While doing some research on Linux forensics, I stumbled upon an excellent paper written by Gregorio Narvaez. The paper is titled, “Taking Advantage of EXT3 Journaling File System in a Forensic Investigation”. Those of you who have performed Linux forensics before know that the EXT3 filesystem dealt our field a serious blow with regard to file recovery. When a file was deleted in EXT2, the pointer to the file inode within the directory entry was removed. This severed the link between the file name layer and the meta-data layer, but all of the block pointers within the inode were maintained. Thus, we could fully recover deleted files, but could not tie them back to their original filenames. When EXT3 emerged, things took a nastier turn. Now, instead of removing the pointer to the inode when a file is deleted in EXT3, all of the block pointers within the inode are zeroed. This makes data recovery in EXT3 much, much more difficult. Luckily, the developers threw us a bone: the EXT3 journal keeps copies of recently modified inodes, including complete copies of the block pointers that were wiped on deletion!
Narvaez’s paper was written to satisfy the requirements for the SANS GCFA Gold certification (Forensics 508 course). It covers a technique for performing data recovery using the EXT3 journal. He demonstrates how to easily retrieve copies of inodes stored in the filesystem journal. Once you have a copy of the inode, you can simply follow all of the nicely archived block pointers that existed before the file was deleted. The Sleuth Kit (TSK) forensic tools are used in addition to built-in Linux capabilities like debugfs.
Historical Journal Entries
One of my favorite parts of Narvaez’s paper is the section labeled, “Time Machine Reloaded”. In this section he utilizes the fact that there may be multiple complete copies of an inode available for your files of interest. He details a simple technique for extracting and displaying these historical timestamps. Once you read this, you will never ignore the file system journal again!
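To make the two ideas above concrete (following the archived block pointers from a journal copy of the inode, and reading the historical timestamps each copy preserved), here is an added Python example that is not code from Narvaez’s paper or from TSK. It decodes ext2/ext3 inodes the way you would after pulling copies of an inode-table block out of the journal with jls/jcat, picks the newest copy that still carries block pointers, and lists the MAC/dtime values per copy; the inode number, block numbers, timestamps and the in-memory “journal” blocks are constructed sample data, not from a real image.

```python
import struct
from datetime import datetime, timezone

# ext2/ext3 on-disk inode, 128 bytes little-endian: mode, uid, size, atime, ctime,
# mtime, dtime, gid, links, blocks, flags, osd1, i_block[15], generation,
# file_acl, dir_acl, faddr, then 12 bytes of OS-specific padding.
INODE_FMT = "<HHIIIIIHHIII15IIIII12x"
INODE_SIZE = struct.calcsize(INODE_FMT)  # 128

def parse_inode(raw):
    """i_block[0:12] are direct pointers, [12]/[13]/[14] single/double/triple indirect."""
    f = struct.unpack(INODE_FMT, raw[:INODE_SIZE])
    keys = ("mode", "uid", "size", "atime", "ctime", "mtime", "dtime",
            "gid", "links", "blocks", "flags", "osd1")
    inode = dict(zip(keys, f[:12]))
    inode["i_block"] = list(f[12:27])
    return inode

def inode_from_table_block(block, inode_num, inodes_per_block=32):
    """Locate inode `inode_num` (1-based) inside a copy of its inode-table block."""
    idx = (inode_num - 1) % inodes_per_block
    return parse_inode(block[idx * INODE_SIZE:(idx + 1) * INODE_SIZE])

def recover_block_pointers(copies):
    """Oldest-first journal copies -> (direct, indirect) pointers from the newest
    copy that still has them; EXT3 zeroes i_block when the file is deleted."""
    for inode in reversed(copies):
        direct = [b for b in inode["i_block"][:12] if b]
        if direct:
            return direct, inode["i_block"][12:]
    return [], [0, 0, 0]

def timeline(copies):
    """'Time Machine' view: (mtime, ctime, dtime) that each journal copy preserved."""
    ts = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat() if t else "-"
    return [(ts(c["mtime"]), ts(c["ctime"]), ts(c["dtime"])) for c in copies]

def pack_inode(size, mtime, dtime, links, i_block):
    """Build a raw inode for the constructed sample below (not from a real disk)."""
    blk = (i_block + [0] * 15)[:15]
    return struct.pack(INODE_FMT, 0o100644, 1000, size, mtime, mtime, mtime, dtime,
                       1000, links, (size + 511) // 512, 0, 0, *blk, 0, 0, 0, 0)

# Constructed journal history of inode 13 (4 KiB blocks, 32 inodes per table block):
# created with 2 blocks, grown to 14 blocks (12 direct + 1 indirect), then deleted.
INODE_NUM = 13
def _table_block(raw_inode, idx=(INODE_NUM - 1) % 32):
    return (b"\0" * (idx * INODE_SIZE) + raw_inode).ljust(4096, b"\0")
JOURNAL_BLOCKS = [
    _table_block(pack_inode(8192, 1300000000, 0, 1, [1001, 1002])),
    _table_block(pack_inode(57344, 1300003600, 0, 1, list(range(1001, 1014)))),
    _table_block(pack_inode(0, 1300007200, 1300007200, 0, [])),
]
COPIES = [inode_from_table_block(b, INODE_NUM) for b in JOURNAL_BLOCKS]
```

The current (deleted) copy yields nothing, while the previous journal copy still gives every direct pointer plus the single-indirect block, which is exactly what you would hand to the block layer to carve the file back out.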
EXT3 File Recovery Using Indirect Blocks
If the journal doesn’t exist, or you arrived too late and relevant data has been purged, all is not lost! Hal Pomeranz has a great presentation on performing data recovery using the fact that EXT3 does not delete indirect pointers. Hal also talks about EXT4 and how that will change things once again.