Ext4 File Recovery › IT Security Infrastructures Lab

Abstract

In forensic computing, especially in the field of postmortem file system forensics, the reconstruction of lost or deleted files plays a major role. The techniques that can be applied to this end strongly depend on the specifics of the file system in question. Various file systems are already well-investigated, such as FAT16/32, NTFS for Microsoft Windows systems and Ext2/3 as the most relevant file system for Linux systems.
There also exist tools, such as the famous Sleuthkit, that provide file recovery features for those file systems by interpreting the file system internal data structures.
In case of an Ext file system, the interpretation of the so-called superblock is essential to interpret the data. The Ext4 file system can mainly be analyzed with the tools and techniques that have been developed for its predecessor Ext3, because most principles and internal structures remained unchanged. However, a few innovations have been implemented that have to be considered for file recovery.
In this paper, we investigate those changes with respect to forensic file recovery and develop a novel approach to identify files in an Ext4 file system even in cases where the superblock is corrupted or overwritten, e.g. because of a re-formatting of the volume. Our approach applies heuristic search patterns for utilizing methods of file carving and combines them with metadata analysis. We implemented our approach as a proof of concept and integrated it into the Sleuthkit framework.

Description

The developed tool can be used to reconstruct data from Ext4 file systems. Only regular files and directories are taken into account from this tool. All relevant parameters of the Ext4 file system and search patterns (e.g. time stamps of files) can be configured in a file within the Sleuthkit framework. If nothing is specified default values are applied.

Additionally, two different modes for the reconstruction can be chosen: content data and meta data mode. The content data mode can be used if no information about the file system is known, but it can only reconstruct the content of files and no meta data along with it. The meta data mode on the other hand is capable of reconstruction the whole directory structure of the file system along with all file names. This can only be done if the parameters of the Ext4 file system are known.

The Sourcecode and a README can be downloaded here.

The tool was implemented by Sabine Seufert during her Master Thesis under guidance of Andreas Dewald. Any questions can be addressed to both.