Superblock

ExtX uses the superblock to store the basic file system category data. It is located 1,024 bytes from the start of the file system and has 1,024 bytes allocated to it. All multi-byte values are stored in little-endian order, and the time fields are 32-bit Unix timestamps (seconds since January 1, 1970 UTC). It has the fields given in Table 15.1.

Table 15.1. Data structure for the ExtX superblock.

Byte Range | Description | Essential
0-3 | Number of inodes in file system | Yes
4-7 | Number of blocks in file system | Yes
8-11 | Number of blocks reserved to prevent file system from filling up | No
12-15 | Number of unallocated blocks | No
16-19 | Number of unallocated inodes | No
20-23 | Block where block group 0 starts | Yes
24-27 | Block size (saved as the number of places to shift 1,024 to the left) | Yes
28-31 | Fragment size (saved as the number of places to shift 1,024 to the left) | Yes
32-35 | Number of blocks in each block group | Yes
36-39 | Number of fragments in each block group | Yes
40-43 | Number of inodes in each block group | Yes
44-47 | Last mount time | No
48-51 | Last written time | No
52-53 | Current mount count | No
54-55 | Maximum mount count | No
56-57 | Signature (0xef53) | No
58-59 | File system state (see Table 15.2) | No
60-61 | Error handling method (see Table 15.3) | No
62-63 | Minor version | No
64-67 | Last consistency check time | No
68-71 | Interval between forced consistency checks | No
72-75 | Creator OS (see Table 15.4) | No
76-79 | Major version (see Table 15.5) | Yes
80-81 | UID that can use reserved blocks | No
82-83 | GID that can use reserved blocks | No
84-87 | First non-reserved inode in file system | No
88-89 | Size of each inode structure | Yes
90-91 | Block group that this superblock is part of (if backup copy) | No
92-95 | Compatible feature flags (see Table 15.6) | No
96-99 | Incompatible feature flags (see Table 15.7) | Yes
100-103 | Read only feature flags (see Table 15.8) | No
104-119 | File system ID | No
120-135 | Volume name | No
136-199 | Path where last mounted on | No
200-203 | Algorithm usage bitmap | No
204-204 | Number of blocks to preallocate for files | No
205-205 | Number of blocks to preallocate for directories | No
206-207 | Unused | No
208-223 | Journal ID | No
224-227 | Journal inode | No
228-231 | Journal device | No
232-235 | Head of orphan inode list | No
236-1023 | Unused | No

Bytes 58 to 59 contain a flag for the state of the file system, and the flag can have the bits shown in Table 15.2 set.

Table 15.2. Flags for the file system state in the superblock.

Flag Value | Description | Essential
0x0001 | File system is clean | No
0x0002 | File system has errors | No
0x0004 | Orphan inodes are being recovered | No

The error handling method in bytes 60 to 61 identifies what the OS should do when it encounters a file system error. These values can be configured when the file system is created. It has one of the three values given in Table 15.3.

Table 15.3. Values for the error-handling field of the superblock.

Value | Description | Essential
1 | Continue | No
2 | Remount file system as read only | No
3 | Panic | No

The creator OS value in bytes 72 to 75 identifies the OS that might have created the file system. Many Linux tools that create the file system allow the user to specify this value. The five values given in Table 15.4 are defined.

Table 15.4. Values for the OS creator field in the superblock.

Value | Description | Essential
0 | Linux | No
1 | GNU Hurd | No
2 | Masix | No
3 | FreeBSD | No
4 | Lites | No

The major version level in bytes 76 to 79 can have one of the values defined in Table 15.5.

Table 15.5. Values for the major version field in the superblock.

Value | Description | Essential
0 | Original version | Yes
1 | "Dynamic" version | Yes

If the major version is not set to the dynamic version, the values from bytes 84 onward might not be accurate; an original-version file system has a fixed inode size of 128 bytes, and its first non-reserved inode is inode 11. The "dynamic" in the version name refers to the fact that each inode can be a dynamic size, and the exact size is given in the superblock in bytes 88 to 89. The current Linux kernel does not support dynamic-sized inodes but uses the dynamic version so that it can use the feature set fields.

The concept of compatible, read only compatible, and incompatible features was discussed in Chapter 14, "Ext2 and Ext3 Concepts and Analysis." A field for each type exists in the superblock. It should be noted that some of the flags have been defined but are never used in the Linux code. Therefore, not all of these are in a standard Linux system. The compatible features can have the values given in Table 15.6; the incompatible features are given in Table 15.7; and the read only compatible features are given in Table 15.8.

Table 15.6. Flag values for the compatible features in the superblock.

Flag Value | Description | Essential
0x0001 | Preallocate directory blocks to reduce fragmentation | No
0x0002 | AFS server inodes exist | No
0x0004 | File system has a journal (Ext3) | No
0x0008 | Inodes have extended attributes | No
0x0010 | File system can resize itself for larger partitions | No
0x0020 | Directories use hash index | No

Table 15.7. Flag values for the incompatible features in the superblock.

Flag Value | Description | Essential
0x0001 | Compression (not yet supported) | Yes
0x0002 | Directory entries contain a file type field | Yes
0x0004 | File system needs recovery | No
0x0008 | File system uses a journal device | No

Table 15.8. Flag values for the read only compatible features in the superblock.

Flag Value | Description | Essential
0x0001 | Sparse superblocks and group descriptor tables | No
0x0002 | File system contains a large file | No
0x0004 | Directories use B-Trees (not implemented) | No

Now that we have given the data structures and all the flags, let's look at an actual Ext3 superblock. We will use dd and extract 1,024 bytes starting at offset 1,024. The offsets down the left side of the listing are in decimal so that they line up with the byte ranges in Table 15.1.

# dd if=ext3.dd bs=1024 skip=1 count=1 | xxd
0000000: c053 1d00 ff9d 3a00 4cee 0200 4708 0b00  .S....:.L...G...
0000016: 6745 1d00 0000 0000 0200 0000 0200 0000  gE..............
0000032: 0080 0000 0080 0000 a03f 0000 c9fd 1141  .........?.....A
0000048: c9fd 1141 3601 2500 53ef 0100 0100 0000  ...A6.%.S.......
0000064: da9d e83e 004e ed00 0000 0000 0100 0000  ...>.N..........
0000080: 0000 0000 0b00 0000 8000 0000 0400 0000  ................
0000096: 0600 0000 0300 0000 077a 06a5 1795 486e  .........z....Hn
0000112: 9485 ecc4 486f 63e4 0000 0000 0000 0000  ....Hoc.........
0000128: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[REMOVED]
0000224: 0800 0000 0000 0000 0000 0000 0000 0000  ................
[REMOVED]
0001008: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Bytes 0 to 3 show us that there are 1,921,984 (0x001d53c0) inodes, and bytes 4 to 7 show that there are 3,841,535 (0x003a9dff) blocks. Bytes 20 to 23 show that block 0 is where block group 0 starts. Bytes 24 to 27 and 28 to 31 contain the number of bits to shift the number 1,024 (0x0400) in order to calculate the block and fragment sizes. Both values are 2, which means that the block and fragments are 4,096 (0x1000) bytes. Bytes 32 to 35 show that there are 32,768 (0x8000) blocks in each block group, and bytes 40 to 43 show that there are 16,288 (0x3fa0) inodes per group. With this information, we know the total size of the file system, where each block group starts, and how many inodes are allocated to each block group.

Bytes 76 to 79 show that we have the dynamic version of ExtX, so the bytes following offset 84 should be valid. We see in bytes 88 to 89 that the size of each inode is 128 (0x80) bytes. Bytes 92 to 95 have the compatible feature flags, and the flag for the journal (0x0004) is set, so we have an Ext3 file system. Bytes 96 to 99 have the incompatible feature flag value of 0x0006, which means that journal recovery should be done the next time the file system is mounted (0x0004) and that the directory entries contain a file type field (0x0002). Bytes 100 to 103 contain the read only compatible features and are set to 0x0003, which means that the file system contains files whose size needs more than 32 bits (0x0002) and that not every block group has a backup copy of the superblock (0x0001). Bytes 224 to 227 show that the journal is located in inode 8.
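The following parser is added here as a worked example; it is not from the book or from The Sleuth Kit. It applies Table 15.1 and the flag tables above to a raw image: it checks the signature, derives the block size, total file system size and number of block groups, falls back to the fixed inode size and first inode when the major version is 0, and flags the conditions an examiner should notice (errors state, pending journal recovery, unknown incompatible features, an inode count that does not match the per-group value). The sample image is constructed from the dump shown above; the rows marked [REMOVED] are zero-filled, which is an assumption. The short feature names are the ones used in the Linux ext2/ext3 source rather than the book's descriptions.

```python
"""Parse and sanity-check an ExtX (Ext2/Ext3) superblock laid out as in Table 15.1."""
import struct

SUPERBLOCK_OFFSET, SUPERBLOCK_SIZE = 1024, 1024   # 1,024 bytes in, 1,024 bytes long
EXT_MAGIC = 0xEF53                                # signature in bytes 56-57
OLD_INODE_SIZE, OLD_FIRST_INO = 128, 11           # fixed values for major version 0

# Little-endian layout of bytes 0-235; bytes 236-1023 are unused.
_LAYOUT = struct.Struct("<13I6H4I2HI2H3I16s16s64sI2B2x16s3I")
_FIELDS = (
    "inodes_count", "blocks_count", "r_blocks_count", "free_blocks_count", "free_inodes_count",
    "first_data_block", "log_block_size", "log_frag_size", "blocks_per_group", "frags_per_group",
    "inodes_per_group", "mtime", "wtime", "mnt_count", "max_mnt_count", "magic", "state",
    "errors", "minor_rev_level", "lastcheck", "checkinterval", "creator_os", "rev_level",
    "def_resuid", "def_resgid", "first_ino", "inode_size", "block_group_nr", "feature_compat",
    "feature_incompat", "feature_ro_compat", "uuid", "volume_name", "last_mounted",
    "algorithm_usage_bitmap", "prealloc_blocks", "prealloc_dir_blocks", "journal_uuid",
    "journal_inum", "journal_dev", "last_orphan",
)
assert _LAYOUT.size == 236 and len(_FIELDS) == 41

# Tables 15.2 to 15.8; feature names follow those used in the Linux ext2/ext3 code.
STATE_FLAGS = {0x0001: "clean", 0x0002: "errors", 0x0004: "orphans being recovered"}
ERROR_METHODS = {1: "continue", 2: "remount read-only", 3: "panic"}
CREATOR_OS = {0: "Linux", 1: "GNU Hurd", 2: "Masix", 3: "FreeBSD", 4: "Lites"}
COMPAT = {0x0001: "dir_prealloc", 0x0002: "imagic_inodes", 0x0004: "has_journal",
          0x0008: "ext_attr", 0x0010: "resize_inode", 0x0020: "dir_index"}
INCOMPAT = {0x0001: "compression", 0x0002: "filetype", 0x0004: "recover", 0x0008: "journal_dev"}
RO_COMPAT = {0x0001: "sparse_super", 0x0002: "large_file", 0x0004: "btree_dir"}


def decode_flags(value, table):
    """Return (names of the set bits listed in table, leftover bits not in table)."""
    return [name for bit, name in sorted(table.items()) if value & bit], value & ~sum(table)


def parse_superblock(image, offset=SUPERBLOCK_OFFSET):
    """Decode the superblock at `offset` in `image`; add derived values and warnings."""
    raw = image[offset:offset + SUPERBLOCK_SIZE]
    sb = dict(zip(_FIELDS, _LAYOUT.unpack_from(raw)))
    if sb["magic"] != EXT_MAGIC:
        raise ValueError(f"bad signature 0x{sb['magic']:04x} (expected 0x{EXT_MAGIC:04x})")
    if sb["rev_level"] == 0:   # original version: bytes 84 onward are not reliable
        sb["inode_size"], sb["first_ino"] = OLD_INODE_SIZE, OLD_FIRST_INO
    sb["block_size"] = 1024 << sb["log_block_size"]   # stored as a left shift of 1,024
    sb["frag_size"] = 1024 << sb["log_frag_size"]
    sb["fs_size_bytes"] = sb["blocks_count"] * sb["block_size"]
    data_blocks = sb["blocks_count"] - sb["first_data_block"]
    sb["block_groups"] = -(-data_blocks // sb["blocks_per_group"])   # ceiling division
    checks = (
        (sb["inodes_per_group"] * sb["block_groups"] != sb["inodes_count"], "inode count mismatch"),
        (sb["state"] & 0x0002, "file system is marked as having errors"),
        (sb["feature_incompat"] & 0x0004, "journal needs recovery; metadata may lag the journal"),
        (decode_flags(sb["feature_incompat"], INCOMPAT)[1], "unknown incompatible feature bits"),
    )
    sb["warnings"] = [msg for bad, msg in checks if bad]
    return sb


def summarize(sb):
    """Lines an examiner checks first, using the names from the flag tables."""
    flags = {k: decode_flags(sb[v], t)[0] for k, v, t in (
        ("state", "state", STATE_FLAGS), ("compat", "feature_compat", COMPAT),
        ("incompat", "feature_incompat", INCOMPAT), ("ro_compat", "feature_ro_compat", RO_COMPAT))}
    return [
        f"{sb['inodes_count']} inodes, {sb['blocks_count']} blocks of {sb['block_size']} bytes "
        f"in {sb['block_groups']} block groups ({sb['fs_size_bytes']} bytes)",
        f"state {flags['state']}, on error {ERROR_METHODS.get(sb['errors'], 'unknown')}, "
        f"creator OS {CREATOR_OS.get(sb['creator_os'], 'unknown')}",
        f"{'dynamic' if sb['rev_level'] else 'original'} version, inode size {sb['inode_size']}",
        f"features {flags['compat']} {flags['incompat']} {flags['ro_compat']}",
        f"{'Ext3' if 'has_journal' in flags['compat'] else 'Ext2'}, journal inode "
        f"{sb['journal_inum']}, UUID {sb['uuid'].hex()}",
    ] + [f"WARNING: {w}" for w in sb["warnings"]]


# Constructed sample: the superblock dump shown above, re-encoded. Rows the page elided
# ("[REMOVED]") are zero-filled; that is an assumption, not data from the page.
_SAMPLE_ROWS = (
    "c0531d00ff9d3a004cee020047080b00",   # bytes 0-15
    "67451d00000000000200000002000000",   # bytes 16-31
    "0080000000800000a03f0000c9fd1141",   # bytes 32-47
    "c9fd11413601250053ef010001000000",   # bytes 48-63
    "da9de83e004eed000000000001000000",   # bytes 64-79
    "000000000b0000008000000004000000",   # bytes 80-95
    "0600000003000000077a06a51795486e",   # bytes 96-111
    "9485ecc4486f63e40000000000000000",   # bytes 112-127
)


def sample_image():
    sb = bytearray(SUPERBLOCK_SIZE)   # 1,024 zero bytes (boot area) then the superblock
    sb[0:128] = bytes.fromhex("".join(_SAMPLE_ROWS))
    sb[224:228] = (8).to_bytes(4, "little")   # journal inode 8, bytes 224-227
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    print("\n".join(summarize(parse_superblock(sample_image()))))
```

Run against the sample it reports 1,921,984 inodes, 3,841,535 blocks of 4,096 bytes in 118 block groups, an Ext3 file system with the journal in inode 8, and a warning that journal recovery is pending, which is the same reading as the walk-through above. To use it on a real image, pass the file contents (or the bytes of a backup copy, with `offset` pointing at it) and compare the warnings with the superblock copies in other groups before trusting any field.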

There are many other values in the superblock that were not discussed. Their purposes will be discussed in the appropriate section, and you can extract them from the fsstat output given in the "File System Category" section of Chapter 14.

Source: File System Forensic Analysis, Brian Carrier (ISBN 0321268172).