Ext* Content Areas
Inodes, Directories & Files

Review
  Recall … the file system metadata
  The superblock describes the file system
  The group descriptor table describes the equally sized block groups
  The block bitmap tracks group block allocation

Overview
  Today: The data metadata and contents
  The inode bitmap tracks inode allocation
  The inode table is a block that contains the inodes
    – Inode 2 is the root directory
  Each inode contains metadata for, and points to, a file
  Directories are just special files that point to inode table entries
  File data is found in the content area blocks of the block group

Inode Contents (I)
  File size (32 or 64 bit)
  First 12 content block addresses
    – 1 single-indirect block address
    – 1 double-indirect block pointer
  Group ID, user ID (not necessarily real)
    – chown, chgrp
    – User may not exist in /etc/passwd
  Last Access, modify, change, delete times

Inode Contents (II)
  Mode
    – File type
        File, directory, named pipe, Unix socket, block & raw devices
    – Permissions
    – Special properties (sticky, SUID, SGID)
  Link counter
    – 0 = unallocated inode (or orphaned file, will be unallocated when process ends)
  Many supported attributes
    – “don’t update the Access time for files”
    – Write-immediate
    – Append-only
    – Immutable
    – Don’t dump (backup)
  Extended attributes created by the user (custom attributes)

Inode Structure (I)
  Bytes    Description
  0-1      File mode (type & permissions)
  2-3      UID lower 2 bytes
  4-7      Size lower 4 bytes
  8-11     Access Time
  12-15    Change Time
  16-19    Modification Time
  20-23    Delete Time
  24-25    GID lower 2 bytes
  26-27    Link count
  28-31    Sector count
  32-35    Flags
  36-39    unused

Inode Structure (II)
  Bytes    Description
           direct block pointers
           single-indirect pointer
           double-indirect pointer
           triple-indirect pointer
           Generation number
           Extended attribute block address
           Size upper 4 bytes OR Directory ACL
           Fragment block address
           Fragment size
           unused
           UID upper 2 bytes
           GID upper 2 bytes
           unused

Large Files – Indirect Pointers
  With only 12 block addresses, file size is limited (in the basic case)
  Single-indirection supports larger files by pointing to a block of addresses
  Addresses are 4 bytes, thus each block stores blocksize / 4 address pointers
  Double-indirection supports huge files by pointing to a block of single-indirection addresses
  Triple-indirection points to a block of double-indirection pointers
  This scheme provides efficiency for smaller files, but the ability to grow as large as space allows

Inode Usage
  Inodes 1 – 10 are reserved
    – Inode 2 – root directory
    – Inode 8 – lost+found
    – Allocated blocks without an inode are “lost files”
    – These are pointed to by the lost+found inode
  Inode 11 and after – content (files, directories, devices, links, mount points, etc.)

Typical Inode/File Relationship
  If the inode represents a Directory
    – The inode points to a directory block
        Each directory entry points back to an inode
  If the inode represents a File
    – The 12 inode block addresses point to the first 12 blocks of the file
    – The single-indirect address points to a block of addresses that are the next m blocks of the file
    – Double-indirect address points to a block of single-indirect addresses that ultimately point to the next n blocks of the file
    – Triple-indirect address points to a block of double-indirect addresses

Indirection
  [Figure: one inode (shows pointers only) and the blocks in the group. Labels: Single-Indirect, Double-Indirect, Triple-indirect, Single-Indirect Block, pointers to content blocks, blocks 4-9]

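The pointer scheme from the "Large Files – Indirect Pointers" and "Typical Inode/File Relationship" slides, as an added example that is not part of the original slides: it computes how many blocks the pointers can address and which pointer path an examiner must follow to reach a given block of a file. The function names and the 0-based block numbering are assumptions of this example.

```python
ADDR_SIZE = 4   # each block address is 4 bytes (from the slide)
DIRECT = 12     # block addresses held in the inode itself

def pointers_per_block(block_size):
    return block_size // ADDR_SIZE

def max_file_blocks(block_size):
    """Blocks reachable through direct + single + double + triple pointers."""
    n = pointers_per_block(block_size)
    return DIRECT + n + n ** 2 + n ** 3

def locate(file_block, block_size):
    """Return (level, slots): the slot to read in each pointer block on the
    way to the 0-based logical block `file_block` of a file."""
    if file_block < 0:
        raise ValueError("block number must be >= 0")
    n = pointers_per_block(block_size)
    if file_block < DIRECT:
        return ("direct", [file_block])
    rem = file_block - DIRECT
    if rem < n:
        return ("single-indirect", [rem])
    rem -= n
    if rem < n * n:
        return ("double-indirect", [rem // n, rem % n])
    rem -= n * n
    if rem < n ** 3:
        return ("triple-indirect", [rem // (n * n), (rem // n) % n, rem % n])
    raise ValueError("block lies beyond the triple-indirect range")

if __name__ == "__main__":
    for bs in (1024, 4096):
        print(bs, "byte blocks:", max_file_blocks(bs), "addressable blocks")
    # Constructed case: where does byte offset 300000 of a file live (1 KiB blocks)?
    print(locate(300000 // 1024, 1024))
```

The result is pointer capacity only; the size fields in the inode can limit a file before the pointers do.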
Directory Entries
  A directory is just a special type of file
    – inode.file mode (type) = directory
    – Creating a directory allocates blocks of directory entries
  Each block stores dynamically sized directory entries (the directory “table”), each describing a file or directory
  Size of each entry is variable
    – Variable filename length
    – 8 bytes of static information
    – Entry size is rounded-up to a multiple of 4
  Four entry attributes
    – Name length (1 byte)
    – Filename (1-255 chars)
    – Inode address of the file content
    – Pointer to next directory entry
  Unused entries are “jumped over”

Directory Example
  The first two entries are always . and ..
  Directory table for new directory
    Name         Name length    Record length
  Add a file
    Name         Name length    Record length
    File1.dat    8              4072
  Last entry always has the remaining length in the directory block

Directory Entries
  Each entry points to the next active entry
  Old.txt has been deleted
    – the entry for F1.txt now points to F2.txt
    – F2.txt points to the end of the directory block
    – F2.txt is the last file in the directory
  Directory block contents:
    .          inode 75
    ..         inode 26
    F1.txt     inode 95
    Old.txt    inode 35
    F2.txt     inode 29

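The deleted-entry case above, as an added example that is not part of the original slides: it walks a directory block by record length, then searches the space each live entry "jumps over" for leftover entries such as Old.txt. The field order (inode, record length, name length, file type, name) is the standard ext2 layout, which the slides do not spell out; the block itself is constructed to match the slide.

```python
import struct

HEAD = struct.Struct("<IHBB")  # inode, record length, name length, file type

def need(name_len):
    """8 static bytes plus the name, rounded up to a multiple of 4."""
    return (8 + name_len + 3) & ~3

def live_entries(block):
    """Follow record lengths the way the file system does."""
    off = 0
    while off + 8 <= len(block):
        inode, rec_len, name_len, _ = HEAD.unpack_from(block, off)
        if rec_len < 8 or off + rec_len > len(block):
            break  # corrupt record length: stop rather than loop forever
        if inode:
            yield off, inode, rec_len, block[off + 8:off + 8 + name_len].decode("latin-1")
        off += rec_len

def deleted_entries(block):
    """Scan the gap between what each live entry needs and what it spans."""
    for off, _, rec_len, name in live_entries(block):
        pos, end = off + need(len(name)), off + rec_len
        while pos + 8 <= end:
            inode, rl, nl, _ = HEAD.unpack_from(block, pos)
            if inode and nl and rl >= need(nl) and pos + need(nl) <= end:
                yield pos, inode, block[pos + 8:pos + 8 + nl].decode("latin-1")
                pos += need(nl)
            else:
                pos += 4  # entries are 4-byte aligned

def build_sample(block_size=1024):
    """Constructed block matching the slide: Old.txt deleted, F1.txt jumps to F2.txt."""
    block, off, offs = bytearray(block_size), 0, {}
    for inode, name, ftype in [(75, ".", 2), (26, "..", 2), (95, "F1.txt", 1),
                               (35, "Old.txt", 1), (29, "F2.txt", 1)]:
        HEAD.pack_into(block, off, inode, need(len(name)), len(name), ftype)
        block[off + 8:off + 8 + len(name)] = name.encode()
        offs[name] = off
        off += need(len(name))
    # Deletion: F1.txt's record length grows to cover Old.txt; last entry fills the block.
    struct.pack_into("<H", block, offs["F1.txt"] + 4, offs["F2.txt"] - offs["F1.txt"])
    struct.pack_into("<H", block, offs["F2.txt"] + 4, block_size - offs["F2.txt"])
    return bytes(block)

if __name__ == "__main__":
    blk = build_sample()
    for entry in live_entries(blk):
        print("live   ", entry)
    for entry in deleted_entries(blk):
        print("deleted", entry)
```

The plausibility check in `deleted_entries` is a heuristic: on real images the slack can hold stale bytes that only look like an entry, so confirm each hit against the inode it names.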
Links
  Links are special types of directory entries
    – They point to files that already have directory entries
  Hard Link
    – another name for the file, in same file system
        The directory entries for . and .. are hard links
    – OS creates a new directory entry pointing to the original inode
        Increments the inode link count
  Soft link
    – another name, points to another file system
    – OS creates a file of the type “symbolic link”
        Each “file’s” inode link count = 1 (or unchanged)

Mount Points
  Mount points are special types of directory entries that virtually replace the contents of a directory by redirecting the directory to another file system
    – FS1 has /dir1/
    – FS2 mounts /dir1/
    – User cd’s to /dir1 and sees the contents of FS2
  Implication for CF investigations: know where file systems are mounted, or you’ll miss the real contents of /dir1/

Inode Time Changes
  Access (A-time)
    – File: read contents, copy, move to new volume (no change on same volume)
    – Dir: list contents, open file or subdirectory
  Modify (M-time)
    – File: copy (destination only), change contents
        When moving to network file system, might change (new file)
    – Dir: file create/delete
  Change (C-time) inode metadata
    – Dir: content change, permissions/ownership change
    – File: same as Dir, plus when moved
  Delete (D-time)
    – Initially 0
    – If D-time == C-time == M-time, likely a deleted file

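A decoder for the first 40 bytes of an inode, using the offsets from the "Inode Structure (I)" table and the deletion indicators from the slides (link count 0, D-time == C-time == M-time). This is an added example, not part of the original slides; the two sample inodes are constructed, and the function names and file-type constants (the standard Unix mode bits) are supplied by the example.

```python
import struct

# Bytes 0-39 exactly as listed in "Inode Structure (I)"; ext* stores them little-endian.
INODE_HEAD = struct.Struct("<HHIIIIIHHII4x")

FILE_TYPES = {0x1000: "named pipe", 0x2000: "raw (character) device",
              0x4000: "directory", 0x6000: "block device", 0x8000: "file",
              0xA000: "symbolic link", 0xC000: "Unix socket"}

def parse_inode_head(raw):
    (mode, uid_lo, size_lo, atime, ctime, mtime, dtime,
     gid_lo, links, sectors, flags) = INODE_HEAD.unpack(raw[:40])
    return {
        "type": FILE_TYPES.get(mode & 0xF000, "unknown"),
        "perms": oct(mode & 0o777),
        "suid": bool(mode & 0o4000),
        "sgid": bool(mode & 0o2000),
        "sticky": bool(mode & 0o1000),
        "uid_lo": uid_lo, "gid_lo": gid_lo, "size_lo": size_lo,
        "atime": atime, "ctime": ctime, "mtime": mtime, "dtime": dtime,
        "links": links, "sectors": sectors, "flags": flags,
    }

def triage(inode):
    """Apply the slides' indicators; each is a hint, not proof."""
    notes = []
    if inode["links"] == 0:
        notes.append("link count 0: unallocated or orphaned")
    # D-time starts at 0, so only a non-zero D-time can signal deletion.
    if inode["dtime"] and inode["dtime"] == inode["ctime"] == inode["mtime"]:
        notes.append("D-time == C-time == M-time: likely deleted")
    if inode["suid"] or inode["sgid"]:
        notes.append("SUID/SGID set")
    return notes

# Constructed samples (not from a real image): a deleted file and a live SUID binary.
DELETED = INODE_HEAD.pack(0o100644, 1000, 0, 1700000000, 1700003600,
                          1700003600, 1700003600, 1000, 0, 0, 0)
LIVE = INODE_HEAD.pack(0o104755, 0, 54256, 1700000000, 1690000000,
                       1690000000, 0, 0, 1, 112, 0)

if __name__ == "__main__":
    for raw in (DELETED, LIVE):
        head = parse_inode_head(raw)
        print(head["type"], head["perms"], triage(head))
```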
Analysis Considerations
  Sparse blocks exist when the file allocated space, but never used it
  A-Time & M-time are easily set to any value using touch
  RAM slack space is typically 0’d – the only valuable slack is in unallocated blocks
  De-allocated inodes are purged of size & allocation information – must analyze the unallocated blocks directly using what is known of allocation algorithms and the file system structures