Inodes

The inode data structure is used to store the metadata for a file or directory. Inodes are located in inode tables, which are located in each of the block groups. The starting location of the inode table is defined in the group descriptor, and the number of inodes per group is defined in the superblock.

The basic inode data structure is 128 bytes in size. If the file system is a "dynamic" version, as defined in the superblock, the inode can be a dynamic size, which is given in the superblock. Larger inodes are not supported in the current Linux kernel, but the first 128 bytes will have the same fields as the standard inode [Ts'o and Tweedie 2002]. The basic inode has the fields given in Table 15.10.

Table 15.10. Data structure for an inode.

Byte Range

Description

Essential

01

File mode (type and permissions) (see Tables 15.11, 15.12, and 15.13)

Yes

23

Lower 16 bits of user ID

No

47

Lower 32 bits of size in bytes

Yes

811

Access Time

No

1215

Change Time

No

1619

Modification time

No

2023

Deletion time

No

2425

Lower 16 bits of group ID

No

2627

Link count

No

2831

Sector count

No

3235

Flags (see Table 15.14)

No

3639

Unused

No

4087

12 direct block pointers

Yes

8891

1 single indirect block pointer

Yes

9295

1 double indirect block pointer

Yes

9699

1 triple indirect block pointer

Yes

100103

Generation number (NFS)

No

104107

Extended attribute block (File ACL)

No

108111

Upper 32 bits of size / Directory ACL Yes /

No

112115

Block address of fragment

No

116116

Fragment index in block

No

117117

Fragment size

No

118119

Unused

No

120121

Upper 16 bits of user ID

No

122123

Upper 16 bits of group ID

No

124127

Unused

No

As was mentioned in the overview, the size was originally only 32 bits, but it was made into a 64-bit value by using the directory ACL value at bytes 108 to 111. There should be a read only compatible feature set in the superblock if any file uses a 64-bit size.

The 16-bit file mode value is broken up into three sections. In the lower 9 bits are the permissions flags, and each bit corresponds to a permission. The permissions use the notion of user, group, and world where user is the user ID in the inode, group is the group ID in the inode, and world is all other users. Each of these collections of users can have read, write, or execute permissions. The flags for each of these permissions are given in Table 15.11.

Table 15.11. Permission flags for bits 0 to 8 of the file mode field.

Permission Flag

Description

0x001

Otherexecute permission

0x002

Otherwrite permission

0x004

Otherread permission

0x008

Groupexecute permission

0x010

Groupwrite permission

0x020

Groupread permission

0x040

Userexecute permission

0x080

Userwrite permission

0x100

Userread permission

The next three bits are for executable files and directories. If any of these are set, an executable will behave differently when it is run, or files in a directory will have special properties. These flags are given in Table 15.12.

Table 15.12. Flags for bits 9 to 11 of the file mode field.

Flag Value

Description

0x200

Sticky bit

0x400

Set group ID

0x800

Set user ID

Refer to the "Metadata Category" section in Chapter 14 for a description of these flags. Lastly, bits 12 to 15 identify the type of the file that the inode is for. These are values and not flags, so only one should be set. They are given in Table 15.13.

Table 15.13. Type flags for bits 12 to 15 of the file mode field.

Type Value

Description

0x1000

FIFO

0x2000

Character device

0x4000

Directory

0x6000

Block device

0x8000

Regular file

0xA000

Symbolic link

0xC000

Unix socket

The four time values are each stored as the number of seconds since January 1, 1970 UTC, which will stop working in January 2038 because the value is only 32 bits. The flags field identifies the attributes that are set for the file. Recall from the previous section that not every OS supports some of these flag values. The values included in Table 15.14 are either discussed in the manual pages or are used in the current kernel source code.

Table 15.14. Flag values for the inode flag field.

Flag Value

Description

0x00000001

Secure deletion (not used)

0x00000002

Keep a copy of data when deleted (not used)

0x00000004

File compression (not used)

0x00000008

Synchronous updatesnew data is written immediately to disk

0x00000010

Immutable filecontent cannot be changed

0x00000020

Append only

0x00000040

File is not included in 'dump' command

0x00000080

A-time is not updated

0x00001000

Hash indexed directory

0x00002000

File data is journaled with Ext3

Let's look at inode entry 16 from the previous image. The first step is to identify the group of which it is a part. We know that each group has 16,288 inodes per group, which means that we need group 0. The starting address of the inode table is given in the group descriptor, and we previously saw that it starts in block 4, and each block is 4,096 bytes. To extract the data, we will use dd with a block size of 4096 to skip ahead to the inode table and then use dd with a block size of 128 to skip ahead to inode 16. The first inode is number 1, so we need to subtract 1 from our skip value.


# dd if=ext3.dd bs=4096 skip=4 | dd bs=128 skip=15 count=1 | xxd

0000000: a481 f401 0040 9c00 6d09 2a3f f607 2a3f .....@..m.*?..*?

0000016: 8107 2a3f 0000 0000 f401 0100 404e 0000 ..*?........@N..

0000032: 0000 0000 0000 0000 2c38 0000 2d38 0000 ........,8..-8..

0000048: 2e38 0000 2f38 0000 3038 0000 3138 0000 .8../8..08..18..

0000064: 3238 0000 3338 0000 3438 0000 3538 0000 28..38..48..58..

0000080: 3638 0000 3738 0000 3838 0000 393c 0000 68..78..88..9<..

0000096: 0000 0000 ba94 ea0b 0000 0000 0000 0000 ................

0000112: 0000 0000 0000 0000 0000 0000 0000 0000 ................

Bytes 0 to 1 show the mode, which is 0x81a4. These bits show us that everyone can read this file (0x004), the group can read (0x020), the user can write (0x080), and the user can read (0x100). The upper four bits show that it is a regular file (0x8000). Bytes 4 to 7 show that the size of the file is 10,240,000 bytes (0x009c4000). Bytes 8 to 11 show the A-time as 0x3f2a096d, which translates to August 1, 2003 at 06:32:13 UTC. Bytes 26 to 27 show the link count is 1, which means that there is a file name pointing to it. Bytes 32 to 35 show that there are no special flags or attributes set.

Bytes 40 to 43 are for the first direct block pointer, and they are for block 14,380 (0x0000382c). Bytes 44 to 47 are for the second direct pointer, and they are for block 14,381 (0x0000382d). Bytes 88 to 91 contain the address of a single indirect block pointer, which is in block 14,392 (0x00003838). Bytes 92 to 95 also show a double indirect block pointer in block 15,417 (0x00003c39). The contents of both of these blocks will be a list of 4-byte addresses. The single indirect block pointer contains a list of addresses where file content is stored:


# dcat f linux-ext3 ext3.dd 14392 | xxd

0000000: 3938 0000 3a38 0000 3b38 0000 3c38 0000 98..:8..;8..<8..

0000016: 3d38 0000 3e38 0000 3f38 0000 4038 0000 =8..>8..?8..@8..

0000032: 4138 0000 4238 0000 4338 0000 4438 0000 A8..B8..C8..D8..

[REMOVED]

The allocation status of an inode is stored in the inode bitmap, which is located in the same group as the inode. The group descriptor contains the block address of the inode bitmap, and our example image has its bitmap in block 3, whose contents are shown here:


# dcat f linux-ext3 ext3.dd 3 | xxd

0000000: fff7 fcff 1f00 0000 00c8 0000 0000 0000 ................

To determine the correct byte, we subtract 1 to account for the first inode of the group and divide by 8.


(16  1) / 8 = 1 remainder 7

The bit for inode 16 is the most significant bit in byte 1 (0xf7), which is a 1, so it is allocated.

We can get all the inode details from the istat command, and they are listed here for the inode that we just examined:


# istat f linux-ext3 ext3.dd 16

inode: 16

Allocated

Group: 0

Generation Id: 199922874

uid / gid: 500 / 500

mode: -rw-r--r--

size: 10240000

num of links: 1

Inode Times:

Accessed: Fri Aug 1 06:32:13 2003

File Modified: Fri Aug 1 06:24:01 2003

Inode Modified: Fri Aug 1 06:25:58 2003

Direct Blocks:

14380 14381 14382 14383 14384 14385 14386 14387

14388 14389 14390 14391 14393 14394 14395 14396

[REMOVED]

16880 16881 16882 16883

Indirect Blocks:

14392 15417 15418 16443


Part I: Foundations

Digital Investigation Foundations

Computer Foundations

Hard Disk Data Acquisition

Part II: Volume Analysis

Volume Analysis

PC-based Partitions

Server-based Partitions

Multiple Disk Volumes

Part III: File System Analysis

File System Analysis

FAT Concepts and Analysis

FAT Data Structures

NTFS Concepts

NTFS Analysis

NTFS Data Structures

Ext2 and Ext3 Concepts and Analysis

Ext2 and Ext3 Data Structures

UFS1 and UFS2 Concepts and Analysis

UFS1 and UFS2 Data Structures

Summary

Bibliography

Bibliography



File System Forensic Analysis
File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net