Ext2 - PowerPoint PPT Presentation

About This Presentation
Title:

Ext2

Description:

Ext2 & Ext3 File Systems File system and file structures ... Effects of Journaling The superblock is journaled, just like any other data, ... – PowerPoint PPT presentation

Number of Views:55
Avg rating:3.0/5.0
Slides: 19
Provided by: Bac149
Learn more at: http://webpages.sou.edu
Category:
Tags: ext2 | journaling

less

Transcript and Presenter's Notes

Title: Ext2


1
Ext2 Ext3 File Systems
  • File system and file structures

2
Three Optional Feature Categories
  • Compatible features
  • OS can mount even if it doesnt support these
  • Incompatible features
  • The OS shouldnt mount if it doesnt support
    these
  • Read-only compatible features
  • Should mount as read-only if not supported
  • Experimental features
  • Can be anything added to the kernel

3
Structures
  • File System
  • Superblock describes the file system
  • Group descriptor describes a block group
  • Block groups are consecutive sectors that store
  • Files and Directories
  • Directory entry points to an inode in the inode
    table
  • Inode table stores inode pointers
  • An inode describes a directory or file or
    contains the data

4
The Superblock
  • 2 sectors (1024 bytes) that describe the file
    system
  • Volume label
  • Block size
  • blocks per group
  • reserved blocks before the 1st block group
  • The superblock block group number
  • Count of free inodes blocks (total all groups)
  • An Ext block is similar to a FAT cluster

5
Superblock Locations
  • 1st superblock is1024 bytes past the beginning of
    the file system
  • Copies of the superblock are in the first block
    of each block group
  • Read-only compatible
  • Sparse superblock ? not all block groups backup
    the superblock
  • The default

6
Group Descriptor Table
  • Stores
  • The group descriptors
  • One for each block group
  • Starting block addresses
  • block bitmap
  • inode bitmap
  • inode table
  • Count of free inodes blocks for the group
  • Located in the block after the superblock
  • Backup copies are in the same block groups as the
    superblock backups

7
Block Group Layout
Boot sectors (2) may precede the superblock (1st
block group)
Backup Super Block
Group Desc Table
Block Bitmap
Inode Bitmap
Inode Table
File Content
8
Block Bitmap
  • One bit per block in the group
  • ? size blocks / 8
  • Linux creates a block group to have as many
    blocks as there are bits in a block
  • Thus, a block bitmap is always 1 block in size
  • Tracks block allocation for the group

9
Inode Bitmap
  • Tracks the allocation of inodes in the group
  • Size inodes per group / 8
  • Size defined at file system creation
  • Typically fewer inodes than blocks per group

10
Inode Table
  • Size inodes 128 bytes (inode size)
  • Inodes contain file and directory metadata
  • Directory has file/directory name and pointer to
    inode in the table
  • Inode points to the file content blocks

11
File System Analysis
  • Size block size blocks
  • If lt volume size ? volume slack
  • hidden data?
  • Features
  • Read-only compatible
  • Sparse superblock ? not all blocks backup the
    superblock
  • The default

12
Superblock Analysis
  • Always 1024 bytes from start of file system
  • 1st 1024 reserved for boot code
  • hidden data?
  • Crucial, since it describes the key file system
    data structures
  • Superblock signature 0xEF53 in bytes 56 57
  • Backup copies ? equally spaced signatures
  • Sparse superblock feature ? not in every group
  • Features flags indicate special features
  • Lots of free space in superblock
  • Hidden data?

13
Finding Superblock Copies (I)
  • sigfind -0 56 l ef53 disk-8.dd
  • Block size 512 Offset 56
  • Block 298661 (-)
  • Block 315667 (17016)
  • Block 353313 (37636)
  • Block 377550 (24237)
  • Distances arent powers of two they arent
    evenly spaced ? dont appear to be superblock
    copies
  • Example from File System Forensic Analysis,
    Brian Carrier, Addison-Wesley, 2005

14
Finding Superblock Copies (II)
  • deleted a lot here
  • Block 2056322 (274327)
  • Block 2072706 (16384)
  • Block 2105474 (32768)
  • Block 2138242 (32768)
  • Block 2171010 (32768)
  • Block 2203778 (32768)

Looks like superblock is in sector 2056322
15
Finding Superblock Copies (III)
  • Block 2265167 (61389)
  • Block 2265733 (566)
  • Block 2265985 (252)
  • Block 2266183 (198)
  • Block 2266357 (174)
  • Block 2266457 (100)
  • Distances arent powers of two they arent
    evenly spaced ? dont appear to be superblock
    copies

16
Ext 2 vs. Ext 3
  • Inter-compatible
  • Ext2 converts to Ext3
  • Ext3 can be read by Ext2
  • Ext3 adds journaling for consistency
  • Journal is a small, circular area written before
    writing to the disk
  • After crash, read the journal to ensure all write
    operations were completed
  • Redo any that were not completed

17
Finding Superblock Copies (IV)
  • deleted a lot here
  • Block 2278273 (2800)
  • Block 2281551 (3278)
  • Block 2282617 (1066)
  • Block 2314319 (31702)
  • Block 2347087 (32768)
  • Block 2379855 (32768)
  • Block 2412623 (32768)
  • Seems like we might have some superblocks???

18
Effects of Journaling
  • The superblock is journaled, just like any other
    data, when backup copies are made
  • This creates a multitude of signatures in the
    journal
  • We check the superblock copy and find
  • It is from an Ext3 file system
  • The block group number is 3
  • Thus, block group 0 must be 49,152 sectors
    earlier, at sector 2,265,167 just after the end
    of the prior file system
Write a Comment
User Comments (0)
About PowerShow.com