I was looking for the exact differences between the Linux file systems EXT2 and EXT3, other than journaling, when I came across Wesley McGrew’s lecture about ext2/3 forensics. Keep in mind the lecture should be thought of as an Introduction to ext2/3 forensics.
It should be helpful for forensics or to retrieve data from a failing drive.
Tommorow at 8:00AM, I will be giving a lecture to the CSE 4273/6273 Computer Crime and Forensics class here at Mississippi State University. I was asked to speak on the topic of “Linux Filesystems”, and I have chosen to focus on the ext2 and ext3 filesystem data structures. The class is using the excellent “File System Forensic Analysis” by Brian Carrier as its textbook, so it’s a great opportunity to cover the chapters on ext2/3 (chapters 14 & 15).
It’s a 50-minute class, and pretty strictly so, since the Information and Computer Security class is held immediately afterwards :). Due to the limited time I have, I’ve scaled back my coverage of these two chapters to what you see in the following slides. I’m focusing on the basic data structures used by “extx” to point at files and metadata, such as the superblock, group descriptor tables, and inodes. I’ve included an example of finding a file on a filesystem using only dd piped through xxd and less, and some discussion of what a forensic examiner or someone tasked with data recovery should be on the look-out for.
Unfortunately with this PDF version of the slides, you won’t see the slick Keynote animations I’ve worked into my lecture. I’m considering expanding the detail and coverage of this, and recording the slideshow as a video with narration for this site: