A Technique for Measuring Data Persistence Using the Ext4 File System Journal

In this paper, we propose a method of measuring data persistence using the Ext4 journal. Digital Forensic tools and techniques are commonly used to extract data from media. A great deal of research has been dedicated to the recovery of deleted data, however, there is a lack of information on quantifying the chance that an investigator will be successful in this endeavor. To that end, we suggest the file system journal be used as a source to gather empirical evidence of data persistence, which can later be used to formulate the probability of recovering deleted data under various conditions. Knowing this probability can help investigators decide where to best invest their resources. We have implemented a proof of concept system that interrogates the Ext4 file system journal and logs relevant data. We then detail how this information can be used to track the reuse of data blocks from the examination of file system metadata structures. This preliminary design contributes a novel method of tracking deleted data persistence that can be used to generate the information necessary to formulate probability models regarding the full and/or partial recovery of deleted data.