ZFS Forensics - What Tools Do You Use?

Can anyone recommend a forensic toolset for looking at ZFS discs?

I only have a casual interest. I saw there was an older port for sleuthkit (didn't notice ZFS listed as an expected file type) and some academic papers (about 10 years old) on ZFS forensics. I wonder what people who are good at ZFS forensics are using now. Are you just write-protecting the disc with hardware and dd'ing the files over into a working copy? What are you seeing the bytes with? Do you just interact with the ZFS administrative commands normally and note the checksums? Got any forensic project software you prefer that works with ZFS? What do you use to look over GELI-encrypted ZFS discs?

Just curious. Any suggestions you provide might be helpful. Thanks in advance.
 
I believe the most common tool for viewing object layout, file block locations on disk, etc., is zdb. Without accessing the pool directly, the obvious way to do this would be, as mentioned, to take copies of the disks using dd or similar and mount the pool read-only from images of the original disks.

When it comes to GELI-encrypted disks, I would assume that the disk is effectively useless unless you have already mounted it with the correct key, at which point it's no different to any non-encrypted disk.
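As an added example, not code from either post above: a shell sketch of the workflow the reply describes, on FreeBSD (where GELI lives), using only base-system tools. dd(1) plus a recorded SHA-256 for acquisition and later re-verification, mdconfig(8) to attach the image as a read-only memory disk, zdb -l to read the vdev labels before any import, geli attach -r for an encrypted image once the key is in hand, zpool import -o readonly=on from the image devices under an altroot, and zdb -dddd for per-object block pointers. The device name /dev/da1, the pool name "tank", the keyfile path and /mnt/evidence are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only ZFS evidence workflow on FreeBSD.
# Assumed names: /dev/da1 is the evidence disk, "tank" the pool named in the
# labels, /mnt/evidence the analysis altroot. Adjust to the case at hand.
set -eu

# Portable SHA-256 of a file: FreeBSD ships sha256(1), Linux sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 1. Acquire: raw copy of the whole device, keep going past read errors
#    (noerror) and pad short reads (sync), then record the image hash.
#    bs is given in bytes so it works with both BSD and GNU dd.
acquire_image() {   # acquire_image /dev/da1 /evidence/da1.dd
    dd if="$1" of="$2" bs=1048576 conv=noerror,sync
    sha256_of "$2" > "$2.sha256"
}

# Re-hash the image; exit status 0 iff it still matches the acquisition hash.
# Run this after the analysis session to show nothing below wrote to the image.
verify_image() {    # verify_image /evidence/da1.dd
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# 2. Attach the image as a read-only memory disk; the md layer refuses writes
#    even if a later command misbehaves. Prints the md unit name (e.g. md0).
attach_readonly() { # attach_readonly /evidence/da1.dd
    mdconfig -a -t vnode -o readonly -f "$1"
}

# 3. Read the four vdev labels before importing anything: pool name, pool and
#    vdev GUIDs, last txg, hostname and ashift are all here, no import needed.
read_labels() {     # read_labels md0
    zdb -l "/dev/$1"
}

# 3b. GELI image: the bytes are ciphertext until attached with the key.
#     -r attaches read-only; the plaintext provider appears as /dev/md0.eli.
geli_attach_readonly() {  # geli_attach_readonly md0 /evidence/keyfile
    geli attach -r -k "$2" "/dev/$1"
}

# 4. Import only from the directory holding the image devices, read-only, under
#    an altroot so datasets mount beneath /mnt/evidence rather than at their
#    original mountpoints. -f is needed because the pool was last imported by
#    a different hostid.
import_readonly() { # import_readonly tank /dev
    zpool import -o readonly=on -R /mnt/evidence -d "$2" -f "$1"
}

# 5. With the pool imported, dump every object in a dataset: dnode type,
#    block pointers (DVAs, checksum, compression, birth txg) per file.
dump_dataset() {    # dump_dataset tank/home
    zdb -dddd "$1"
}
```

Keep the altroot and readonly=on together: readonly=on stops ZFS from writing, and the md -o readonly makes the image itself refuse writes, so re-running verify_image at the end of the session is the proof that the evidence copy is unchanged.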
 