Notifications

Clear all

Question on ext3/ext4 filesystem forensics

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Alistair 12 years ago

3 Posts

2 Users

0 Reactions

652 Views

RSS

Alistair

(@alistair)

Eminent Member

Joined: 12 years ago

Posts: 23

Topic starter 21/07/2013 8:20 pm

Hello,

I just read the SANS institute paper http//www.sans.org/reading_room/whitepapers/forensics/advantage-ext3-journaling-file-system-forensic-investigation_2011

In summary, the author recovers a deleted file's blocks through the ext3 journal and with the use of dd, manages to recover the entire file (the iNode of the file to be recovered was previously saved to simplify the proof of concept).

My question is, instead of going through this complicated procedure of tracking blocks, couldn't the author have just done a physical acquisition of the partition in question and run a file carving procedure on it?

What are the differences between these two methods?

Thanks!

Quote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

22/07/2013 4:15 am

Carving does not produce file names, file dates, or handle fragmented files.

Enough differences?

ReplyQuote

Alistair

(@alistair)

Eminent Member

Joined: 12 years ago

Posts: 23

Topic starter 23/07/2013 8:17 pm

Quite enough thanks )

ReplyQuote

Android Forensics

I have conducted a logical and partial extraction of a ...

By SgtAndroid , 2 days ago
Article: The Balance Between Digital Forensic Examiners And Digital Evidence Technicians: Expertise Vs. Efficiency

Can digital forensic labs cut backlogs without cutting ...

By Zoe , 3 days ago
Prefetch Question

Hello All, I have a question regarding Windows prefet...

By Forensic_Tester , 3 days ago

8 Forums
15.7 K Topics
92.3 K Posts
205 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed