Authors: Nicole Beebe, Ph.D. (UTSA), Sonia Mandes, and Dane Stuckey
DFRWS USA 2009
ZFS is a relatively new, open source file system designed and developed by Sun Microsystems.1 The stated intent was to develop “a new kind of file system that provides simple administration, transactional semantics, end-to-end data integrity, and immense scalability” (OpenSolaris community). Its functionality, architecture, and disk layout take a relatively radical departure from many commonly used file systems (e.g. FAT, NTFS, EXT2/3, UFS, HFSþ, etc.). Since file systems play a very important role in how and where data are stored, as well as the likelihood of their retrieval during digital forensic investigations, it is important that forensics researchers and practitioners understand ZFS and its forensic implications. That is the goal of this article. We first provide the reader with a primer of sorts about ZFS, which lays the foundation for our discussion of ZFS forensics. We then present the results of our analysis of ZFS functionality, architecture, and disk layout – identifying and discussing several digital forensic artifacts and challenges unique to ZFS.