Forensic Analysis of Android Phone Using Ext4 File System Journal Log

With the release of Android OS 2.3 (Gingerbread), Google replaced the existing file system, YAFFS2, with ext4 and adopted it as the official file system for Android phones. Ext4, the most widely used file system on Linux, not only supports large volumes and files but also provides fault tolerance through journaling: each metadata transaction is first written to the journal (managed by the JBD2 journaling layer) and only then applied to the file system. The journal therefore keeps a record of the file-system events behind every transaction (creating, deleting, and modifying files), with the caveat that in ext4's default data=ordered mode only metadata blocks (inodes, directory entries, bitmaps) are journaled, not file contents. By analyzing the journal we can learn which files the Android user accessed; we can recover deleted files by locating the earlier versions of their inodes and directory entries that the journal still holds; and, because every commit block carries a timestamp, we can build a timeline of user actions. Based on these facts, in this paper we analyze the journal area of the ext4 file system and develop a tool, JDForensic, that extracts the journal data to recover deleted data and analyze user actions. The tool is intended for the initial stage of a digital forensic investigation of an Android phone.
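To make the journal-analysis idea concrete, the following is an added example (not JDForensic and not code from the paper): a minimal JBD2 journal walker in Python that parses the journal superblock, descriptor blocks, and commit blocks, groups the journaled copies of file-system blocks into committed transactions with their commit timestamps, and then pulls the link count and deletion time out of an ext4 inode so that successive journaled versions of one inode-table block show a file going from live to deleted. The journal image is constructed inline for the demonstration: two transactions, the second of which unlinks the inode that the first created. It assumes a 1 KiB journal block size and a journal without the 64BIT or checksum features, does not handle journal wrap-around, and treats offset 0 of the sample block as the inode of interest; on a real device you would first carve the internal journal (ext4 inode 8) out of the userdata partition, and the block size is usually 4 KiB.

```python
"""Minimal JBD2 journal walker for forensic triage (added example, not JDForensic).

jbd2 on-disk structures are big-endian; ext4 inode fields are little-endian.
Assumptions: 1 KiB journal blocks, no 64BIT/CSUM features, no wrap-around.
"""
import struct

JBD2_MAGIC = 0xC03B3998
DESCRIPTOR, COMMIT, SUPERBLOCK_V1, SUPERBLOCK_V2, REVOKE = 1, 2, 3, 4, 5
FLAG_ESCAPE, FLAG_SAME_UUID, FLAG_DELETED, FLAG_LAST_TAG = 1, 2, 4, 8


def _block(img, n, bsize):
    return img[n * bsize:(n + 1) * bsize]


def parse_journal(img):
    """Return committed transactions (oldest first) as dicts: seq, commit_time, blocks."""
    magic, btype, _hseq, bsize, maxlen, first, _seq, _start = struct.unpack_from(">8I", img, 0)
    if magic != JBD2_MAGIC or btype not in (SUPERBLOCK_V1, SUPERBLOCK_V2):
        raise ValueError("not a jbd2 journal superblock")
    # Forensic note: walk from s_first even when s_start == 0 (clean journal);
    # old committed transactions remain on disk until they are overwritten.
    txs, n = [], first
    while n < maxlen:
        blk = _block(img, n, bsize)
        magic, btype, seq = struct.unpack_from(">III", blk, 0)
        if magic != JBD2_MAGIC:
            break  # unused or zeroed block: end of the usable journal
        if btype == DESCRIPTOR:
            # Each 8-byte tag names the fs block whose copy follows the descriptor.
            tags, off = [], 12
            while off + 8 <= bsize:
                blocknr, _csum, flags = struct.unpack_from(">IHH", blk, off)
                off += 8
                if not flags & FLAG_SAME_UUID:
                    off += 16  # tag is followed by a 16-byte UUID
                tags.append((blocknr, flags))
                if flags & FLAG_LAST_TAG:
                    break
            blocks = {}
            for i, (blocknr, flags) in enumerate(tags):
                data = bytearray(_block(img, n + 1 + i, bsize))
                if flags & FLAG_ESCAPE:
                    data[0:4] = struct.pack(">I", JBD2_MAGIC)  # restore escaped magic
                blocks[blocknr] = bytes(data)
            txs.append({"seq": seq, "blocks": blocks, "committed": False})
            n += 1 + len(tags)
        elif btype == COMMIT:
            sec, nsec = struct.unpack_from(">QI", blk, 0x30)  # h_commit_sec / h_commit_nsec
            if txs and txs[-1]["seq"] == seq:
                txs[-1]["committed"] = True
                txs[-1]["commit_time"] = sec + nsec / 1e9
            n += 1
        else:  # revoke block or stray superblock: not needed for this walk
            n += 1
    return [t for t in txs if t["committed"]]


def block_history(txs, blocknr):
    """Every journaled version of one fs block, oldest first: (seq, commit_time, data)."""
    return [(t["seq"], t["commit_time"], t["blocks"][blocknr]) for t in txs if blocknr in t["blocks"]]


def decode_inode(data, index=0, inode_size=256):
    """Fields of one ext4 inode that matter for deleted-file triage."""
    off = index * inode_size
    mode, _uid, size_lo = struct.unpack_from("<HHI", data, off)
    _atime, _ctime, mtime, dtime, _gid, links = struct.unpack_from("<IIIIHH", data, off + 8)
    return {"mode": mode, "size": size_lo, "mtime": mtime, "dtime": dtime, "links": links}


def build_sample_journal():
    """Constructed journal image: two transactions touching inode-table block 100."""
    bsize, maxlen = 1024, 8
    blk = lambda *parts: b"".join(parts).ljust(bsize, b"\0")
    hdr = lambda btype, seq: struct.pack(">III", JBD2_MAGIC, btype, seq)
    tag = lambda blocknr, flags: struct.pack(">IHH", blocknr, 0, flags)

    def inode(size, mtime, dtime, links):
        return struct.pack("<HHIIIIIHH", 0o100644, 1000, size, mtime, mtime, mtime, dtime, 1000, links)

    def commit(seq, sec):  # header + chksum_type/size/padding + 8 x be32 checksum = 0x30 bytes
        return hdr(COMMIT, seq) + bytes(36) + struct.pack(">QI", sec, 0)

    sb = hdr(SUPERBLOCK_V2, 0) + struct.pack(">IIIII", bsize, maxlen, 1, 1, 1)
    live = inode(4096, 1_700_000_000, 0, 1)                 # file exists
    dead = inode(4096, 1_700_000_000, 1_700_000_600, 0)     # same inode after unlink
    return b"".join([
        blk(sb),
        blk(hdr(DESCRIPTOR, 1), tag(100, 0), bytes(16), tag(101, FLAG_SAME_UUID | FLAG_LAST_TAG)),
        blk(live),                      # fs block 100: inode table
        blk(b"constructed dir block"),  # fs block 101: directory block placeholder
        blk(commit(1, 1_700_000_100)),
        blk(hdr(DESCRIPTOR, 2), tag(100, FLAG_SAME_UUID | FLAG_LAST_TAG)),
        blk(dead),                      # fs block 100 again: inode now unlinked
        blk(commit(2, 1_700_000_700)),
    ])


if __name__ == "__main__":
    txs = parse_journal(build_sample_journal())
    for seq, when, data in block_history(txs, 100):
        ino = decode_inode(data)
        print(f"tx {seq} committed {when:.0f}: links={ino['links']} dtime={ino['dtime']} size={ino['size']}")
```

The timeline falls out of the commit timestamps, and the pre-deletion copy of the inode (link count 1, dtime 0) survives in the earlier transaction even though the live inode table now holds the unlinked version; that earlier copy is what a recovery tool would use to locate the file's data blocks. Revoke blocks, which mark journaled copies that must not be replayed, are skipped here but are still worth reading forensically for the same reason.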