EXT4 Journal & Inode Timestamps

Linux, Filesystem & Timeline, Disk Image

Location

Filesystem journal (an internal file of the EXT4 partition, normally inode 8, or an external journal device) and inode metadata read via stat or debugfs

Description

EXT4 filesystem journal recording metadata transactions for crash recovery (with the default data=ordered mount option only metadata is journaled, not file contents), and inode timestamps including crtime (creation/birth time), mtime (content modification), atime (access), and ctime (inode/metadata change). Nanosecond precision and crtime are stored in the extra inode fields and therefore exist only on filesystems formatted with 256-byte inodes (the ext4 default; mke2fs falls back to 128-byte inodes on very small filesystems, where timestamps are second-granular and crtime is absent).

Forensic Value

Journal blocks captured with debugfs logdump include inode-table and directory blocks from recent transactions, so metadata of recently deleted files (names, sizes, timestamps, block pointers) can often be recovered for as long as those transactions remain in the journal. crtime (birth time) cannot be changed through touch, utimensat or any other standard file interface: those calls set only mtime and atime, and the kernel stamps ctime with the current time on every inode change. crtime can, however, be rewritten by anyone with write access to the raw device (debugfs -w set_inode_field), and a copied or re-extracted file gets a fresh crtime, so it records when this inode was created rather than when the content originated. An mtime earlier than crtime is therefore a strong timestomping indicator, with the caveat that cp -p, rsync -a and archive extraction legitimately preserve an older mtime on a newly born inode. Two further checks help: an mtime later than ctime does not arise from normal operation (every write updates both) and points to a future-dated mtime or a clock change, and on a filesystem that stores nanoseconds a timestamp with a zero fractional part is typical of a value set explicitly (touch -d with a whole-second date) rather than by the kernel.

Tools Required

debugfs, stat, extundelete, Sleuth Kit (istat, fls), Autopsy

Collection Commands

stat

find /home /tmp /var -type f -exec stat --format="%n|%w|%y|%z|%x" {} \; > /forensics/output/inode_timestamps.txt
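An added example (not part of the original page) that reads lines in exactly the %n|%w|%y|%z|%x layout produced by the stat command above and applies the crtime/mtime comparison together with two further indicators: an mtime newer than ctime, and whole-second mtime/atime values on a filesystem that demonstrably stores nanoseconds. The sample lines are constructed for illustration, not real collection output; the reason strings and function names are the example's own.

```python
import calendar
from datetime import datetime

# Constructed sample in the layout of: stat --format="%n|%w|%y|%z|%x"
# (name | crtime | mtime | ctime | atime). Not real collection output.
SAMPLE_STAT_LINES = [
    "/home/alice/notes.txt|2024-03-10 09:15:42.117430265 +0000|2024-03-12 14:03:07.551920114 +0000|"
    "2024-03-12 14:03:07.551920114 +0000|2024-03-13 08:00:01.004117229 +0000",
    # mtime/atime set to a whole second in 2019 on a file born in 2024: classic touch -d
    "/usr/local/bin/helper|2024-03-14 22:41:09.836115002 +0000|2019-06-01 00:00:00.000000000 +0000|"
    "2024-03-14 22:41:10.102223341 +0000|2019-06-01 00:00:00.000000000 +0000",
    # crtime unavailable (128-byte inodes, or a stat build without statx support)
    "/tmp/build.log|-|2024-03-14 21:10:55.330102771 +0000|2024-03-14 21:10:55.330102771 +0000|"
    "2024-03-14 21:10:55.330102771 +0000",
    # mtime pushed into the future relative to ctime, again with zero nanoseconds
    "/opt/app/config.yml|2024-03-01 10:00:00.201948117 +0000|2024-03-20 10:00:00.000000000 +0000|"
    "2024-03-05 12:30:44.119384710 +0000|2024-03-05 12:30:44.119384710 +0000",
]

# Reason strings used by the checks below (names chosen for this example).
R_NO_CRTIME = "crtime unavailable"
R_MTIME_BEFORE_CRTIME = "mtime predates crtime"
R_MTIME_AFTER_CTIME = "mtime later than ctime"
R_ZERO_NS_MTIME = "mtime has zero nanoseconds"
R_ZERO_NS_ATIME = "atime has zero nanoseconds"


def parse_stat_ts(field):
    """Parse a stat %w/%x/%y/%z field into (epoch_seconds, nanoseconds); None for '-'."""
    if field == "-":
        return None
    date, clock, tz = field.split()
    whole, _, frac = clock.partition(".")
    nanos = int(frac.ljust(9, "0")) if frac else 0
    dt = datetime.strptime(f"{date} {whole} {tz}", "%Y-%m-%d %H:%M:%S %z")
    return calendar.timegm(dt.utctimetuple()), nanos


def to_ns(ts):
    return ts[0] * 10**9 + ts[1]


def parse_stat_line(line):
    # rsplit keeps a '|' inside the file name intact: the last four fields are timestamps.
    name, birth, mtime, ctime, atime = line.rstrip("\n").rsplit("|", 4)
    return {"name": name, "crtime": parse_stat_ts(birth), "mtime": parse_stat_ts(mtime),
            "ctime": parse_stat_ts(ctime), "atime": parse_stat_ts(atime)}


def check_entry(e):
    reasons = []
    cr, m, c, a = e["crtime"], e["mtime"], e["ctime"], e["atime"]
    if cr is None:
        reasons.append(R_NO_CRTIME)
    else:
        if to_ns(m) < to_ns(cr):
            reasons.append(R_MTIME_BEFORE_CRTIME)
        # Only judge zero nanoseconds when crtime proves the filesystem stores them.
        if cr[1] != 0:
            if m[1] == 0:
                reasons.append(R_ZERO_NS_MTIME)
            if a[1] == 0:
                reasons.append(R_ZERO_NS_ATIME)
    # A normal write stamps ctime at the same instant as mtime, never earlier.
    if to_ns(m) > to_ns(c):
        reasons.append(R_MTIME_AFTER_CTIME)
    return reasons


def analyze(lines):
    """Map each file name to the list of indicators raised for it ([] when clean)."""
    entries = (parse_stat_line(l) for l in lines if l.strip())
    return {e["name"]: check_entry(e) for e in entries}


if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_STAT_LINES).items():
        print(f"{name}: {', '.join(reasons) or 'no indicators'}")
```

The zero-nanosecond check is gated on crtime carrying a non-zero fractional part, so a filesystem with 128-byte inodes (all timestamps whole seconds) does not flood the output; it will not catch touch -r, which copies the reference file's nanoseconds.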

debugfs

debugfs -R "logdump -a" /dev/sda1 > /forensics/output/ext4_journal.txt

find

find / -newerct "2024-01-01" -not -newerct "2024-12-31" -ls > /forensics/output/files_created_in_range.txt

fls

fls -r -m "/" /dev/sda1 > /forensics/output/fls_timeline.txt

Collection Constraints

  • crtime and nanosecond timestamps exist only on filesystems formatted with 256-byte inodes (the ext4 default; mke2fs uses 128-byte inodes for very small filesystems). On 128-byte inodes stat prints "-" for %w and every timestamp is second-granular, so zero-nanosecond values mean nothing there.
  • stat %w and find -newerBt need birth-time support end to end (statx: kernel 4.11+, glibc 2.28+, coreutils 8.31+, and a findutils build that reads birth time through it). Older tools print "-" or refuse the birth-time test instead of silently falling back; check before interpreting an empty result.
  • The journal is a fixed-size ring and, with the default data=ordered mount option, carries metadata only: deleted-file recovery from it covers recent transactions, not file contents. logdump -O additionally prints entries already checkpointed out of the active log.
  • Collect from an image or a read-only mount where possible. With relatime (the default) atime is updated only when older than mtime/ctime or more than a day old, so an atime that does move is significant; find / also crosses into other mounted filesystems unless -xdev is added.
  • Paths vary by distribution and installed packages. Validate the active distro and service set before treating an absent file or path as meaningful.

MITRE ATT&CK Techniques

T1070.006 (Indicator Removal: Timestomp), T1070.004 (Indicator Removal: File Deletion), T1083 (File and Directory Discovery)