I recently got a nice image of a server intrusion to analyze only to figure out they used ext4.
Tools that failed to analyse ext4 correctly:
Encase ver. 6.18
Sleuthkit ver. 3.2.0
FTK Demo ver. 1.81.6
(FTK 3.2 does not exist as a Trial / Demo Version ready for download. )
Don’t waste your time trying for now, it does not work.
What is actually pretty surprising is that
FTK Free Imager ver. 18.104.22.1683
in fact it CAN analyze ext4 and export files found within the filesystem but that’s pretty much it.
I got a trial version of Winhex 18.5 and that seems to be able to do ext4 but their demo is pretty crippled when it comes to forensics so this is where I stand right now hoping to find ext4 support in the tools I have access to ;)
I gave extundelete a try (version 0.2.0 linked against e2fsprogs 1.41.13 ) but it didn’t find anything recoverable.
Personally I think this is a major fail as ext4 was introduced within the Linux 2.6.28 kernel released on 25 December, 2008.
The next Android phones are already announced to use ext4 and Intel / Nokia are using it already for their MeeGoo.
In the end I was able to do some signature search and luckily could carve out some files I needed to go on with this case. I used our Encase for that but foremost should do the trick.