The UFS2 inode is 128 bytes larger than its UFS1 counterpart, and it has many 64-bit fields instead of 32-bit fields. It, too, is located in an inode table, which has its offset location given in the superblock. The UFS2 inode table does not stagger, however, like a UFS1 does. The UFS2 inode has the fields given in Table 17.8.
Byte Range |
Description |
Essential |
---|---|---|
01 |
File mode (type and permissions) (see "Inodes" section in Chapter 15) |
Yes |
23 |
Link count |
Yes |
47 |
User ID |
No |
811 |
Group ID |
No |
1215 |
Inode block size |
No |
1623 |
Size |
Yes |
2431 |
Bytes held |
No |
3239 |
Access time |
No |
4047 |
Modified time |
No |
4855 |
Change time |
No |
5663 |
Create time |
No |
6467 |
Modified time (nanoseconds) |
No |
6871 |
Access time (nanoseconds) |
No |
7275 |
Change time (nanoseconds) |
No |
7679 |
Create time (nanoseconds) |
No |
8083 |
Generation number (NFS) |
No |
8487 |
Kernel flags |
No |
8891 |
Status flags |
No |
9295 |
Extended attributes size |
No |
96111 |
2 Direct extended attribute block pointers |
No |
112207 |
12 Direct block pointers |
Yes |
208215 |
1 Indirect block pointer |
Yes |
216223 |
1 Double indirect block pointer |
Yes |
224231 |
1 Triple indirect block pointer |
Yes |
232255 |
Unused |
No |
The most noticeable difference between the UFS1 and UFS2 versions is the block pointers are 64 bits, and the time values are 64 bits. The address values in the indirect blocks are also 64 bits.
We saw in our UFS2 image that the inode table starts in fragment 56. We view inode 5 as follows:
% dcat -f freebsd freebsd.dd 56 8 | dd bs=256 skip=5 count=1 | xxd 0000000: a481 0100 0000 0000 0000 0000 0000 0000 ................ 0000016: 0000 2000 0000 0000 2010 0000 0000 0000 .. ..... ....... 0000032: b5b3 0f41 0000 0000 b6b3 0f41 0000 0000 ...A.......A.... 0000048: b6b3 0f41 0000 0000 b5b3 0f41 0000 0000 ...A.......A.... 0000064: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000080: 11fe 8458 0000 0000 0000 0000 0000 0000 ...X............ 0000096: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000112: e800 0000 0000 0000 f000 0000 0000 0000 ................ 0000128: f800 0000 0000 0000 0001 0000 0000 0000 ................ 0000144: 0801 0000 0000 0000 1001 0000 0000 0000 ................ 0000160: 1801 0000 0000 0000 2001 0000 0000 0000 ........ ....... 0000176: 5801 0000 0000 0000 6001 0000 0000 0000 X.......`....... 0000192: 6801 0000 0000 0000 7001 0000 0000 0000 h.......p....... 0000208: 4801 0000 0000 0000 0000 0000 0000 0000 H............... 0000224: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000230: 0000 0000 0000 0000 0000 0000 0000 0000 ................
In bytes 0 to 1 we see the mode, and the 8 shows that it is a regular file. Bytes 16 to 23 show that the file size is 2,097,152 bytes (0x00200000). The 8-byte A-time is given in bytes 32 to 39, and it translates to Tue Aug 3 15:48:05 2004 UTC.
Bytes 112 to 119 are the first direct block pointer, and we see that it is for block 232 (0xe8). The second block pointer is for block 240 (0xf0), and the block size of this image is 8 fragments per block. Bytes 208 to 215 are for the first indirect block pointer, and we see that it has allocated block 328 (0x0148) for this purpose.
The istat output for this inode is as follows:
# istat -f freebsd -z UTC freebsd.dd 5 inode: 5 Allocated Group: 0 uid / gid: 0 / 0 mode: -rw-r--r-- size: 2097152 num of links: 1 Inode Times: Accessed: Tue Aug 3 15:48:05 2004 File Modified: Tue Aug 3 15:48:06 2004 Inode Modified: Tue Aug 3 15:48:06 2004 Direct Blocks: 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 [REMOVED] 1296 1297 1298 1299 1300 1301 1302 1303 Indirect Blocks: 328 329 330 331 332 333 334 335
Part I: Foundations
Digital Investigation Foundations
Computer Foundations
Hard Disk Data Acquisition
Part II: Volume Analysis
Volume Analysis
PC-based Partitions
Server-based Partitions
Multiple Disk Volumes
Part III: File System Analysis
File System Analysis
FAT Concepts and Analysis
FAT Data Structures
NTFS Concepts
NTFS Analysis
NTFS Data Structures
Ext2 and Ext3 Concepts and Analysis
Ext2 and Ext3 Data Structures
UFS1 and UFS2 Concepts and Analysis
UFS1 and UFS2 Data Structures
Summary
Bibliography
Bibliography