Abstract
Journaling is a relatively new feature of modern file systems that is not yet exploited by most digital forensic tools. A file system journal caches data to be written to the file system to ensure that it is not lost in the event of a power loss or system malfunction. Analysis of journal data can identify which files were overwritten recently. Indeed, under the right circumstances, analyzing a file system journal can reveal deleted files and previous versions of files without having to review the hex dump of a drive. This paper discusses data recovery from ReiserFS and ext3, two popular journaled file systems. It also describes a Java-based tool for analyzing ext3 file system journals and recovering data pertaining to overwritten and deleted files.
© 2007 International Federation for Information Processing
Cite this paper
Swenson, C., Phillips, R., Shenoi, S. (2007). File System Journal Forensics. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_16
DOI: https://doi.org/10.1007/978-0-387-73742-3_16
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3
eBook Packages: Computer Science (R0)