BSDCan2014 - Final
BSDCan 2014
The Technical BSD Conference
| Speakers |
|---|
| Dylan Leigh |

| Schedule | |
|---|---|
| Day | Talks - Day 1 - Fri May 16 - 2014-05-16 |
| Room | Montpetit 201 |
| Start time | 10:00 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 464 |
| Event type | Lecture |
| Track | Security |
| Language used for presentation | English |
Forensic Timestamp Analysis of ZFS
Using ZFS Metadata to enhance timeline analysis and detect forged timestamps.
Exploring the use of the internal data structures of ZFS to provide extra sources of data for forensic timeline analysis. Several techniques to detect falsified timestamps on ZFS filesystems are demonstrated.
During forensic analysis of disks, it may be desirable to construct an account of events over time, including when files were created, modified, accessed and deleted. "Timeline analysis" is the process of collating this data, using file timestamps from the file system and other sources such as log files and internal file metadata.
ZFS uses a complex structure to store file data and metadata, and its many internal structures are another source of timeline information. This internal metadata can also be used to detect timestamps that have been tampered with, whether by the touch command or by changing the system clock.
This presentation will discuss the internal data structures of ZFS, present new research illustrating how ZFS metadata changes over time, and demonstrate how this data can be used to detect falsified file timestamps.