Group descriptor data structures contain the configuration information for a specific cylinder group. One data structure is located in each cylinder group. Its offset from the base is given in the superblock, and UFS1 and UFS2 use different data structures. This section will describe the data structure that is used in UFS1.
The location of the UFS1 group descriptor staggers in each cylinder group, although its distance from a base value is always the same. The methods for calculating the base were discussed in the previous chapter and in the previous superblock section. The descriptor is typically allocated a full block, even if it does not need it. Many of the values are non-essential and are used to more efficiently allocate resources.
The fields for the UFS1 group descriptor are given in Table 17.5.
Byte Range |
Description |
Essential |
---|---|---|
03 |
Unused |
No |
47 |
Magic signature (0x090255) |
No |
811 |
Last written time |
No |
1215 |
Group number |
No |
1617 |
Number of cylinders in group |
No |
1819 |
Number of inodes in group |
No |
2023 |
Number of fragments in group |
No |
2427 |
Number of directories |
No |
2831 |
Number of free blocks |
No |
3235 |
Number of free inodes |
No |
3639 |
Number of free fragments (partial blocks) |
No |
4043 |
Last block allocated |
No |
4447 |
Last fragment allocated |
No |
4851 |
Last inode allocated |
No |
5283 |
Summary of available fragments |
No |
8487 |
Number of free blocks in each cylinder (byte offset) |
No |
8891 |
Free block positions table (byte offset) |
No |
9295 |
Inode bitmap (byte offset) |
Yes |
9699 |
Fragment bitmap (byte offset) |
Yes |
100103 |
Next available space in descriptor (byte offset) |
No |
104107 |
Counts of available clusters (consecutive blocks) (byte offset) |
No |
108111 |
Block bitmap (byte offset) |
No |
112115 |
Number of blocks in group |
No |
116167 |
Unused |
No |
168+ |
Bitmaps, and so on |
Yes |
Starting at byte 168 are bytes that can be used for a variety of purposes, including bitmaps and tables. The group descriptor gives the byte offset for the various bitmaps relative to the start of the group descriptor block. There are several other tables and bitmaps in the space following these fields, but most are non-essential. They exist for efficiency when allocating new blocks. For example, the block bitmap, also called the cluster bitmap, is a reduced version of the fragment bitmap, and a bit corresponds to a block, and it is set to 1 if all the corresponding fragments for the block have a 1 in the fragment bitmap.
To examine the group descriptor for the first group of our OpenBSD UFS1 system, we need to determine where it is located. It is the first group, so its base offset is fragment 0. We saw in the superblock that the group descriptor is 24 fragments from the base, so we examine fragment 24 using dcat:
# dcat f openbsd openbsd.dd 24 0000000: 0000 0000 5502 0900 c99d 0f41 0000 0000 ....U......A.... 0000016: 1000 8007 801f 0000 0200 0000 2f03 0000 ............/... 0000032: 7807 0000 0b00 0000 8801 0000 1001 0000 x............... 0000048: 0700 0000 0000 0000 0000 0000 0000 0000 ................ 0000064: 0000 0000 0100 0000 0000 0000 0000 0000 ................ 0000080: 0100 0000 a800 0000 e800 0000 0801 0000 ................ 0000096: f801 0000 8206 0000 e405 0000 0406 0000 ................ 0000112: f003 0000 0000 0000 0000 0000 0000 0000 ................ [REMOVED]
We see the magic value in bytes 4 to 7, and byte 24 starts the information about the number of available inodes and blocks, which we previously saw in the cylinder group summary area. There is also allocation information, and bytes 40 to 43 show that the last block allocated was block 392 (0x0188) and bytes 44 to 47 show that the last fragment (partial block) allocated was 272 (0x0110). The last allocated inode entry is listed in bytes 48 to 51, and it is for inode 7.
The byte offset for the inode bitmap is located in bytes 92 to 95, and we see that it is located 264 bytes (0x0108) bytes from the start of the group descriptor. The location of the fragment bitmap is given in bytes 96 to 99, and we see that it is located 504 bytes (0x01f8) from the start of the group descriptor. The block bitmap is given in bytes 108 to 111, and it is located 1,540 bytes (0x0604) from the start of the descriptor.
Part I: Foundations
Digital Investigation Foundations
Computer Foundations
Hard Disk Data Acquisition
Part II: Volume Analysis
Volume Analysis
PC-based Partitions
Server-based Partitions
Multiple Disk Volumes
Part III: File System Analysis
File System Analysis
FAT Concepts and Analysis
FAT Data Structures
NTFS Concepts
NTFS Analysis
NTFS Data Structures
Ext2 and Ext3 Concepts and Analysis
Ext2 and Ext3 Data Structures
UFS1 and UFS2 Concepts and Analysis
UFS1 and UFS2 Data Structures
Summary
Bibliography
Bibliography