
#26 Use Ext3 journal for file recovery

open
nobody
5
2009-01-15
2009-01-15
No

The Ext3 journal may contain copies of a file's inode before the file was deleted (Ext3 wipes block pointers when a file is deleted). Searching the journal for inodes may allow deleted files to be recovered.

TSK can already parse the journal and cycle through it, but it does not actually use it. It probably should somehow. There are obvious questions about usability though and how to identify that you want version X of file Y (where a version could be the current version of the inode or one of the previous versions). The design choice should also be applicable to NTFS because it stores data in a journal as well.
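As an added illustration (not TSK code and not part of the original ticket), the sketch below walks JBD descriptor blocks in a raw journal image and lists every logged copy of one inode, so a copy that still has block pointers can be told apart from the wiped, post-deletion one. It assumes 128-byte inodes and that the caller already knows where the inode table starts (`table_start` and `first_ino` are hypothetical parameters); it ignores the journal superblock, wrap-around, revoke blocks and escaped blocks, and the sample journal is constructed.

```python
import struct

JBD_MAGIC = 0xC03B3998                  # big-endian magic on journal metadata blocks
DESCRIPTOR, COMMIT, SAME_UUID, LAST_TAG = 1, 2, 0x2, 0x8
INODE_SIZE = 128                        # classic ext3 inode size (assumption)

def journaled_blocks(journal, bs):
    """Yield (sequence, fs_block, data) for each block logged under a descriptor."""
    pos = 0
    while pos + bs <= len(journal):
        magic, btype, seq = struct.unpack_from(">III", journal, pos)
        if magic != JBD_MAGIC or btype != DESCRIPTOR:
            pos += bs                   # commit blocks and anything else are skipped
            continue
        tag, data, last = pos + 12, pos + bs, False
        while not last and tag + 8 <= pos + bs and data + bs <= len(journal):
            fs_block, flags = struct.unpack_from(">II", journal, tag)
            tag += 8 if flags & SAME_UUID else 24   # otherwise a 16-byte UUID follows
            yield seq, fs_block, journal[data:data + bs]
            data += bs                  # logged blocks follow in tag order
            last = bool(flags & LAST_TAG)
        pos = data

def inode_versions(journal, bs, table_start, first_ino, ino):
    """Return every journaled copy of inode `ino`, oldest transaction first."""
    blk, offset = divmod((ino - first_ino) * INODE_SIZE, bs)
    out = []
    for seq, fs_block, data in journaled_blocks(journal, bs):
        if fs_block != table_start + blk:
            continue
        raw = data[offset:offset + INODE_SIZE]
        size, dtime = struct.unpack_from("<I", raw, 4)[0], struct.unpack_from("<I", raw, 20)[0]
        ptrs = struct.unpack_from("<15I", raw, 40)      # i_block[], little-endian
        out.append({"seq": seq, "size": size, "dtime": dtime, "blocks": [p for p in ptrs if p]})
    return sorted(out, key=lambda v: v["seq"])

def sample_journal(bs=1024):
    """Constructed journal: inode 12 logged while live (seq 5), then deleted (seq 6)."""
    def txn(seq, ptrs, dtime):
        desc = struct.pack(">IIIII", JBD_MAGIC, DESCRIPTOR, seq, 6, LAST_TAG) + bytes(16)
        ino = bytearray(INODE_SIZE)
        struct.pack_into("<I", ino, 4, 8192 if ptrs else 0)
        struct.pack_into("<I", ino, 20, dtime)
        struct.pack_into("<%dI" % len(ptrs), ino, 40, *ptrs)
        block = bytes(INODE_SIZE * 3) + bytes(ino)      # inode 12 is slot 3 of table block 6
        commit = struct.pack(">III", JBD_MAGIC, COMMIT, seq)
        return b"".join(p.ljust(bs, b"\0") for p in (desc, block, commit))
    return txn(5, [1000, 1001], 0) + txn(6, [], 1231977600)
```

Calling `inode_versions(sample_journal(), 1024, table_start=5, first_ino=1, ino=12)` returns both copies; the one with `dtime == 0` and a non-empty `blocks` list is the pre-deletion version.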
