The Microsoft ReFS File System

With the public beta release of Windows Server 8, Microsoft introduced an implementation of its Resiliant File System (ReFS). This page links to ReFS resources that include Microsoft documentation, forensic images of ReFS volumes, and disk structures. Please join me in reversing the on-disk layout of ReFS.

External Documentation

Sample Images

I’ve created and hosted a set of eight forensic images of a ReFS volume acquired after common file system activity. You can review their details and download the images here.

Disk Structures

Based on data gleaned from the sample images referenced in the previous section, the file system may use structures described here. A pseudo-C/010 Editor template formats each structure in this section. Of course, the contents of this section are subject to change pending additional research.

Memory Structures

This section describes structures that the ReFS.sys driver uses in memory to manipulate a ReFS file system. Its worth to explore these structures as they may be reused on disk. Of course, they could also be of interest to a forensic investigator with a memory image of a Server 2012 system.


Here is a list of terms that you should be familiar with (or help develop) as you get familiar with ReFS internals: