-
7/27/2019 extx
1/45
Ext2 and Ext3
FilesystemsIntro to the data structures, and points of interest
forforensic examiners
Wesley [email protected]
-
7/27/2019 extx
2/45
Primary source for this material
One of the most interestingand well-written textbooksyouve ever
purchased
Reading it will turn you into aninja
-
7/27/2019 extx
3/45
Caveats
There are two chapters of material
14 - Concepts
15 - Specifics of data structures Much more detail in the
book
Ext2/3 are open source Moving target :)
-
7/27/2019 extx
4/45
-
7/27/2019 extx
5/45
Operating system needs to use this space for storing:
Directories, Files, Information about Block &
CharacterDevices
-
7/27/2019 extx
6/45
What is ExtX?
A set of data structures for storinginformation and describing
its location andmetadata
Algorithms for deciding how to allocate
and deallocate space
-
7/27/2019 extx
7/45
ExtX Data Structures- Block : Group of consecutive sectors,
Divides the filesystem up intodata units.
Blocks may contain file data, or file systemdata structures
described in future slides
Size defined at filesystem creation time:1024 bytes2048
bytes4096 bytes
-
7/27/2019 extx
8/45
Block Group - A series of consecutive blocks.Each block group is
the same size...with the exception of the lastgroup of the
filesystem
block_size = 1024 bytes : 8192 blocksblock_size = 2048 bytes :
16,384 blocks
block_size = 4096 bytes : 32,768 blocks
ExtX Data Structures
Common sizes (unless overridden by the user)
-
7/27/2019 extx
9/45
Block Group - A series of consecutive blocks.
Each block group is the same size...with the exception of the
lastgroup of the filesystem
block_size = 1024 bytes : 8192 blocksblock_size = 2048 bytes :
16,384 blocks
block_size = 4096 bytes : 32,768 blocks
ExtX Data Structures
Common sizes (unless overridden by the user)
-
7/27/2019 extx
10/45
ExtX Data Structures
Boot CodeFirst 1024 bytes(often unused)
SuperblockStarts at 1024 bytes
Size: 1024 bytesBackup copies at the beginning
of some block groupsDefines filesystem information such as:
- Block size- # of blocks- # of inodes
...much more
(not to scale)
....... ... ...
-
7/27/2019 extx
11/45
ExtX Data Structures
(not to scale)
....... ... ...
Reserved Area(size defined bythe Superblock)
Filesystem area, made up ofblocks and block groups,indexed from
zero
-
7/27/2019 extx
12/45
ExtX Data Structures
Group Descriptor Table Entry(32 bytes):
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
-
7/27/2019 extx
13/45
ExtX Data StructuresGroup Descriptor Table - Contains
informationabout each block group
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Starts in the first block after the Superblock
Backups in some block groups
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
UnusedBlock Bitmap
ptrInode Bitmap
ptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
UnusedBlock Bitmap
ptrInode Bitmap
ptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
UnusedBlock Bitmap
ptrInode Bitmap
ptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
UnusedBlock Bitmap
ptrInode Bitmap
ptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
UnusedBlock Bitmap
ptrInode Bitmap
ptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
-
7/27/2019 extx
14/45
ExtX Data StructuresGroup Descriptor Table - Contains
informationabout each block group
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Starts in the first block after the Superblock
Backups in some block groups
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
..
.
Block Bitmapptr
Inode Bitmapptr
#unallocblocks
Inode Tableptr
#unallocinodes
#dirs
Unused
-
7/27/2019 extx
15/45
ExtX Data Structures
inode
inode
inode
inode
inode
inodeinode
...
Inode Table - One perblock groupInode - 128 byte (default)
Defines:
File type & permissionsOwner/Group
AttributesSize
MAC(D) timesPointers to data blocks
-
7/27/2019 extx
16/45
ExtX Data Structures
inode
inode
inode
inode
inode
inodeinode
...
Inode Table - One perblock groupInode - 128 byte (default)
Defines:
File type & permissionsOwner/Group
AttributesSize
MAC(D) timesPointers to data blocks
-
7/27/2019 extx
17/45
ExtX Data Structures
inode
How inodes point to file data
Inodes may have up to12 direct pointers to
blocks containing data...
-
7/27/2019 extx
18/45
ExtX Data Structures
inode
How inodes point to file data
block_ptr_1
block_ptr_12
block_ptr_11
block_ptr_10
block_ptr_9
block_ptr_8
block_ptr_7
block_ptr_6
block_ptr_5
block_ptr_4
block_ptr_3
block_ptr_2Inodes may have up to12 direct pointers to
blocks containing data...
-
7/27/2019 extx
19/45
ExtX Data Structures
inode
How inodes point to file data
single indirectblock pointer
...or a pointer to a block of pointers
-
7/27/2019 extx
20/45
ExtX Data Structures
inode
How inodes point to file data
double indirectblock pointer
...or double indirection of pointers
-
7/27/2019 extx
21/45
ExtX Data Structures
inode
How inodes point to file data
double indirectblock pointer
...or double indirection of pointers
-
7/27/2019 extx
22/45
ExtX Data Structures
inode
How inodes point to file data
triple indirectblock pointer
...or triple indirection of pointers
-
7/27/2019 extx
23/45
ExtX Data Structures
inode
How inodes point to file data
triple indirectblock pointer
...or triple indirection of pointers
-
7/27/2019 extx
24/45
ExtX Data Structures
Directories - Special cases of files, made up of aseries
ofdirectory entries:
Inode ValueEntryLength
Name Length
ASCII Name
File Type
Entries chain--you must use the entrylength of the current entry
to find the
next entry
-
7/27/2019 extx
25/45
ExtX Data StructuresThejournal is used to record changes
(usually only metadata changes) so the FScan recover from a
crash.
It is pointed to by an inode, specified in thesuperblock.
The journal carries its ownjournal superblock
that defines characteristics & size of thejournal.
Thejournal descriptor entriesdescribe what file system block
each
journal block represents
-
7/27/2019 extx
26/45
ExtX Data Structures
Other Stuff!
Extended attributes Symbolic links
Hash trees
-
7/27/2019 extx
27/45
Example: Finding a fileLets find /etc/rc.local on my Ubuntu VMs
Ext3 Filesystem
-
7/27/2019 extx
28/45
Read the superblock
-
7/27/2019 extx
29/45
Block group 0 starting block Block size (shift of 1024)
Blocks per block group Inodes per block group
-
7/27/2019 extx
30/45
Read the group descriptor tableentry for Group 0
Starting block of inode table
-
7/27/2019 extx
31/45
Read inode 2 (root directory)
Direct block pointer to data
-
7/27/2019 extx
32/45
Read the block containing /sdirectory entries
-
7/27/2019 extx
33/45
inode for /etc
-
7/27/2019 extx
34/45
/etc inode is 0x000fc001= 1032193
8192 inodes per block group(1032193 -1)/8192
= group 126(1032193-1)%8192
= 0th inode in this group
-
7/27/2019 extx
35/45
Starting block of inode table
Read the group descriptor tableentry for Group 126
-
7/27/2019 extx
36/45
Read inode 1032193(0 of this group)
Direct block pointers to data
-
7/27/2019 extx
37/45
Read the block containing /etcsdirectory entries
-
7/27/2019 extx
38/45
inode for /etc/rc.local
-
7/27/2019 extx
39/45
/etc inode is 0x000fc0bd= 1032387
8192 inodes per block group(1032387 -1)/8192
= group 126(1032387-1)%8192
= 194th inode in this group
-
7/27/2019 extx
40/45
Read inode 1032387(194 of this group)
Direct block pointer to data
-
7/27/2019 extx
41/45
...and theres rc.local
-
7/27/2019 extx
42/45
Some Points of
Forensic Interest Superblock-defined FS size vs. Partition
size
Unused areas of file system structures
Backups of superblock and GDT
Blocks marked as unallocated
Impact of deletion on inodes and dir entries
Differences between Ext2 and 3
Using the journal to look at recent events
-
7/27/2019 extx
43/45
Tools that speak ExtX
Sleuthkit/Autopsy
AccessDatas FTK EnCase
dd | xxd | less :-)
-
7/27/2019 extx
44/45
Other Linux/Unix
Files stems Linux
MurderFS ReiserFS
XFS *BSD
UFS
Mac OS X HFS+
-
7/27/2019 extx
45/45
Questions?
![14-04-08- Terrier Extraits€¦ · 4D +KT[UDNLGH Hda[P[P]ST^ UaXbb^]]T]c[TbRWTeTdfSTb\^acb bkPeP]RT [T]cT\T]c [T eXTX[[PaS c^dc aXS~% EPaeT]dy[Pb^daRT^ [kT]UP]RTR^d[PXc X[ aTVPaST](https://img.dokumen.tips/doc/110x75/60609df2b833dc01cc56a015/14-04-08-terrier-extraits-4d-ktudnlgh-hdappst-uaxbbtctbrwtetdfstbacb.jpg)