File and directory content is stored in blocks, and the allocation status of each block is stored in a block bitmap. Every block group has a bitmap for its blocks. The starting location of the bitmap is given in the group descriptor, and it is allocated at least one block.
Like other bitmaps we have seen in this book, it is organized into bytes, and the least-significant bit corresponds to the block after the most-significant bit of the previous byte. In other words, when we read the bytes we go left to right, but inside each byte we read right to left.
When we analyzed the contents of the group descriptor in our example image, we saw that the block bitmap for group 0 started in block 2. We can extract the contents of that block with dcat (or dd):
    # dcat -f linux-ext3 ext3.dd 2 | xxd
    0000000: ffff ffff ffff ffff ffff ffff ffff ffff  ................
    [REMOVED]
    0001168: ff01 fcff ffff 0ffe ffff ffff 03fe ffff  ................
The rows of all 'f' values show that there are many allocated blocks in the beginning of block group 0. At byte 1,169 we see the value 0x01. Byte 1,169 corresponds with blocks 9,352 to 9,359. The value 0x01 shows us that block 9,352 is allocated, but blocks 9,353 to 9,359 are not.
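The following decoder, an added example and not part of the book's text or tools, applies the bit-ordering rule above to a constructed bitmap whose first 1,168 bytes are 0xff followed by the 16 bytes from the xxd row shown. It assumes the group's first block is block 0, which is what the byte 1,169 to blocks 9,352 through 9,359 calculation in the text implies.

```python
# Decode an ext2/ext3 block bitmap: one bit per block, bytes read left to
# right, bits inside each byte read least-significant first.

# Constructed sample: 1,168 bytes of 0xff (all allocated), then the 16 bytes
# shown at xxd offset 0001168 in the text, so byte 1,169 holds 0x01.
SAMPLE_BITMAP = bytes([0xFF] * 1168) + bytes.fromhex(
    "ff01fcffffff0ffeffffffff03feffff"
)


def block_index(block, first_block=0):
    """Return (byte offset, bit number) of a block inside its group's bitmap."""
    rel = block - first_block
    if rel < 0:
        raise ValueError("block precedes the start of this block group")
    return rel // 8, rel % 8


def is_allocated(bitmap, block, first_block=0):
    """True if the bitmap marks the block as allocated."""
    byte, bit = block_index(block, first_block)
    if byte >= len(bitmap):
        raise ValueError("block lies beyond the end of this bitmap")
    return bool((bitmap[byte] >> bit) & 1)


def blocks_for_byte(byte_offset, first_block=0):
    """Range of blocks covered by one bitmap byte (byte 1,169 -> 9,352..9,359)."""
    start = first_block + byte_offset * 8
    return range(start, start + 8)


def unallocated_blocks(bitmap, first_block=0):
    """Every block the bitmap marks as free: the places an investigator
    looks for deleted content."""
    free = []
    for byte_offset, value in enumerate(bitmap):
        if value == 0xFF:
            continue  # fully allocated byte, nothing to report
        for bit in range(8):
            if not (value >> bit) & 1:
                free.append(first_block + byte_offset * 8 + bit)
    return free


if __name__ == "__main__":
    print("block 9352 allocated:", is_allocated(SAMPLE_BITMAP, 9352))
    print("unallocated blocks:", unallocated_blocks(SAMPLE_BITMAP))
```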