UFS2 files and directories can have extended attributes, which are user or system assigned name and value pairs. Extended attributes are stored in normal data blocks, and the block addresses are given in the inode. Each block contains a list of variable length data structures that have the fields shown in Table 17.9.
Byte Range |
Description |
Essential |
---|---|---|
03 |
Record length |
Yes |
44 |
Namespace (see Table 17.10) |
No |
55 |
Content padding |
Yes |
66 |
Name length |
Yes |
7(7 + name length) |
Name |
Yes |
(After name and padded to 8-byte boundary) |
Value |
Yes |
The name is padded so that the value starts on an 8-byte boundary. The value also is padded so that the next entry starts on an 8-byte boundary. The amount of padding for the name can be calculated using the name length and the amount of padding for the value is given in byte 5. The namespace value can take on one of the values given in Table 17.10.
Value |
Description |
---|---|
1 |
User |
2 |
System |
Here we see the contents of an extended attribute block with two attributes:
0000000: 3000 0000 0107 0673 6f75 7263 6500 0000 0......source... 0000016: 7777 7777 2e64 6967 6974 616c 2d65 7669 wwww.digital-evi 0000032: 6465 6e63 652e 6f72 6700 0000 0000 0000 dence.org....... 0000048: 2000 0000 0104 0464 6174 6500 0000 0000 ......date..... 0000064: 4175 6720 3132 2c20 3230 3034 0000 0000 Aug 12, 2004.... 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Bytes 0 to 3 show the record length as 48 bytes (0x30). Byte 4 shows the namespace as 1, which means it is a user attribute. We see that there are seven bytes of padding in the content, the name length is six bytes, and that the name is "source." The name ends in byte 12, so the next 8-byte boundary is byte 16. To find the ending location of the value, we subtract the starting byte from the record length and the padding length (48167 = 25). The value is the string "www.digital-evidence.org."
Part I: Foundations
Digital Investigation Foundations
Computer Foundations
Hard Disk Data Acquisition
Part II: Volume Analysis
Volume Analysis
PC-based Partitions
Server-based Partitions
Multiple Disk Volumes
Part III: File System Analysis
File System Analysis
FAT Concepts and Analysis
FAT Data Structures
NTFS Concepts
NTFS Analysis
NTFS Data Structures
Ext2 and Ext3 Concepts and Analysis
Ext2 and Ext3 Data Structures
UFS1 and UFS2 Concepts and Analysis
UFS1 and UFS2 Data Structures
Summary
Bibliography
Bibliography