ExtX uses the superblock to store the basic file system category data. It is located 1,024 bytes from the start of the file system and has 1,024 bytes allocated to it. It has the fields given in Table 15.1.
Table 15.1. Superblock fields

| Byte Range | Description | Essential |
|---|---|---|
| 0–3 | Number of inodes in file system | Yes |
| 4–7 | Number of blocks in file system | Yes |
| 8–11 | Number of blocks reserved to prevent file system from filling up | No |
| 12–15 | Number of unallocated blocks | No |
| 16–19 | Number of unallocated inodes | No |
| 20–23 | Block where block group 0 starts | Yes |
| 24–27 | Block size (saved as the number of places to shift 1,024 to the left) | Yes |
| 28–31 | Fragment size (saved as the number of bits to shift 1,024 to the left) | Yes |
| 32–35 | Number of blocks in each block group | Yes |
| 36–39 | Number of fragments in each block group | Yes |
| 40–43 | Number of inodes in each block group | Yes |
| 44–47 | Last mount time | No |
| 48–51 | Last written time | No |
| 52–53 | Current mount count | No |
| 54–55 | Maximum mount count | No |
| 56–57 | Signature (0xef53) | No |
| 58–59 | File system state (see Table 15.2) | No |
| 60–61 | Error handling method (see Table 15.3) | No |
| 62–63 | Minor version | No |
| 64–67 | Last consistency check time | No |
| 68–71 | Interval between forced consistency checks | No |
| 72–75 | Creator OS (see Table 15.4) | No |
| 76–79 | Major version (see Table 15.5) | Yes |
| 80–81 | UID that can use reserved blocks | No |
| 82–83 | GID that can use reserved blocks | No |
| 84–87 | First non-reserved inode in file system | No |
| 88–89 | Size of each inode structure | Yes |
| 90–91 | Block group that this superblock is part of (if backup copy) | No |
| 92–95 | Compatible feature flags (see Table 15.6) | No |
| 96–99 | Incompatible feature flags (see Table 15.7) | Yes |
| 100–103 | Read only feature flags (see Table 15.8) | No |
| 104–119 | File system ID | No |
| 120–135 | Volume name | No |
| 136–199 | Path where last mounted on | No |
| 200–203 | Algorithm usage bitmap | No |
| 204–204 | Number of blocks to preallocate for files | No |
| 205–205 | Number of blocks to preallocate for directories | No |
| 206–207 | Unused | No |
| 208–223 | Journal ID | No |
| 224–227 | Journal inode | No |
| 228–231 | Journal device | No |
| 232–235 | Head of orphan inode list | No |
| 236–1023 | Unused | No |
Bytes 58 to 59 contain a flag for the state of the file system, and the flag can have the bits shown in Table 15.2 set.
Table 15.2. File system state flags

| Flag Value | Description | Essential |
|---|---|---|
| 0x0001 | File system is clean | No |
| 0x0002 | File system has errors | No |
| 0x0004 | Orphan inodes are being recovered | No |
The error handling method in bytes 60 to 61 identifies what the OS should do when it encounters a file system error. These values can be configured when the file system is created. It has one of the three values given in Table 15.3.
Table 15.3. Error handling methods

| Value | Description | Essential |
|---|---|---|
| 1 | Continue | No |
| 2 | Remount file system as read only | No |
| 3 | Panic | No |
The creator OS value in bytes 72 to 75 identifies the OS that might have created the file system. Many Linux tools that create the file system allow the user to specify this value. The five values given in Table 15.4 are defined.
Table 15.4. Creator OS values

| Value | Description | Essential |
|---|---|---|
| 0 | Linux | No |
| 1 | GNU Hurd | No |
| 2 | Masix | No |
| 3 | FreeBSD | No |
| 4 | Lites | No |
The major version level in bytes 76 to 79 can have one of the values defined in Table 15.5.
Table 15.5. Major version values

| Value | Description | Essential |
|---|---|---|
| 0 | Original version | Yes |
| 1 | "Dynamic" version | Yes |
If the major version is not set to the dynamic version, the values from bytes 84 onward might not be accurate. The "dynamic" in the version name refers to the fact that each inode can be a dynamic size, and the exact size is given in the superblock in bytes 88 to 89. The current Linux kernel does not support dynamic-sized inodes but uses the dynamic version so that it can use the feature set fields.
The concept of compatible, read only compatible, and incompatible features was discussed in Chapter 14, "Ext2 and Ext3 Concepts and Analysis." A field for each type exists in the superblock. It should be noted that some of the flags have been defined but are never used in the Linux code. Therefore, not all of these are in a standard Linux system. The compatible features can have the values given in Table 15.6; the incompatible features are given in Table 15.7; and the read only compatible features are given in Table 15.8.
Table 15.6. Compatible feature flags

| Flag Value | Description | Essential |
|---|---|---|
| 0x0001 | Preallocate directory blocks to reduce fragmentation | No |
| 0x0002 | AFS server inodes exist | No |
| 0x0004 | File system has a journal (Ext3) | No |
| 0x0008 | Inodes have extended attributes | No |
| 0x0010 | File system can resize itself for larger partitions | No |
| 0x0020 | Directories use hash index | No |

Table 15.7. Incompatible feature flags

| Flag Value | Description | Essential |
|---|---|---|
| 0x0001 | Compression (not yet supported) | Yes |
| 0x0002 | Directory entries contain a file type field | Yes |
| 0x0004 | File system needs recovery | No |
| 0x0008 | File system uses a journal device | No |

Table 15.8. Read only compatible feature flags

| Flag Value | Description | Essential |
|---|---|---|
| 0x0001 | Sparse superblocks and group descriptor tables | No |
| 0x0002 | File system contains a large file | No |
| 0x0004 | Directories use B-Trees (not implemented) | No |
Now that we have given the data structures and all the flags, let's look at an actual Ext3 superblock. We will use dd to extract 1,024 bytes starting at offset 1,024.
```
# dd if=ext3.dd bs=1024 skip=1 count=1 | xxd
0000000: c053 1d00 ff9d 3a00 4cee 0200 4708 0b00  .S....:.L...G...
0000016: 6745 1d00 0000 0000 0200 0000 0200 0000  gE..............
0000032: 0080 0000 0080 0000 a03f 0000 c9fd 1141  .........?.....A
0000048: c9fd 1141 3601 2500 53ef 0100 0100 0000  ...A6.%.S.......
0000064: da9d e83e 004e ed00 0000 0000 0100 0000  ...>.N..........
0000080: 0000 0000 0b00 0000 8000 0000 0400 0000  ................
0000096: 0600 0000 0300 0000 077a 06a5 1795 486e  .........z....Hn
0000112: 9485 ecc4 486f 63e4 0000 0000 0000 0000  ....Hoc.........
0000128: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[REMOVED]
0000224: 0800 0000 0000 0000 0000 0000 0000 0000  ................
[REMOVED]
0001008: 0000 0000 0000 0000 0000 0000 0000 0000  ................
```
Bytes 0 to 3 show us that there are 1,921,984 (0x001d53c0) inodes, and bytes 4 to 7 show that there are 3,841,535 (0x003a9dff) blocks. Bytes 20 to 23 show that block 0 is where block group 0 starts. Bytes 24 to 27 and 28 to 31 contain the number of bits to shift the number 1,024 (0x0400) in order to calculate the block and fragment sizes. Both values are 2, which means that the block and fragments are 4,096 (0x1000) bytes. Bytes 32 to 35 show that there are 32,768 (0x8000) blocks in each block group, and bytes 40 to 43 show that there are 16,288 (0x3fa0) inodes per group. With this information, we know the total size of the file system, where each block group starts, and how many inodes are allocated to each block group.
Bytes 76 to 79 show that we have the dynamic version of ExtX, so the bytes following offset 84 should be valid. We see in bytes 88 to 91 that the size of each inode is 128 (0x80) bytes. Bytes 92 to 95 have the compatible feature flags, and the flag for the journal (0x0004) is set, so we have an Ext3 file system. Bytes 96 to 99 have the incompatible feature flag value of 0x0006, which means that recovery should be done during the next boot (0x0004) and the special directory entries are being used (0x0002). Bytes 100 to 103 contain the read only compatibility features, and they are set to 0x0003, which means that there are files that are larger than 32 bits (0x0002) and that not every block group has a backup copy of the superblock (0x0001). Bytes 224 to 227 show that the journal is located in inode 8.
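The manual walk-through above can be automated. The following is an added example, not code from the book: a Python parser for the layout in Table 15.1, fed with a constructed copy of the dump above (bytes 0 to 127 and 224 to 227 as shown, the rest zero-filled). It checks the 0xef53 signature, names the flag bits using Tables 15.2 to 15.8, falls back to the fixed inode values when the major version is the original one (bytes 84 onward are not reliable then), and reports any incompatible bits the tables do not define, since those are the bits that tell a tool it may not understand the layout.

```python
import struct
EXT_SIGNATURE = 0xEF53
# Flag and value names follow Tables 15.2 to 15.8.
STATE = {0x1: "clean", 0x2: "errors", 0x4: "orphans_recovering"}
ERRORS = {1: "continue", 2: "remount_ro", 3: "panic"}
CREATOR_OS = {0: "Linux", 1: "GNU Hurd", 2: "Masix", 3: "FreeBSD", 4: "Lites"}
COMPAT = {0x1: "dir_prealloc", 0x2: "afs_inodes", 0x4: "has_journal",
          0x8: "ext_attr", 0x10: "resize_inode", 0x20: "dir_index"}
INCOMPAT = {0x1: "compression", 0x2: "filetype", 0x4: "recover", 0x8: "journal_dev"}
RO_COMPAT = {0x1: "sparse_super", 0x2: "large_file", 0x4: "btree_dir"}
# Bytes 0-103 of Table 15.1 as one little-endian struct; later fields are read by offset.
_HEADER = struct.Struct("<13I6H4I2HI2H3I")
# Constructed sample: the xxd rows shown above (bytes 0-127 and 224-227; the rest was zero).
SAMPLE = bytes.fromhex(
    "c0531d00ff9d3a004cee020047080b00" "67451d00000000000200000002000000"
    "0080000000800000a03f0000c9fd1141" "c9fd11413601250053ef010001000000"
    "da9de83e004eed000000000001000000" "000000000b0000008000000004000000"
    "0600000003000000077a06a51795486e" "9485ecc4486f63e40000000000000000"
) + bytes(96) + bytes.fromhex("08000000") + bytes(1024 - 228)

def _bits(value, names):
    """Split a flag word into the names the tables define and any undefined bits."""
    return [n for bit, n in names.items() if value & bit], value & ~sum(names)

def parse_superblock(sb):
    """Decode one 1,024-byte ExtX superblock into a dict of the fields used above."""
    (inodes, blocks, reserved, free_blocks, free_inodes, first_data_block,
     log_block, log_frag, blocks_per_group, frags_per_group, inodes_per_group,
     mtime, wtime, mnt_count, max_mnt, magic, state, errors, minor, lastcheck,
     checkinterval, creator_os, rev, resuid, resgid, first_ino, inode_size,
     group_nr, compat, incompat, ro_compat) = _HEADER.unpack_from(sb, 0)
    if magic != EXT_SIGNATURE:
        raise ValueError(f"bad signature 0x{magic:04x}")
    if rev == 0:  # original version: bytes 84 onward are not reliable, use the fixed values
        inode_size, first_ino = 128, 11
    compat_names, _ = _bits(compat, COMPAT)
    incompat_names, unknown_incompat = _bits(incompat, INCOMPAT)
    journal_inode, journal_dev, orphan_head = struct.unpack_from("<3I", sb, 224)
    return {
        "inodes": inodes, "blocks": blocks, "reserved_blocks": reserved,
        "block_size": 1024 << log_block, "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group, "first_data_block": first_data_block,
        "block_groups": -(-(blocks - first_data_block) // blocks_per_group),
        "state": _bits(state, STATE)[0], "errors": ERRORS.get(errors, f"unknown({errors})"),
        "creator_os": CREATOR_OS.get(creator_os, f"unknown({creator_os})"),
        "revision": rev, "inode_size": inode_size, "first_inode": first_ino,
        "compat": compat_names, "incompat": incompat_names, "ro_compat": _bits(ro_compat, RO_COMPAT)[0],
        "unknown_incompat": unknown_incompat,  # nonzero means Table 15.1 may not describe this layout
        "is_ext3": "has_journal" in compat_names, "journal_inode": journal_inode, "uuid": sb[104:120].hex(),
    }
```

On a real image, read 1,024 bytes at offset 1,024 (or from a backup copy in a later block group) and pass them to `parse_superblock`.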
There are many other values in the superblock that were not discussed. Their purposes will be discussed in the appropriate section, and you can extract them from the fsstat output given in the "File System Category" section of Chapter 14.