What is a File System?

Introduction

UFS is related to the Berkeley Fast File System (FFS) and was designed to be fast and reliable. Copies of important data structures are stored throughout the file system, and data are localized so that the hard disk heads do not need to travel much when reading a file. A UFS is organized into sections, called cylinder groups, and the size of each group is based on the geometry of the hard disk. These are similar to the ExtX block groups.

UFS has a superblock data structure in the beginning of the file system that contains the basic layout information. The content of each file is saved to a block, which is a group of consecutive sectors. Blocks also can be broken up into fragments, which are used to store the final bytes of a file instead of allocating a full block. The metadata for each file and directory is stored in an inode data structure. The names of files are stored in directory entry structures, which are located in the blocks allocated to directories. Directory entry structures are basic data structures that contain the name of the file and a pointer to the file's inode entry. The relationship between these data structures can be seen in Figure 16.1. Each cylinder group contains its own inode table, bitmaps for the allocation status of fragments, and copies of the superblock.

Figure 16.1. Relationship between UFS directory entries, inodes, and data blocks that are used to store file content.
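The superblock and the block/fragment relationship described above can be checked directly on a raw image. The following is an added example, not code from the book: the superblock offsets, magic values and field positions are the standard BSD UFS on-disk constants (they are not given on this page), the function names are hypothetical, and the sample image is constructed in memory.

```python
import struct

# Constants from the BSD UFS on-disk format (known values, not given on this page).
SB_OFFSET = {"UFS1": 8192, "UFS2": 65536}        # byte offset of the superblock
MAGIC = {"UFS1": 0x00011954, "UFS2": 0x19540119}
MAGIC_OFF = 1372   # magic number, relative to the superblock start
GEOM_OFF = 44      # cylinder-group count, block size, fragment size, frags per block


def parse_superblock(image):
    """Find a UFS superblock in a raw image and return its basic layout, or None."""
    for variant, base in SB_OFFSET.items():
        raw = image[base + MAGIC_OFF:base + MAGIC_OFF + 4]
        if len(raw) < 4:
            continue                      # image too short for this variant
        for endian in ("<", ">"):         # UFS is stored in the host's byte order
            if struct.unpack(endian + "I", raw)[0] != MAGIC[variant]:
                continue
            ncg, bsize, fsize, frag = struct.unpack_from(
                endian + "4I", image, base + GEOM_OFF)
            # Reject a chance magic match: a block is a whole number of fragments.
            if fsize == 0 or bsize != fsize * frag:
                continue
            return {"variant": variant, "endian": endian, "ncg": ncg,
                    "bsize": bsize, "fsize": fsize, "frag": frag}
    return None


def tail_allocation(size, bsize, fsize):
    """Full blocks, plus fragments holding the final bytes, for a file of `size` bytes.

    Follows the simplified description in the text above.
    """
    full_blocks, tail_bytes = divmod(size, bsize)
    return full_blocks, -(-tail_bytes // fsize)   # ceiling division


def build_sample_image(endian="<"):
    """Constructed sample: zero-filled image holding a minimal UFS1 superblock."""
    img = bytearray(SB_OFFSET["UFS1"] + MAGIC_OFF + 4)
    struct.pack_into(endian + "4I", img, SB_OFFSET["UFS1"] + GEOM_OFF,
                     4, 16384, 2048, 8)
    struct.pack_into(endian + "I", img, SB_OFFSET["UFS1"] + MAGIC_OFF, MAGIC["UFS1"])
    return bytes(img)


if __name__ == "__main__":
    sb = parse_superblock(build_sample_image())
    print(sb, tail_allocation(20000, sb["bsize"], sb["fsize"]))
```

Trying both byte orders matters in practice because an image taken from a big-endian host will not match a little-endian read of the magic value.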

All variants of UFS have the basic concepts that I just described, and it should be obvious that they are the same concepts that we saw for ExtX. The differences among the UFS-based variants are in how each of the data structures is organized and what additional features are included. There are fewer experimental features in UFS than in ExtX that affect the on-disk data.

The UFS1 file system is the default file system of OpenBSD and Solaris. It used to be the default file system of FreeBSD and NetBSD until FreeBSD 5.0 and NetBSD 2.0 included UFS2. UFS2 adds support for larger files and disks and other advanced features. At the time of this writing, only FreeBSD and NetBSD support UFS2. Apple OS X and Linux also support UFS1, but it is not their default file system. Solaris also has a version of UFS to support large files and disks. Note that Sun has not published the data structures for its version of UFS, but tools developed using the essential data in the data structures published by FreeBSD work on a Solaris file system. The non-essential data may be different, though.

In the rest of this chapter, we will examine the five-category data model with respect to the variants of UFS. Each section will discuss the basic properties of the category and the differences in each variant. I will refer to FreeBSD, NetBSD, and OpenBSD as BSD systems.



File System Forensic Analysis
ISBN: 0321268172
EAN: 2147483647
Year: 2006
Pages: 184
Authors: Brian Carrier
