UFS2 Inodes

The UFS2 inode is 128 bytes larger than its UFS1 counterpart, and many of its fields are 64 bits wide instead of 32. It, too, is located in an inode table whose offset is given in the superblock; unlike the UFS1 inode table, however, the UFS2 inode table is not staggered. The UFS2 inode has the fields given in Table 17.8.

Table 17.8. Data structure for the UFS2 inode.

Byte Range   Description                                                              Essential
0–1          File mode (type and permissions) (see "Inodes" section in Chapter 15)   Yes
2–3          Link count                                                               Yes
4–7          User ID                                                                  No
8–11         Group ID                                                                 No
12–15        Inode block size                                                         No
16–23        Size                                                                     Yes
24–31        Bytes held                                                               No
32–39        Access time                                                              No
40–47        Modified time                                                            No
48–55        Change time                                                              No
56–63        Create time                                                              No
64–67        Modified time (nanoseconds)                                              No
68–71        Access time (nanoseconds)                                                No
72–75        Change time (nanoseconds)                                                No
76–79        Create time (nanoseconds)                                                No
80–83        Generation number (NFS)                                                  No
84–87        Kernel flags                                                             No
88–91        Status flags                                                             No
92–95        Extended attributes size                                                 No
96–111       2 Direct extended attribute block pointers                               No
112–207      12 Direct block pointers                                                 Yes
208–215      1 Indirect block pointer                                                 Yes
216–223      1 Double indirect block pointer                                          Yes
224–231      1 Triple indirect block pointer                                          Yes
232–255      Unused                                                                   No

The most noticeable difference between the UFS1 and UFS2 versions is that the block pointers and the time values are 64 bits. The address values in the indirect blocks are also 64 bits.

We saw in our UFS2 image that the inode table starts in fragment 56. We view inode 5 as follows:

% dcat -f freebsd freebsd.dd 56 8 | dd bs=256 skip=5 count=1 | xxd
0000000: a481 0100 0000 0000 0000 0000 0000 0000 ................
0000016: 0000 2000 0000 0000 2010 0000 0000 0000 .. ..... .......
0000032: b5b3 0f41 0000 0000 b6b3 0f41 0000 0000 ...A.......A....
0000048: b6b3 0f41 0000 0000 b5b3 0f41 0000 0000 ...A.......A....
0000064: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 11fe 8458 0000 0000 0000 0000 0000 0000 ...X............
0000096: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000112: e800 0000 0000 0000 f000 0000 0000 0000 ................
0000128: f800 0000 0000 0000 0001 0000 0000 0000 ................
0000144: 0801 0000 0000 0000 1001 0000 0000 0000 ................
0000160: 1801 0000 0000 0000 2001 0000 0000 0000 ........ .......
0000176: 5801 0000 0000 0000 6001 0000 0000 0000 X.......`.......
0000192: 6801 0000 0000 0000 7001 0000 0000 0000 h.......p.......
0000208: 4801 0000 0000 0000 0000 0000 0000 0000 H...............
0000224: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................

In bytes 0 to 1 we see the mode, and the 8 shows that it is a regular file. Bytes 16 to 23 show that the file size is 2,097,152 bytes (0x00200000). The 8-byte A-time is given in bytes 32 to 39, and it translates to Tue Aug 3 15:48:05 2004 UTC.

Bytes 112 to 119 are the first direct block pointer, and we see that it is for block 232 (0xe8). The second block pointer is for block 240 (0xf0), and the block size of this image is 8 fragments per block. Bytes 208 to 215 are for the first indirect block pointer, and we see that it has allocated block 328 (0x0148) for this purpose.

The istat output for this inode is as follows:

# istat -f freebsd -z UTC freebsd.dd 5
inode: 5
Allocated
Group: 0
uid / gid: 0 / 0
mode: -rw-r--r--
size: 2097152
num of links: 1

Inode Times:
Accessed: Tue Aug 3 15:48:05 2004
File Modified: Tue Aug 3 15:48:06 2004
Inode Modified: Tue Aug 3 15:48:06 2004

Direct Blocks:
232 233 234 235 236 237 238 239
240 241 242 243 244 245 246 247
[REMOVED]
1296 1297 1298 1299 1300 1301 1302 1303

Indirect Blocks:
328 329 330 331 332 333 334 335
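To show how the manual walk through the xxd dump and the istat output fit together, here is an added Python decoder for Table 17.8 (example code written for this page, not from the book or The Sleuth Kit). The 256-byte input is the inode 5 dump transcribed from above; the 8-fragments-per-block expansion uses the fragment count the text gives for this image.

```python
import struct
from datetime import datetime, timezone

# Constructed input: inode 5 of freebsd.dd, transcribed from the 256-byte xxd
# dump above (two 16-byte rows per line, little-endian as stored on disk).
INODE_BYTES = bytes.fromhex(
    "a4810100000000000000000000000000" "00002000000000002010000000000000"  # 0-31
    "b5b30f4100000000b6b30f4100000000" "b6b30f4100000000b5b30f4100000000"  # 32-63
    "00000000000000000000000000000000" "11fe8458000000000000000000000000"  # 64-95
    "00000000000000000000000000000000" "e800000000000000f000000000000000"  # 96-127
    "f8000000000000000001000000000000" "08010000000000001001000000000000"  # 128-159
    "18010000000000002001000000000000" "58010000000000006001000000000000"  # 160-191
    "68010000000000007001000000000000" "48010000000000000000000000000000"  # 192-223
    "00000000000000000000000000000000" "00000000000000000000000000000000"  # 224-255
)

# Table 17.8 as a struct layout: little-endian, no padding, 256 bytes in total.
UFS2_INODE = struct.Struct(
    "<HHIII"      # 0-15: mode, link count, user ID, group ID, inode block size
    "QQQQQQ"      # 16-63: size, bytes held, access/modified/change/create time
    "IIIIIIII"    # 64-95: four nanosecond fields, generation, kernel flags, status flags, ext attr size
    "2Q12Q3Q24x"  # 96-255: 2 ext attr pointers, 12 direct, 3 indirect pointers, 24 unused bytes
)

# Type bits in the mode's high nibble; 0x8000 is the "8" the text points at.
FILE_TYPES = {0x8000: "regular file", 0x4000: "directory", 0xA000: "symbolic link",
              0x2000: "character device", 0x6000: "block device", 0x1000: "FIFO", 0xC000: "socket"}

def parse_ufs2_inode(buf):
    """Decode one 256-byte UFS2 inode into the fields istat reports."""
    if len(buf) != UFS2_INODE.size:
        raise ValueError("a UFS2 inode is exactly 256 bytes")
    f = UFS2_INODE.unpack(buf)
    ts = lambda s: datetime.fromtimestamp(s, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {
        "file_type": FILE_TYPES.get(f[0] & 0xF000, "unknown"),
        "permissions": f"{f[0] & 0o7777:04o}",
        "link_count": f[1], "uid": f[2], "gid": f[3], "size": f[5], "bytes_held": f[6],
        "atime": f[7], "mtime": f[8], "ctime": f[9], "crtime": f[10], "generation": f[15],
        "atime_utc": ts(f[7]), "mtime_utc": ts(f[8]),
        "direct": list(f[21:33]),    # bytes 112-207, fragment addresses
        "indirect": list(f[33:36]),  # bytes 208-231: single, double, triple
    }

def fragments_for_block(pointer, frags_per_block=8):
    """Pointers address fragments; a full block spans the next frags_per_block of
    them, which is why istat lists 232 ... 239 for the single pointer 232."""
    return list(range(pointer, pointer + frags_per_block))
```

Feeding the decoder any other 256-byte slice of the inode table (the `dd bs=256 skip=N` trick above) gives the same fields for inode N, which is a quick way to cross-check istat against the raw bytes.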


Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures

Summary

Bibliography

Bibliography



File System Forensic Analysis
ISBN: 0321268172
Year: 2006
Authors: Brian Carrier