The Journal of the ext3 Filesystem

By Andreas Schuster on December 12, 2007 4:00 PM | 1 Comment

In his paper Taking advantage of Ext3 journaling file system in a forensic investigation Gregorio Narváez describes the journal of the ext3 filesystem.

Information recorded in the journal helps to recover deleted files. Also the data enables an examiner to build a detailed timeline of events. Inodes tell only the last modification and the last access time. The file system's journal, however, can store many of these events for a single file.

13/12/2007: Changed the link. Hopefully the new one will last a bit longer. Thanks to Sebastien for the hint!

Categories:

Tags:

1 Comment

Sebastien | December 13, 2007 2:28 PM

Here's the good link for the paper:
http://www.sans.org/reading_room/whitepapers/forensics/2011.php

Sebastien

Search

Deutsch

Deutschsprachige Ausgabe

Recent Entries

Tag Cloud

Categories

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12