Ext2 & Ext3 File Systems
File system and file structures

Three+ Optional Feature Categories
• Compatible features
  – OS can mount even if it doesn’t support these
• Incompatible features
  – The OS shouldn’t mount if it doesn’t support these
• Read-only compatible features
  – Should mount as read-only if not supported
• Experimental features
  – Can be anything added to the kernel

Structures
• File System
  – Superblock describes the file system
  – Group descriptor describes a block group
    • Block groups are consecutive sectors that store …
• Files and Directories
  – Directory entry points to an inode in the inode table
  – Inode table stores inode pointers
  – An inode describes a directory or file or contains the data

The Superblock
• 2 sectors (1024 bytes) that describe the file system
  – Volume label
  – Block size
  – # blocks per group
  – # reserved blocks before the 1st block group
  – The superblock group number
  – Count of free inodes & blocks (total all groups)
• An Ext* block is similar to a FAT* cluster

Superblock Locations
• 1st superblock is 1024 bytes past the beginning of the file system
• Copies of the superblock are in the first block of each block group
  – Read-only compatible
    • Sparse superblock: not all block groups back up the superblock
      – The default

Group Descriptor Table
• Stores
  – The group descriptors
    • One for each block group
  – Starting block addresses
    • block bitmap
    • inode table
  – Count of free inodes & blocks for the group
• Located in the block after the superblock
  – Backup copies are in the same block groups as the superblock backups

Block Group Layout
• Boot sectors (2) may precede the superblock (1st block group)
• [Diagram, in order: Backup Super Block | Group Desc Table | Block Bitmap | Inode Table | File Content]

Block Bitmap
• One bit per block in the group
  – Size = #blocks / 8
• Linux creates a block group to have as many blocks as there are bits in a block
• Thus, a block bitmap is always 1 block in size
• Tracks block allocation for the group

Inode Bitmap
• Tracks the allocation of inodes in the group
  – Size = #inodes per group / 8
• Size defined at file system creation
• Typically fewer inodes than blocks per group

Inode Table
• Size = # inodes * 128 bytes (inode size)
• Inodes contain file and directory metadata
• Directory has file/directory name and pointer to inode in the table
• Inode points to the file content blocks

File System Analysis
• Size = block size * #blocks
  – If < volume size, there is volume slack
    • Hidden data?
• Features
  – Read-only compatible
    • Sparse superblock: not all block groups back up the superblock
      – The default

Superblock Analysis
• Always 1024 bytes from start of file system
  – 1st 1024 bytes reserved for boot code
    • Hidden data?
• Crucial, since it describes the key file system data structures
  – Superblock signature: 0xEF53 in bytes 56 & 57
  – Backup copies give equally spaced signatures
    • With the sparse superblock feature, not in every group
• Feature flags indicate special features
• Lots of free space in superblock
  – Hidden data?

Finding Superblock Copies (I)
• sigfind -o 56 -l ef53 disk-8.dd
    Block size: 512  Offset: 56
    Block: 298661 (-)
    Block: 315667 (+17016)
    Block: 353313 (+37636)
    Block: 377550 (+24237)
  – Distances aren’t powers of two & they aren’t evenly spaced, so they don’t appear to be superblock copies
• Example from “File System Forensic Analysis”, Brian Carrier, Addison-Wesley, 2005

Finding Superblock Copies (II)
    [deleted a lot here]
    Block: 2056322 (+274327)
    Block: 2072706 (+16384)
    Block: 2105474 (+32768)
    Block: 2138242
    Block: 2171010
    Block: 2203778
• Looks like superblock is in sector 2056322

Finding Superblock Copies (III)
    Block: 2265167 (+61389)
    Block: 2265733 (+566)
    Block: 2265985 (+252)
    Block: 2266183 (+198)
    Block: 2266357 (+174)
    Block: 2266457 (+100)
  – Distances aren’t powers of two & they aren’t evenly spaced, so they don’t appear to be superblock copies

Ext2 vs. Ext3
• Inter-compatible
  – Ext2 converts to Ext3
  – Ext3 can be read by Ext2
• Ext3 adds journaling for consistency
  – Journal is a small, circular area written before writing to the disk
  – After crash, read the journal to ensure all write operations were completed
  – Redo any that were not completed

Finding Superblock Copies (IV)
    [deleted a lot here]
    Block: 2278273 (+2800)
    Block: 2281551 (+3278)
    Block: 2282617 (+1066)
    Block: 2314319 (+31702)
    Block: 2347087 (+32768)
    Block: 2379855
    Block: 2412623
  – Seems like we might have some superblocks???

Effects of Journaling
• The superblock is journaled, just like any other data, when backup copies are made
• This creates a multitude of signatures in the journal
• We check the superblock copy and find
  – It is from an Ext3 file system
  – The block group number is 3
  – Thus, block group 0 must be 49,152 sectors earlier, at sector 2,265,167, just after the end of the prior file system
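
The check described on this slide (read a superblock copy found by signature search, note the Ext3 flag and block group number, then work back to block group 0), as an added example that is not part of the original slides. Field offsets follow the standard Ext2/Ext3 superblock layout; the function names are hypothetical, and the sample geometry (1 KiB blocks, 8192 blocks per group) is an assumption chosen so that three groups span the slide's 49,152 sectors.

```python
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53               # little-endian u16 at byte 56 of the superblock
COMPAT_HAS_JOURNAL = 0x0004      # compatible feature: Ext3 journal present
RO_COMPAT_SPARSE_SUPER = 0x0001  # read-only compatible feature: sparse superblock

def parse_superblock(sb: bytes) -> dict:
    """Decode and sanity-check the fields needed to judge a signature hit."""
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        raise ValueError("not a 1024-byte superblock with 0xEF53 at bytes 56-57")
    first_data_block, log_bs = struct.unpack_from("<II", sb, 20)
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    group_nr = struct.unpack_from("<H", sb, 90)[0]
    compat, _incompat, ro_compat = struct.unpack_from("<III", sb, 92)
    # Random data that happens to contain EF53 rarely passes these checks.
    if log_bs > 6 or not 0 < blocks_per_group <= 8 * (1024 << log_bs):
        raise ValueError("implausible geometry, probably a false positive")
    return {
        "block_size": 1024 << log_bs,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "group_nr": group_nr,
        "ext3": bool(compat & COMPAT_HAS_JOURNAL),
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
    }

def primary_superblock_sector(hit_sector: int, f: dict) -> int:
    """Sector where the primary superblock should be, given a copy at hit_sector."""
    if f["group_nr"] == 0:
        return hit_sector
    sectors_per_block = f["block_size"] // SECTOR
    first_block = f["first_data_block"] + f["group_nr"] * f["blocks_per_group"]
    fs_start = hit_sector - first_block * sectors_per_block
    return fs_start + 1024 // SECTOR   # primary sits 1024 bytes into the file system

def sample_superblock(group_nr: int) -> bytes:
    """Constructed test data: 1 KiB blocks, 8192 blocks per group, Ext3, sparse."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 20, 1, 0)       # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, 8192)        # s_blocks_per_group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)   # on disk the bytes read 53 EF
    struct.pack_into("<H", sb, 90, group_nr)    # s_block_group_nr
    struct.pack_into("<III", sb, 92, COMPAT_HAS_JOURNAL, 0, RO_COMPAT_SPARSE_SUPER)
    return bytes(sb)

if __name__ == "__main__":
    f = parse_superblock(sample_superblock(3))  # a group-3 copy, as on the slide
    print(f, primary_superblock_sector(2314319, f))
```

A hit is worth trusting when the sector this returns is itself a signature hit whose superblock reports block group 0; copies sitting in the journal carry a valid group number but not a valid position.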