
Introduction

From a computer forensics point of view, there is very little information about Microsoft's Resilient File System (ReFS). Information about other file systems such as NTFS and FAT can be found with relative ease, but for ReFS (released in 2012) there is very little to be found. One particular website dedicated to forensics (www.forensicswiki.org) lists ReFS on its page of "Articles that need to be expanded". This page consists of 5 external links and the following text: "The Resilient File System (ReFS) (AKA Protogon) was introduced in Windows 8." That even this specialist site lacks information further highlights the need for research in this area.

As a result of this lack of research and information about ReFS, this project has been undertaken with the objective to identify relevant information and aid computer professionals in their understanding of the file system.

Background

Before starting the project, background research and reading were required. Summarised below is some of the useful information which was discovered before undertaking the project.

- The default cluster size in ReFS is 64KB (Microsoft, n.d.a).

- ReFS currently isn't bootable.

- ReFS uses a mechanism called "Copy On Write" (Refs-data-recovery.com, n.d.). This mechanism means that ReFS will not simply modify the metadata and content in place; it will make a copy and write new metadata to a different location (Bright, 2012). This prevents Torn Writes. Torn Writes are when data is only partially written, but the write is reported as having completed successfully (Arpaci-Dusseau et al., 2008).

- A FAT partition can be converted to NTFS by using the "convert" command. There is currently no available command to convert to ReFS. The data has to be manually copied/moved to a ReFS drive.

- ReFS uses 512 bytes per sector.

- ReFS uses B+ Trees as the on-disk structure for storing information, which is a different storage engine than the one that NTFS uses (Microsoft, 2012).

Benefits of ReFS

ReFS has been introduced by Microsoft with the intention to eventually replace NTFS. Some predict this could even happen by 2020 (Wlodarz, 2014). Currently ReFS can't be used as a bootable drive, nor can it be used on removable media. It has been designed for storing vast amounts of data while providing greater data availability and reliability than NTFS, thus meaning less risk associated with storing data.

Microsoft lists the key features of ReFS as follows (Microsoft, 2013a):

- Integrity

  o This includes the protection of data. File system metadata is always protected and user data can be protected on a per-volume/directory/file basis. ReFS can automatically detect and correct data corruption. ReFS is also designed to recover from errors quickly without the loss of any user data. Integrity is maintained through the use of checksums.

- Availability

  o While repairing corrupted data, ReFS will remain online and data will be available throughout.

- Scalability

  o Future proof - ReFS is designed for enormous data sets.

- App Compatibility

  o ReFS supports widely adopted Win32 APIs.

- Proactive Error Identification

  o A data integrity scanner will scan the volume and will identify and repair any data corruption it finds.

While remaining compatible with useful and widely used NTFS features, ReFS is phasing out many others which aren't as widely used (Microsoft, 2012). This should make for a more streamlined file system. The file system will repair errors "on-the-go", meaning the user will never need to run a "chkdsk" again, as this is done automatically. As well as preventing errors in this way, the aim is for ReFS to have 100% online time, meaning there is never any time that data is unavailable. Data will be verified and error free. Torn writes will be prevented as ReFS will never write anything in place. This will be achieved by using a Copy-On-Write feature.
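The following added example (not from the original article and not ReFS code) models the Copy On Write behaviour described in the Background list and in the paragraph above: an update interrupted partway through is compared for an in-place write and a copy-on-write update. `ToyVolume`, `crash_demo` and the use of CRC32 as the checksum are assumptions made for illustration; only the 512-byte sector size comes from the page.

```python
import zlib

SECTOR = 512  # bytes per sector, as stated on the page

class ToyVolume:
    """Toy model (not ReFS's on-disk format): one file, blocks, one metadata record."""

    def __init__(self, data: bytes):
        self.blocks = {0: bytearray(data)}
        self.meta = (0, zlib.crc32(data))  # (block id, checksum of content)

    def _write_sectors(self, block_id, data, crash_after):
        """Write sector by sector; stop early to simulate power loss."""
        buf = self.blocks.setdefault(block_id, bytearray(len(data)))
        for n, off in enumerate(range(0, len(data), SECTOR)):
            if crash_after is not None and n >= crash_after:
                return False  # interrupted before the last sector
            buf[off:off + SECTOR] = data[off:off + SECTOR]
        return True

    def update_in_place(self, data, crash_after=None):
        """Overwrite the live block; the old content is destroyed as we go."""
        block_id, _ = self.meta
        if self._write_sectors(block_id, data, crash_after):
            self.meta = (block_id, zlib.crc32(data))

    def update_copy_on_write(self, data, crash_after=None):
        """Write to a fresh block, then repoint metadata only when complete."""
        new_id = max(self.blocks) + 1
        if self._write_sectors(new_id, data, crash_after):
            self.meta = (new_id, zlib.crc32(data))

    def read(self):
        """Return (content, checksum_ok) for the block the metadata points at."""
        block_id, crc = self.meta
        content = bytes(self.blocks[block_id])
        return content, zlib.crc32(content) == crc


def crash_demo():
    """Interrupt each update strategy after 2 of 4 sectors; report the outcome."""
    old, new = b"A" * (4 * SECTOR), b"B" * (4 * SECTOR)  # constructed sample data
    results = {}
    for name in ("update_in_place", "update_copy_on_write"):
        vol = ToyVolume(old)
        getattr(vol, name)(new, crash_after=2)
        content, ok = vol.read()
        results[name] = (content == old, ok)  # (old data intact?, checksum valid?)
    return results
```

In this model the interrupted in-place write leaves a half-old, half-new block that fails its checksum, while the interrupted copy-on-write update leaves the metadata pointing at the intact original. A completed copy-on-write update also leaves the previous block untouched in `blocks`.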

The file system will be scalable and future-proof. For example, volumes can be up to a "Yottabyte", or a quadrillion gigabytes, in size (Mayer, 2012). Microsoft knows that data sets are going to continue getting larger and larger, and ReFS has been developed to handle the incredibly large data sets of tomorrow. Not only does it allow large volume sizes, but large file and directory sizes are also supported. The file system has been developed especially to work hand in hand with another Microsoft product: Storage Spaces.

Limitations of ReFS

Some features from NTFS are not included in Resilient File System and some people would call these limitations. Potential limitations of ReFS include:


ReFS Volumes can't be shrunk