DocumentCode
3404165
Title
A Method for Historical Ext3 Inode to Filename Translation on Honeypots
Author
Fairbanks, Kevin D. ; Xia, Ying H. ; Owen, Henry L., III
Author_Institution
Sch. of Electr. & Comput. Eng., Georgia Inst. of Technol., Atlanta, GA, USA
Volume
2
fYear
2009
fDate
20-24 July 2009
Firstpage
392
Lastpage
397
Abstract
In an environment where computer compromises are no longer anomalies but frequent occurrences, the field of computer forensics has gained increasing importance. The development of this forensic field is matched by a growth in anti-forensic techniques. Rather than relying solely on external applications, which may be defeated or misled, operating systems should themselves contain methods for storing and protecting forensically meaningful information. The Linux Ext3 journal is one source of information that should be fully utilized both for its intended purpose and for forensics. However, because of its limited size and circular nature, this source has restrictions that the operating system itself can compensate for. For example, when collecting and examining Ext3 journal data, it can be difficult to determine the filename that an inode number was associated with, since the journal records inode numbers while names live only in directory blocks that may since have been rewritten. In this paper, the design of a method for honeypots is presented which takes advantage of the virtual file system layer in Linux to address this difficulty. The technique allows the translation of inode numbers to filenames in a historical context, thereby providing a forensic analyst with a better picture of what has transpired.
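As an added illustration, and not code from the paper (whose method is implemented inside the Linux VFS layer), the following Python models the historical translation the abstract describes: a time-ordered log of dentry bindings is retained independently of the circular journal, and an inode number recovered from a journal entry at a given time is resolved to the name it carried at that moment, through renames, deletion and later reuse of the same inode number. The event shape, the convention of recording a rename as an unlink followed by a link, and the sample events are assumptions made here for the example.

```python
"""Historical inode -> filename translation, modeled in user space.

Added example. It is not the authors' kernel implementation; the event
format and the sample scenario are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DentryEvent:
    """One observation of the dentry layer binding or unbinding a name."""
    t: int        # monotonic timestamp or event counter (assumed field)
    op: str       # "link" (create or rename target) or "unlink"
    inode: int    # Ext3 inode number
    path: str     # path bound or removed by this event


class InodeHistory:
    """Append-only record of inode <-> path bindings over time.

    Ext3 stores names only in directory blocks, so once a file is renamed or
    deleted the inode numbers in the journal lose their names. Keeping every
    binding the VFS ever made lets a lookup be answered as of any past time.
    """

    def __init__(self) -> None:
        self._events: List[DentryEvent] = []

    def record(self, t: int, op: str, inode: int, path: str) -> None:
        if op not in ("link", "unlink"):
            raise ValueError(f"unknown op {op!r}")
        if self._events and t < self._events[-1].t:
            raise ValueError("events must arrive in non-decreasing time order")
        self._events.append(DentryEvent(t, op, inode, path))

    def rename(self, t: int, inode: int, old: str, new: str) -> None:
        """Convention assumed here: a rename is unlink(old) then link(new)."""
        self.record(t, "unlink", inode, old)
        self.record(t, "link", inode, new)

    def names_at(self, inode: int, t: int) -> List[str]:
        """All paths bound to `inode` at time t (more than one if hard-linked).

        Replays events up to and including t; an empty list means the inode
        had no name then (never allocated, or already unlinked).
        """
        live: List[str] = []
        for ev in self._events:
            if ev.t > t:
                break                      # events are time-ordered
            if ev.inode != inode:
                continue
            if ev.op == "link":
                live.append(ev.path)
            elif ev.path in live:
                live.remove(ev.path)
        return live

    def timeline(self, inode: int) -> List[Tuple[int, str, str]]:
        """Every (t, op, path) touching `inode`, for analyst review."""
        return [(e.t, e.op, e.path) for e in self._events if e.inode == inode]


def build_sample_history() -> InodeHistory:
    """Constructed scenario: a dropped tool is renamed, deleted, and Ext3
    later reuses the same inode number for an unrelated file."""
    h = InodeHistory()
    h.record(10, "link", 4242, "/tmp/.x/rootkit.tgz")
    h.rename(20, 4242, "/tmp/.x/rootkit.tgz", "/usr/lib/libsys.so.1")
    h.record(30, "unlink", 4242, "/usr/lib/libsys.so.1")
    h.record(40, "link", 4242, "/var/log/app/rotated.1")   # inode number reused
    return h


def translate_journal(h: InodeHistory, observations) -> List[Tuple[int, int, List[str]]]:
    """Map (t, inode) pairs recovered from journal entries to their names then."""
    return [(t, ino, h.names_at(ino, t)) for t, ino in observations]


if __name__ == "__main__":
    hist = build_sample_history()
    # Constructed journal observations: inode 4242 was written at these times.
    for row in translate_journal(hist, [(15, 4242), (25, 4242), (35, 4242), (45, 4242)]):
        print(row)
```

The point of the constructed scenario is the last observation: a tool that only consults the live file system would report `/var/log/app/rotated.1` for every journal entry mentioning inode 4242, while the historical log shows that the same inode number named the attacker's archive at t=15 and a planted library at t=25.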
Keywords
Linux; file organisation; forensic science; security of data; Linux Ext3 journal; antiforensic techniques; computer forensics; filename translation; historical Ext3 inode; honeypots; meaningful information protection; meaningful information storing; operating systems; virtual file system layer; Application software; Computer applications; Software debugging; Dentry; Ext3; File System; Forensics; Inode; TimeKeeper; Virtual File System (VFS)
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Software and Applications Conference, 2009. COMPSAC '09. 33rd Annual IEEE International
Conference_Location
Seattle, WA
ISSN
0730-3157
Print_ISBN
978-0-7695-3726-9
Type
conf
DOI
10.1109/COMPSAC.2009.165
Filename
5254058