•The project has been funded by the European Commission. The Education, Audiovisual and
•Introduction to Ext file system
•Filesystem structure
•command mke2fs
•Superblock
•command dumpe2fs
•Block Group Descriptor
•Block Bitmap, Inode Bitmap
•Inodes
•Inode Table
•Addressing
•Inode (example)
•The contents of both of these blocks will be a list of 4-byte
•Root Directory
•Directory
•The data structure of the second version of the directory entry
•More on Ext file systems
•More Linux file systems
•The Sleuth kit (TSK)
•Mounting file systems
•Summary
•References & Resources
Addressing
Inodes
•Each inode contains four types of structure:
–12 direct Block Pointers
–1 Indirect Block Pointer
–1 Double Indirect Block Pointer
–1 Triple Indirect Block Pointer
[Figure: inode addressing. The 12 direct pointers each address one data block. The single indirect block pointer addresses a block of direct pointers, which in turn address data blocks. The double indirect block pointer addresses a block of indirect pointers, each of which addresses a block of direct pointers. The triple indirect block pointer adds one more level of indirect pointers. A block address is 4 bytes, so the number of addresses held in one indirect block depends on the block size.]
Inodes
Inode (example)
[Figure: hex dump of the example inode, with the file mode, the size of the file, the A-time, the direct block pointers and the indirect block pointers highlighted.]
Bytes 0 to 1 show the mode, which is 0x81a4. These bits show us that everyone can read this file (0x004), the group can read (0x020), the user can write (0x080), and the user can read (0x100). The upper four bits show that it is a regular file (0x8000).
Bytes 4 to 7 show that the size of the file is 10,240,000 bytes (0x009c4000).
Bytes 8 to 11 show the A-time as 0x3f2a096d, which translates to August 1, 2003 at 06:32:13 UTC.
Bytes 26 to 27 show the link count is 1, which means that there is a file name pointing to it. Bytes 32 to 35 show that there are no special flags or attributes set.
Bytes 40 to 43 are for the first direct pointer, and they are for block 14,380 (0x0000382c). Bytes 44 to 47 are for the second direct pointer, and they are for block 14,381 (0x0000382d). Bytes 88 to 91 contain the address of a single indirect block pointer, which is in block 14,392 (0x00003838). Bytes 92 to 95 also show a double indirect block pointer in block 15,417 (0x00003c39).
The contents of both of these blocks will be a list of 4-byte addresses.
The single indirect block pointer contains a list of addresses where file content is stored:
…
The allocation status of an inode is stored in the inode bitmap, which is located in the same group as the inode. The group descriptor contains the block address of the inode bitmap, and our example image has its bitmap in block 3, whose contents are shown here:
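As an added example (mine, not the lecture's or any tool it cites), the Python below rebuilds the inode from this walk-through as a constructed 128-byte record, decodes the same fields at the same byte offsets, and generalizes the addressing slide: locate_block() tells you which pointer level (direct, single, double or triple indirect) serves a given logical block of the file. It assumes a 1,024-byte block size, 4-byte block addresses and zero for every inode field the text does not mention.

```python
import struct
from datetime import datetime, timezone

def build_sample_inode() -> bytes:
    """Constructed 128-byte ext2 inode (little-endian) carrying only the
    fields the walk-through decodes; everything else is left zero."""
    raw = bytearray(128)
    struct.pack_into("<H", raw, 0, 0x81A4)       # mode
    struct.pack_into("<I", raw, 4, 0x009C4000)   # size (low 32 bits)
    struct.pack_into("<I", raw, 8, 0x3F2A096D)   # A-time
    struct.pack_into("<H", raw, 26, 1)           # link count
    struct.pack_into("<I", raw, 40, 0x382C)      # direct pointer 0
    struct.pack_into("<I", raw, 44, 0x382D)      # direct pointer 1
    struct.pack_into("<I", raw, 88, 0x3838)      # single indirect pointer
    struct.pack_into("<I", raw, 92, 0x3C39)      # double indirect pointer
    return bytes(raw)

def parse_inode(raw: bytes) -> dict:
    """Decode the fields the text walks through, at the same byte offsets."""
    mode, = struct.unpack_from("<H", raw, 0)
    size, atime = struct.unpack_from("<II", raw, 4)
    links, = struct.unpack_from("<H", raw, 26)
    flags, = struct.unpack_from("<I", raw, 32)
    ptrs = struct.unpack_from("<15I", raw, 40)   # 12 direct + single/double/triple
    return {
        "regular_file": (mode & 0xF000) == 0x8000,
        "perms": oct(mode & 0o777),              # 0x1a4 -> 0o644
        "size": size, "links": links, "flags": flags,
        "atime": datetime.fromtimestamp(atime, tz=timezone.utc).isoformat(),
        "direct": [p for p in ptrs[:12] if p],
        "single": ptrs[12], "double": ptrs[13], "triple": ptrs[14],
    }

def locate_block(logical: int, block_size: int = 1024) -> tuple:
    """Map a logical file block number to the pointer level that serves it
    (0 direct, 1 single, 2 double, 3 triple) and the index used at each hop.
    Each address is 4 bytes, so one indirect block holds block_size // 4."""
    per = block_size // 4
    if logical < 12:
        return (0, [logical])
    logical -= 12
    if logical < per:
        return (1, [logical])
    logical -= per
    if logical < per * per:
        return (2, [logical // per, logical % per])
    logical -= per * per
    return (3, [logical // (per * per), (logical // per) % per, logical % per])
```

With 1,024-byte blocks the 10,240,000-byte file spans 10,000 blocks, which is why the example inode needs its double indirect pointer: 12 direct plus 256 single-indirect addresses only reach block 267.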
Root Directory
•Root directory is always Inode 2
•Directory entries are block(s) that contain Name / Inode pairs
–these are the contents of the directory.
Directory entries are used to store file names and directories. They are located in blocks allocated to a directory and contain the addresses of index nodes representing files and directories.
Root Directory
[Figure: root directory layout. Directory entries (file names such as "Lecture № 1" and "Report on work") point to inodes in the table of inodes (metadata), and each inode points to the blocks holding the file's content (data).]
Each directory entry stores:
•inode number of the file,
•record size,
•the length of the file name,
•file name.
When the operating system tries to find the location of a file (or directory) on the disk, it loads the contents of each directory specified in the path to the file (or directory) into memory in order to find the inode of the next directory specified in the path. Directory traversal continues until the desired file or directory is found.
Directory
There are two directory entry structure formats, but both versions are the same size.
| Byte range | Description | The need for forensics |
|---|---|---|
| 0 - 3 | Index node value | Yes |
| 4 - 5 | Record length | Yes |
| 6 - 7 | Name length | Yes |
| 8+ | ASCII file or directory name | Yes |
For each name in the directory, there is one structure that refers to an index node with metadata.
The data structure of the second version of the directory entry

| Byte range | Description | The need for forensics |
|---|---|---|
| 0-3 | Index node value | Yes |
| 4-5 | Record length | Yes |
| 6-6 | Name length | Yes |
| 7-7 | File type | No |
| 8+ | ASCII file or directory name | Yes |

Valid values for the file type field in directory entries:

| Value | Description |
|---|---|
| 0 | Unknown type |
| 1 | Regular file |
| 2 | Directory |
| 3 | Character device |
| 4 | Block device |
| 5 | FIFO (named pipe) |
| 6 | Unix socket |
| 7 | Symbolic link |
Directory
icat command.
The test image uses the new version directory entries, and the index node 69,457 corresponds to the directory
1st entry: we see in bytes 0 to 3 that the inode corresponding to the first entry is 69,457 (0x010f51), and bytes 4 to 5 show that the directory entry is 12 bytes (0x0c). Byte 6 shows that the name is 1 byte long, and byte 7 shows that the entry is for a directory (0x02). The name is given in byte 8 and we see that it is '.' This corresponds to the directory entry for the current directory. We can do a sanity check by comparing the inode in the entry with the inode value we used with icat to display the contents, and we see that they are both 69,457.

To find the second entry, we add the length of the first entry to its start, which means that the second entry will start in byte 12. We see in bytes 16 to 17 that the length of this entry is also 12 bytes, and it is for the '..' directory.

To find the third entry, we add the length of the second entry to its start and get byte 24. We see in bytes 28 to 29 that the entry length is 40 bytes (0x28). Byte 30 shows the name length is 11 (0x0b). The name starts at byte 32 and extends until byte 42, and it contains the string abcdefg.txt.
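The walk-through above as an added example (mine, not the lecture's or TSK's): the Python below constructs a directory block with the same '.', '..' and 'abcdefg.txt' layout, walks it by record length exactly as the kernel does, and then scans the slack inside each record for a deleted name, which is what an examiner looks for. The 40-byte record length of 'abcdefg.txt' is reproduced by unlinking an invented 'old.log' entry behind it; every inode number except 69,457 and the trailing 'notes.txt' entry are invented for the sample.

```python
import struct

DIRENT = struct.Struct("<IHBB")  # version-2 header: inode, rec_len, name_len, file_type
FILE_TYPES = {0: "unknown", 1: "regular file", 2: "directory", 3: "char device",
              4: "block device", 5: "fifo", 6: "socket", 7: "symlink"}

def make_dirent(inode: int, name: bytes, ftype: int, rec_len: int = 0) -> bytes:
    """Encode one entry; rec_len defaults to the 4-byte-aligned minimum."""
    rec_len = rec_len or (DIRENT.size + len(name) + 3) & ~3
    return (DIRENT.pack(inode, rec_len, len(name), ftype) + name).ljust(rec_len, b"\0")

def build_sample_block(block_size: int = 1024) -> bytes:
    """Constructed block: '.', '..', 'abcdefg.txt', then 'old.log' which is
    unlinked the way ext2 does it (the previous rec_len grows 20 -> 40 and
    swallows it). Inode numbers other than 69,457 are invented."""
    block = bytearray(make_dirent(69457, b".", 2) + make_dirent(2, b"..", 2)
                      + make_dirent(69458, b"abcdefg.txt", 1)
                      + make_dirent(69460, b"old.log", 1, 20))
    struct.pack_into("<H", block, 24 + 4, 40)          # 'delete' old.log
    block += make_dirent(69459, b"notes.txt", 1, block_size - len(block))
    return bytes(block)

def walk_directory_block(block: bytes) -> list:
    """Follow rec_len as the kernel does, one dict per allocated entry; stop on a
    malformed header (too short, misaligned, past the block) instead of guessing."""
    entries, off = [], 0
    while off + DIRENT.size <= len(block):
        inode, rec_len, name_len, ftype = DIRENT.unpack_from(block, off)
        if rec_len < DIRENT.size + name_len or rec_len % 4 or off + rec_len > len(block):
            break
        name = block[off + 8:off + 8 + name_len].decode("latin-1")
        if inode:  # inode 0 marks an unused slot
            entries.append({"offset": off, "inode": inode, "rec_len": rec_len, "name_len": name_len,
                            "type": FILE_TYPES.get(ftype, "invalid"), "name": name})
        off += rec_len
    return entries

def recover_deleted(block: bytes) -> list:
    """Forensic pass: scan the slack after each live entry's own bytes for a
    header that still looks valid; that is where an unlinked name survives."""
    found = []
    for e in walk_directory_block(block):
        first = (DIRENT.size + e["name_len"] + 3) & ~3
        for pos in range(e["offset"] + first, e["offset"] + e["rec_len"] - DIRENT.size, 4):
            inode, rec_len, name_len, ftype = DIRENT.unpack_from(block, pos)
            if (inode and ftype in FILE_TYPES and rec_len % 4 == 0
                    and 0 < name_len <= rec_len - DIRENT.size and pos + rec_len <= len(block)):
                found.append((pos, inode, block[pos + 8:pos + 8 + name_len].decode("latin-1")))
    return found
```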
