AbstractIntroductionMethodologyInitial ComparisonReFS MBRReFS VBRFSRSMACE TimesReFS Metadata BlockReFS MFTReFS Folder Naming ProcessDrive LabelsRecycle BinDesktop.ini FileSecurity IdentifierFolder Analysis.doc Analysis.txt Analysis.exe AnalysisReferencesAboutMisc ForensicsCPU Reballing Stencils

File System Recognition Structure (FSRS)

The ReFS Volume Boot Record differs massively from that of NTFS and FAT. Instead of having a sector's worth of boot information followed by numerous more sectors full of data, like NTFS and FAT, ReFS uses 64 bytes only. We know that ReFS isn't bootable, so this is one reason for such a difference.

While this sector in ReFS does have the OEM ID like the other two, it also has something within it called "FSRS".

FSRS stands for File System Recognition Structure, which having done research on it, appears to allow operating systems to recognise the structure, thus being able to determine that the file system in use (ReFS) is a valid file system.

 

Type

Offset

Length

Contents

Description

Jmp

0x00

3 bytes

00 00 00

Jump instruction

FsName

0x03

4 bytes

53 65 46 53

File system name

MustBeZero

0x07

9 bytes

00 00 00 00 00 00 00 00 00

Reserved space containing all zeros

Identifier

0x10

4 bytes

46 53 52 53

Structure identifier. Little endian.

Length

0x14

2 bytes

00 02

The number of bytes in the structure

Checksum

0x16

2 bytes

33 C2

 

 

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000100000  00 00 00 52 65 46 53 00 00 00 00 00 00 00 00 00 46 53 52 53 00 02 33 C2 00 00 9E 00 00 00 00 00  ...ReFS.........FSRS....ž.....

000100020  00 02 00 00 80 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 1C 55 C4 56 55 C4 34  ....€.....................UÄVUÄ4



Useful Resources on FSRS


File System Recognition Structure - US Patent Office, Patent No.: US8200895 B2 http://www.google.co.uk/patents/US8200895


MSDN Articles


File System Recognition - https://msdn.microsoft.com/en-gb/library/windows/desktop/dd442652(v=vs.85).aspx

FILE_SYSTEM_RECOGNITION_STRUCTURE - https://msdn.microsoft.com/en-us/library/windows/desktop/dd442654(v=vs.85).aspx

Obtaining File System Recognition Information - https://msdn.microsoft.com/en-us/library/windows/desktop/dd442656(v=vs.85).aspx

Computing a File System Recognition Checksum - https://msdn.microsoft.com/en-us/library/windows/desktop/dd442649(v=vs.85).aspx