http://dx.doi.org/10.13089/JKIISC.2017.27.6.1373

A Study of Method to Restore Deduplicated Files in Windows Server 2012  

Son, Gwancheol (Institute of Cyber Security & Privacy (ICSP), Korea University)
Han, Jaehyeok (Institute of Cyber Security & Privacy (ICSP), Korea University)
Lee, Sangjin (Institute of Cyber Security & Privacy (ICSP), Korea University)
Abstract
Deduplication is a function for managing data effectively and improving the efficiency of storage space. When deduplication is applied to a system, storage space is used efficiently by dividing each stored file into chunks and storing only the unique chunks. However, commercial digital forensic tools do not support the corresponding file system analysis, and the original file extracted by such a tool cannot be executed or opened. Therefore, in this paper, we analyze the process of generating chunks of data on a Windows Server 2012 system to which deduplication can be applied, and the structure of the resulting file (Chunk Storage). We also analyze the case, not covered in the previous study, where chunks are compressed. Based on these results, we propose a method to collect deduplicated data and reconstruct the original file for digital forensic investigation.
Keywords
Deduplication; Deduplicated File Restoration; Chunk Storage; $REPARSE_POINT; System Volume Information;