While other file systems allow deleted files to be recovered from the metadata that remains, Ext4 deletes all information relevant for this purpose. This makes reconstructing deleted files impossible without further information. As the standard file system for modern Linux distributions and for Android, a widely deployed operating system for mobile devices, Ext4 is ubiquitous.
In computer crime cases where traces of evidence have been destroyed, restoring deleted data is crucial to convicting the offender. For this reason, this work analyzes the Ext4 file system journal. It aims to establish whether the journal is suitable as a source of old information and, as far as possible, to reconstruct deleted files from extracted journal data.
To this end, the necessary basics and the structures of the Ext4 file system are described in detail. Beyond this, the structure of the journal and its functionality are examined, and from this its forensic usefulness is derived in the course of this work. Based on the knowledge gained, a concept is developed that makes the reconstruction of deleted files possible. In addition, the concept is implemented as a prototype, and the results are evaluated based on the reconstruction of fragmented files.