Until recently, various researches on Linux have been conducted, but the characteristics of the filesystem that can be changed as the Linux kernel version is diversified in terms of security have not been considered. Digital forensic investigations, which are not properly analyzed for major metadata changes by kernel version, can undermine investigative capabilities and lead to serious doubts about evidence. Since investigations can be conducted on a variety of Linux filesystems at the actual forensic investigation, it is necessary to analyze metadata of various filesystems by Linux distribution and kernel version. Therefore, this paper compares the difference of metadata changes that occur when deleting files for various kernel versions of Ext2 filesystems. Furthermore, we provide information about the kernel version and change time which has the change in metadata related to file recovery.
This research was supported by Energy Cloud R&D Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT (2019M3F2A1073386)ACKNOWLEDGMENT This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2018-0-01000, Development of Digital Forensic Integration Platform).
