CODE BLUE 2025

Uncovering the Past: Reconstructing File Activity from Ext4 and XFS Journals

DAY 2

14:00-14:40

Constructing a filesystem timeline is a central task in digital forensics. Conventional methods rely on the MACB timestamps present in file metadata at the time the disk image is acquired; those timestamps reflect only the most recent state of each file and are vulnerable to timestomping, so critical activity may be missed. Ext4 and XFS use journaling to protect against system crashes. Their journals record low-level operations that, once decoded, provide chronological traces of past file activity without relying on the standard metadata that is easier to modify. Although both formats have open specifications, practical forensic tools for analyzing ext4 and XFS journals have been lacking. In this talk, I will introduce FJTA (Forensic Journal Timeline Analyzer), a new open-source tool designed to extract file activity from ext4 and XFS journals. I will explain the journal structures, demonstrate how file operations can be reconstructed from them, and show examples of how this technique can supplement conventional forensic evidence, especially when timestamps are untrustworthy.
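To make the ext4 side of the argument concrete, the following Python walks a JBD2 journal (the journal format ext4 uses) and lists every committed transaction with its commit time and the filesystem blocks it wrote. This is an added illustration written for this page, not code from the talk or from FJTA. It assumes the journal has neither the 64BIT nor the CSUM_V3 feature (so a descriptor tag is the 8-byte t_blocknr/t_checksum/t_flags form, followed by a 16-byte UUID unless SAME_UUID is set), and the sample journal it parses is constructed inline with a 1024-byte block size; the block numbers, timestamps and "inode-table" payloads in it are made up.

```python
"""Walk a JBD2 (ext4) journal and list committed transactions.

Added example for this page, not part of FJTA. Constructed input; the
tag layout assumes no 64BIT and no CSUM_V3 journal features.
"""
import struct

JBD2_MAGIC = 0xC03B3998
DESCRIPTOR, COMMIT, SB_V1, SB_V2, REVOKE = 1, 2, 3, 4, 5
FLAG_ESCAPE, FLAG_SAME_UUID, FLAG_DELETED, FLAG_LAST_TAG = 1, 2, 4, 8

HDR = struct.Struct(">III")   # journal_header_t: h_magic, h_blocktype, h_sequence
TAG = struct.Struct(">IHH")   # journal_block_tag_t (8 bytes): t_blocknr, t_checksum, t_flags
SB_FIELDS = struct.Struct(">IIIII")  # s_blocksize, s_maxlen, s_first, s_sequence, s_start
COMMIT_TIME = struct.Struct(">QI")   # h_commit_sec, h_commit_nsec


def parse_header(block):
    """Return (blocktype, sequence) if the block carries a JBD2 header, else None."""
    magic, btype, seq = HDR.unpack_from(block, 0)
    return (btype, seq) if magic == JBD2_MAGIC else None


def parse_superblock(block):
    """Decode the fields of the journal superblock the walker needs."""
    bs, maxlen, first, sequence, start = SB_FIELDS.unpack_from(block, HDR.size)
    # s_start == 0 means the journal was cleanly unmounted; old transactions
    # still sit in the blocks until they are overwritten, which is the point
    # for forensics.
    return {"blocksize": bs, "maxlen": maxlen, "first": first,
            "sequence": sequence, "start": start}


def parse_descriptor_tags(block, blocksize):
    """Return [(fs_block, flags), ...] for the tags in a descriptor block."""
    off, tags = HDR.size, []
    while off + TAG.size <= blocksize:
        blocknr, _csum, flags = TAG.unpack_from(block, off)
        off += TAG.size
        if not flags & FLAG_SAME_UUID:
            off += 16  # a 16-byte filesystem UUID follows this tag
        tags.append((blocknr, flags))
        if flags & FLAG_LAST_TAG:
            break
    return tags


def parse_commit(block):
    """Commit time: after the 12-byte header, 4 bytes of checksum type/size/padding
    and 32 bytes of h_chksum, then h_commit_sec (u64) and h_commit_nsec (u32)."""
    return COMMIT_TIME.unpack_from(block, HDR.size + 4 + 32)


def replay(journal):
    """Walk every block from s_first to s_maxlen, ignoring s_start, and return
    [(sequence, commit_sec, [fs_blocks]), ...] for each complete transaction."""
    hdr = parse_header(journal[:HDR.size])
    if hdr is None or hdr[0] not in (SB_V1, SB_V2):
        raise ValueError("not a JBD2 journal superblock")
    sb = parse_superblock(journal[:64])
    bs = sb["blocksize"]
    txns, pending, i = [], None, sb["first"]
    while i < sb["maxlen"]:
        block = journal[i * bs:(i + 1) * bs]
        hdr = parse_header(block)
        if hdr is None:        # data block outside a descriptor, or unused space
            i += 1
            continue
        btype, seq = hdr
        if btype == DESCRIPTOR:
            tags = parse_descriptor_tags(block, bs)
            pending = (seq, [blk for blk, _ in tags])
            i += 1 + len(tags)  # the tagged data blocks follow the descriptor
        elif btype == COMMIT:
            sec, _nsec = parse_commit(block)
            if pending is not None and pending[0] == seq:
                txns.append((seq, sec, pending[1]))
            pending = None
            i += 1
        else:                  # revoke blocks and anything else: skip
            i += 1
    return sorted(txns)


def _pad(b, n):
    return b + b"\0" * (n - len(b))


def build_sample_journal(blocksize=1024):
    """Constructed 8-block journal: two transactions, seq 7 and 8, journal marked clean."""
    uuid = bytes(range(16))

    def hdr(btype, seq):
        return HDR.pack(JBD2_MAGIC, btype, seq)

    def desc(seq, fsblocks):
        body = hdr(DESCRIPTOR, seq)
        for n, blk in enumerate(fsblocks):
            flags = (FLAG_SAME_UUID if n else 0) | (FLAG_LAST_TAG if n == len(fsblocks) - 1 else 0)
            body += TAG.pack(blk, 0, flags)
            if not flags & FLAG_SAME_UUID:
                body += uuid
        return _pad(body, blocksize)

    def commit(seq, sec):
        return _pad(hdr(COMMIT, seq) + bytes(4 + 32) + COMMIT_TIME.pack(sec, 0), blocksize)

    sb = _pad(hdr(SB_V2, 0) + SB_FIELDS.pack(blocksize, 8, 1, 9, 0), blocksize)
    data = lambda payload: _pad(payload, blocksize)
    return b"".join([
        sb,
        desc(7, [0x100, 0x201]), data(b"inode-table-v1"), data(b"dir-block-v1"), commit(7, 1700000000),
        desc(8, [0x100]), data(b"inode-table-v2"), commit(8, 1700000600),
    ])


if __name__ == "__main__":
    for seq, sec, blocks in replay(build_sample_journal()):
        print(f"txn {seq} committed at {sec}: fs blocks {[hex(b) for b in blocks]}")
```

Two things the walk shows that inode timestamps alone do not: the commit block carries its own wall-clock time (h_commit_sec), set by the kernel at commit rather than copied from any file, and block 0x100 appears in both transactions, so the journal still holds the earlier copy of that metadata block even though the superblock says the journal is clean. On a real image the journal is ext4 inode 8 (or an external device), and tag size must be chosen from the superblock's incompat feature flags before parsing descriptors.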

  • Location: Track 3 (Room 3)

  • Category: Bluebox

Speakers

    Minoru Kobayashi

    小林 稔

    Minoru Kobayashi is a forensic investigator and CSIRT member at Internet Initiative Japan Inc. His primary research interests are Windows, macOS and Linux digital forensics. He has presented his work at conferences such as Black Hat USA 2018 Briefings, FIRST Technical Colloquium, and JSAC (2018, 2020, 2022).