4.2. Ext2 & Ext3 File Systems

Ext2 & Ext3 File Systems
File system and file structures
Three+ Optional Feature Categories
• Compatible features
– OS can mount even if it doesn’t support these
• Incompatible features
– The OS shouldn’t mount if it doesn’t support these
• Read-only compatible features
– Should mount as read-only if not supported
• Experimental features
– Can be anything added to the kernel
Structures
• File System
– Superblock describes the file system
– Group descriptor describes a block group
• Block groups are consecutive sectors that store …
• Files and Directories
– Directory entry points to an inode in the inode table
– Inode table stores inode pointers
– An inode describes a directory or file or contains the data
The Superblock
• 2 sectors (1024 bytes) that describe the file system
– Volume label
– Block size
– # blocks per group
– # reserved blocks before the 1st block group
– The superblock block group number
– Count of free inodes & blocks (total all groups)
• An Ext* block is similar to a FAT* cluster
Superblock Locations
• 1st superblock is 1024 bytes past the beginning of the file system
• Copies of the superblock are in the first block of each block group
– Read-only compatible
• Sparse superblock → not all block groups back up the superblock
– The default
Group Descriptor Table
• Stores
– The group descriptors
• One for each block group
– Starting block addresses
• block bitmap
• inode bitmap
• inode table
– Count of free inodes & blocks for the group
• Located in the block after the superblock
– Backup copies are in the same block groups as the superblock backups
Block Group Layout
• Boot sectors (2) may precede the superblock (1st block group)
• Layout of one block group, in order (diagram on the slide):
  Backup Super Block | Group Desc Table | Block Bitmap | Inode Bitmap | Inode Table | File Content
Block Bitmap
• One bit per block in the group
– Size = #blocks / 8
• Linux creates a block group to have as many blocks as there are bits in a block
• Thus, a block bitmap is always 1 block in size
• Tracks block allocation for the group
Inode Bitmap
• Tracks the allocation of inodes in the group
– Size = #inodes per group / 8
• Size defined at file system creation
• Typically fewer inodes than blocks per group
Inode Table
• Size = # inodes * 128 bytes (inode size)
• Inodes contain file and directory metadata
• Directory has file/directory name and pointer to inode in the table
• Inode points to the file content blocks
File System Analysis
• Size = block size * #blocks
– If < volume size → volume slack
• Hidden data?
• Features
– Read-only compatible
• Sparse superblock → not all block groups back up the superblock
– The default
Superblock Analysis
• Always 1024 bytes from start of file system
– 1st 1024 bytes reserved for boot code
• Hidden data?
• Crucial, since it describes the key file system data structures
– Superblock signature: 0xEF53 in bytes 56 & 57
– Backup copies → equally spaced signatures
• Sparse superblock feature → not in every group
• Feature flags indicate special features
• Lots of free space in superblock
• Hidden data?
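The following Python is an added example (not from the slides or from Carrier's book) that decodes the superblock fields the last few slides name and derives the per-group geometry from them: block size, sectors per group, the bitmap and inode table sizes, the group descriptor table block, the sparse-superblock and journal feature bits, and where the superblock copies should sit. The field offsets are those of the kernel's struct ext2_super_block and the flag values are the kernel's EXT2_FEATURE_* constants; the image itself is a constructed 2 KiB sample, not a real disk.

```python
import math
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024          # the superblock always starts 1024 bytes into the file system
SECTOR = 512
RO_COMPAT_SPARSE_SUPER = 0x0001   # s_feature_ro_compat bit: sparse superblock (the default)
COMPAT_HAS_JOURNAL = 0x0004       # s_feature_compat bit: a journal exists (Ext3)
INCOMPAT_RECOVER = 0x0004         # s_feature_incompat bit: the journal still needs replay


def parse_superblock(fs_image: bytes) -> dict:
    """Decode the superblock fields the slides rely on and derive the block group geometry.
    Field offsets follow struct ext2_super_block; every integer is little-endian."""
    sb = fs_image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too short to hold a superblock")
    magic = struct.unpack_from("<H", sb, 56)[0]          # signature lives in bytes 56-57
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"no 0xEF53 signature at byte 56 (found 0x{magic:04X})")
    (inodes_count, blocks_count, _reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    if rev_level >= 1:                                    # dynamic-revision fields are valid from rev 1 on
        inode_size, block_group_nr = struct.unpack_from("<HH", sb, 88)
        compat, incompat, ro_compat = struct.unpack_from("<3I", sb, 92)
        volume_name = sb[120:136].split(b"\0", 1)[0].decode("latin-1")
    else:                                                 # rev 0: fixed 128-byte inodes, no feature flags
        inode_size, block_group_nr, compat, incompat, ro_compat, volume_name = 128, 0, 0, 0, 0, ""
    block_size = 1024 << log_block_size
    sectors_per_block = block_size // SECTOR
    return {
        "volume_name": volume_name,
        "block_size": block_size,
        "blocks_count": blocks_count,
        "inodes_count": inodes_count,
        "fs_size_bytes": blocks_count * block_size,       # compare with the volume size: volume slack?
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "inode_size": inode_size,
        "first_data_block": first_data_block,
        "group_count": math.ceil((blocks_count - first_data_block) / blocks_per_group),
        "sectors_per_group": blocks_per_group * sectors_per_block,
        "block_group_nr": block_group_nr,                 # 0 in the primary, g in the copy kept in group g
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        # per-group sizes in blocks: one bit per block/inode in the bitmaps, inode_size bytes per inode
        "block_bitmap_blocks": math.ceil(blocks_per_group / 8 / block_size),
        "inode_bitmap_blocks": math.ceil(inodes_per_group / 8 / block_size),
        "inode_table_blocks": math.ceil(inodes_per_group * inode_size / block_size),
        "gdt_block": first_data_block + 1,                # group descriptor table: the block after the superblock
    }


def backup_superblock_groups(group_count: int, sparse: bool) -> list:
    """Groups holding a superblock copy: every group, or with sparse_super only 0, 1 and powers of 3, 5, 7."""
    if not sparse:
        return list(range(group_count))
    groups = {0, 1}
    for base in (3, 5, 7):
        power = base
        while power < group_count:
            groups.add(power)
            power *= base
    return sorted(groups)


def superblock_copy_sectors(info: dict) -> list:
    """512-byte sector address of each superblock copy, i.e. where a signature search should hit."""
    sectors_per_block = info["block_size"] // SECTOR
    sectors = [SUPERBLOCK_OFFSET // SECTOR]               # the primary copy: byte 1024 = sector 2
    for g in backup_superblock_groups(info["group_count"], info["sparse_super"]):
        if g > 0:                                         # backups sit at the start of the group's first block
            first_block = info["first_data_block"] + g * info["blocks_per_group"]
            sectors.append(first_block * sectors_per_block)
    return sectors


def volume_slack_bytes(volume_size_bytes: int, info: dict) -> int:
    """Bytes beyond the last file system block: space to examine for hidden data."""
    return volume_size_bytes - info["fs_size_bytes"]


def make_sample_superblock() -> bytes:
    """Constructed sample (not a real image): 256 MiB Ext3, 1 KiB blocks, 32 groups, sparse superblock."""
    img = bytearray(2048)
    off = SUPERBLOCK_OFFSET
    # inodes, blocks, reserved blocks, free blocks, free inodes, first data block, log2(block size / 1024)
    struct.pack_into("<7I", img, off, 65536, 262144, 13107, 200000, 60000, 1, 0)
    struct.pack_into("<3I", img, off + 32, 8192, 8192, 2048)   # blocks, fragments and inodes per group
    struct.pack_into("<H", img, off + 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", img, off + 76, 1)                    # revision 1 (dynamic)
    struct.pack_into("<HH", img, off + 88, 128, 0)              # inode size, block group number of this copy
    struct.pack_into("<3I", img, off + 92, COMPAT_HAS_JOURNAL, 0x0002, RO_COMPAT_SPARSE_SUPER)
    img[off + 120:off + 128] = b"evidence"
    return bytes(img)


if __name__ == "__main__":
    info = parse_superblock(make_sample_superblock())
    print(info)
    print("superblock copies expected at sectors:", superblock_copy_sectors(info))
    print("volume slack:", volume_slack_bytes(270 * 1024 * 1024, info), "bytes")
```

With 1 KiB blocks the group descriptor table lands in block 2 and every group has 8192 blocks (8 bits per byte times 1024 bytes, so the block bitmap is exactly one block), which is why copies turn up 16384 sectors apart in the sigfind listings that follow. Run it against a real image by passing the first 2 KiB of the file system to `parse_superblock`; a signature mismatch at byte 56 raises rather than returning garbage.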
Finding Superblock Copies (I)
• sigfind output (The Sleuth Kit), searching every 512-byte sector for the little-endian signature ef53 at byte offset 56:
  sigfind -o 56 -l ef53 disk-8.dd
  Block size: 512 Offset: 56
  Block: 298661 (-)
  Block: 315667 (+17016)
  Block: 353313 (+37636)
  Block: 377550 (+24237)
– Distances aren’t powers of two & they aren’t evenly spaced → don’t appear to be superblock copies
• Example from “File System Forensic Analysis”, Brian Carrier, Addison-Wesley, 2005
Finding Superblock Copies (II)
• [deleted a lot here]
  Block: 2056322 (+274327)
  Block: 2072706 (+16384)
  Block: 2105474 (+32768)
  Block: 2138242 (+32768)
  Block: 2171010 (+32768)
  Block: 2203778 (+32768)
• Looks like superblock is in sector 2056322
Finding Superblock Copies (III)
  Block: 2265167 (+61389)
  Block: 2265733 (+566)
  Block: 2265985 (+252)
  Block: 2266183 (+198)
  Block: 2266357 (+174)
  Block: 2266457 (+100)
– Distances aren’t powers of two & they aren’t evenly spaced → don’t appear to be superblock copies
Ext 2 vs. Ext 3
• Inter-compatible
– Ext2 converts to Ext3
– Ext3 can be read by Ext2
• Ext3 adds journaling for consistency
– Journal is a small, circular area written before writing to the disk
– After crash, read the journal to ensure all write operations were completed
– Redo any that were not completed
Finding Superblock Copies (IV)
• [deleted a lot here]
  Block: 2278273 (+2800)
  Block: 2281551 (+3278)
  Block: 2282617 (+1066)
  Block: 2314319 (+31702)
  Block: 2347087 (+32768)
  Block: 2379855 (+32768)
  Block: 2412623 (+32768)
– Seems like we might have some superblocks???
Effects of Journaling
• The superblock is journaled, just like any other data, when backup copies are made
• This creates a multitude of signatures in the journal
• We check the superblock copy and find
– It is from an Ext3 file system
– The block group number is 3
– Thus, block group 0 must be 49,152 sectors earlier, at sector 2,265,167 just after the end of the prior file system
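The reasoning the four "Finding Superblock Copies" slides and this one apply by hand can be automated. The Python below is an added example, not code from the slides or from Carrier's book: it takes a list of sigfind hit sectors, prints the distances, and searches for a group size and a group 0 sector that explain as many hits as possible under the sparse-superblock rule (copies only in groups 0, 1 and the powers of 3, 5 and 7). Each hit is tried as the copy from some sparse group k, which is the same back-calculation the slide performs when it subtracts 3 group sizes from sector 2,314,319. The candidate group sizes assume the default Linux layout of 8 × block size blocks per group, and the hit lists are the slide's own numbers; the requirement of at least three aligned hits before a layout is reported is my own threshold.

```python
import re
from typing import Optional

SECTOR = 512


def sectors_per_group_for(block_size: int) -> int:
    """Linux sizes a group to 8*block_size blocks (one bit per block in a one-block bitmap)."""
    return 8 * block_size * (block_size // SECTOR)


# 16384, 65536, 262144 and 1048576 sectors for 1, 2, 4 and 8 KiB blocks
CANDIDATE_GROUP_SIZES = [sectors_per_group_for(1024 << n) for n in range(4)]


def is_sparse_backup_group(g: int) -> bool:
    """With sparse_super only groups 0, 1 and the powers of 3, 5 and 7 carry a superblock copy."""
    if g in (0, 1):
        return True
    for base in (3, 5, 7):
        power = base
        while power <= g:
            if power == g:
                return True
            power *= base
    return False


def parse_sigfind_output(text: str) -> list:
    """Pull the sector numbers out of sigfind's 'Block: N (+delta)' lines."""
    return [int(m.group(1)) for m in re.finditer(r"Block:\s+(\d+)", text)]


def deltas(hits: list) -> list:
    """Distance between consecutive hits, the (+N) column that sigfind prints."""
    return [b - a for a, b in zip(hits, hits[1:])]


def group0_from_copy(copy_sector: int, block_group_nr: int, sectors_per_group: int) -> int:
    """Sector of block group 0, given a copy whose s_block_group_nr says which group it came from."""
    return copy_sector - block_group_nr * sectors_per_group


def best_superblock_layout(hits: list) -> Optional[dict]:
    """Find the group size and group 0 sector that explain the most hits.

    Every hit is tried as the copy from sparse group k; the other hits must then fall on
    group boundaries that are themselves sparse backup groups. Fewer than three aligned
    hits is reported as None: journal blocks and stray data produce isolated signatures.
    """
    sparse_ks = [k for k in range(50) if is_sparse_backup_group(k)]
    best = None
    for spg in CANDIDATE_GROUP_SIZES:
        for ref in hits:
            for k in sparse_ks:
                g0 = group0_from_copy(ref, k, spg)
                if g0 < 0:
                    continue
                matched = {}
                for h in hits:
                    off = h - g0
                    if off >= 0 and off % spg == 0 and is_sparse_backup_group(off // spg):
                        matched[h] = off // spg       # hit sector -> block group it would belong to
                if best is None or len(matched) > len(best["groups"]):
                    best = {"sectors_per_group": spg, "group0_sector": g0, "groups": matched}
    if best is None or len(best["groups"]) < 3:
        return None
    return best


# Hit lists copied from the slides (Finding Superblock Copies II, III and IV)
HITS_II = [2056322, 2072706, 2105474, 2138242, 2171010, 2203778]
HITS_III = [2265167, 2265733, 2265985, 2266183, 2266357, 2266457]
HITS_IV = [2278273, 2281551, 2282617, 2314319, 2347087, 2379855, 2412623]


if __name__ == "__main__":
    for name, hits in (("II", HITS_II), ("III", HITS_III), ("IV", HITS_IV)):
        print(name, "deltas:", deltas(hits))
        print(name, "layout:", best_superblock_layout(hits))
    print("copy at 2314319 is group 3 -> group 0 at", group0_from_copy(2314319, 3, 16384))
```

For slide II the search recovers group 0 at sector 2056322 with 16384 sectors (8192 blocks of 1 KiB) per group and the hits mapped to groups 0, 1, 3, 5, 7 and 9. Slide III yields nothing, as the slide concludes. For slide IV the first three hits are left unexplained (journal copies of the superblock) while the remaining five align as groups 1, 3, 5, 7 and 9 of a file system whose group 0 is at sector 2265167, which is exactly what the slide derives from the block group number stored in the copy at sector 2314319. The alignment test is only a screen: reading the candidate copy and checking its 0xEF53 signature, block group number and feature flags, as the slide does, remains the confirming step.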