FJTA (Forensic Journal Timeline Analyzer) is a tool that analyzes Linux filesystem (ext4, XFS) journals (not systemd-journald logs), generates timelines, and detects suspicious activities.
Caution
Since testing is only being done with simple disk images, there may be many issues when analyzing more practical disk images.
- Journal Analysis: Scans ext4 and XFS journals to visualize modification history.
- Timeline Generation: Organizes events within the journal in chronological order.
- Suspicious Activity Detection: Identifies deleted files and potentially tampered operations.
- Cross-Platform: Written in Python, allowing analysis on any operating system.
| Artifacts | ext4 | XFS |
|---|---|---|
| inode | ✅ | ✅ |
| Directories with few entries | ✅ | ✅ |
| Directories with many entries | ✅ | ✅ |
| Short symlink target names | ✅ | ✅ |
| Long symlink target names1 | ✅ | ❌ |
| Short extended attributes | ✅ | ✅ |
| Long extended attributes2 | ✅ | ❌ |
| Non-regular files (e.g. block devices) | ✅ | ✅ |
| Year 2038 problem | ✅ | ✅ |
| Activities | ext4 | XFS |
|---|---|---|
| Creating files | ✅ | ✅ |
| Deleting files | ✅ | ✅ |
| Modification of extended attributes | ✅ | ✅ |
| Timestomping (timestamp manipulation) | ✅ | ✅ |
| Other inode metadata changes3 | ✅ | ✅ |
Tested with the following software and libraries:
- Python 3.12
- The Sleuth Kit 4.14.0
- pytsk3 20250729
- Construct 2.10.70
- python-magic 0.4.27
- libewf-python 20240506
- libvmdk-python 20240510
- libvhdi-python 20240509
Compile and install the TSK.
Note
TSK also requires other libraries such as libewf, libvmdk, and so on.
wget https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.14.0/sleuthkit-4.14.0.tar.gz
tar xvzf sleuthkit-4.14.0.tar.gz
cd sleuthkit-4.14.0
./configure
make
sudo make install
sudo echo /usr/local/lib > /etc/ld.so.conf.d/local-lib.conf
sudo ldconfigThen, clone FJTA.
git clone https://github.com/mnrkbys/fjta.git
cd fjtaFinally, install required Python packages.
python3 -m venv .venv
source .venv/bin/activate
pip install pytsk3 construct python-magic libewf-python libvmdk-python libvhdi-pythonInstall the TSK package from the Linux distribution you are using.
Note
In older versions of libvmdk, you cannot open VMDK files created with VMware Workstation for Windows (Japanese edition). The patch was integrated in 2022.
sudo apt install sleuthkit python3-tsk libewf2 libvmdk1 libvhdi1 python3-libewf python3-libvmdk python3-libvhdiThen, clone FJTA.
git clone https://github.com/mnrkbys/fjta.git
cd fjtaFinally, install required Python packages.
python3 -m venv .venv
source .venv/bin/activate
pip install construct python-magicpython ./fjta.py -i ~/ext4.img | jqpython ./fjta.py -s 0 -i ~/xfs.img | jq 'select(.inode == 101040435)' | lessThe to_epoch() function is defined in the helper.sh file, so you need to import it before executing the following command.
source scripts/helper.sh
python ./fjta.py -s 0 -i ~/xfs.img | jq --argjson threshold $(to_epoch "2025-06-23 07:33:20.123456789") 'select(.crtime >= $threshold)'python ./fjta.py -s 0 -i ~/xfs.img | jq 'select(.names? and ([.names[][]] | index("backdoor.c")))'python ./fjta.py -s 0 -i ~/xfs.img | jq 'select(.info | contains("Added EA: security.selinux"))'python ./fjta.py -s 0 -i ~/xfs.img | jq 'select(.info | test("added ea: security\\.selinux"; "i"))'...
{
"transaction_id": 3,
"action": "CREATE_INODE|CREATE_HARDLINK",
"inode": 12,
"file_type": "REGULAR_FILE",
"names": {
"2": [
"test.txt"
]
},
"mode": 420,
"uid": 0,
"gid": 0,
"size": 0,
"atime": 1729038807.9101748,
"ctime": 1729038807.9101748,
"mtime": 1729038807.9101748,
"crtime": 1729038807.9101748,
"dtime": 0.0,
"flags": 524288,
"link_count": 1,
"symlink_target": "",
"extended_attributes": [],
"device_number": {
"major": 0,
"minor": 0
},
"info": "Crtime: 2024-10-16 00:33:27.910174879 UTC|Link Count: 1"
}
...
{
"transaction_id": 23,
"action": "CREATE_INODE|ACCESS|CHANGE|MODIFY|TIMESTOMP",
"inode": 12,
"file_type": "REGULAR_FILE",
"names": {
"2": [
"test.txt"
]
},
"mode": 420,
"uid": 0,
"gid": 0,
"size": 0,
"atime": 978312225.8287878,
"ctime": 978312225.8287878,
"mtime": 978312225.8287878,
"crtime": 978312225.8287878,
"dtime": 0.0,
"flags": 524288,
"link_count": 1,
"symlink_target": "",
"extended_attributes": [],
"device_number": {
"major": 0,
"minor": 0
},
"info": "Atime: 2024-10-18 08:25:51.385837319 UTC -> 2001-01-01 01:23:45.828787850 UTC (Timestomp)|Ctime: 2024-10-18 08:25:51.385837319 UTC -> 2001-01-01 01:23:45.828787850 UTC (Timestomp)|Mtime: 2024-10-18 08:25:51.385837319 UTC -> 2001-01-01 01:23:45.828787850 UTC (Timestomp)|Crtime: 2024-10-16 00:33:27.910174879 UTC -> 2001-01-01 01:23:45.828787850 UTC (Timestomp)"
}
...- Ubuntu 24.10 with kernel 6.8.0-63
- Rocky Linux 9.4 with kernel 5.14.0-427.31.1.el9_4.x86_64
- RAW
- EWF
- VMDK
- VHD / VHDX
- Directory filesystem (ext4 and XFS partitions)
Contributions are welcome! If you wish to contribute, please fork the repository and create a feature branch. Pull requests are greatly appreciated.
- FJTA is still under development, so some filesystem data may not be available for analysis. Additionally, the output format is subject to change.
- FJTA can analyze only ext4 and XFS version 5 (inode version 3).
- FJTA does not support LVM.
- Only ext4 journals stored with "data=ordered" are supported. data=ordered is the default journaling mode in most Linux distributions.
- Fast commit on ext4 is not supported.
- External journals are not supported.
FJTA (Forensic Journal Timeline Analyzer) is released under the Apache License, Version 2.0. See the LICENSE file for more details.