Identification of data wiping tools based on deletion patterns in ReFS $Logfile

Data wiping tools permanently delete files by repeatedly overwriting data on a digital device, making file recovery impossible. Unlike the conventional deletion methods, which merely remove the file system pointer to the data, these tools are designed to entirely and irretrievably erase the data. This method can be exploited to obliterate evidence of a crime. Given the growing prevalence of such tools, a comprehensive analysis of permanent deletion behavior is essential, especially concerning the Resilient File System (ReFS). In this study, we propose a method for detecting user behavior concerning data wiping tools and algorithms in ReFS 3.7. Our approach relies on the fact that file modifications are logged in the redo record of the $Logfile, and that the opcode value of the redo record varies depending on the data wiping tool used. Since opcodes were only analyzed up to version 3.4, we analyzed the newly updated opcodes. Initially, we selected the 12 most commonly used data wiping tools for our research. In the pattern analysis phase, we applied the algorithms supported by each tool, generating a distinct deletion pattern for each one. This was accomplished by utilizing consecutive opcodes to formulate the patterns and monitor transitions in file and directory names. The patterns discerned in the $Logfile allowed us to determine which data wiping tool was deployed. The proposed methodology simplifies the identification of not only which data wiping tool has been used, but also the specific deletion behavior exhibited. We developed a tool incorporating the proposed method. Our subsequent verification confirmed the effectiveness of our methodology and tools in accurately detecting the use of comprehensive deletion tools. These findings contribute valuable insights to the acquisition of digital evidence of user deletion behavior in ReFS. Our proposed methodology will help digital forensic examiners in the detection and identification of data wiping tools' behavior.