I am currently, in my own time, researching into and analysing Microsoft's newest file system, Resilient File System (ReFS), previously 'Protogon', released under Windows Server 2012, previously 'Windows Server 8', in late 2012.
I am currently reverse engineering the Resilient File System (ReFS), which is taking a lot longer than originally planned but is still on-going. I am doing it the old-fashioned way, without the use of automated extraction tools or code, to hopefully avoid overlooking anything important. This approach seems to have paid off so far. I am, however, using a licensed version of WinHex gratefully provided by X-Ways Forensics.
My process for analysis involves the following:
For an on-going document that contains all the research and findings to date please see my ReFS Report (v0.6).
Due to current work commitments, I am not doing as much research in this field and will only be doing it when I get spare time. Therefore, the current version of the report is the latest. I may produce further work in the future, but please take the current report (v0.6) as the final and only version available.
If you would like a copy of the images to test with, please click here and download them (8.81MiB; 7GiB unpacked). The MD5 Checksum is: 708E0111B70158D241F43285C2F8808B.
The reason for two sets of images, one with an a and one without, is for comparison purposes and to validate any findings if needed. Currently, the secondary images, with an a, have not been needed but duplication is always better in advance.
If you use this report for any purpose, please reference that you have obtained it from this source. Even though it is free to be used, it is still an acknowledgement of the work and effort that has gone into the analysis of the Resilient File System (ReFS) by Paul Green and co-authors.
If you have developed an application using this report, or any information found on this site, please get in touch. I would be interested in testing and evaluating it for personal purposes.
The work on this site and documents contained within are a work in progress and are to be taken at face value, and I am not liable for any errors in any application compiled. The contents, until release v1, may be incorrect or incomplete and therefore are not recommended to be used to develop applications. If you do, please bear in mind the report is continuously changing.
If anyone has any suggestions or can help with the analysis, please do get in touch with me, as reverse engineering a file system is not easy and is extremely time consuming.
If you wish to contact me please go here.
Last updated: Friday 10th January 2014
Copyright © Paul K. Green 2014