
- •The project has been funded by the European Commission. The Education, Audiovisual and
- •Introduction to Ext file system
- •Filesystem structure
- •Filesystem structure
- •Filesystem structure
- •command mke2fs
- •Superblock
- •command dumpe2fs
- •command dumpe2fs
- •command dumpe2fs
- •Block Group Descriptor
- •Block Group Descriptor
- •Block Group Descriptor
- •Block Bitmap, Inode Bitmap
- •Inodes
- •Inode Table
- •Inodes
- •Inodes
- •Addressing
- •Addressing
- •Inodes
- •Inodes
- •Inode (example)
- •The contents of both of these blocks will be a list of 4-byte
- •Root Directory
- •Root Directory
- •Directory
- •The data structure of the second version of the directory entry
- •Directory
- •More on Ext file systems
- •More Linux file systems
- •The Sleuth kit (TSK)
- •Mounting file systems
- •Mounting file systems
- •Mounting file systems
- •Summary
- •References & Resources

Superblock (command dumpe2fs)
The integrity of the file system depends directly on the integrity of the superblock. For this reason mke2fs writes several backup copies of the superblock into other block groups, so that the file system can be recovered when the primary copy in block group 0 is damaged. The superblock records the block group size, from which the locations of the backup copies follow; dumpe2fs prints the block of each backup copy in its per-group listing, which is the first thing to check when a forensic tool refuses to parse an image.

Block Group Descriptor
•Every block group contains a copy of the group descriptor table (with the sparse_super feature only groups 0, 1 and the powers of 3, 5 and 7 hold a copy).
•Every block group is described by one entry in the group descriptor table.
•Each block group descriptor is 32 bytes.
•The size of the group descriptor table (in blocks) is calculated by:
–CEILING((Number of Block Groups * 32) / Block Size)

Block Group Descriptor
The group descriptor table is a list of data structures called group descriptors. The table is stored in the file system block immediately following the superblock. It contains one entry for each block group in the file system, and each entry describes that group. The table consists of 32-byte records, laid out as in Table 1.
Table 1. Data structure of entries in the group descriptor table

Byte range | Description                            | Needed for forensics
-----------+----------------------------------------+---------------------
0-3        | Starting address of the block bitmap   | Yes
4-7        | Starting address of the inode bitmap   | Yes
8-11       | Starting address of the inode table    | Yes
12-13      | Number of free blocks in the group     | No
14-15      | Number of free inodes in the group     | No
16-17      | Number of directories in the group     | No
18-31      | Not used                               | No

All fields are little-endian; the three addresses are 4-byte block numbers, the counts are 2 bytes each.

Block Group Descriptor
To extract the contents of the table, use the dcat command (renamed blkcat in current versions of The Sleuth Kit) on the block following the superblock, here block 1, and view it with a hex dumper:
[Figure: hex dump of block 1, showing the 32-byte record for block group 0 followed by the record for block group 1]
Bytes 0-3 indicate that the block bitmap is in block 2
Bytes 4-7 indicate that the inode bitmap is in block 3
Bytes 8-11 indicate that the inode table begins at block 4
The group in this image consists of 32,768 blocks; at one bit per block the block bitmap needs 4096 bytes (32768/8), i.e. exactly one block. The group contains 16,288 inodes, so the inode bitmap needs 2036 bytes (16288/8), which also fits in one block. The inode table holds 16,288 records of 128 bytes each, 2,084,864 bytes in total; with a 4096-byte block size it occupies 509 blocks (2084864/4096), from block 4 to block 512 inclusive. The inode size is not fixed: it is stored in the superblock (dumpe2fs reports it as "Inode size") and is 256 bytes on current ext4 file systems, which doubles the size of the table.
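The following is an added example, not part of the original slides or of The Sleuth Kit: it decodes group descriptor records with the Table 1 layout from a constructed descriptor table and repeats the bitmap and inode table arithmetic above. The superblock values (4096-byte blocks, 32,768 blocks and 16,288 inodes per group, 128-byte inodes) and the group 1 addresses are assumptions chosen to match the image described in the text.

```python
import struct

# Constructed superblock values for this example (assumed, not read from a real
# disk); they match the image described in the text: 4096-byte blocks, 32,768
# blocks and 16,288 inodes per group, 128-byte inodes, two block groups.
BLOCK_SIZE = 4096
BLOCKS_PER_GROUP = 32768
INODES_PER_GROUP = 16288
INODE_SIZE = 128

# On-disk ext2/ext3 group descriptor (little-endian), as in Table 1:
#   bg_block_bitmap(4) bg_inode_bitmap(4) bg_inode_table(4)
#   bg_free_blocks_count(2) bg_free_inodes_count(2) bg_used_dirs_count(2)
#   bytes 18-31 unused
GD_FORMAT = "<IIIHHH14x"
GD_SIZE = struct.calcsize(GD_FORMAT)  # 32 bytes


def ceil_div(a, b):
    return -(-a // b)


def parse_group_descriptors(table_bytes, num_groups):
    """Decode the first num_groups 32-byte records of a raw descriptor table."""
    descriptors = []
    for g in range(num_groups):
        fields = struct.unpack_from(GD_FORMAT, table_bytes, g * GD_SIZE)
        block_bitmap, inode_bitmap, inode_table, free_blocks, free_inodes, dirs = fields
        descriptors.append({
            "group": g,
            "block_bitmap": block_bitmap,
            "inode_bitmap": inode_bitmap,
            "inode_table": inode_table,
            "free_blocks": free_blocks,
            "free_inodes": free_inodes,
            "dirs": dirs,
        })
    return descriptors


def layout_sizes(block_size=BLOCK_SIZE, blocks_per_group=BLOCKS_PER_GROUP,
                 inodes_per_group=INODES_PER_GROUP, inode_size=INODE_SIZE):
    """The arithmetic from the text: bytes per bitmap and blocks per inode table."""
    table_bytes = inodes_per_group * inode_size
    return {
        "block_bitmap_bytes": ceil_div(blocks_per_group, 8),
        "inode_bitmap_bytes": ceil_div(inodes_per_group, 8),
        "inode_table_bytes": table_bytes,
        "inode_table_blocks": ceil_div(table_bytes, block_size),
    }


def inode_table_range(desc, block_size=BLOCK_SIZE,
                      inodes_per_group=INODES_PER_GROUP, inode_size=INODE_SIZE):
    """First and last block (inclusive) occupied by the group's inode table."""
    nblocks = ceil_div(inodes_per_group * inode_size, block_size)
    return desc["inode_table"], desc["inode_table"] + nblocks - 1


def descriptor_is_consistent(desc, blocks_per_group=BLOCKS_PER_GROUP):
    """Forensic sanity check: on ext2/ext3 a group's bitmaps and inode table lie
    inside that group's own block range. (ext4 with flex_bg legitimately packs
    the metadata of several groups into one group, so do not apply it there.)"""
    lo = desc["group"] * blocks_per_group
    hi = lo + blocks_per_group - 1
    return all(lo <= desc[k] <= hi
               for k in ("block_bitmap", "inode_bitmap", "inode_table"))


# Constructed descriptor table (block 1 of the image): group 0 uses blocks 2, 3
# and 4 as in the text; group 1 is assumed to keep a superblock backup at 32768
# and the table copy at 32769, so its own metadata starts at 32770.
CONSTRUCTED_TABLE = (
    struct.pack(GD_FORMAT, 2, 3, 4, 20000, 16277, 2)
    + struct.pack(GD_FORMAT, 32770, 32771, 32772, 32000, 16288, 0)
)

if __name__ == "__main__":
    for d in parse_group_descriptors(CONSTRUCTED_TABLE, 2):
        first, last = inode_table_range(d)
        print(f"group {d['group']}: block bitmap {d['block_bitmap']}, "
              f"inode bitmap {d['inode_bitmap']}, inode table {first}-{last}, "
              f"consistent={descriptor_is_consistent(d)}")
```

On a real image, replace CONSTRUCTED_TABLE with the bytes of the block after the superblock (for example the output of blkcat) and take the four parameters from the superblock; the consistency check is worth running before trusting any free-count value, since the counts are not needed for recovery and are the first fields to go stale.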

Block Bitmap, Inode Bitmap
The contents of files and directories are stored in blocks, and the allocation status of each block is recorded in a bitmap: one bit per block, where a set bit means allocated. Each block group has its own bitmap covering only the blocks of that group; its starting address is in the group descriptor, and at least one block is allocated to store it. Bit 0 of the first byte describes the group's first block, bit 1 the second, and so on, with the least significant bit of each byte first.
To extract the contents of this block, use the dcat (blkcat in current TSK) or dd program:
A run of bytes containing only 0xff shows that block group 0 begins with a long series of allocated blocks.
At byte 169 we see the value 0x01. Byte 169 covers the eight blocks 169 * 8 = 1352 to 1359 of the group (group 0, so these are also the absolute block numbers); the value 0x01 has only the least significant bit set, so block 1352 is allocated and blocks 1353-1359 are free.
The inode bitmap performs the same function for the inode table: bit n of a group's inode bitmap gives the allocation status of the (n+1)-th inode of that group, i.e. inode number group * INODES_PER_GROUP + n + 1.
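Added example (not from the original slides or from TSK): decoding a block bitmap and an inode bitmap with the bit order described above. The bitmaps are constructed to reproduce the pattern in the text (169 bytes of 0xff, then 0x01) rather than dumped from a real image, and the group geometry (4096-byte blocks, 32,768 blocks and 16,288 inodes per group) is an assumption.

```python
# Constructed bitmaps for block group 0 of a file system with 4096-byte blocks,
# 32,768 blocks and 16,288 inodes per group (assumed values matching the text,
# not dumped from a real image).
BLOCK_SIZE = 4096
BLOCKS_PER_GROUP = 32768
INODES_PER_GROUP = 16288


def constructed_block_bitmap():
    """The pattern described in the text: 169 bytes of 0xff, then 0x01, then zeros."""
    bitmap = bytearray(BLOCK_SIZE)
    bitmap[0:169] = b"\xff" * 169
    bitmap[169] = 0x01
    return bytes(bitmap)


def constructed_inode_bitmap():
    """Inodes 1-8 (byte 0 = 0xff) and 9-11 (byte 1 = 0x07) allocated: the ten
    reserved inodes plus the first user inode, 11."""
    bitmap = bytearray(BLOCK_SIZE)
    bitmap[0] = 0xFF
    bitmap[1] = 0x07
    return bytes(bitmap)


def bit_is_set(bitmap, index):
    """ext2 bitmaps use little-endian bit order: bit 0 of byte 0 is item 0."""
    return (bitmap[index // 8] >> (index % 8)) & 1 == 1


def block_allocated(bitmap, block, group, blocks_per_group=BLOCKS_PER_GROUP):
    """Allocation status of an absolute block number, read from its group's bitmap."""
    rel = block - group * blocks_per_group
    if not 0 <= rel < blocks_per_group:
        raise ValueError(f"block {block} does not belong to group {group}")
    return bit_is_set(bitmap, rel)


def inode_allocated(bitmap, inode, group, inodes_per_group=INODES_PER_GROUP):
    """Inode numbers start at 1, bits at 0: inode group*IPG + n + 1 is bit n."""
    rel = inode - 1 - group * inodes_per_group
    if not 0 <= rel < inodes_per_group:
        raise ValueError(f"inode {inode} does not belong to group {group}")
    return bit_is_set(bitmap, rel)


def allocated_runs(bitmap, group, blocks_per_group=BLOCKS_PER_GROUP):
    """Contiguous (first, last) ranges of allocated absolute block numbers.
    Only the first blocks_per_group bits are meaningful: the tail of the bitmap
    block (and, in the last group, bits past the end of the file system) is padding."""
    base = group * blocks_per_group
    runs, start = [], None
    for rel in range(blocks_per_group):
        if bit_is_set(bitmap, rel):
            if start is None:
                start = rel
        elif start is not None:
            runs.append((base + start, base + rel - 1))
            start = None
    if start is not None:
        runs.append((base + start, base + blocks_per_group - 1))
    return runs


def byte_coverage(byte_index, group, blocks_per_group=BLOCKS_PER_GROUP):
    """Which absolute blocks a given bitmap byte describes (the text's byte 169)."""
    first = group * blocks_per_group + byte_index * 8
    return first, first + 7


if __name__ == "__main__":
    bm = constructed_block_bitmap()
    print("byte 169 covers blocks", byte_coverage(169, 0))
    print("allocated runs in group 0:", allocated_runs(bm, 0))
    im = constructed_inode_bitmap()
    print("inode 11 allocated:", inode_allocated(im, 11, 0),
          "inode 12 allocated:", inode_allocated(im, 12, 0))
```

The gaps between the runs returned by allocated_runs are the unallocated blocks of the group, which is where carving for deleted content starts; the padding rule matters in the last group, where the bits beyond the file system's block count are set even though no block exists.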

Inodes
•Short for "index node"
•Every file and directory in the file system is described by exactly one inode
•The inodes of each block group are kept in that group's inode table, together with an inode bitmap recording which of them are allocated
Each file on disk corresponds to one and only one inode, which is identified by its sequence number (the inode number). The number of inodes is fixed when the file system is created, so the number of files that can be created is limited by the number of inodes regardless of how much free space remains (df -i shows inode usage).

Inode Table
•Contains one entry for each inode in the block group
•Each entry holds the file's metadata (type, permissions, owner, size, timestamps) and the locations of the file's data blocks
•By interpreting the inode it is possible to find the file's contents
–via the 12 direct block pointers and the single, double and triple indirect block pointers

Inodes
Each inode has an address (its inode number), starting with 1.
A set of inodes, whose number is given in the superblock (inodes per group), is assigned to each block group.
The inodes of each group are stored in that group's inode table, whose starting block is given in the group descriptor.
Given an inode address, its group can be determined with the following calculation (integer division):
group = (inode – 1) / INODES_PER_GROUP
and its index within that group's table is (inode – 1) mod INODES_PER_GROUP.
Inodes 1 to 10 are typically reserved and should be in an allocated state; the superblock stores the number of the first non-reserved inode (normally 11), so the first user file is typically allocated in inode 11.
Of the reserved inodes only a few have a fixed meaning: inode 2 is the root directory, inode 1 keeps track of bad blocks, and the journal typically uses inode 8 (the journal inode number can be redefined in the superblock).
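Added example, not part of the original slides: the group calculation above carried through to the byte in the image where an inode lives. The parameters (4096-byte blocks, 16,288 inodes per group, 128-byte inodes, first non-reserved inode 11, inode tables at blocks 4 and 32772) are assumptions chosen to match the image described earlier; on a real disk they come from the superblock and the group descriptors.

```python
# Assumed parameters (constructed to match the image described in the text, not
# read from a real superblock): 4096-byte blocks, 16,288 inodes per group,
# 128-byte inodes, first non-reserved inode 11, and inode tables starting at
# block 4 (group 0) and block 32772 (group 1) according to the group descriptors.
BLOCK_SIZE = 4096
INODES_PER_GROUP = 16288
INODE_SIZE = 128
FIRST_INO = 11                        # s_first_ino in the superblock
INODE_TABLE_START = {0: 4, 1: 32772}  # bg_inode_table per group (assumed)
RESERVED_INODES = {
    1: "bad blocks inode",
    2: "root directory",
    8: "journal (default; the superblock may name another inode)",
}


def inode_group(inode):
    """group = (inode - 1) / INODES_PER_GROUP, with integer division."""
    if inode < 1:
        raise ValueError("inode numbers start at 1")
    return (inode - 1) // INODES_PER_GROUP


def inode_location(inode, block_size=BLOCK_SIZE, inodes_per_group=INODES_PER_GROUP,
                   inode_size=INODE_SIZE, table_start=INODE_TABLE_START):
    """Return (group, index within the group's table, block, byte offset in block)."""
    if inode < 1:
        raise ValueError("inode numbers start at 1")
    group = (inode - 1) // inodes_per_group
    if group not in table_start:
        raise ValueError(f"inode {inode} lies in group {group}, which this image lacks")
    index = (inode - 1) % inodes_per_group
    byte_offset = index * inode_size
    block = table_start[group] + byte_offset // block_size
    return group, index, block, byte_offset % block_size


def inode_image_offset(inode, block_size=BLOCK_SIZE, **kw):
    """Absolute byte offset of the inode in the image: what to seek to with dd
    or a hex editor when the file system tools will not parse the metadata."""
    _, _, block, off = inode_location(inode, block_size=block_size, **kw)
    return block * block_size + off


def describe_inode(inode):
    if inode in RESERVED_INODES:
        role = RESERVED_INODES[inode]
    elif inode < FIRST_INO:
        role = "reserved, no fixed meaning"
    else:
        role = "regular (user) inode"
    group, index, block, off = inode_location(inode)
    return f"inode {inode}: {role}; group {group}, entry {index}, block {block} offset {off}"


if __name__ == "__main__":
    for ino in (1, 2, 8, 11, 16288, 16289):
        print(describe_inode(ino))
```

The last inode of group 0 lands in block 512 at offset 3968, which is exactly where the 509-block inode table computed earlier ends, and inode 16289 is the first entry of group 1's table; if those two results disagree with the group descriptors of a real image, one of the superblock values being used is wrong.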

Inodes
[Figure: inode layout. Fields: mode, owner info, size, timestamps, then the block map: 12 direct block pointers to data blocks, a single indirect pointer, a double indirect pointer and a triple indirect pointer, each reaching data blocks through one, two or three levels of pointer blocks.]

Addressing
ExtX, like UFS, was designed for efficiency with small files.
Therefore each inode stores the addresses of the first 12 blocks that a file has allocated. These are called direct pointers.
If a file needs more than 12 blocks, a block is allocated to store the remaining addresses; the inode's pointer to that block is called the single indirect block pointer. The addresses in the block are four bytes each, so the number of addresses per block depends on the block size (256 with 1024-byte blocks, 1024 with 4096-byte blocks).
If a file has more blocks than fit in the 12 direct pointers and the single indirect block, a double indirect block is used: the inode points to a block containing a list of single indirect block addresses, each of which points to a block containing a list of direct pointers.
Lastly, if a file needs still more space, it can use a triple indirect block pointer. A triple indirect block contains addresses of double indirect blocks, which contain addresses of single indirect blocks, which in turn contain the addresses of data blocks.
This block map applies to ext2 and ext3 inodes (and to ext4 inodes without the extents flag); an ext4 inode with extents reuses the same 60-byte field for an extent tree, so its contents must not be read as twelve direct pointers.
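Added example (not from the original slides) that carries the direct/indirect scheme above through as arithmetic: which pointer path reaches a given logical block of a file, how many blocks the map can address, and how many pointer blocks a file of a given size consumes. It generalises the text's description to any block size; 4096 bytes is the assumed default, and nothing here reads a real disk.

```python
# Block map arithmetic for ext2/ext3 inodes (and ext4 inodes without extents).
# Nothing here is read from a disk; the block size is a parameter and 4096 is
# the assumed default, matching the image discussed in the text.
NUM_DIRECT = 12
POINTER_SIZE = 4            # every block address in the map is 4 bytes


def ceil_div(a, b):
    return -(-a // b)


def pointers_per_block(block_size):
    return block_size // POINTER_SIZE


def resolve_logical_block(logical, block_size=4096):
    """Map a file's logical block number to the pointer path that reaches it:
    ('direct', i), ('single', i), ('double', i, j) or ('triple', i, j, k), where
    each index selects one 4-byte entry in the inode or in an indirect block."""
    n = pointers_per_block(block_size)
    if logical < 0:
        raise ValueError("negative logical block")
    if logical < NUM_DIRECT:
        return ("direct", logical)
    logical -= NUM_DIRECT
    if logical < n:
        return ("single", logical)
    logical -= n
    if logical < n * n:
        return ("double", logical // n, logical % n)
    logical -= n * n
    if logical < n ** 3:
        return ("triple", logical // (n * n), (logical // n) % n, logical % n)
    raise ValueError("beyond the reach of a triple indirect block")


def max_file_blocks(block_size=4096):
    """Largest number of data blocks the map can address (the real ext2/ext3
    limit is lower because the size field and 32-bit block numbers cap it first)."""
    n = pointers_per_block(block_size)
    return NUM_DIRECT + n + n * n + n ** 3


def indirect_blocks_needed(data_blocks, block_size=4096):
    """How many pointer blocks a file of data_blocks blocks allocates. They are
    metadata, hold no file content, and must be skipped when reassembling the
    file from its blocks."""
    n = pointers_per_block(block_size)
    remaining = max(0, data_blocks - NUM_DIRECT)
    count = 0
    if remaining > 0:                               # one single indirect block
        count += 1
        remaining -= min(remaining, n)
    if remaining > 0:                               # double block + its singles
        in_double = min(remaining, n * n)
        count += 1 + ceil_div(in_double, n)
        remaining -= in_double
    if remaining > 0:                               # triple + doubles + singles
        in_triple = min(remaining, n ** 3)
        count += 1 + ceil_div(in_triple, n * n) + ceil_div(in_triple, n)
        remaining -= in_triple
    if remaining > 0:
        raise ValueError("file too large for the block map")
    return count


def blocks_for_size(size_bytes, block_size=4096):
    """Data blocks a file of this size occupies (sparse files may use fewer)."""
    return ceil_div(size_bytes, block_size)


if __name__ == "__main__":
    for lb in (0, 11, 12, 1035, 1036, 1036 + 1024 * 1024):
        print(lb, resolve_logical_block(lb))
    for bs in (1024, 4096):
        print(f"block size {bs}: up to {max_file_blocks(bs)} blocks, "
              f"{max_file_blocks(bs) * bs} bytes")
    print("indirect blocks for a 10 MiB file:",
          indirect_blocks_needed(blocks_for_size(10 * 1024 * 1024)))
```

With 4096-byte blocks a file crosses into the single indirect block at 48 KiB and into the double indirect block at just over 4 MiB, so most files on a system never allocate more than one pointer block; a file that needs a triple indirect block is larger than 4 GiB.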