Gone

Difficulty: Medium | Category: Digital Forensics

Overview

We have cloned a filesystem from a target device. All the confidential data is redacted though. Anyway, here's a copy of the filesystem. I'm confident there's nothing left to find. The data is gone... right?

Attachment: `challenge.zip` (contains `challenge.ext4`)

Flag format: FLAG{}

Lab Details

Prerequisites & Requirements

  • Linux file systems: Particularly the ext4 file system architecture
  • Block allocation: How file systems allocate storage blocks to files
  • Slack space fundamentals: Understanding what happens to unused bytes within allocated blocks
  • Basic forensics concepts: Disk imaging and evidence preservation principles
  • Command-line proficiency: Comfortable working with Linux terminal tools
  • Access to a Linux environment (native or VM) since most forensics tools work best there

What Will You Learn?

  • Ext4 file system internals: Understanding inodes, block mappings, and metadata structures
  • Slack space forensics: A critical technique for recovering hidden or deleted data
  • Using debugfs: The ext2/3/4 debugging utility for filesystem analysis
  • Data recovery from raw blocks: Extracting bytes directly from disk images
  • Gzip decompression: Identifying and extracting compressed data streams

Tools

  • dumpe2fs: Inspect ext4 superblock and filesystem metadata
  • debugfs: Interactive debugger for ext2/3/4 filesystems
  • dd: Raw data extraction from specific offsets
  • grep: Pattern searching (including binary patterns)
  • hexdump: Viewing raw bytes in hexadecimal format
  • gzip / python3: Decompressing gzip-compressed data

Job Positions

Security Analyst

Tags

Ext4, Slack Space, Data Recovery, File Carving, Dead Box Forensics