http://dx.doi.org/10.13089/JKIISC.2013.23.3.417

File Carving for Ext4 File System on Android OS  

Kim, Dohyun (Center for Information Security Technologies, Korea University)
Park, Jungheum (Center for Information Security Technologies, Korea University)
Lee, Sangjin (Center for Information Security Technologies, Korea University)
Abstract
Many operating systems (OS), such as Linux and Android, have adopted Ext4 as their official file system. Recovering deleted files from Ext4 is therefore becoming a pressing issue. In this paper, we propose a way to recover deleted files based on an analysis of the overall structure of the Ext4 file system, a study of its metadata area, and the distinctive characteristics of file allocation and deletion. In particular, we focus on the characteristics of files allocated in the Ext4 file system on Android OS, and we also propose a method for recovering deleted, fragmented files from the unallocated area.
Keywords
Digital Forensics; Android Forensics; Ext4 File System; File Carving