AbstractIntroductionMethodologyInitial ComparisonReFS MBRReFS VBRFSRSMACE TimesReFS Metadata BlockReFS MFTReFS Folder Naming ProcessDrive LabelsRecycle BinDesktop.ini FileSecurity IdentifierFolder Analysis.doc Analysis.txt Analysis.exe AnalysisReferencesAboutMisc ForensicsCPU Reballing Stencils

References

Association of Chief Police Officers (2012) Good Practice Guide for Computer-Based Electronic Evidence

Arghire, I. (2012) Windows 8's ReFS Won't Initially Support Boot. [online] Available at: http://news.softpedia.com/news/Windows-8-ReFS-Won-t-Initially-Support-Boot-247156.shtml [Accessed 10th Feb 2015].

Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H., Bairavasundaram, L.N., Goodson, G.R., Schroeder, B. (2008) An Analysis of Data Corruption in the Storage Stack.

Bright, P. (2012) Microsoft introduces new robust "Resilient File System" for Windows Server 8. [online] Available at: http://arstechnica.com/information-technology/2012/01/microsoft-introduces-new-robust-resilient-file-system-for-windows-server-8/ [Accessed 3rd Jan 2015].

Buchholz, F. (2006) The structure of a PKZip file. [online] Available at: https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html [Accessed 12th Feb 2015].

Bunting, S. (2008) EnCase computer forensics. Indianapolis, Ind.: Wiley Pub.

Carrier, B. (2005) File System Forensic Analysis. Boston, Mass.: Addison-Wesley.

Carpio, R.P. (2012) Understanding SIDs. [online] Available at: http://rpcarpio.blogspot.co.uk/2012/11/deciphering-sids.html [Accessed 11th Feb 2015].

Christiansen, N.R., Garson, M.S., Mehra, K., Ou-Yang, D. and Thind, S.R. (2012) File System Recognition Structure. US Patent Office, Patent No.: US8200895 B2. [online] Available at: http://www.google.co.uk/patents/US8200895 [Accessed 7th Jan 2015].

Dempsey, J.D. (2012) Decoding Directory Data

ISO/IEC 27037:2012, (2012) Guidelines for identification, collection, acquisition and preservation of digital evidence

Leschke, T.R. (2009) Cyber Dumpster-Diving: $Recycle.Bin Forensics for Windows 7 and Windows Vista

Lucas, M. (2013) Windows Server 2012: Does ReFS replace NTFS? When should I use it? [online] Available at: http://blogs.technet.com/b/askpfeplat/archive/2013/01/02/windows-server-2012-does-refs-replace-ntfs-when-should-i-use-it.aspx [Accessed 4th Jan 2015].

Machor, M. (2008) The Forensic Analysis of the Microsoft Windows Vista Recycle Bin

Mayer, K. (2012) Improve File Server Data Resiliency with ReFS in Windows Server 2012 - 31 Days of Favorite Features in #WinServ 2012 ( Part 15 of 31 ) [online] Available at: http://blogs.technet.com/b/keithmayer/archive/2012/10/15/refs-in-windows-server-2012.aspx [Accessed 3rd Jan 2015].

Metz, J. (2013) Resilient File System (ReFS) - Analysis of the Windows Resilient File System

Microsoft, (2007) Recovering NTFS Boot Sector on NTFS Partitions. [online] Available at: http://support.microsoft.com/kb/153973[Accessed 18th Jan 2015].

Microsoft, (2011) FILE_SYSTEM_RECOGNITION_STRUCTURE structure. [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/dd442654(v=vs.85).aspx [Accessed 7th Jan 2015].

Microsoft, (2012) Building the next generation file system for Windows: ReFS. [online] Available at: http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx [Accessed 4th Jan 2015].

Microsoft, (2013a) Resilient file system. [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/hh848060(v=vs.85).aspx [Accessed 3rd Jan 2015].

Microsoft, (n.d.a) 5 Appendix A: Product Behavior [online] Available at: https://msdn.microsoft.com/en-us/library/ff469400.aspx [Accessed 9th Feb 2015].

Microsoft, (n.d.b) Master Boot Record. [online] Available at: https://technet.microsoft.com/en-us/library/cc976786.aspx [Accessed 4th Jan 2015].

Microsoft, (n.d.c) Obtaining File System Recognition Information. [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/dd442656(v=vs.85).aspx [Accessed 7th Jan 2015].

Microsoft, (n.d.d) File System Recognition. [online] Available at: https://msdn.microsoft.com/en-gb/library/windows/desktop/dd442652(v=vs.85).aspx [Accessed 7th Jan 2015].

Microsoft, (n.d.e) Security Descriptors. [online] Available at: https://msdn.microsoft.com/en-us/library/windows/hardware/ff556612(v=vs.85).aspx [Accessed 28th Jan 2015].

Microsoft, (n.d.f) Understanding SIDs. [online] Available at: http://support.microsoft.com/kb/243330/ [Accessed 11th Feb 2015].

Ntfs.com, (n.d.a) Hard Drive Partition. Partition Table. [online] Available at: http://www.ntfs.com/partition-table.htm [Accessed 5th Jan 2015].

Ntfs.com, (n.d.b) NTFS File Types. NTFS File Attributes. [online] Available at: http://ntfs.com/ntfs-files-types.htm [Accessed 7th Feb 2015].

Refs-data-recovery.com (n.d.) New Features in ReFS. [online] Available at: http://www.refs-data-recovery.com/new-features-in-refs.aspx [Accessed 3rd Jan 2015].

Sedory, D. (2009) A Disk Editor View of the NTFS Boot Sector and "Bootstrap Code" for Windows™ 2000 and XP. [online] Available at: http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm [Accessed 8th Jan 2015].

Tilbury, C. (2011) NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files. [online] Available at: http://digital-forensics.sans.org/blog/2011/09/20/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files [Accessed 8th Feb 2015].

Wlodarz, D. (2014) Windows Storage Spaces and ReFS: Is it time to ditch RAID for good? [online] Available at: http://betanews.com/2014/01/15/windows-storage-spaces-and-refs-is-it-time-to-ditch-raid-for-good/ [Accessed 3rd Jan 2015].

Wpathulin, (2013) Interpretation of NTFS Timestamps [online] Available at: http://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/ [Accessed 11th Jan 2015].