Ext4

Abstract

The Ext4 file system is often used by Android cell phones and by Linux distributions. As a mobile forensic expert, it is necessary to understand the structures of this file system to recover data, verify tool results, and detect anti-forensics techniques that may be present in the file system. In this chapter, we will have a deep dive into topics important for an investigation. Many digital forensic tools do not recover much from the Ext4 file system [52], and therefore we show some of the most useful Ext4 recovery techniques proposed by current research. The Ext4 file system is often used by Android1 operating systems, and also by Linux desktop distributions [14], and this file system is open source. The Ext4 file system replaces the Ext2 and Ext3, but it is mostly backwards compatible. Carrier described Ext2 and Ext3 in his File System forensic analysis book [10], which includes information also relevant for Ext4. Fairbanks describes the Ext4 file system at a low level and from a Digital Forensics perspective. This chapter will describe file system information important for mobile forensic investigators and other digital forensic experts.