Group Descriptor Tables

The group descriptor table is a list of group descriptor data structures that is located in the file system block following the superblock. The table has an entry for every block group in the file system, and each entry contains information about that group. Each entry is only 32 bytes and has the fields given in Table 15.9.

Table 15.9. Data structure for the group descriptor table entries.

    Byte Range   Description                               Essential
    0-3          Starting block address of block bitmap    Yes
    4-7          Starting block address of inode bitmap    Yes
    8-11         Starting block address of inode table     Yes
    12-13        Number of unallocated blocks in group     No
    14-15        Number of unallocated inodes in group     No
    16-17        Number of directories in group            No
    18-31        Unused                                    No

To view the contents of the primary group descriptor table, we extract the block following the superblock. In our image, each block is 4,096 bytes, the superblock is located inside block 0, and the group descriptor table is, therefore, in block 1. Note that when the block size is 1,024 bytes, the superblock is in block 1 and the group descriptor table starts in block 2.

We extract the table with dcat:

    # dcat -f linux-ext3 ext3.dd 1 | xxd
    0000000: 0200 0000 0300 0000 0400 0000 d610 7b3f ..............{?
    0000016: 0a00 0000 0000 0000 0000 0000 0000 0000 ................
    0000032: 0280 0000 0380 0000 0480 0000 0000 8e3f ...............?
    0000048: 0100 0000 0000 0000 0000 0000 0000 0000 ................
    [REMOVED]

This output shows two of the group descriptor entries. Bytes 0 to 3 show that the block bitmap is located in block 2, and bytes 4 to 7 show that the inode bitmap is located in block 3. According to bytes 8 to 11, the inode table starts in block 4. This image has 32,768 blocks per block group, which means that the block bitmap will need 4,096 bytes and, therefore, one block. There are 16,288 inodes per group, so the inode bitmap will need 2,036 bytes. The inode table will have 16,288 entries that are 128 bytes each, which totals 2,084,864 bytes. With a 4,096-byte block size, the inode table will need 509 blocks and extend from block 4 to 512.

The table entry for group 1 starts at byte 32. We see in bytes 32 to 35 that the block bitmap is in block 32,770 (0x8002). This is intuitive because we know that group 1 will start in block 32,768 and that a backup superblock and backup group descriptor table will use the first two blocks. When a block group does not have a backup superblock and group descriptor, the block bitmap is located in the first block of the group.
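The following is an added example, not code from the book or from The Sleuth Kit: it parses the two 32-byte entries shown in the xxd output above using the field layout of Table 15.9, then repeats the layout arithmetic from the text (bitmap and inode table sizes) to flag an entry whose bitmap or inode table addresses are not where the superblock parameters say they should be. The parameters passed to check_group (32,768 blocks and 16,288 inodes per group, 4,096-byte blocks, 128-byte inodes, a one-block group descriptor table, and has_backup for whether the group carries a backup superblock) are taken from this image and are assumptions in any other image.

```python
import struct
from math import ceil
from typing import List, NamedTuple

# Constructed input: the 64 bytes of the xxd output above (entries for groups 0 and 1).
GDT_BYTES = bytes.fromhex(
    "02000000 03000000 04000000 d6107b3f 0a000000 00000000 00000000 00000000"
    "02800000 03800000 04800000 00008e3f 01000000 00000000 00000000 00000000"
)

class GroupDesc(NamedTuple):
    block_bitmap: int   # bytes 0-3
    inode_bitmap: int   # bytes 4-7
    inode_table: int    # bytes 8-11
    free_blocks: int    # bytes 12-13
    free_inodes: int    # bytes 14-15
    used_dirs: int      # bytes 16-17

def parse_gdt(data: bytes) -> List[GroupDesc]:
    """Split a group descriptor table into its 32-byte little-endian entries."""
    return [GroupDesc(*struct.unpack_from("<IIIHHH", data, off))
            for off in range(0, len(data) // 32 * 32, 32)]

def layout_blocks(blocks_per_group=32768, inodes_per_group=16288,
                  block_size=4096, inode_size=128):
    """Blocks needed by the block bitmap, inode bitmap and inode table (1, 1, 509 here)."""
    return (ceil(blocks_per_group / 8 / block_size),
            ceil(inodes_per_group / 8 / block_size),
            ceil(inodes_per_group * inode_size / block_size))

def check_group(gd: GroupDesc, group: int, has_backup: bool, blocks_per_group=32768,
                inodes_per_group=16288, block_size=4096, inode_size=128,
                gdt_blocks=1) -> List[str]:
    """Report where an entry disagrees with the layout the superblock values imply.
    Assumes a 4,096-byte block size (superblock in block 0); parameters are assumptions."""
    bbm, ibm, itab = layout_blocks(blocks_per_group, inodes_per_group, block_size, inode_size)
    first = group * blocks_per_group
    findings = []
    expected_bbm = first + (1 + gdt_blocks if has_backup else 0)  # skip backup sb + GDT
    if gd.block_bitmap != expected_bbm:
        findings.append(f"group {group}: block bitmap at {gd.block_bitmap}, expected {expected_bbm}")
    if gd.inode_bitmap != gd.block_bitmap + bbm:
        findings.append(f"group {group}: inode bitmap at {gd.inode_bitmap}, expected {gd.block_bitmap + bbm}")
    if gd.inode_table != gd.inode_bitmap + ibm:
        findings.append(f"group {group}: inode table at {gd.inode_table}, expected {gd.inode_bitmap + ibm}")
    if gd.inode_table + itab - 1 >= first + blocks_per_group:
        findings.append(f"group {group}: inode table runs past the end of the group")
    return findings
```

For group 0 the inode table is found to span blocks 4 to 512 (4 + 509 - 1), matching the text; with has_backup=False for group 1 the check reports the block bitmap two blocks later than expected, which is exactly the backup superblock and descriptor table the text describes.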

File System Forensic Analysis
ISBN: 0321268172
Year: 2006
Pages: 184
Authors: Brian Carrier