a deep insight for system’s information flows, and gives an effective algorithm for covert channel identification.