Zettabyte File System Autopsy

FACULTY OF SCIENCE, DEPARTMENT OF COMPUTING

Digital Crime Scene Investigation for the Zettabyte File System

Andrew Li
[email protected]

Technical Report, 5 June 2009

Abstract

Files stored on a computer are managed by the file system of the operating system. When a computer is used to store illegal data such as child pornography, it is important that the existence of the illegal data can be proven even after the data is deleted. In this study, new functionality is added to the Zettabyte File System (ZFS) debugger that reads the physical disk of the computer directly, without using the file system layer of the operating system. This new functionality enables digital crime scene investigators to retrieve any data from the disk, including deleted files. This paper presents an explanation of ZFS internals and describes the approach taken to arrive at the new ZFS debugger functionality. Using this new functionality, we find that the content and all the metadata (file size, owner, creation time, etc.) of a deleted file can be retrieved directly from the disk without going through the file system layer of the operating system.

Table of Contents

1 Introduction (1-1)
  1.1 Overview (1-1)
  1.2 Problem (1-1)
  1.3 Aim (1-2)
  1.4 Assumed Knowledge (1-2)
  1.5 Structure (1-2)
  1.6 Acronyms (1-3)
2 Related Work (2-1)
  2.1 Overview (2-1)
  2.2 File System Forensics (2-1)
  2.3 Existing Open Source Forensic Tools (2-2)
  2.4 ZFS Forensics Project Proposal (2-3)
  2.5 ZDB Data Walk (2-4)
  2.6 Summary (2-4)
3 File Deletion (3-1)
  3.1 Overview (3-1)
  3.2 Introduction to Unix File System (3-1)
  3.3 Historic Unix File System (3-2)
  3.4 Modern Unix File Systems (3-3)
    3.4.1 Reconstructing Evidence (3-4)
  3.5 ZFS (3-6)
    3.5.1 Reconstructing Evidence Attempt (3-7)
  3.6 Comparison (3-9)
  3.7 Summary (3-9)
4 ZFS Design and Architecture (4-1)
  4.1 Overview (4-1)
  4.2 Concept (4-1)
  4.3 Architecture (4-1)
  4.4 Implementation (4-4)
  4.5 ZFS vs UFS (4-8)
  4.6 Summary (4-9)
5 New ZDB Feature (5-1)
  5.1 Overview (5-1)
  5.2 Requirement for ZDB Extension (5-1)
  5.3 Overview of New ZDB Extension (5-1)
  5.4 Detailed Implementation of New ZDB Extension (5-2)
  5.5 Demonstration (5-7)
  5.6 Summary (5-13)
6 Future Work (6-1)
7 Conclusion (7-1)
8 References (8-1)
9 Appendix A – ZDB Source Code (9-1)

Table of Figures

Figure 3-1 Disk layout of a Unix file system (3-1)
Figure 3-2 Inode structure (3-2)
Figure 4-1 Vdev label for a block device of size N (4-2)
Figure 4-2 Block pointer structure layout (4-2)
Figure 4-3 The relationship of SPA, DMU, DSL and ZAP components (4-4)
Figure 4-4 Structure of vdev label (4-4)
Figure 4-5 Uberblock structure (4-5)
Figure 4-6 Block pointer structure (4-5)
Figure 4-7 Data Virtual Address (DVA) type definition (4-5)
Figure 4-8 Dnode structure definition (4-6)
Figure 4-9 Object Set structure (4-6)
Figure 4-10 ZAP object definitions (4-7)
Figure 4-11 DSL Directory Object structure

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    54 Page
