BSDCan2014 - Final

BSDCan 2014
The Technical BSD Conference

Dylan Leigh
Day Talks - Day 1 - Fri May 16 - 2014-05-16
Room Montpetit 201
Start time 10:00
Duration 01:00
ID 464
Event type Lecture
Track Security
Language used for presentation English

Forensic Timestamp Analysis of ZFS

Using ZFS Metadata to enhance timeline analysis and detect forged timestamps.

This talk explores the use of the internal data structures of ZFS as extra sources of data for forensic timeline analysis, and demonstrates several techniques for detecting falsified timestamps on ZFS filesystems.

During forensic analysis of disks, it may be desirable to construct an account of events over time, including when files were created, modified, accessed and deleted. "Timeline analysis" is the process of collating this data, using file timestamps from the file system and other sources such as log files and internal file metadata.

ZFS stores file data and metadata in a complex set of internal structures, and those structures are another source of timeline information beyond the POSIX timestamps a file presents. This internal metadata can also be used to detect timestamps that have been tampered with, whether by the touch command or by changing the system clock before writing to the file.

This presentation will discuss the internal data structures of ZFS, present new research illustrating how ZFS metadata changes over time, and demonstrate how this data can be used to detect falsified file timestamps.
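The following is an illustration added here; it is not code from the talk or its author. It sketches the kind of cross-check the abstract describes: ZFS block pointers record the transaction group (txg) in which a block was born, txg numbers only ever increase, and each uberblock records the txg it committed together with a wall-clock timestamp, so the write order recorded by txgs can be held against the timestamps a file claims. The script assumes that, for each file, the birth txg of the block holding its dnode has already been extracted (for example with zdb) alongside the znode timestamps, and that txg/timestamp pairs from uberblocks are available as anchors. The record and field names, the check labels and every sample value are constructed for the example.

```python
"""Consistency checks between ZFS znode timestamps and block birth txgs.

Added illustration, not the talk's code.  Inputs are constructed by hand.
Facts relied on: every ZFS block pointer records the txg in which the
block was born, txgs only increase, and each uberblock records the txg it
committed plus a wall-clock timestamp.  Harvesting the records (e.g. with
zdb) is assumed to have happened already and is out of scope here.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    birth_txg: int   # birth txg of the block holding the file's dnode (assumed harvested)
    crtime: int      # znode creation time, Unix seconds
    mtime: int       # znode modification time
    ctime: int       # znode change time (not settable via touch/utimes)


@dataclass(frozen=True)
class TxgAnchor:
    txg: int         # uberblock txg
    synced_at: int   # uberblock timestamp, Unix seconds


# Constructed labels for findings.
MTIME_AFTER_CTIME = "mtime later than ctime"
MTIME_BEFORE_CRTIME = "mtime earlier than crtime (weak: cp -p also produces this)"
CTIME_BEFORE_TXG = "ctime earlier than uberblocks that precede its birth txg"
CTIME_AFTER_TXG = "ctime later than the uberblock that committed its birth txg"
CTIME_ORDER = "ctime earlier than a file born in an older txg"


def txg_window(anchors: Sequence[TxgAnchor], txg: int) -> Tuple[Optional[int], Optional[int]]:
    """Wall-clock bounds for writes committed in `txg`, from the nearest uberblocks.

    A write committed in txg N happened after the uberblock for any txg < N
    was written and before the uberblock for txg N (or any later txg) was.
    Either bound is None when no anchor exists on that side.
    """
    lower = max((a.synced_at for a in anchors if a.txg < txg), default=None)
    upper = min((a.synced_at for a in anchors if a.txg >= txg), default=None)
    return lower, upper


def detect_anomalies(records: Sequence[FileRecord],
                     anchors: Sequence[TxgAnchor]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for timestamps that disagree with txg evidence."""
    findings: List[Tuple[str, str]] = []

    # Per-file checks: internal timestamp sanity, then the txg time window.
    for r in records:
        if r.mtime > r.ctime:
            findings.append((r.path, MTIME_AFTER_CTIME))
        if r.mtime < r.crtime:
            findings.append((r.path, MTIME_BEFORE_CRTIME))
        lower, upper = txg_window(anchors, r.birth_txg)
        if lower is not None and r.ctime < lower:
            findings.append((r.path, CTIME_BEFORE_TXG))
        if upper is not None and r.ctime > upper:
            findings.append((r.path, CTIME_AFTER_TXG))

    # Cross-file check: txg order is ground truth, so ctime must not run
    # backwards as birth txg increases.  Needs no trusted clock at all.
    high_ctime: Optional[int] = None
    high_txg = 0
    for r in sorted(records, key=lambda x: x.birth_txg):
        if high_ctime is not None and r.birth_txg > high_txg and r.ctime < high_ctime:
            findings.append((r.path, CTIME_ORDER))
        if high_ctime is None or r.ctime > high_ctime:
            high_ctime, high_txg = r.ctime, r.birth_txg
    return findings


def sample_anchors() -> List[TxgAnchor]:
    """Constructed uberblock txg/timestamp pairs, one hour apart."""
    return [TxgAnchor(100, 1_400_000_000),
            TxgAnchor(200, 1_400_003_600),
            TxgAnchor(300, 1_400_007_200)]


def sample_records() -> List[FileRecord]:
    """Constructed znode records; c, d and e are the tampered ones."""
    return [
        FileRecord("/data/a.txt", 150, 1_400_001_000, 1_400_001_000, 1_400_001_000),
        FileRecord("/data/b.txt", 250, 1_400_005_000, 1_400_005_000, 1_400_005_000),
        # touch -d with a past date: mtime back-dated, ctime still honest
        FileRecord("/data/c.txt", 260, 1_400_005_500, 1_399_000_000, 1_400_005_500),
        # clock rolled back before touching: mtime and ctime both back-dated,
        # but the dnode was rewritten in txg 270, after b and c
        FileRecord("/data/d.txt", 270, 1_400_000_500, 1_400_002_000, 1_400_002_000),
        # touch -d with a future date: mtime ahead of ctime
        FileRecord("/data/e.txt", 280, 1_400_006_000, 1_500_000_000, 1_400_006_000),
    ]


if __name__ == "__main__":
    for path, reason in detect_anomalies(sample_records(), sample_anchors()):
        print(f"{path}: {reason}")
```

The window check depends on the uberblock timestamps having been taken under a trusted clock, so anchors should come from txgs committed before any suspected clock manipulation; the ordering check needs no clock, only the txg sequence. Both are only as good as the txg evidence that survives: a block rewritten later carries only its latest birth txg, so snapshots, which preserve older block pointers, are where earlier history is recovered.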