EXT4 Journal & Inode Timestamps
Location
Filesystem journal (internal to the EXT4 partition) and inode metadata via stat/debugfs
Description
EXT4 filesystem journal recording metadata transactions for crash recovery, and inode timestamps including crtime (creation/birth time), mtime (modification), atime (access), and ctime (metadata change) with nanosecond precision.
Forensic Value
The EXT4 journal holds copies of recently written metadata blocks (inode tables, directory blocks, bitmaps), so dumping it with debugfs exposes earlier versions of inodes and directory entries, including the names, sizes and timestamps of files that have since been deleted. The window is bounded by the journal size: the journal is circular, and once it wraps, older transactions are overwritten. The crtime (birth time) is stored in the inode's extra fields and has no userspace setter (utimensat(2) and therefore touch can set only mtime and atime, with ctime bumped to the current clock as a side effect), so it records when the inode was actually allocated. A file whose mtime or atime is earlier than its crtime has had those stamps turned back, and whole-second mtime/atime values next to a nanosecond-resolution ctime are the signature of touch -d/-t. Two caveats: crtime is immune to the timestamp APIs, not to an attacker with write access to the raw block device, who can rewrite it with debugfs set_inode_field; and nanosecond stamps and crtime exist only on 256-byte inodes (the ext4 default), while 128-byte inodes carry second-granularity timestamps and no crtime at all.
Tools Required
stat (GNU coreutils), debugfs (e2fsprogs), find (GNU findutils), fls (The Sleuth Kit)
Collection Commands
stat
find /home /tmp /var -type f -exec stat --format="%n|%w|%y|%z|%x" {} \; > /forensics/output/inode_timestamps.txt
debugfs
debugfs -R "logdump -a" /dev/sda1 > /forensics/output/ext4_journal.txt
find
find / -newerct "2024-01-01" -not -newerct "2024-12-31" -ls > /forensics/output/files_created_in_range.txt
fls
fls -r -m "/" /dev/sda1 > /forensics/output/fls_timeline.txt
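The following triage script is an added example and is not part of the original page or of any of the tools above. It parses the pipe-delimited lines written by the stat command in this section (name | crtime | mtime | ctime | atime) and applies the checks described under Forensic Value: mtime or atime earlier than crtime, whole-second mtime/atime beside a sub-second ctime (the touch -d/-t pattern), ctime earlier than mtime (not producible through the timestamp APIs), and a missing crtime, which it reports as "unknown" rather than as evidence. The three input lines are constructed for illustration, not real collection output.

```python
#!/usr/bin/env python3
"""Timestomping triage over EXT4 stat output (added example, not page code).

Reads lines produced by:
    stat --format="%n|%w|%y|%z|%x" FILE
i.e. name | crtime (birth) | mtime | ctime | atime, with timestamps like
"2024-03-05 10:22:31.123456789 +0000" and "-" when birth time is unavailable.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real collection output). Line 2 mimics a
# dropped file backdated with `touch -d "2019-01-15 12:00:00"`; line 3 mimics a
# filesystem with 128-byte inodes (no crtime, second-granularity stamps).
SAMPLE = (
    "/home/alice/.bashrc|2023-11-02 08:14:09.512377201 +0000|"
    "2024-02-10 17:03:44.998120004 +0000|2024-02-10 17:03:44.998120004 +0000|"
    "2024-03-01 06:00:12.000000000 +0000\n"
    "/tmp/.x/libsys.so|2024-03-05 10:22:31.123456789 +0000|"
    "2019-01-15 12:00:00.000000000 +0000|2024-03-05 10:22:40.000331212 +0000|"
    "2019-01-15 12:00:00.000000000 +0000\n"
    "/var/tmp/update.sh|-|2024-03-05 10:25:01.000000000 +0000|"
    "2024-03-05 10:25:01.000000000 +0000|2024-03-05 10:25:01.000000000 +0000\n"
)

TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{9}) ([+-])(\d{2})(\d{2})$"
)


def parse_ts(text):
    """Return (epoch_ns, fractional_ns), or None when stat printed '-'."""
    text = text.strip()
    if text == "-":
        return None
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised stat timestamp: {text!r}")
    base, frac, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        offset = -offset
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(offset)
    )
    return int(dt.timestamp()) * 1_000_000_000 + int(frac), int(frac)


def analyse_line(line):
    """Return (path, [indicator strings]) for one stat output line."""
    # rsplit keeps a path that itself contains '|' intact.
    path, birth, mtime, ctime, atime = line.rstrip("\n").rsplit("|", 4)
    cr = parse_ts(birth)
    mt, ct, at = parse_ts(mtime), parse_ts(ctime), parse_ts(atime)
    flags = []
    if cr is None:
        flags.append("crtime unavailable (128-byte inodes or no statx): "
                     "birth cross-check not possible")
    else:
        if mt[0] < cr[0]:
            flags.append("mtime predates crtime")
        if at[0] < cr[0]:
            flags.append("atime predates crtime")
    # touch -d/-t writes whole seconds into mtime/atime while the kernel stamps
    # ctime from the real clock, so zero fractions beside a non-zero ctime
    # fraction are a strong indicator. All-zero fractions (second-granularity
    # inodes) are deliberately not flagged.
    if mt[1] == 0 and at[1] == 0 and ct[1] != 0:
        flags.append("whole-second mtime/atime beside sub-second ctime "
                     "(touch -d/-t pattern)")
    # No timestamp-setting API can push ctime behind mtime; only raw inode
    # edits (debugfs set_inode_field) or a clock change can.
    if ct[0] < mt[0]:
        flags.append("ctime earlier than mtime (inode edited directly or clock changed)")
    return path, flags


def analyse_report(text):
    """Map each path in a stat report to its list of indicators."""
    return dict(analyse_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for path, flags in analyse_report(SAMPLE).items():
        print(path, "->", "; ".join(flags) or "no indicators")
```

Run it against /forensics/output/inode_timestamps.txt by replacing SAMPLE with the file's contents. Treat the indicators as triage leads to confirm against the journal dump and the fls timeline, not as proof on their own: a legitimate archive extraction that preserves original mtimes will also show mtime older than crtime.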
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Run debugfs and fls against a forensic image or a read-only block device rather than a mounted live filesystem; on a live system, capture the journal first, because ordinary activity keeps overwriting its transactions.
- The journal is circular and covers only the most recent metadata activity (how much depends on journal size and write rate), so a file missing from the logdump output is not evidence that it never existed.
- stat prints "-" for %w when birth time is unavailable: 128-byte inodes, or a stat or kernel without statx support. Treat a missing crtime as unknown, not as an indicator.
- The find command above uses -newerct, which compares ctime (last inode change), not birth time, so files_created_in_range.txt actually lists files whose inode changed in that range. GNU find's -newerBt compares birth time where the build and filesystem support it.
- Walking the tree with find updates directory atimes on a live mount (subject to relatime/noatime), so record the collection time and order before interpreting atime values.
Related Blockers
Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.
Law Enforcement Requested Investigation Pause
A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.
Incident Responder Credentials Compromised
The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.