Purple dawn: dead disk forensics on Google's Fuchsia operating system

Fuchsia is the project name for a “modular, capability-based” operating system currently being developed by Google. There is speculation that Fuchsia may be a successor to the Android OS or a replacement for several other operating systems currently supported by the organisation. This paper examines the file systems found in this operating system and provides a breakdown of the content and structure of the unique volume manager and other partitions found on system. The findings outlined in this paper should allow digital investigators to expedite their understanding of the underlying data found on the platform. This paper also highlights how the zxcrypt encryption subsystem may inhibit the ability of practitioners to carry out an investigation of the MinFS partition. As Fuchsia is still in development, these findings are reliant on there not being significant changes made to structure of partitions examined. There remain unanswered questions regarding the content of the BootFS disk image found in the ZIRCON partition and the structure of entries within the Slice Allocation Table in the FVM.