ExtSFR: scalable file recovery framework based on an Ext file system

  • Seokjun Lee
  • Wooyeon Jo
  • Soowoong Eo
  • Taeshik ShonEmail author


As the technologies based on the Internet of Things, the Cloud, Big Data, and mobile technology have recently become the engine of the next-generation fusion environment, the use of consumer electronics with Linux/Unix-based operating systems which include mobile and embedded operating systems has been gradually increasing. As these technologies are applied in the real world, digital forensics and post-processing techniques in the next-generation environment are required for security/privacy perspective. In this paper, an Ext2/3/4 file system’s file recovery framework which is suitable for the next-generation environment is proposed. Also, Ext4 used from small to large size file systems in recent consumer electronics such as home appliances, mobile devices, home-office devices, entertainment devices, etc. The proposed framework takes the various Ext4 file systems created in the IoT/Cloud/Big Data/mobile environment into account, and it is configured to accommodate not only Ext4 used mainly in the recent environment but also Ext2/3 legacy environment. Additionally, the proposed framework is implemented as a prototype and validated it by comparing it with the existing commercial technologies, showing that the accuracy and efficiency of the prototype of the proposed framework for large file system recovery rates are superior to those of the existing technologies.


Consumer electronics Data recovery Data security Digital forensics File systems 



This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIT) (No.2018-0-01000, Development of Digital Forensic Integration Platform).


  1. 1.
    Alazab M, Venkatraman S, Watters P (2009) Effective digital forensic analysis of the NTFS disk image. Ubiquitous Comput Commun J 4(1):551–558Google Scholar
  2. 2.
    Carrier B (2005) Filesystem forensic analysis. Addison-WesleyGoogle Scholar
  3. 3.
    Diskinternals Linux Recovery,, Accessed Sep 1, 2018
  4. 4.
    Gregorio N (2007) Taking advantage of Ext3 journaling filesystem in a forensic investigation. SANS Institute:10–35Google Scholar
  5. 5.
    Kevin D (2012) An analysis of Ext4 for digital forensics. Digit Investig 9:S118–S130CrossRefGoogle Scholar
  6. 6.
    Lee S, Shon T (2014) Physical memory collection and analysis in SmartGrid embedded platform. MONET, ACM/Springer 19(3):382–391Google Scholar
  7. 7.
    Lee S, Shon T (2014) Improved deleted file recovery technique for Ext2/3 filesystem. J Supercomput 70(1):20–30CrossRefGoogle Scholar
  8. 8.
    Nabity P, Landry BJL (2010) Recovering Deleted and Wiped Files: A Digital Forensic Comparison of FAT32 and NTFS File Systems using Evidence Eliminator, Proceedings of the Southwest Decision Sciences Institute (SWDSI)Google Scholar
  9. 9.
    Naiqi L, Zhongshan W, Yujie H (2008) QinKe, computer forensics research and implementation based on NTFS file system, computing, communication, control, and management, 2008. CCCM '08. ISECS Int Colloquium 1:519–523Google Scholar
  10. 10.
    Nisbet A, Lawrence S, Ruff M (2013) A forensic analysis and comparison of solid state drive data retention with Trim enabled file systems, 11th Australian digital forensics conference. Edith Cowan Univ:103–111Google Scholar
  11. 11.
    Park Y, Chang H, Shon T (2015) Data investigation based on XFS filesystem metadata. Multimed Tools Appl 75(22):14721–14743CrossRefGoogle Scholar
  12. 12.
    Piper S, Davis M, Manes G, Shenoi S (2005) Detecting hidden data in Ext2/Ext3 filesystems, advances in digital forensics. Int Fed Inform Proc 14:245–256Google Scholar
  13. 13.
    Poisel R, Tjoa S, Tavolato P (2011) Advanced File Carving Approaches for Multimedia Files, Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications. 42–58Google Scholar
  14. 14.
    G.G. Richard, V. Roussev, Next-generation digital forensics, Commun ACM 49(2), 2006, pp. 76–80Google Scholar
  15. 15.
    Seo J, Lee S, Shon T (2015) A study on memory dump analysis based on digital forensic tools. Peer-to-Peer Network Appl Springer 8(4):694–703CrossRefGoogle Scholar
  16. 16.
    The Sleuth Kit,, Accessed Sep 1, 2018
  17. 17.
    UFS Explorer Professional,, Accessed Sep 1, 2018
  18. 18.
    Veenman C (2007) Statistical disk cluster classification for file carving. Proc IAS '07 Proc Third Int Symp Inform Assur Sec:393–398Google Scholar
  19. 19.
    Yoo B, Park J, Lim S, Bang J, Lee S (2012) A study on multimedia file carving method. Multimed Tools Appl 61(1):243–261CrossRefGoogle Scholar
  20. 20.
    Zhao S, Fei J, Liu N, Wu D (2008) Research and implementation of data recovery on windows NTFS. Comput Eng DesGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceKennesaw State UniversityMariettaUSA
  2. 2.Department of Computer EngineeringAjou UniversitySuwonSouth Korea

Personalised recommendations