EXT4 Journal & Inode Timestamps

linuxFilesystem & TimelineDisk Image

Location

Filesystem journal (internal to EXT4 partition) and inode metadata via stat/debugfs

Description

EXT4 filesystem journal recording metadata transactions for crash recovery, and inode timestamps including crtime (creation/birth time), mtime (modification), atime (access), and ctime (metadata change) with nanosecond precision.

Forensic Value

The EXT4 journal enables recovery of recently deleted file metadata including filenames, sizes, and timestamps. The crtime (birth time) is immune to manipulation via the touch command (which only modifies mtime/atime/ctime), making it reliable for determining when a file was truly created. Comparing crtime against mtime detects timestomping attempts. Journal replay using debugfs can recover inode data for deleted files within the journal window.

Tools Required

debugfsstatextundeleteSleuth Kit (istat, fls)Autopsy

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical