Forensic analysis of android phone using Ext4 file system journal log

Dohyun Kim, Jungheum Park, Keun Gi Lee, Sangjin Lee

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

17 Citations (Scopus)

Abstract

With the release of Android OS 2.3 (Gingerbread), Google replaced the existing file system, YAFFS2, with ext4 and adopted it as the official file system for Android phones. Ext4, the most widely used file system on Linux, not only supports large volumes and files but also provides fault tolerance through its journaling function, implemented by the JBD2 journaling layer. Every transaction that occurs in the file system is recorded in the journal log that this journaling function creates, and these transactions cover every kind of event (e.g., creating, deleting, and modifying). Therefore, by analyzing the journal log we can learn which files the Android user accessed and can recover deleted files by finding information about their previous state. Moreover, we can also analyze user actions by building a timeline from the timestamps recorded in the journal log. Based on these facts, this paper analyzes the journal log area of the ext4 file system and presents a tool, JDForensic, that extracts journal log data to recover deleted data and analyze user actions. This tool will be useful in the initial digital forensic investigation of an Android phone.
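The abstract describes the technique in one sentence: the ext4 journal (a JBD2 ring of descriptor, data and commit blocks) keeps a copy of every metadata block each transaction wrote, plus a commit timestamp, so older copies of an inode table or directory block can be pulled out and ordered into a timeline. The following Python is an added example that is not the paper's JDForensic tool and not code from the authors: it parses the JBD2 on-disk format (big-endian journal headers, 8- or 12-byte block tags, commit blocks with h_commit_sec), walks the whole ring rather than stopping where kernel replay would, and reconstructs per-block version history. The journal image it runs on is constructed in memory and is labelled as such; the file system block numbers, inode contents and timestamps in it are invented for illustration. It assumes a journal without the checksum features (the default for 2012-era kernels), which is stated in the comments.

```python
import struct
from datetime import datetime, timezone

# JBD2 on-disk constants; every multi-byte field in the journal is big-endian.
JBD2_MAGIC = 0xC03B3998
DESCRIPTOR, COMMIT, SUPERBLOCK_V1, SUPERBLOCK_V2 = 1, 2, 3, 4
FLAG_ESCAPE, FLAG_SAME_UUID, FLAG_LAST_TAG = 0x1, 0x2, 0x8
INCOMPAT_64BIT = 0x2


def header(block):
    """(blocktype, sequence) if the block starts with a JBD2 header, else (None, None)."""
    magic, btype, seq = struct.unpack_from(">III", block, 0)
    return (btype, seq) if magic == JBD2_MAGIC else (None, None)


def parse_superblock(journal):
    btype, _ = header(journal)
    if btype not in (SUPERBLOCK_V1, SUPERBLOCK_V2):
        raise ValueError("journal block 0 is not a JBD2 superblock")
    blocksize, maxlen, first, sequence, start = struct.unpack_from(">IIIII", journal, 12)
    incompat = struct.unpack_from(">I", journal, 40)[0]
    return dict(blocksize=blocksize, maxlen=maxlen, first=first,
                sequence=sequence, start=start, incompat=incompat)


def scan_journal(journal):
    """Group descriptor / journaled-copy / commit blocks by transaction id.

    Unlike kernel replay this does not stop at the superblock's expected sequence:
    stale transactions that were never overwritten are exactly the forensic evidence.
    Assumes no JBD2 checksum features (tag size 8, or 12 with the 64-bit feature)."""
    sb = parse_superblock(journal)
    bs, first, maxlen = sb["blocksize"], sb["first"], sb["maxlen"]
    tag_size = 12 if sb["incompat"] & INCOMPAT_64BIT else 8
    blk = lambda n: journal[n * bs:(n + 1) * bs]
    nxt = lambda n: first if n + 1 >= maxlen else n + 1   # the log is circular
    txns, pos, steps = {}, sb["start"] or first, 0
    while steps < maxlen - first:                          # visit every block once
        btype, seq = header(blk(pos))
        steps += 1
        if btype == DESCRIPTOR:
            t = txns.setdefault(seq, {"blocks": [], "commit": None})
            desc, off = blk(pos), 12
            while off + tag_size <= bs:
                fs_block, _csum, flags = struct.unpack_from(">IHH", desc, off)
                if tag_size == 12:
                    fs_block |= struct.unpack_from(">I", desc, off + 8)[0] << 32
                off += tag_size
                if not flags & FLAG_SAME_UUID:
                    off += 16                      # first tag carries the 16-byte fs UUID
                pos, steps = nxt(pos), steps + 1   # journaled copy follows the descriptor
                copy = bytearray(blk(pos))
                if flags & FLAG_ESCAPE:            # first word collided with the magic
                    struct.pack_into(">I", copy, 0, JBD2_MAGIC)
                t["blocks"].append((fs_block, bytes(copy)))
                if flags & FLAG_LAST_TAG:
                    break
        elif btype == COMMIT:
            sec, nsec = struct.unpack_from(">QI", blk(pos), 48)   # h_commit_sec, h_commit_nsec
            txns.setdefault(seq, {"blocks": [], "commit": None})["commit"] = (sec, nsec)
        pos = nxt(pos)
    return txns


def block_history(txns):
    """fs block number -> [(seq, commit, full block content)], oldest transaction first."""
    hist = {}
    for seq in sorted(txns):
        for fs_block, data in txns[seq]["blocks"]:
            hist.setdefault(fs_block, []).append((seq, txns[seq]["commit"], data))
    return hist


def timeline(txns):
    """(seq, UTC commit time or 'uncommitted', fs blocks touched) per transaction."""
    rows = []
    for seq in sorted(txns):
        c = txns[seq]["commit"]
        when = datetime.fromtimestamp(c[0], tz=timezone.utc).isoformat() if c else "uncommitted"
        rows.append((seq, when, [b for b, _ in txns[seq]["blocks"]]))
    return rows


def build_sample_journal(bs=1024, maxlen=16):
    """Constructed journal image (not from a real device). Txn 7 writes an inode-table block
    and a directory block; txn 8 rewrites the inode-table block after an unlink and journals
    a block whose first word equals the magic; txn 9 has no commit block (in flight)."""
    uuid = bytes(range(16))
    pad = lambda b: b + bytes(bs - len(b))
    hdr = lambda btype, seq: struct.pack(">III", JBD2_MAGIC, btype, seq)

    def txn(seq, tags, commit_sec=None):
        desc, copies = hdr(DESCRIPTOR, seq), []
        for i, (fs_block, payload) in enumerate(tags):
            copy, flags = bytearray(pad(payload)), (FLAG_SAME_UUID if i else 0)
            if i == len(tags) - 1:
                flags |= FLAG_LAST_TAG
            if copy[:4] == struct.pack(">I", JBD2_MAGIC):
                flags |= FLAG_ESCAPE
                copy[:4] = bytes(4)
            desc += struct.pack(">IHH", fs_block, 0, flags) + (b"" if i else uuid)
            copies.append(bytes(copy))
        blocks = [pad(desc)] + copies
        if commit_sec is not None:
            blocks.append(pad(hdr(COMMIT, seq) + bytes(36) + struct.pack(">QI", commit_sec, 0)))
        return blocks

    sb = pad(hdr(SUPERBLOCK_V2, 0) + struct.pack(">IIIII", bs, maxlen, 1, 7, 1) + bytes(16) + uuid)
    inode_v1 = b"inode 12: secret.txt size=2048 dtime=0"           # invented inode-table content
    inode_v2 = b"inode 12: secret.txt size=0 dtime=1340000300"     # same block after unlink
    dirent = b"dirent: secret.txt -> inode 12"
    escaped = struct.pack(">I", JBD2_MAGIC) + b" block whose first word matches the magic"
    blocks = [sb] + txn(7, [(1234, inode_v1), (5678, dirent)], 1340000000) \
                  + txn(8, [(1234, inode_v2), (4321, escaped)], 1340000300) \
                  + txn(9, [(5678, dirent)])
    journal = b"".join(blocks)
    return journal + bytes(bs * maxlen - len(journal))


if __name__ == "__main__":
    txns = scan_journal(build_sample_journal())
    for row in timeline(txns):
        print(row)
    for seq, _, data in block_history(txns)[1234]:
        print(seq, data.rstrip(b"\0"))   # two versions of the inode-table block, pre- and post-delete
```

On a real image the journal has to be carved out first: for an internal journal it is inode 8 of the ext4 file system, which `debugfs -R "dump <8> journal.bin" userdata.img` writes out (and `debugfs -R logdump userdata.img` prints a quick summary of). Two caveats a practitioner should keep in mind: the ring is small by default (tens of megabytes), so only the most recent transactions survive and the oldest copies are overwritten first; and newer kernels enable the 64-bit and metadata-checksum (CSUM_V3) features, which change the tag layout to 16 bytes and add a checksum tail to descriptor and commit blocks, none of which this example handles.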

Original language: English
Title of host publication: Lecture Notes in Electrical Engineering
Pages: 435-446
Number of pages: 12
Volume: 164 LNEE
Edition: VOL. 1
DOI: https://doi.org/10.1007/978-94-007-4516-2_44
Publication status: Published - 2012 Oct 9
Event: 7th FTRA International Conference on Future Information Technology, FutureTech 2012 - Vancouver, BC, Canada
Duration: 2012 Jun 26 to 2012 Jun 28

Publication series

Name: Lecture Notes in Electrical Engineering
Number: VOL. 1
Volume: 164 LNEE
ISSN (Print): 1876-1100
ISSN (Electronic): 1876-1119

Other

Other: 7th FTRA International Conference on Future Information Technology, FutureTech 2012
Country: Canada
City: Vancouver, BC
Period: 12/6/26 to 12/6/28

Fingerprint

  • Fault tolerance
  • Digital forensics
  • Linux

Keywords

  • Analysis of user actions
  • Android phone
  • Data recovery
  • Digital forensics
  • Ext4 file system
  • Journal log

ASJC Scopus subject areas

  • Industrial and Manufacturing Engineering

Cite this

Kim, D., Park, J., Lee, K. G., & Lee, S. (2012). Forensic analysis of android phone using Ext4 file system journal log. In Lecture Notes in Electrical Engineering (VOL. 1 ed., Vol. 164 LNEE, pp. 435-446). (Lecture Notes in Electrical Engineering; Vol. 164 LNEE, No. VOL. 1). https://doi.org/10.1007/978-94-007-4516-2_44

@inproceedings{aabca7f5db964909b426c04305b3521a,
title = "Forensic analysis of android phone using Ext4 file system journal log",
abstract = "With the release of Android OS 2.3 (Gingerbread), Google replaced the existing file system, YAFFS2, with ext4 and adopted it as the official file system for Android phones. Ext4, the most widely used file system on Linux, not only supports large volumes and files but also provides fault tolerance through its journaling function, implemented by the JBD2 journaling layer. Every transaction that occurs in the file system is recorded in the journal log that this journaling function creates, and these transactions cover every kind of event (e.g., creating, deleting, and modifying). Therefore, by analyzing the journal log we can learn which files the Android user accessed and can recover deleted files by finding information about their previous state. Moreover, we can also analyze user actions by building a timeline from the timestamps recorded in the journal log. Based on these facts, this paper analyzes the journal log area of the ext4 file system and presents a tool, JDForensic, that extracts journal log data to recover deleted data and analyze user actions. This tool will be useful in the initial digital forensic investigation of an Android phone.",
keywords = "Analysis of user actions, Android phone, Data recovery, Digital forensics, Ext4 file system, Journal log",
author = "Dohyun Kim and Jungheum Park and Lee, {Keun Gi} and Sangjin Lee",
year = "2012",
month = "10",
day = "9",
doi = "10.1007/978-94-007-4516-2_44",
language = "English",
isbn = "9789400745155",
volume = "164 LNEE",
series = "Lecture Notes in Electrical Engineering",
number = "VOL. 1",
pages = "435--446",
booktitle = "Lecture Notes in Electrical Engineering",
edition = "VOL. 1",

}

TY - GEN

T1 - Forensic analysis of android phone using Ext4 file system journal log

AU - Kim, Dohyun

AU - Park, Jungheum

AU - Lee, Keun Gi

AU - Lee, Sangjin

PY - 2012/10/9

Y1 - 2012/10/9

N2 - With the release of Android OS 2.3 (Gingerbread), Google replaced the existing file system, YAFFS2, with ext4 and adopted it as the official file system for Android phones. Ext4, the most widely used file system on Linux, not only supports large volumes and files but also provides fault tolerance through its journaling function, implemented by the JBD2 journaling layer. Every transaction that occurs in the file system is recorded in the journal log that this journaling function creates, and these transactions cover every kind of event (e.g., creating, deleting, and modifying). Therefore, by analyzing the journal log we can learn which files the Android user accessed and can recover deleted files by finding information about their previous state. Moreover, we can also analyze user actions by building a timeline from the timestamps recorded in the journal log. Based on these facts, this paper analyzes the journal log area of the ext4 file system and presents a tool, JDForensic, that extracts journal log data to recover deleted data and analyze user actions. This tool will be useful in the initial digital forensic investigation of an Android phone.

AB - With the release of Android OS 2.3 (Gingerbread), Google replaced the existing file system, YAFFS2, with ext4 and adopted it as the official file system for Android phones. Ext4, the most widely used file system on Linux, not only supports large volumes and files but also provides fault tolerance through its journaling function, implemented by the JBD2 journaling layer. Every transaction that occurs in the file system is recorded in the journal log that this journaling function creates, and these transactions cover every kind of event (e.g., creating, deleting, and modifying). Therefore, by analyzing the journal log we can learn which files the Android user accessed and can recover deleted files by finding information about their previous state. Moreover, we can also analyze user actions by building a timeline from the timestamps recorded in the journal log. Based on these facts, this paper analyzes the journal log area of the ext4 file system and presents a tool, JDForensic, that extracts journal log data to recover deleted data and analyze user actions. This tool will be useful in the initial digital forensic investigation of an Android phone.

KW - Analysis of user actions

KW - Android phone

KW - Data recovery

KW - Digital forensics

KW - Ext4 file system

KW - Journal log

UR - http://www.scopus.com/inward/record.url?scp=84867049200&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84867049200&partnerID=8YFLogxK

U2 - 10.1007/978-94-007-4516-2_44

DO - 10.1007/978-94-007-4516-2_44

M3 - Conference contribution

AN - SCOPUS:84867049200

SN - 9789400745155

VL - 164 LNEE

T3 - Lecture Notes in Electrical Engineering

SP - 435

EP - 446

BT - Lecture Notes in Electrical Engineering

ER -