UFS2 Superblock

The UFS2 superblock stores the same basic information as the UFS1 version, but it drops many of the unused fields and is a little simpler. It keeps many of the same fields, but the essential fields that were only 32 bits wide have been replaced with 64-bit versions. It is typically located in sector 128, and the version used by FreeBSD and NetBSD has the fields shown in Table 17.3.

Table 17.3. Data structure for the UFS2 superblock.

| Byte Range | Description | Essential |
| --- | --- | --- |
| 0–7 | Unused | No |
| 8–11 | Offset to backup superblock in cylinder group relative to a "base" | Yes |
| 12–15 | Offset to group descriptor in cylinder group relative to a "base" | Yes |
| 16–19 | Offset to inode table in cylinder group relative to a "base" | Yes |
| 20–23 | Offset to first data block in cylinder group relative to a "base" | No |
| 24–43 | Unused | No |
| 44–47 | Number of cylinder groups in file system | Yes |
| 48–51 | Size of a block in bytes | Yes |
| 52–55 | Size of a fragment in bytes | Yes |
| 56–59 | Size of a block in fragments | No |
| 60–63 | Minimum % of free blocks | No |
| 64–71 | Unused | No |
| 72–75 | Mask used to calculate the address for a block | No |
| 76–79 | Mask used to calculate the address for a fragment | No |
| 80–83 | Shift used to calculate the byte address for a block | No |
| 84–87 | Shift used to calculate the byte address for a fragment | No |
| 88–91 | Maximum number of contiguous blocks to allocate | No |
| 92–95 | Maximum number of blocks per cylinder group | No |
| 96–99 | Number of bits to convert between a block address and a fragment address | No |
| 100–103 | Number of bits to convert between a fragment address and a sector address | No |
| 104–107 | Size of superblock | No |
| 108–115 | Unused | No |
| 116–119 | Number of indirect addresses per fragment | No |
| 120–123 | Number of inodes per block in inode table | No |
| 124–127 | Unused | No |
| 128–131 | Optimization technique | No |
| 132–143 | Unused | No |
| 144–151 | File System Id | No |
| 152–155 | Unused | No |
| 156–159 | Size of cylinder group summary area in bytes | No |
| 160–163 | Size of cylinder group descriptor in bytes | No |
| 164–183 | Unused | No |
| 184–187 | Inodes per cylinder group | Yes |
| 188–191 | Fragments per cylinder group | Yes |
| 192–207 | Unused | No |
| 208–208 | Super block modified flag | No |
| 209–209 | FS was clean when it was mounted | No |
| 210–210 | Mounted read only flag (set to 1 if read only) | No |
| 211–211 | Unused | No |
| 212–679 | Last mount point | No |
| 680–711 | Volume name | No |
| 712–719 | System UID | No |
| 720–723 | Unused | No |
| 724–727 | Last cylinder group searched | No |
| 728–999 | Unused | No |
| 1000–1007 | Location of superblock | No |
| 1008–1015 | Number of directories | No |
| 1016–1023 | Number of free blocks | No |
| 1024–1031 | Number of free inodes | No |
| 1032–1039 | Number of free fragments | No |
| 1040–1047 | Number of free clusters | No |
| 1048–1071 | Unused | No |
| 1072–1079 | Last written time | No |
| 1080–1087 | Number of fragments in file system | Yes |
| 1088–1095 | Number of fragments that can store file data | No |
| 1096–1103 | Fragment address of cylinder group summary area | No |
| 1104–1111 | Blocks in process of being freed | No |
| 1112–1115 | Inodes in process of being freed | No |
| 1116–1195 | Array of inode addresses for snap inodes | No |
| 1196–1199 | Expected average file size | No |
| 1200–1203 | Expected number of files per directory | No |
| 1204–1311 | Unused | No |
| 1312–1315 | Flags (see Table 17.2) | No |
| 1316–1319 | Size of cluster summary array in group descriptors | No |
| 1320–1323 | Maximum length of internal symbolic link | Yes |
| 1324–1327 | Format of inodes | Yes |
| 1328–1335 | Maximum file size | No |
| 1336–1343 | Mask used to calculate the offset in a block for an address | No |
| 1344–1351 | Mask used to calculate the offset in a fragment for an address | No |
| 1352–1355 | File system state | No |
| 1356–1371 | Unused | No |
| 1372–1375 | Signature value (0x19540119) | Yes |

You might notice that fields have moved around. The only changes that could be of interest are that the mount point is shorter and there is now a volume label field. The flags field is four bytes instead of only one, but the same flag values given in Table 17.2 are used. Also note that the magic value is different, which is how we can differentiate between UFS1 and UFS2.

Here are the contents of a UFS2 file system from a FreeBSD 5 system:

# dd if=freebsd5.dd skip=128 count=4 | xxd
0000000: 0000 0000 0000 0000 2800 0000 3000 0000 ........(...0...
0000016: 3800 0000 d800 0000 0000 0000 0000 0000 8...............
0000032: 0000 0000 0000 0000 0000 0000 0400 0000 ................
0000048: 0040 0000 0008 0000 0800 0000 0800 0000 .@..............
0000064: 0000 0000 0000 0000 00c0 ffff 00f8 ffff ................
0000080: 0e00 0000 0b00 0000 0800 0000 0008 0000 ................
0000096: 0300 0000 0200 0000 0008 0000 0000 0000 ................
0000112: 0000 0000 0008 0000 4000 0000 0000 0000 ........@.......
0000128: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000144: adb2 0f41 fd01 4a17 0000 0000 0008 0000 ...A..J.........
0000160: 0008 0000 0000 0000 0000 0000 0000 0000 ................
0000176: 0000 0000 0000 0000 0005 0000 b813 0000 ................
0000192: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000208: 0000 0080 2f6d 6e74 0000 0000 0000 0000 ..../mnt........
[REMOVED]
0000672: 0000 0000 0000 0000 5546 5332 0000 0000 ........UFS2....
[REMOVED]
0000832: 0000 0000 0000 0000 1038 66c3 0030 66c3 .........8f..0f.
0000848: 0038 66c3 0000 0000 0000 0000 0040 0000 .8f..........@..
[REMOVED]
0000992: 0000 0000 0000 0000 0000 0100 0000 0000 ................
0001008: 0400 0000 0000 0000 f308 0000 0000 0000 ................
0001024: e213 0000 0000 0000 1800 0000 0000 0000 ................
[REMOVED]
0001072: bdb4 0f41 0000 0000 c04e 0000 0000 0000 ...A.....N......
0001088: d74b 0000 0000 0000 d800 0000 0000 0000 .K..............
[REMOVED]
0001184: 0000 0000 0000 0000 0000 0000 0040 0000 .............@..
0001200: 4000 0000 0000 0000 0000 0000 0000 0000 @...............
[REMOVED]
0001312: 0000 0000 0800 0000 7800 0000 0000 0000 ........x.......
0001328: ffff 0202 1080 0000 ff3f 0000 0000 0000 .........?......
0001344: ff07 0000 0000 0000 0000 0000 0000 0000 ................
0001360: 0000 0000 0000 0000 0000 0000 1901 5419 ..............T.

We see in bytes 8 to 11, 12 to 15, and 16 to 19 that the superblock is located 40 fragments (0x28) from the start of each cylinder group, the group descriptor is 48 fragments (0x30) from the start, and the inode table is 56 fragments (0x38) from the start. Bytes 44 to 47 show that there are four cylinder groups.

Bytes 48 to 51 give the block size, 16,384 bytes (0x4000), and bytes 52 to 55 give the fragment size, 2,048 bytes (0x0800). Bytes 184 to 187 show that there are 1,280 (0x0500) inodes per cylinder group, and bytes 188 to 191 show that there are 5,048 (0x13b8) fragments per group. The total number of fragments is given in bytes 1080 to 1087, and this small file system has only 20,160.
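As an added example (not code from the book), the following Python reads the essential Table 17.3 fields from the superblock copy at sector 128, decodes the mount point, volume name and last-written time, and applies the consistency checks an examiner would run before trusting a superblock: the magic value, power-of-two block and fragment sizes, the block/fragment ratio, and whether the cylinder groups actually cover the fragment count. The image it parses is constructed inline from the values visible in the dump above (it is not the real freebsd5.dd), and the short field names are this example's own.

```python
import struct
from datetime import datetime, timezone

UFS2_MAGIC = 0x19540119
SB_SECTOR = 128   # the primary UFS2 superblock normally starts in sector 128 (byte 65536)
SB_SIZE = 1376    # bytes 0..1375 cover every field in Table 17.3
# (name, byte offset, struct format) transcribed from Table 17.3; little-endian as on x86
FIELDS = [
    ("sblkno", 8, "<i"), ("cblkno", 12, "<i"), ("iblkno", 16, "<i"),
    ("ncg", 44, "<i"), ("bsize", 48, "<i"), ("fsize", 52, "<i"), ("frag", 56, "<i"),
    ("ipg", 184, "<i"), ("fpg", 188, "<i"), ("fsmnt", 212, "<468s"),
    ("volname", 680, "<32s"), ("sblockloc", 1000, "<q"), ("time", 1072, "<q"),
    ("size", 1080, "<q"), ("maxsymlinklen", 1320, "<i"), ("magic", 1372, "<I"),
]

def parse_superblock(image: bytes, sector: int = SB_SECTOR) -> dict:
    """Decode the fields above from the superblock copy starting at the given sector."""
    raw = image[sector * 512:sector * 512 + SB_SIZE]
    sb = {}
    for name, off, fmt in FIELDS:
        (val,) = struct.unpack_from(fmt, raw, off)
        if isinstance(val, bytes):   # NUL-padded strings: mount point and volume name
            val = val.split(b"\0", 1)[0].decode("ascii", "replace")
        sb[name] = val
    sb["last_written"] = datetime.fromtimestamp(sb["time"], timezone.utc).isoformat()
    return sb

def check_superblock(sb: dict) -> list:
    """Consistency checks to run before trusting a superblock; empty list means plausible."""
    problems = []
    if sb["magic"] != UFS2_MAGIC:
        problems.append("bad magic 0x%08x, expected 0x%08x" % (sb["magic"], UFS2_MAGIC))
    problems += ["%s=%d is not a power of two" % (k, sb[k])
                 for k in ("bsize", "fsize") if sb[k] <= 0 or sb[k] & (sb[k] - 1)]
    if sb["fsize"] > 0 and sb["bsize"] // sb["fsize"] != sb["frag"]:
        problems.append("frag=%d disagrees with bsize/fsize" % sb["frag"])
    if not (sb["ncg"] - 1) * sb["fpg"] < sb["size"] <= sb["ncg"] * sb["fpg"]:
        problems.append("ncg*fpg does not cover size=%d fragments" % sb["size"])
    return problems

def build_sample_image() -> bytes:
    """Constructed image: zeros plus a superblock at sector 128 holding the dump's values."""
    values = {"sblkno": 40, "cblkno": 48, "iblkno": 56, "ncg": 4, "bsize": 16384,
              "fsize": 2048, "frag": 8, "ipg": 1280, "fpg": 5048, "fsmnt": b"/mnt",
              "volname": b"UFS2", "sblockloc": 65536, "time": 0x410FB4BD, "size": 20160,
              "maxsymlinklen": 120, "magic": UFS2_MAGIC}
    buf = bytearray(SB_SECTOR * 512 + SB_SIZE)
    for name, off, fmt in FIELDS:
        struct.pack_into(fmt, buf, SB_SECTOR * 512 + off, values[name])
    return bytes(buf)
```

On a real image, pass the image bytes (or a mapped file) to parse_superblock and compare the result with the backup copy each cylinder group keeps at its sblkno offset.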

Here is the relevant output from running fsstat on the UFS2 image:

# fsstat -f freebsd freebsd5.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: UFS 2
Last Written: Tue Aug 3 10:52:29 2004
Last Mount Point: /mnt
Volume Name: UFS2
System UID: 0

METADATA INFORMATION
--------------------------------------------
Inode Range: 0 - 5119
Root Directory: 2
Num of Avail Inodes: 5090
Num of Directories: 4

CONTENT INFORMATION
--------------------------------------------
Fragment Range: 0 - 20159
Block Size: 16384
Fragment Size: 2048
Num of Avail Full Blocks: 2291
Num of Avail Fragments: 24
[REMOVED]


File System Forensic Analysis
ISBN: 0321268172
Year: 2006
Pages: 184
Authors: Brian Carrier