SANS Digital Forensics and Incident Response Blog: Tag - EXT4

Understanding EXT4 (Part 5): Large Extents

Hal Pomeranz, Deer Run Associates I've received a lot of positive feedback from the forensics community about this series of articles, but what's really rewarding is when other forensics researchers teach me something I didn't know. I recently received an email from a colleague in Europe who was looking at the extent trees for a … Continue reading Understanding EXT4 (Part 5): Large Extents


How to Mount Dirty EXT4 File Systems

Hal Pomeranz, Deer Run Associates As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system- as is typical during forensic seizure- and the file system is still "dirty". In these cases, my technique involves … Continue reading How to Mount Dirty EXT4 File Systems


Understanding EXT4 (Part 4): Demolition Derby

Hal Pomeranz, Deer Run Associates In Part 3 of this series we looked at the EXT4 extent tree structure for dealing with very large or very fragmented files- basically any situation where you need more than the four extent structures available in the inode. Go back and read that part now if you haven't already, … Continue reading Understanding EXT4 (Part 4): Demolition Derby


Understanding EXT4 (Part 3): Extent Trees

Hal Pomeranz, Deer Run Associates There's one more big concept we need to cover before you can really start decoding EXT4 file systems. As I mentioned in Part 1 of this series, you can only have a maximum of 4 extent structures per inode. Furthermore, there are only 16 bits in each extent structure for … Continue reading Understanding EXT4 (Part 3): Extent Trees


Understanding EXT4 (Part 2): Timestamps

Hal Pomeranz, Deer Run Associates Well I certainly didn't plan on three months elapsing between my last post on EXT4 and this follow-up, but time marches on. That was supposed to be a clever segue into the topic for this installment- the new timestamp format in the EXT4 inode. OK, I know what you all … Continue reading Understanding EXT4 (Part 2): Timestamps