An analysis of anti-forensic capabilities of B-tree file system (Btrfs)


Anti-forensic techniques aim to prevent, hinder or corrupt the forensic process of evidence acquisition, its analysis, and/or its admissibility. File systems are at the spotlight of almost every forensic investigation. The Linux B-tree file system (Btrfs) offers a paradigm shift in file system design by providing simple administration, end-to-end data integrity, and immense scalability without loss of performance. However, the potential of Btrfs for forensics examination and its resistance to anti-forensic activities was not investigated before. This paper covers this gap by analysing the forensics value of Btrfs and its robustness against anti-forensics activities. The experimental results suggest that Btrfs offers strong hurdles to many anti-forensic attacks. These include making it difficult to securely wipe files, disallowing hiding data in reserved locations of the file system data structures, and so on. Based on our findings, even a corrupt Btrfs volume could contain remnants of deletion of small files, hidden data in reserved locations and magic string forgery. Furthermore, forensic tools meant for Btrfs investigation must be augmented to support automated forensic analysis of possible hidden data in boot sector, file slack, volume slack and mount-point directories, MAC-DTS forgery, and sparse files.