
Ext2 and Ext3 Filesystems

Intro to the data structures, and points of interest for forensic examiners
Wesley McGrew, wesley@mcgrewsecurity.com

Primary source for this material
One of the most interesting and well-written textbooks you've ever purchased. Reading it will turn you into a ninja.

Caveats
- There are two chapters of material: 14 - Concepts, 15 - Specifics of data structures
- Much more detail in the book
- Ext2/3 are open source
- Moving target :)

[Figure: a disk laid out as MBR, Partition Table, Linux Swap, and a Linux Filesystem with mount point /]

The operating system needs to use this space for storing: directories, files, and information about block & character devices.

What is ExtX?
- A set of data structures for storing information and describing its location and metadata
- Algorithms for deciding how to allocate and deallocate space

ExtX Data Structures
- Block: a group of consecutive sectors. Divides the filesystem up into data units. Blocks may contain file data, or file system data structures described in future slides. Size defined at filesystem creation time: 1024 bytes, 2048 bytes or 4096 bytes

ExtX Data Structures
- Block Group: a series of consecutive blocks. Each block group is the same size ...with the exception of the last group of the filesystem. Common sizes (unless overridden by the user):
  block_size = 1024 bytes : 8192 blocks
  block_size = 2048 bytes : 16,384 blocks
  block_size = 4096 bytes : 32,768 blocks

ExtX Data Structures
[Figure (not to scale): the first 1024 bytes of boot code, then the Superblock, then the block groups]
- Boot Code: first 1024 bytes (often unused)
- Superblock: starts at 1024 bytes, size 1024 bytes. Backup copies at the beginning of some block groups. Defines filesystem information such as:
  - Block size
  - # of blocks
  - # of inodes
  - ...much more

ExtX Data Structures
[Figure (not to scale): the Reserved Area at the start of the disk, followed by the filesystem area]
- Reserved Area (size defined by the Superblock)
- Filesystem area, made up of blocks and block groups, indexed from zero

ExtX Data Structures
Group Descriptor Table - Contains information about each block group. Starts in the first block after the Superblock; backups in some block groups.
Group Descriptor Table Entry (32 bytes):
- Block Bitmap ptr
- Inode Bitmap ptr
- Inode Table ptr
- # unalloc blocks
- # unalloc inodes
- # dirs
- Unused
[Figure: the table drawn as a row of such entries, one per block group]



ExtX Data Structures
- Inode: 128 bytes (default). Defines: file type & permissions, owner/group, attributes, size, MAC(D) times, pointers to data blocks
- Inode Table: one per block group
[Figure: the inode table drawn as a row of inodes]


ExtX Data Structures
How inodes point to file data
[Figure: an inode with block_ptr_1 through block_ptr_12, each pointing at a data block]
Inodes may have up to 12 direct pointers to blocks containing data...


ExtX Data Structures
How inodes point to file data
[Figure: inode -> single indirect block pointer -> block of pointers to data blocks]
...or a pointer to a block of pointers

ExtX Data Structures
How inodes point to file data
[Figure: inode -> double indirect block pointer -> block of pointers to single indirect blocks -> blocks of pointers to data blocks]
...or double indirection of pointers

ExtX Data Structures
How inodes point to file data
[Figure: inode -> triple indirect block pointer -> block of pointers to double indirect blocks -> blocks of pointers to single indirect blocks -> blocks of pointers to data blocks]
...or triple indirection of pointers

ExtX Data Structures
Directories - Special cases of files, made up of a series of directory entries:
- Inode Value
- Entry Length
- Name Length
- File Type
- ASCII Name
Entries chain -- you must use the entry length of the current entry to find the next entry
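Walking the chain by entry length is what makes deleted names recoverable, which is one of the forensic points raised later in these slides. The following is an added example, not code from the slides: it builds a constructed directory block, "unlinks" one entry the way ext2/ext3 does (by folding its space into the previous entry's length), then walks the live chain and scans each entry's slack for leftover entries. It assumes the revision-1 entry layout (inode, entry length, name length, file type, name) with little-endian fields.

```python
# Added example (not from the slides): walk an ext2/ext3 directory block by
# following each entry's rec_len, and report old entry bytes left behind in the
# slack a deletion creates. Assumes the revision-1 entry layout: inode (u32 LE),
# rec_len (u16 LE), name_len (u8), file_type (u8), name padded to 4 bytes.
import struct

HEADER = struct.Struct("<IHBB")  # inode, rec_len, name_len, file_type

def padded(name_len):
    return (HEADER.size + name_len + 3) & ~3

def make_entry(inode, name, file_type, rec_len=None):
    """Build one entry; rec_len defaults to the padded minimum for the name."""
    name = name.encode()
    rec_len = padded(len(name)) if rec_len is None else rec_len
    body = HEADER.pack(inode, rec_len, len(name), file_type) + name
    return body + b"\0" * (rec_len - len(body))

def parse_entry(block, off):
    inode, rec_len, name_len, ftype = HEADER.unpack_from(block, off)
    name = block[off + 8:off + 8 + name_len].decode(errors="replace")
    return {"inode": inode, "rec_len": rec_len, "name_len": name_len, "file_type": ftype, "name": name}

def walk_directory(block):
    """Return (live_entries, slack_entries) found in one directory block."""
    live, slack, off = [], [], 0
    while off + HEADER.size <= len(block):
        entry = parse_entry(block, off)
        if entry["rec_len"] < HEADER.size or off + entry["rec_len"] > len(block):
            break  # corrupt or truncated entry: stop rather than run off the block
        live.append(entry)
        # Bytes after the padded name but before rec_len ends are slack. A deleted
        # entry survives there: unlinking only grows the previous entry's rec_len.
        p, end = off + padded(entry["name_len"]), off + entry["rec_len"]
        while p + HEADER.size <= end:
            ghost = parse_entry(block, p)
            if ghost["inode"] and 0 < ghost["name_len"] <= ghost["rec_len"] - HEADER.size:
                slack.append(ghost)
                p += ghost["rec_len"]
            else:
                p += 4
        off += entry["rec_len"]
    return live, slack

def build_sample_block(block_size=1024):
    """Constructed sample: '.', '..', 'etc', 'notes.txt', then notes.txt is unlinked."""
    entries = [make_entry(2, ".", 2), make_entry(2, "..", 2), make_entry(1032193, "etc", 2)]
    entries.append(make_entry(15, "notes.txt", 1, rec_len=block_size - sum(map(len, entries))))
    block = bytearray(b"".join(entries))
    etc_off = len(entries[0]) + len(entries[1])
    struct.pack_into("<H", block, etc_off + 4, block_size - etc_off)  # fold notes.txt into etc
    return bytes(block)
```

On the constructed block the live walk sees only ".", ".." and "etc", while the slack scan still finds "notes.txt" with its inode number intact.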

ExtX Data Structures
- The journal is used to record changes (usually only metadata changes) so the FS can recover from a crash. It is pointed to by an inode, specified in the superblock.
- The journal carries its own journal superblock that defines characteristics & size of the journal.
- The journal descriptor entries describe what file system block each journal block represents.

ExtX Data Structures
Other Stuff!
- Extended attributes
- Symbolic links
- Hash trees

Example: Finding a file
Let's find /etc/rc.local on my Ubuntu VM's Ext3 filesystem.

1. Read the superblock:
   - Block group 0 starting block
   - Block size (shift of 1024)
   - Blocks per block group
   - Inodes per block group
2. Read the group descriptor table entry for Group 0: starting block of inode table
3. Read inode 2 (root directory): direct block pointer to data
4. Read the block containing /'s directory entries: inode for /etc
5. The /etc inode is 0x000fc001 = 1032193. With 8192 inodes per block group: (1032193 - 1) / 8192 = group 126; (1032193 - 1) % 8192 = 0th inode in this group
6. Read the group descriptor table entry for Group 126: starting block of inode table
7. Read inode 1032193 (0 of this group): direct block pointers to data
8. Read the block containing /etc's directory entries: inode for /etc/rc.local
9. The /etc/rc.local inode is 0x000fc0bd = 1032387. With 8192 inodes per block group: (1032387 - 1) / 8192 = group 126; (1032387 - 1) % 8192 = 194th inode in this group
10. Read inode 1032387 (194 of this group): direct block pointer to data
11. ...and there's rc.local
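The superblock-to-group-descriptor-to-inode part of that walk, as an added example rather than the slides' own code. It parses the superblock fields the slides read (first data block, block size shift, blocks and inodes per group), finds the 32-byte group descriptor in the block after the superblock, and computes where an inode sits in that group's inode table. Field offsets are the standard ext2 on-disk layout; the image is constructed, its group-descriptor pointers are assumed values, and the 8192 inodes per group and the two inode numbers are the ones from the slides.

```python
# Added example (not from the slides): the slides' manual walk done in code.
# Reads the superblock and a group descriptor from an ext2/ext3 image and locates
# an inode. Field offsets are the standard ext2 on-disk layout. The image is
# constructed; its group descriptor pointers are assumed values, while 8192
# inodes per group and the inode numbers tested come from the slides.
import struct

SB_OFFSET, SB_MAGIC = 1024, 0xEF53

def parse_superblock(img):
    """Pull the fields the walk needs out of the superblock at byte 1024."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != SB_MAGIC:
        raise ValueError("not an ext2/3 superblock: magic 0x%04x" % magic)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group, _, inodes_per_group = struct.unpack_from("<III", sb, 32)
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return {"block_size": 1024 << log_block_size, "first_data_block": first_data_block,
            "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
            "inode_size": inode_size}

def group_descriptor(img, sb, group):
    """32-byte GDT entry for `group`; the GDT starts in the block after the superblock."""
    off = (sb["first_data_block"] + 1) * sb["block_size"] + 32 * group
    fields = struct.unpack_from("<IIIHHH", img, off)
    names = ("block_bitmap", "inode_bitmap", "inode_table", "free_blocks", "free_inodes", "dirs")
    return dict(zip(names, fields))

def locate_inode(img, inode_number):
    """Return (group, index within group, byte offset of the inode in the filesystem)."""
    sb = parse_superblock(img)
    group, index = divmod(inode_number - 1, sb["inodes_per_group"])  # inodes start at 1
    gd = group_descriptor(img, sb, group)
    return group, index, gd["inode_table"] * sb["block_size"] + index * sb["inode_size"]

def build_sample_image():
    """Constructed 6 KiB image: 1 KiB blocks, 8192 inodes/group, GDT entry for group 126 only."""
    img = bytearray(1024 * 6)
    struct.pack_into("<II", img, SB_OFFSET + 20, 1, 0)       # first_data_block 1, log_block_size 0
    struct.pack_into("<III", img, SB_OFFSET + 32, 8192, 8192, 8192)
    struct.pack_into("<H", img, SB_OFFSET + 56, SB_MAGIC)
    struct.pack_into("<I", img, SB_OFFSET + 76, 1)           # rev 1, so the inode size field is valid
    struct.pack_into("<H", img, SB_OFFSET + 88, 128)
    # Assumed bitmap/inode-table block numbers for group 126 (not from the slides).
    struct.pack_into("<IIIHHH", img, 2048 + 32 * 126, 1032195, 1032196, 1032197, 0, 0, 0)
    return bytes(img)
```

The returned byte offset is where the inode would be on the full filesystem, so on the tiny constructed image it points past the end; against a real image you would seek there and read 128 bytes.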

Some Points of Forensic Interest
- Superblock-defined FS size vs. partition size
- Unused areas of file system structures
- Backups of superblock and GDT
- Blocks marked as unallocated
- Impact of deletion on inodes and dir entries
- Differences between Ext2 and 3
- Using the journal to look at recent events

Tools that speak ExtX
- Sleuthkit/Autopsy
- AccessData's FTK
- EnCase
- dd | xxd | less :-)

Other Linux/Unix Filesystems
- Linux: MurderFS, ReiserFS, XFS
- *BSD: UFS
- Mac OS X: HFS+

Questions?
