In incident analysis, especially in the field of postmortem file system analysis, the reconstruction of lost or deleted files plays an important role. The techniques that can be applied to this end strongly depend on the specifics of the file system in question. Various file systems are already well-investigated, such as FAT16/32, NTFS for Microsoft Windows systems, and Ext2/3 as the most common file system for Linux systems. There also exist tools, such as the famous Sleuthkit (Carrier, The sleuth kit (TSK), 2010), that provide file recovery features for those file systems by interpreting the file system internal data structures. In case of an Ext file system, the interpretation of the so-called superblock is essential to interpret the data. The Ext4 file system can mainly be analyzed with the tools and techniques that have been developed for its predecessor Ext3, because most principles and internal structures remained unchanged. However, some innovations have been implemented that have to be considered in incident analysis when it comes to manual analysis, or choosing appropriate tools and the interpretation of results. In this article, we report on changes in Ext4 compared to Ext3 that are relevant for incident analysis and illustrate why in cases where the superblock has been corrupted or overwritten, e.g. because of a reformatting of the volume, traditional approaches and tools might fail and for those cases refer to an open source tool that we published earlier this year.