Directory entry data structures store the names of files and directories. They are located in the blocks that have been allocated to a directory. Each data structure contains the name of the file and the inode address where the metadata can be found. The directory entry data structure for UFS1 and UFS2 has the fields given in Table 17.11.
| Byte Range | Description | Essential |
|---|---|---|
| 0–3 | Inode value | Yes |
| 4–5 | Directory entry length | Yes |
| 6–6 | Name length | Yes |
| 7–7 | File type (see Table 17.12) | No |
| 8+ | Name in ASCII | Yes |

The file type flag can have one of the values from Table 17.12.
| Type Value | Description |
|---|---|
| 0 | Unknown type |
| 1 | FIFO |
| 2 | Character device |
| 4 | Directory |
| 6 | Block device |
| 8 | Regular file |
| 10 | Symbolic Link |
| 12 | Socket |
| 14 | Whiteout |

The flags have the same names as we saw with ExtX, except for the whiteout type. It is used when a file system has been mounted with the union option and there exist two files with the same name. The whiteout type is used as a flag for the duplicate file, and the OS will not show it to the user (like applying whiteout to a typo).
The directory entry length field is used to locate the next allocated directory entry, and the name length field is used to both determine where the name ends and determine how long the entry needs to be. Refer to the "File Name Category" section of Chapter 14 for details on how directory entries are allocated and unallocated.
Here are the contents of a UFS1 directory from our image:
```
# icat -f openbsd openbsd.dd 1921 | xxd
0000000: 8107 0000 0c00 0401 2e00 0000 0200 0000 ................
0000016: 0c00 0402 2e2e 0000 8c07 0000 1400 0809 ................
0000032: 6669 6c65 312e 7478 7400 93e7 8d07 0000 file1.txt.......
0000048: 1400 0809 6669 6c65 382e 7478 7400 93e7 ....file8.txt...
0000064: 8e07 0000 2800 0809 6669 6c65 372e 7478 ....(...file7.tx
0000080: 7400 93e7 8f07 0000 1400 0809 6669 6c65 t...........file
0000096: 362e 7478 7400 93e7 9007 0000 1400 0809 6.txt...........
0000112: 6669 6c65 352e 7478 7400 93e7 9107 0000 file5.txt.......
0000128: 2800 0809 6669 6c65 342e 7478 7400 93e7 (...file4.txt...
0000144: 9207 0000 1400 0809 6669 6c65 332e 7478 ........file3.tx
[REMOVED]
```
We dissected a directory in the ExtX Data Structures chapter, so I will show only some of the highlights of this output. The first four bytes show the inode of the '.' entry, which we can verify is inode 1921 (0x0781). Bytes 24 to 27 are the inode field of the first file entry, which is file1.txt and at inode 1,932 (0x078c). Bytes 68 to 69 are the length field for the file7.txt entry, which is 40 bytes (0x28) even though the name is only nine bytes long. The next entry, for file6.txt, has been deleted, and the length field of the file7.txt entry points to the entry after file6.txt.
The directory listing for this directory is as follows:
```
# fls -f openbsd -a openbsd.dd 1921
d/d 1921: .
d/d 2: ..
r/r 1932: file1.txt
r/r 1933: file8.txt
r/r 1934: file7.txt
r/- * 1935: file6.txt
r/r 1936: file5.txt
r/r 1937: file4.txt
r/- * 1938: file3.txt
r/r 1939: file2.txt
r/- * 1940: file10.txt
r/r 1941: file9.txt
```
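
As an added example (not code from the book), the Python below walks the 160 bytes of the hex dump above by following the entry length field, then checks the slack after each name for unallocated entries, which is how file6.txt is recovered. It reads byte 6 as the type and byte 7 as the name length, because that is the order the dump shows (`0c00 0401` for '.', `1400 0809` for file1.txt). The function names, the little-endian byte order, and the 4-byte rounding used for the minimum entry size are assumptions of this example.

```python
import struct

# The 160 bytes shown in the xxd output above (the dump is cut off after them).
DUMP = bytes.fromhex(
    "810700000c0004012e000000020000000c0004022e2e00008c07000014000809"
    "66696c65312e7478740093e78d0700001400080966696c65382e7478740093e7"
    "8e0700002800080966696c65372e7478740093e78f0700001400080966696c65"
    "362e7478740093e7900700001400080966696c65352e7478740093e791070000"
    "2800080966696c65342e7478740093e7920700001400080966696c65332e7478"
)

# Little-endian: inode, entry length, type (byte 6), name length (byte 7),
# in the order the bytes appear in this dump (assumption of this example).
HDR = struct.Struct("<IHBB")

def used_size(namlen):
    """Space an entry needs: header + name + NUL, rounded up to 4 bytes."""
    return (HDR.size + namlen + 1 + 3) & ~3

def parse_entry(buf, off):
    """Return (inode, reclen, ftype, name), or None if no sane entry fits at off."""
    if off + HDR.size > len(buf):
        return None
    ino, reclen, ftype, namlen = HDR.unpack_from(buf, off)
    end = off + HDR.size + namlen
    if reclen % 4 or reclen < used_size(namlen) or end > len(buf):
        return None
    return ino, reclen, ftype, buf[off + HDR.size:end].decode("ascii", "replace")

def walk(buf):
    """List (offset, allocated, inode, ftype, name) for live and slack entries."""
    found, off = [], 0
    while (entry := parse_entry(buf, off)) is not None:
        ino, reclen, ftype, name = entry
        if ino:                                   # inode 0 marks an unused slot
            found.append((off, True, ino, ftype, name))
        slack = off + used_size(len(name))        # first byte past the live name
        limit = min(off + reclen, len(buf))
        while slack < limit and (old := parse_entry(buf, slack)) and old[0]:
            found.append((slack, False, old[0], old[2], old[3]))
            slack += used_size(len(old[3]))
        off += reclen                             # follow the entry length field
    return found

if __name__ == "__main__":
    for off, live, ino, ftype, name in walk(DUMP):
        print(f"{off:4d} {'alloc' if live else 'DEL  '} type={ftype:2d} {ino}: {name}")
```

The deleted file3.txt entry that starts at byte 144 is not reported, because its name runs past the 160 bytes shown before the dump is cut off.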