Article code: 4955665
Journal code: 1364636
Publication year: 2017
English article: 8-page PDF
Full-text version: free download
English title of the ISI article
Forensic analysis of deduplicated file systems
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Networks and Communications
English abstract

Deduplication splits files into fragments, which are stored in a chunk repository. Deduplication stores chunks that are common to multiple files only once. From a forensics point of view, a deduplicated device is very difficult to recover and it requires a specific knowledge of how this technology operates. Deduplication starts from a whole file, and transforms it in an organized set of fragments. In the recent past, it was reserved to datacenters, and used to reduce space for backups inside virtual tape library (VTL) devices. Now this technology is available in open source packages like OpenDedup, or directly as an operating system feature, as in Microsoft Windows Server or in ZFS. Recently Microsoft included this feature in Windows 10 Technical Preview. Digital investigation tools need to be improved to detect, analyze and recover the content of deduplicated file systems. Deduplication adds a layer to data access that needs to be investigated, in order to act correctly during seizure and further analysis. This research analyzes deduplication technology in the perspective of a digital forensic investigation.

Publisher
Database: Elsevier - ScienceDirect
Journal: Digital Investigation - Volume 20, Supplement, March 2017, Pages S99-S106