Time Table

In digital forensics, constructing filesystem timelines is crucial. However, conventional methods rely on MACB timestamps at disk image acquisition, which are limited to recent states and vulnerable to timestomping—and critical activity may be missed. Ext4 and XFS use journaling to protect against system crashes. These journals record low-level operations that, if decoded, provide chronological traces of past file activity without relying on standard metadata that are easier to modify. Despite open specifications, practical forensic tools for analyzing ext4 and XFS journals have been lacking. In this talk, I will introduce FJTA (Forensic Journal Timeline Analyzer), a new open-source tool designed to extract file activity from ext4 and XFS journals. I will explain journal structures, demonstrate how file operations can be reconstructed, and showcase examples of how this technique can supplement conventional forensic evidence—especially when timestamps are untrustworthy.