ZFS Timeline Digital Forensics
Honours Thesis
My Honours (Computer Science) studies at Victoria University, supervised by A/Prof. Hao Shi, submitted January 2015.
Abstract
During forensic analysis of computer systems, it is often necessary to construct a chronological account of events, including when files were created, modified, accessed and deleted. Timeline analysis is the process of collating and analysing this data, using timestamps from the filesystem and other sources such as log files and internal file metadata.
The Zettabyte File System (ZFS) uses a novel and complex structure to store file data and metadata across multiple devices. Due to the unusual structure and operation of ZFS, many existing forensic tools and techniques cannot be used to analyse ZFS filesystems.
In this project, it has been demonstrated that four of the internal structures of ZFS can be used as effective sources of timeline information. Methods to extract these structures and use them for timeline analysis are provided, including algorithms to detect falsified file timestamps and to determine when individual blocks of file data were last modified.
Downloads
Full Thesis: "Forensic Timeline Analysis of the Zettabyte File System" (PDF; 111 body pages, 175 total), submitted 16 January 2015.
BSDCan 2014 Presentation
This is from the main part of my honours research. "Forensic Timestamp Analysis of ZFS" was presented 14 May 2014 at BSDCan, University of Ottawa, Canada.
Adding ZFS Events to a Super-Timeline
My article "Adding ZFS Events to a Super-Timeline" on practical implementation and use of my ZFS research was published in Digital Forensics Magazine, Issue 20, August 2014.
ZFS/ZDB Plaso Parsers
Source code for the ZFS/ZDB Parsers is now hosted on GitHub.
These parsers process output from the ZFS Debugger (ZDB) to generate events for the Plaso super-timeline software from internal ZFS objects and metadata.
The readme.txt includes the changelog and installation and usage instructions.
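As an added example (my own illustration here, not code from the thesis or from the GitHub parsers): a small Python script that reads a `zdb -dddd` object dump and uberblock output in the layout `zdb -u` prints, emits timeline events from the znode timestamps, the creation TXG (`gen`) and the birth TXG of each data block, and runs a simplified timestamp-consistency check. The sample dumps are constructed, not captured from a real pool; the script assumes that zdb prints ctime(3)-style timestamps, that the first number in an indirect-block line's `B=a/b` field is the block's birth TXG, and that uberblock timestamps are the only transaction-group-to-wall-clock mapping available. The consistency check is a simplification of my own, not the detection algorithm the thesis describes.

```python
# Added illustration (not the thesis's algorithm or the Plaso parsers): zdb output
# to timeline events, plus a TXG-based timestamp consistency check.
import bisect
import re
from datetime import datetime, timezone

# Constructed samples in zdb's layout, uberblocks included (assumption: in an
# indirect-block line's "B=a/b" field, a is the birth TXG). Object 7 was written
# normally; object 8 was created at 10:59:56, then backdated with `touch -d 2018-01-01`.
ZDB_OBJECTS = """\
    Object  lvl   iblk   dblk  dsize  dnsize  lsize   %full  type
         7    1   128K    512    512     512    512  100.00  ZFS plain file
\tpath\t/normal.txt
\tatime\tSun Mar 15 09:59:58 2020
\tmtime\tSun Mar 15 09:59:58 2020
\tctime\tSun Mar 15 09:59:58 2020
\tcrtime\tSun Mar 15 09:59:58 2020
\tgen\t12345
Indirect blocks:
               0 L0 0:1a000:200 200L/200P F=1 B=12345/12345 cksum=1:2:3:4
    Object  lvl   iblk   dblk  dsize  dnsize  lsize   %full  type
         8    1   128K    512    512     512    512  100.00  ZFS plain file
\tpath\t/backdated.txt
\tatime\tMon Jan  1 00:00:00 2018
\tmtime\tMon Jan  1 00:00:00 2018
\tctime\tSun Mar 15 10:59:57 2020
\tcrtime\tSun Mar 15 10:59:56 2020
\tgen\t12400
Indirect blocks:
               0 L0 0:2c000:200 200L/200P F=1 B=12400/12400 cksum=5:6:7:8
"""
ZDB_UBERBLOCKS = """\
Uberblock:
\ttxg = 12340
\ttimestamp = 1584266380 UTC = Sun Mar 15 09:59:40 2020
Uberblock:
\ttxg = 12345
\ttimestamp = 1584266400 UTC = Sun Mar 15 10:00:00 2020
Uberblock:
\ttxg = 12400
\ttimestamp = 1584270000 UTC = Sun Mar 15 11:00:00 2020
"""

def parse_zdb_time(text):
    """zdb prints ctime(3) strings with a space-padded day; treat them as UTC."""
    dt = datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def parse_uberblocks(text):
    """Sorted (txg, epoch seconds) pairs from `zdb -u`-style output."""
    return sorted((int(t), int(ts)) for t, ts in
                  re.findall(r"txg = (\d+).*?timestamp = (\d+) UTC", text, re.S))

def txg_window(ubs, txg):
    """Wall-clock window in which `txg` was open: after the previous surviving
    uberblock synced, no later than the first uberblock with txg >= `txg`.
    A bound is None when no uberblock survives on that side."""
    txgs = [t for t, _ in ubs]
    i = bisect.bisect_left(txgs, txg)
    lo = ubs[i - 1][1] if i > 0 else None
    hi = ubs[i][1] if i < len(ubs) else None
    return lo, hi

def parse_objects(text):
    """Path, znode timestamps, creation TXG (gen) and L0 block births per object."""
    objs = []
    for chunk in re.split(r"^\s*Object\s+lvl\s+iblk.*$", text, flags=re.M)[1:]:
        obj = {"object": int(re.match(r"\s*(\d+)", chunk).group(1)), "blocks": []}
        for key, val in re.findall(r"^\s*(path|atime|mtime|ctime|crtime|gen)\s+(.+?)\s*$", chunk, re.M):
            obj[key] = val if key == "path" else int(val) if key == "gen" else parse_zdb_time(val)
        # Offsets are hex in zdb output; the block line carries the birth TXG in B=.
        for off, birth in re.findall(r"^\s*([0-9a-f]+)\s+L0\s.*?\bB=(\d+)/\d+", chunk, re.M):
            obj["blocks"].append((int(off, 16), int(birth)))
        objs.append(obj)
    return objs

def timeline_events(objs, ubs):
    """(lo, hi, what, path) tuples; znode times are exact, TXG-derived ones are windows."""
    events = []
    for o in objs:
        for k in ("crtime", "mtime", "ctime", "atime"):
            events.append((o[k], o[k], "znode " + k, o["path"]))
        events.append((*txg_window(ubs, o["gen"]), "created in txg %d" % o["gen"], o["path"]))
        for off, birth in o["blocks"]:
            events.append((*txg_window(ubs, birth), "block 0x%x written in txg %d" % (off, birth), o["path"]))
    return sorted(events, key=lambda e: e[0] if e[0] is not None else 0)

def check_timestamps(obj, ubs):
    """Simplified check: mtime before the newest data block's window means the data
    was written after the claimed time (backdating, or a rewrite such as zfs receive,
    so corroborate); mtime after that window was set without any data write."""
    findings = []
    if obj["blocks"]:
        newest = max(b for _, b in obj["blocks"])
        lo, hi = txg_window(ubs, newest)
        if lo is not None and obj["mtime"] < lo:
            findings.append("mtime predates data block written in txg %d" % newest)
        if hi is not None and obj["mtime"] > hi:
            findings.append("mtime set after last data write in txg %d" % newest)
    lo, _ = txg_window(ubs, obj["gen"])
    if lo is not None and obj["crtime"] < lo:
        findings.append("crtime predates creation txg %d" % obj["gen"])
    return findings

if __name__ == "__main__":
    ubs = parse_uberblocks(ZDB_UBERBLOCKS)
    for obj in parse_objects(ZDB_OBJECTS):
        print(obj["path"], check_timestamps(obj, ubs) or "consistent")
```

Two caveats matter in practice. Uberblocks only bracket a transaction group between two sync times, so a block's last-modified time comes out as a window, not an instant, and because only a limited ring of uberblocks survives in the labels, the windows on a real pool can be much wider than in this sample. A mtime earlier than its data block's window is suspicious but not proof: `zfs receive` or any block-rewriting migration also produces fresh birth TXGs without changing mtime. Conversely, ctime cannot be set from userland, so in the backdated sample the ctime still shows the real time of the `touch`; a ctime that also predates its TXG window points at something more than a utimes call.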