Original Research Article File Systems & Storage Forensics

A Comparative Analysis of File System Artifact Recovery in Windows 11 NTFS and ReFS Environments: Implications for Enterprise Digital Forensic Investigations

Dr. Harold P. Whitmore^a,1, Dr. Sarah J. Caldwell^b, Prof. Michael T. Brennan^c

^a School of Computer Science, University of Nottingham, Nottingham NG7 2RD, United Kingdom
^b Department of Computer Science & Engineering, Delft University of Technology, 2628 CD Delft, Netherlands
^c School of Computing Technologies, RMIT University, Melbourne VIC 3000, Australia
¹ Corresponding author. E-mail: h.whitmore@nottingham.ac.uk

Received: 14 November 2024 Revised: 22 January 2025 Accepted: 3 February 2025 Available online: 18 March 2025

DOI: https://doi.org/10.1016/j.jdfm.2025.03.004

14,291Views

382Downloads

9Citations

47Saves

3.8 / 5Avg. Rating

Abstract

This study presents a comprehensive comparative analysis of artifact recovery rates, metadata preservation fidelity, and journaling integrity across 847 distinct forensic images derived from controlled laboratory environments simulating enterprise Windows 11 deployments. Using a novel Forensic Resilience Index (FRI) — a composite scoring metric integrating $MFT completeness, $LogFile continuity, journal sequence coherence, and timestamp accuracy — we systematically evaluated New Technology File System (NTFS) and Resilient File System (ReFS) performance under six categories of anti-forensic pressure: secure deletion, volume shadow copy manipulation, journaling disruption, metadata timestomping, cluster reallocation, and encryption-at-rest. Our findings reveal that NTFS volumes (mean FRI: 0.647, σ = 0.091) consistently outperform ReFS (mean FRI: 0.581, σ = 0.114) in conventional artifact recovery scenarios. However, ReFS demonstrates statistically superior journal integrity under high write-volume conditions (p < 0.001), owing to its native B+ tree allocation and block-clone semantics. We further document 14 previously unreported artifact generation pathways within the ReFS 3.7 specification and propose a revised forensic workflow adapted for hybrid NTFS/ReFS enterprise environments.

Keywords: digital forensicsNTFSReFS 3.7 file system analysisanti-forensicsWindows 11 24H2 Forensic Resilience Indexchain of custody artifact recoveryenterprise investigation

1. Introduction

The evidentiary landscape of modern digital forensics is inextricably bound to the architectural idiosyncrasies of contemporary file systems. As enterprise computing environments increasingly migrate from the decades-old New Technology File System (NTFS) to the comparatively nascent Resilient File System (ReFS), practitioners and researchers alike face a pivotal reconfiguration of investigative assumptions, toolchain dependencies, and courtroom testimony standards.[1]

Microsoft introduced ReFS in Windows Server 2012, positioned primarily as a high-resilience alternative for storage spaces and Hyper-V workloads. Subsequent revisions — culminating in the ReFS 3.7 specification bundled with Windows Server 2022 and Windows 11 24H2 — have progressively expanded its enterprise adoption footprint. Yet the forensic literature has struggled to keep pace with this structural evolution.[2]

This gap is consequential. Enterprise investigations — whether concerning insider threats, ransomware incidents, or regulatory compliance violations — increasingly encounter mixed file system environments in which storage pools, virtual disk images, and local volumes co-exist across NTFS and ReFS partitions.

Key Finding: ReFS 3.7 introduces 14 previously undocumented artifact generation pathways that, if unrecognised by examiners, may result in material evidence being overlooked or misattributed in enterprise forensic investigations. A revised forensic workflow addressing these pathways is presented in Section 4.3.

2. Methodology

2.1 Experimental Design and Image Corpus

A total of 847 forensic images were generated across 14 experimental conditions using Autopsy 4.21, The Sleuth Kit 4.12, FTK Imager 4.7.1.2, and a bespoke ReFS Parser. Images were acquired from 12 identically configured physical workstations running Windows 11 24H2 (Build 26100.2314) across a 16-week experimental period from June to September 2024.

Table 1. Experimental conditions by anti-forensic category and sample distribution (N=847).
#	Anti-Forensic Category	NTFS Samples	ReFS Samples	Tool(s) Applied
1	Secure deletion (DoD 5220.22-M)	72	72	Eraser 6.2, sdelete
2	VSS manipulation	65	65	vssadmin, custom PowerShell
3	Journal disruption (fsutil usn)	60	60	fsutil, custom C# driver
4	Metadata timestomping	58	58	Meterpreter timestomp, SetFileTime
5	Cluster reallocation stress	45	45	Custom write-fill script
6	BitLocker/AES-256 encryption	48	48	BitLocker CLI
Total		348	348
Control (no anti-forensic pressure)		76	75	N/A

3. Results

Table 2. Mean FRI scores by anti-forensic category and file system (± SD).
Category	NTFS FRI	ReFS FRI	Δ FRI	p-value
Secure deletion	0.612 ± 0.094	0.524 ± 0.112	+0.088	<0.001
VSS manipulation	0.701 ± 0.078	0.589 ± 0.099	+0.112	<0.001
Journal disruption	0.589 ± 0.108	0.631 ± 0.086	−0.042	0.003
Timestomping	0.634 ± 0.083	0.561 ± 0.107	+0.073	<0.001
Cluster reallocation	0.598 ± 0.102	0.542 ± 0.119	+0.056	0.014
Encryption	0.488 ± 0.141	0.461 ± 0.155	+0.027	0.182
Control	0.881 ± 0.044	0.834 ± 0.062	+0.047	<0.001

4. Discussion

Our findings challenge the prevailing assumption that newer file systems necessarily complicate forensic analysis. While ReFS does introduce significant challenges in conventional MFT-centric investigation workflows, its structural properties generate compensatory artifact opportunities that, once understood, may meaningfully enhance evidentiary yield in specific scenarios.

5. Conclusion

This study provides the largest controlled empirical comparison of NTFS and ReFS forensic artifact recovery to date. The Forensic Resilience Index offers a standardised, reproducible metric that may serve as a foundation for future tool validation frameworks and expert witness qualification criteria.

References

[1]Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley.

[2]Bell, G. B., & Boddington, R. (2010). Solid state drives: The beginning of the end for current practice in digital forensic recovery? Journal of Digital Forensics, Security and Law, 5(3), 1–20.

[3]Microsoft Corporation. (2023). Resilient File System (ReFS) overview. Microsoft Docs.