Abstract

Various studies of Linux have been conducted, but until recently they have not considered, from a security standpoint, how filesystem characteristics can change as Linux kernel versions diversify. A digital forensic investigation that does not properly account for major metadata changes between kernel versions can undermine investigative capability and raise serious doubts about the evidence. Because an actual forensic investigation may encounter a variety of Linux filesystems, the metadata of those filesystems needs to be analyzed by Linux distribution and kernel version. This paper therefore compares the metadata changes that occur when files are deleted on Ext2 filesystems under various kernel versions. We also provide information about the kernel versions, and the times of change, at which metadata related to file recovery changed.
