ZFS Timeline Digital Forensics

Honours Thesis

From my Honours (Computer Science) studies at Victoria University, supervised by Assoc. Prof. Hao Shi; submitted January 2015.

Abstract

During forensic analysis of computer systems, it is often necessary to construct a chronological account of events, including when files were created, modified, accessed and deleted. Timeline analysis is the process of collating and analysing this data, using timestamps from the filesystem and other sources such as log files and internal file metadata.

The Zettabyte File System (ZFS) uses a novel and complex structure to store file data and metadata across multiple devices. Due to the unusual structure and operation of ZFS, many existing forensic tools and techniques cannot be used to analyse ZFS filesystems.

This project demonstrates that four of the internal structures of ZFS can be used as effective sources of timeline information. Methods to extract these structures and use them for timeline analysis are provided, including algorithms to detect falsified file timestamps and to determine when individual blocks of file data were last modified.

Downloads

BSDCan 2014 Presentation

This is from the main part of my honours research. "Forensic Timestamp Analysis of ZFS" was presented 14 May 2014 at BSDCan, University of Ottawa, Canada.

Adding ZFS Events to a Super-Timeline

My article "Adding ZFS Events to a Super-Timeline" on practical implementation and use of my ZFS research was published in Digital Forensics Magazine, Issue 20, August 2014.

ZFS/ZDB Plaso Parsers

Source code for the ZFS/ZDB Parsers is now hosted on GitHub.

These parsers process output from the ZFS Debugger (ZDB) to generate events for the Plaso super-timeline software from internal ZFS objects and metadata.

The readme.txt includes the changelog, installation and usage instructions.
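To show the kind of processing the parsers described above perform, here is an added example (written for this page, not code from the thesis or the GitHub project) that turns a constructed `zdb -dddd`-style object dump into per-timestamp timeline events and runs a basic ordering check over the four timestamps each object carries. The layout of the sample dump, the Plaso-style event description strings and the helper names are assumptions; the ordering check is an illustrative screen only and is not the thesis's own detection algorithm, which draws on ZFS-internal structures not shown here.

```python
import re
from datetime import datetime

# Constructed sample in the style of `zdb -dddd pool/dataset` object output.
# The exact layout is an assumption for illustration; real output varies by ZFS version.
SAMPLE_ZDB_OUTPUT = """\
    Object  lvl   iblk   dblk  dsize  dnsize  lsize   %full  type
         7    1   128K    512    512     512    512  100.00  ZFS plain file
\tpath\t/home/alice/notes.txt
\tuid\t1000
\tgid\t1000
\tatime\tMon Jan 12 09:15:30 2015
\tmtime\tMon Jan 12 09:10:02 2015
\tctime\tMon Jan 12 09:10:02 2015
\tcrtime\tMon Jan 12 08:59:47 2015
\tgen\t120
\tmode\t100644
\tsize\t42

    Object  lvl   iblk   dblk  dsize  dnsize  lsize   %full  type
         8    1   128K    512    512     512    512  100.00  ZFS plain file
\tpath\t/home/alice/backdated.txt
\tatime\tSat Jan  1 00:00:00 2000
\tmtime\tSat Jan  1 00:00:00 2000
\tctime\tMon Jan 12 09:20:11 2015
\tcrtime\tMon Jan 12 09:20:11 2015
\tgen\t125
\tmode\t100644
\tsize\t10
"""

ZDB_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Jan 12 09:15:30 2015", host-local time
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")

# Plaso-style timestamp descriptions (assumed naming, not the project's own code).
PLASO_DESCRIPTIONS = {
    "atime": "Last Access Time",
    "mtime": "Content Modification Time",
    "ctime": "Metadata Modification Time",
    "crtime": "Creation Time",
}

OBJECT_HEADER_RE = re.compile(r"^\s*Object\s+lvl\s+iblk")
# object number, lvl, five size columns, %full, then the free-text type
OBJECT_ID_RE = re.compile(r"^\s*(\d+)\s+\d+(?:\s+\S+){5}\s+[\d.]+\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^\t(\w+)\t(.*)$")  # tab-separated "key<TAB>value" lines


def parse_zdb_objects(text):
    """Split a zdb object dump into one dict per object holding its fields."""
    objects, current, expect_id = [], None, False
    for line in text.splitlines():
        if OBJECT_HEADER_RE.match(line):
            current = {}
            objects.append(current)
            expect_id = True          # the next line carries the object number
            continue
        if current is None:
            continue
        if expect_id:
            m = OBJECT_ID_RE.match(line)
            if m:
                current["object"] = int(m.group(1))
                current["type"] = m.group(2)
            expect_id = False
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in TIME_FIELDS:
            current[key] = datetime.strptime(value, ZDB_TIME_FORMAT)
        elif key in ("gen", "size", "uid", "gid"):
            current[key] = int(value)
        else:
            current[key] = value
    return objects


def build_events(objects):
    """Emit one timeline event per timestamp, sorted chronologically."""
    events = []
    for obj in objects:
        for field in TIME_FIELDS:
            if field in obj:
                events.append({
                    "timestamp": obj[field],
                    "timestamp_desc": PLASO_DESCRIPTIONS[field],
                    "path": obj.get("path", "<no path>"),
                    "object": obj.get("object"),
                    "source": "ZFS zdb object dump",
                })
    events.sort(key=lambda e: (e["timestamp"], e["timestamp_desc"]))
    return events


def find_timestamp_anomalies(objects):
    """Flag timestamp orderings that in-place editing cannot produce.

    A hit is a lead for follow-up, not proof of tampering: a preserved-timestamp
    copy (cp -p, tar, rsync -a) also yields an mtime earlier than crtime.
    """
    anomalies = []
    for obj in objects:
        path = obj.get("path", "<no path>")
        if "mtime" in obj and "crtime" in obj and obj["mtime"] < obj["crtime"]:
            anomalies.append((path, "mtime earlier than crtime"))
        if "ctime" in obj and "crtime" in obj and obj["ctime"] < obj["crtime"]:
            anomalies.append((path, "ctime earlier than crtime"))
        if "mtime" in obj and "ctime" in obj and obj["mtime"] > obj["ctime"]:
            anomalies.append((path, "mtime later than ctime"))
    return anomalies


if __name__ == "__main__":
    objs = parse_zdb_objects(SAMPLE_ZDB_OUTPUT)
    for ev in build_events(objs):
        print(ev["timestamp"].isoformat(), ev["timestamp_desc"], ev["path"])
    for path, reason in find_timestamp_anomalies(objs):
        print("ANOMALY", path, reason)
```

The event dicts mirror the fields a super-timeline row needs (timestamp, description, path, source); in the sample, the second object's 2000-dated atime and mtime sit far before its 2015 crtime and ctime, which is the ordering the screen reports. zdb prints times in the analysis host's local zone, so convert to UTC before merging these events with log-derived ones.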