
Ext2 & Ext3 File Systems

File system and file structures

Three+ Optional Feature Categories

Compatible features
The OS can mount the file system even if it doesn't support these

Incompatible features
The OS shouldn't mount the file system if it doesn't support these

Read-only compatible features
The OS should mount read-only if it doesn't support these

Experimental features
Can be anything added to the kernel

Structures
File System
Superblock describes the file system
Group descriptor describes a block group
Block groups are consecutive sectors that store the group's metadata and file content

Files and Directories
Directory entry points to an inode in the inode table
Inode table stores the inodes of the group
An inode describes a directory or file and points to its content blocks (a short symbolic link target can be stored in the inode itself)

The Superblock
2 sectors (1024 bytes) that describe the file system

Volume label
Block size (stored as a shift: 1024 << s_log_block_size)
# blocks per group
# inodes per group
# reserved blocks before the 1st block group (s_first_data_block)
The block group number of this superblock copy (0 for the primary superblock)
Count of free inodes & blocks (total over all groups)

An Ext* block is similar to a FAT* cluster

Superblock Locations
1st superblock is 1024 bytes past the beginning of the file system
Copies of the superblock are in the first block of each block group that holds a backup
Read-only compatible feature: sparse superblock -> not all block groups back up the superblock (only groups 0, 1 and the powers of 3, 5 and 7)
The default

Group Descriptor Table

Stores the group descriptors, one for each block group
Each descriptor holds
Starting block addresses of the group's
block bitmap
inode bitmap
inode table
Count of free inodes & blocks for the group

Located in the block after the superblock
Backup copies are in the same block groups as the superblock backups

Block Group Layout

Boot sectors (2) may precede the superblock (1st block group only)
Layout of a group: [Backup Super Block] [Group Desc Table] [Block Bitmap] [Inode Bitmap] [Inode Table] [File Content]

Block Bitmap
One bit per block in the group
Size = #blocks in the group / 8 bytes
Linux creates each block group with as many blocks as there are bits in one block (8 x block size)
Thus, a block bitmap is always 1 block in size

Tracks block allocation for the group

Inode Bitmap
Tracks the allocation of inodes in the group
Size = #inodes per group / 8 bytes
#inodes per group is fixed at file system creation
Typically fewer inodes than blocks per group

Inode Table
Size = #inodes per group * inode size (128 bytes in Ext2 and original Ext3; revision 1 superblocks record the actual size in s_inode_size)
Inodes contain file and directory metadata
A directory entry has the file/directory name and a pointer to an inode in the table
The inode points to the file content blocks

File System Analysis

Size = block size * #blocks
If < volume size -> volume slack -> hidden data?

Features
Read-only compatible: sparse superblock -> not all block groups back up the superblock
The default

Superblock Analysis
Always 1024 bytes from the start of the file system
1st 1024 bytes reserved for boot code -> hidden data?

Crucial, since it describes the key file system data structures
Superblock signature: 0xEF53 in bytes 56 & 57 (little-endian on disk: 53 EF)
Backup copies -> equally spaced signatures
Sparse superblock feature -> not in every group

Feature flags indicate special features

Lots of unused space in the superblock -> hidden data?
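The superblock fields, feature categories, group layout and volume-slack check from the slides above, as an added worked example (this code is not from the slides or from Carrier's book): a Python parser for the primary superblock of a raw image, the mount decision the three feature categories imply, the per-group bitmap and inode-table sizes, the sector of every backup superblock under sparse_super, and the volume slack. The image bytes are constructed for the example; the field offsets are those of the on-disk ext2/ext3 superblock, and the feature-bit values assumed are has_journal (compat 0x4), filetype (incompat 0x2) and sparse_super (ro_compat 0x1).

```python
import struct

SUPER_MAGIC = 0xEF53             # s_magic: bytes 56-57 of the superblock, little-endian on disk
SUPER_OFFSET = 1024              # the primary superblock starts 1024 bytes into the file system
COMPAT_HAS_JOURNAL = 0x0004      # s_feature_compat bit set by Ext3 (assumed values for the sample)
INCOMPAT_FILETYPE = 0x0002       # s_feature_incompat bit: directory entries carry a file type
RO_COMPAT_SPARSE_SUPER = 0x0001  # s_feature_ro_compat bit: not every block group holds a copy


def build_superblock(blocks_count, blocks_per_group, inodes_per_group, log_block_size=0,
                     block_group_nr=0, compat=0, incompat=0, ro_compat=RO_COMPAT_SPARSE_SUPER):
    """Constructed 1024-byte superblock with just the fields this example reads
    (test data for the example, not bytes taken from a real disk)."""
    sb = bytearray(1024)
    first_data_block = 1 if log_block_size == 0 else 0   # 1 KiB blocks: block 0 is the boot block
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)
    struct.pack_into("<II", sb, 0, inodes_per_group * groups, blocks_count)  # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 12, blocks_count // 2, inodes_per_group * groups // 2)  # free blocks, free inodes
    struct.pack_into("<II", sb, 20, first_data_block, log_block_size)  # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, blocks_per_group)                  # s_blocks_per_group
    struct.pack_into("<I", sb, 40, inodes_per_group)                  # s_inodes_per_group
    struct.pack_into("<H", sb, 56, SUPER_MAGIC)                       # s_magic
    struct.pack_into("<I", sb, 76, 1)                                 # s_rev_level 1: s_inode_size is valid
    struct.pack_into("<HH", sb, 88, 128, block_group_nr)              # s_inode_size, s_block_group_nr
    struct.pack_into("<III", sb, 92, compat, incompat, ro_compat)     # the three feature words
    sb[120:136] = b"evidence".ljust(16, b"\0")                        # s_volume_name
    return bytes(sb)


def parse_superblock(image):
    """Decode the superblock fields the slides list from the primary superblock of `image`."""
    sb = image[SUPER_OFFSET:SUPER_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too short to hold a superblock")
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != SUPER_MAGIC:
        raise ValueError(f"bad superblock signature 0x{magic:04X}, expected 0xEF53")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    free_blocks, free_inodes = struct.unpack_from("<II", sb, 12)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group, = struct.unpack_from("<I", sb, 32)
    inodes_per_group, = struct.unpack_from("<I", sb, 40)
    rev_level, = struct.unpack_from("<I", sb, 76)
    inode_size, block_group_nr = struct.unpack_from("<HH", sb, 88)
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 92)
    return {
        "volume_name": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
        "block_size": 1024 << log_block_size, "blocks_count": blocks_count,
        "inodes_count": inodes_count, "free_blocks": free_blocks, "free_inodes": free_inodes,
        "first_data_block": first_data_block, "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "inode_size": inode_size if rev_level >= 1 else 128,  # revision 0 always uses 128-byte inodes
        "block_group_nr": block_group_nr,                     # 0 for the primary copy
        "compat": compat, "incompat": incompat, "ro_compat": ro_compat,
        "groups": -(-(blocks_count - first_data_block) // blocks_per_group),
    }


def mount_decision(info, supported_incompat, supported_ro_compat):
    """The three feature categories as a driver applies them: an unknown incompatible
    bit refuses the mount, an unknown read-only-compatible bit forces read-only,
    unknown compatible bits are ignored."""
    if info["incompat"] & ~supported_incompat:
        return "refuse"
    if info["ro_compat"] & ~supported_ro_compat:
        return "read-only"
    return "read-write"


def group_layout(info):
    """Sizes, in blocks, of the per-group bitmaps and inode table."""
    bs = info["block_size"]
    blocks = lambda nbytes: -(-nbytes // bs)
    return {"block_bitmap_blocks": blocks(info["blocks_per_group"] // 8),  # 1 when bpg == 8 * block size
            "inode_bitmap_blocks": blocks(info["inodes_per_group"] // 8),
            "inode_table_blocks": blocks(info["inodes_per_group"] * info["inode_size"])}


def backup_superblock_sectors(info):
    """512-byte sector (relative to the file system start) of every superblock copy.
    Group 0's sits 1024 bytes in; group g's sits in the first block of group g.
    With sparse_super only groups 0, 1 and the powers of 3, 5 and 7 carry a copy."""
    n = info["groups"]
    if info["ro_compat"] & RO_COMPAT_SPARSE_SUPER:
        groups = {0, 1} if n > 1 else {0}
        for base in (3, 5, 7):
            p = base
            while p < n:
                groups.add(p)
                p *= base
    else:
        groups = set(range(n))
    bs, bpg, fdb = info["block_size"], info["blocks_per_group"], info["first_data_block"]
    return {g: (1024 if g == 0 else (fdb + g * bpg) * bs) // 512 for g in sorted(groups)}


def volume_slack(info, volume_bytes):
    """Bytes inside the volume but past the end of the file system: space worth inspecting."""
    return volume_bytes - info["block_size"] * info["blocks_count"]


# Constructed image: 1024 bytes of boot area followed by a superblock for a 64 MiB
# file system with 1 KiB blocks, 8192 blocks and 2048 inodes per group.
SAMPLE_IMAGE = bytes(1024) + build_superblock(65536, 8192, 2048,
                                              compat=COMPAT_HAS_JOURNAL, incompat=INCOMPAT_FILETYPE)

if __name__ == "__main__":
    info = parse_superblock(SAMPLE_IMAGE)
    print(info)
    print("Ext2 driver without filetype support:", mount_decision(info, 0, 0))
    print("backup superblocks at sectors:", backup_superblock_sectors(info))
    print("volume slack:", volume_slack(info, 64 * 1024 * 1024 + 4096), "bytes")
```

Run against a real image by replacing SAMPLE_IMAGE with the first 2048 bytes of the partition (the offsets are relative to the file system start, not to the disk), and compare the backup sectors it predicts with the hits a signature search actually finds.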

Finding Superblock Copies (I)

sigfind -o 56 -l ef53 disk-8.dd

Block size: 512 Offset: 56
Block: 298661 (-)
Block: 315667 (+17016)
Block: 353313 (+37636)
Block: 377550 (+24237)
Distances aren't powers of two & they aren't evenly spaced -> don't appear to be superblock copies

Example from File System Forensic Analysis, Brian Carrier, Addison-Wesley, 2005

Finding Superblock Copies (II)

[deleted a lot here]
Block: 2056322 (+274327)
Block: 2072706 (+16384)
Block: 2105474 (+32768)
Block: 2138242 (+32768)
Block: 2171010 (+32768)
Block: 2203778 (+32768)

Looks like the superblock is in sector 2056322: spacings of 1, 2, 2, 2, 2 groups of 16,384 sectors are the sparse-superblock pattern for groups 0, 1, 3, 5, 7, 9

Finding Superblock Copies (III)

Block: 2265167 (+61389)
Block: 2265733 (+566)
Block: 2265985 (+252)
Block: 2266183 (+198)
Block: 2266357 (+174)
Block: 2266457 (+100)

Distances aren't powers of two & they aren't evenly spaced -> don't appear to be superblock copies

Ext 2 vs. Ext 3

Inter-compatible
An Ext2 file system converts to Ext3 (by adding a journal)
An Ext3 file system can be read by an Ext2 driver

Ext3 adds journaling for consistency
The journal is a small, circular area; each update is written there before it is written to its final location on disk
After a crash, read the journal to check which committed write operations reached the disk
Redo any that were not completed (transactions that never committed are discarded)

Finding Superblock Copies (IV)

[deleted a lot here]
Block: 2278273 (+2800)
Block: 2281551 (+3278)
Block: 2282617 (+1066)
Block: 2314319 (+31702)
Block: 2347087 (+32768)
Block: 2379855 (+32768)
Block: 2412623 (+32768)

Seems like we might have some superblocks???

Effects of Journaling
The superblock is journaled, just like any other metadata, when it is updated and its backup copies are rewritten
This leaves a multitude of stale superblock images, each carrying the 0xEF53 signature, in the journal
We check the superblock copy at sector 2,314,319 and find
It is from an Ext3 file system
Its block group number is 3
With 16,384 sectors per block group (8,192 blocks of 1,024 bytes), block group 0 must be 3 x 16,384 = 49,152 sectors earlier, at sector 2,265,167, just after the end of the prior file system
Check: group 1 should then be at 2,265,167 + 16,384 = 2,281,551, which is among the hits in (IV)
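The signature search and the journaling effect above, as an added example (this is not part of the slides and is not Carrier's sigfind): a sector scan for 0xEF53 at offset 56 over a constructed image that holds genuine superblock copies in groups 0, 1 and 3 plus stale copies of the primary superblock at arbitrary sectors, standing in for journal residue. Each hit is decoded and the file-system start it implies is computed from its block group number, the same reasoning the slide applies by hand; genuine copies agree on one start, journal copies do not. The image layout (file system at sector 4, 1024-byte blocks, 2048 blocks per group) is an assumption chosen to keep the constructed image small.

```python
import struct

SECTOR = 512
SUPER_MAGIC = 0xEF53
MAGIC_OFFSET = 56       # bytes 56-57 of a superblock hold 0xEF53 (on disk: 53 EF)


def superblock_bytes(blocks_per_group, group_nr, log_block_size=0):
    """Constructed superblock carrying only the fields the scan reads (test data, not a real disk)."""
    sb = bytearray(1024)
    first_data_block = 1 if log_block_size == 0 else 0
    struct.pack_into("<II", sb, 20, first_data_block, log_block_size)  # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, blocks_per_group)                  # s_blocks_per_group
    struct.pack_into("<H", sb, MAGIC_OFFSET, SUPER_MAGIC)             # s_magic
    struct.pack_into("<H", sb, 90, group_nr)                          # s_block_group_nr of this copy
    return bytes(sb)


FS_START = 4                       # assumed: the constructed file system begins at sector 4
BLOCKS_PER_GROUP = 2048            # assumed small group so the image stays small (mke2fs uses 8192 for 1 KiB blocks)
SECTORS_PER_GROUP = BLOCKS_PER_GROUP * 1024 // SECTOR   # 4096


def build_test_image():
    """Constructed disk image: genuine superblock copies in groups 0, 1 and 3 (sparse_super
    spacing) plus three stale images of the primary superblock at arbitrary sectors,
    standing in for the copies an Ext3 journal leaves behind."""
    img = bytearray(SECTOR * (FS_START + 4 * SECTORS_PER_GROUP))

    def put(sector, blob):
        img[sector * SECTOR:sector * SECTOR + len(blob)] = blob

    for g in (0, 1, 3):            # with 1 KiB blocks every copy sits 2 sectors into its group
        put(FS_START + 2 + g * SECTORS_PER_GROUP, superblock_bytes(BLOCKS_PER_GROUP, g))
    for s in (700, 733, 1010):     # "journal" residue: copies of the group-0 superblock
        put(FS_START + s, superblock_bytes(BLOCKS_PER_GROUP, 0))
    return bytes(img)


def scan_signatures(img):
    """Equivalent of `sigfind -o 56 -l ef53`: (sector, distance from the previous hit)
    for every sector whose bytes 56-57 are 0xEF53 little-endian."""
    hits, prev = [], None
    for sector in range(len(img) // SECTOR):
        if struct.unpack_from("<H", img, sector * SECTOR + MAGIC_OFFSET)[0] == SUPER_MAGIC:
            hits.append((sector, None if prev is None else sector - prev))
            prev = sector
    return hits


def implied_fs_start(img, sector):
    """Decode the candidate at `sector` and compute where block group 0 would have to
    start for this to be a genuine copy: group 0's superblock is 1024 bytes into the
    file system, group g's is in the first block of group g."""
    base = sector * SECTOR
    first_data_block, log_bs = struct.unpack_from("<II", img, base + 20)
    blocks_per_group, = struct.unpack_from("<I", img, base + 32)
    group_nr, = struct.unpack_from("<H", img, base + 90)
    block_size = 1024 << log_bs
    offset = 1024 if group_nr == 0 else (first_data_block + group_nr * blocks_per_group) * block_size
    return sector - offset // SECTOR


def classify_hits(img):
    """Group hits by the file-system start they imply. Genuine copies of one file system
    agree on a single start; each journal copy votes for a start of its own."""
    votes = {}
    for sector, _ in scan_signatures(img):
        votes.setdefault(implied_fs_start(img, sector), []).append(sector)
    return votes


def best_fs_start(votes):
    """The start backed by the most independent copies, and how many backed it."""
    start, sectors = max(votes.items(), key=lambda kv: len(kv[1]))
    return start, len(sectors)


if __name__ == "__main__":
    img = build_test_image()
    for sector, delta in scan_signatures(img):
        print(f"Block: {sector}", "(-)" if delta is None else f"(+{delta})")
    votes = classify_hits(img)
    print("candidate starts:", votes)
    print("file system starts at sector", best_fs_start(votes)[0])
```

The printed hit list reproduces the sigfind view: the three journal copies show irregular distances, the genuine copies show the 1-group and 2-group spacing. Voting on the implied start is what makes the distinction mechanical: a real backup in group 3 points back to the same sector as the primary, a stale image in the journal points at itself. On a real image the same decode also exposes candidates whose block size or group size disagrees with the primary superblock, which is another sign that a hit is residue rather than a copy.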