Ext2 and Ext3 Structure

# Ext2 and Ext3 Structure ### Superblock structure - ExtX uses the superblock to store the basic file system category data. It is located `1,024` bytes from the start of the file system and has `1,024` bytes allocated to it. - contains basic information, such as the block size, the total number of blocks, the number of blocks per block group, and the number of reserved blocks before the first block group, total number of inodes and the number of inodes per block group, …. ![image](https://hackmd.io/_uploads/HkVubhkyJg.png) ![image](https://hackmd.io/_uploads/HkBFbnyJJg.png) #### Example (Volume name): ![image](https://hackmd.io/_uploads/rkDsW21JJe.png) - Here is `compatible`, `incompatible` and `read only compatible` features flags. ![image](https://hackmd.io/_uploads/SJ-gGh11ke.png) #### Example (sparse superblock): ![image](https://hackmd.io/_uploads/rJqWfnyyyg.png) ### Group Descriptor Tables - The group descriptor table is a list of group descriptor data structures that is located in the file system block following the superblock. ![image](https://hackmd.io/_uploads/ByTXM3J1kg.png) #### Example : - Data bitmap table is in` block 3`, Inode bitmap table is in `block 4`, Inode Table is in `block 5`. ![image](https://hackmd.io/_uploads/rJzFfnyJJl.png) ### Inodes - The inode data structure is used to store the metadata for a file or directory. Inodes are located in inode tables, which are located in each of the block groups. - The basic inode data structure is `128 bytes` in size. - Inodes 1 to 10 are typically reserved and should be in an allocated state. - The journal typically uses `inode 8`. - The first user file is typically allocated in `inode 11`, and this is frequently used for the `lost+found` directory. > - you begin calc number of skip blocks to reach the inode block after 1024 of boot code. > - Like this, i skipped 4 blocks to go to block 5 which is inode block. ![image](https://hackmd.io/_uploads/HkyQmnJ1yg.png) ![image](https://hackmd.io/_uploads/BJyNXh1JJg.png) ![image](https://hackmd.io/_uploads/SyeSm211yg.png) - File mode (type and permission flags) ![image](https://hackmd.io/_uploads/HkwPmnkyJl.png) - We can get all the inode details from the `istat` command. ![image](https://hackmd.io/_uploads/SJBKQ3y1kx.png) - You can list an inode range from a block group using `ils` command. #### Example (Source of a Moved File) : - In this example we will see how to know if the file or directory is moved to another directory. - if you know the inode of a file or directory you can know in which range is located in block group. ![image](https://hackmd.io/_uploads/BkR6m3J11e.png) #### Block Pointers 1. ExtX, like UFS, was designed for efficiency of small files. Therefore, each inode can store the addresses of the first 12 direct blocks that a file has allocated. 2. If a file needs more than 12 blocks, a block is allocated to store the remaining addresses. The pointer to the block is called an indirect block pointer. 3. If a file has more blocks than can fit in the 12 direct pointers and the indirect block, a double indirect block is used. 4. Lastly, if a file needs still more space, it can use a triple indirect block pointer. A triple indirect block contains addresses of double indirect blocks, which contain addresses of single indirect blocks. ![image](https://hackmd.io/_uploads/H11Ua3kkyg.png) ### Directory Entry - Directory entries are used to store the name of a file or directory. - Root Directory is always located in `inode 2`. ![image](https://hackmd.io/_uploads/BkpZV3kkke.png) ![image](https://hackmd.io/_uploads/S1ufEnkkkx.png) ![image](https://hackmd.io/_uploads/Sy_mEhJkkg.png) ### File System Journaling - A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash. - The journal is considered a compatible file system feature. - Ext3 journal typically uses `inode 8` although its location is specified in the superblock and can exist anywhere. - The `jls` tool in TSK will list the contents of a journal. ![image](https://hackmd.io/_uploads/HJG8V21k1x.png) ![image](https://hackmd.io/_uploads/S1YUEhy1ye.png) #### Example (recover deleted file content) : ``` jls ext3-img-kw-1.dd 8 jcat ext3-img-kw-1.dd 8 2 | xxd jcat ext3-img-kw-1.dd 8 8 | dd bs=128 skip=5 count=1 | xxd ``` ![image](https://hackmd.io/_uploads/HyPIAOlykg.png) ![image](https://hackmd.io/_uploads/ByClStlJkx.png) - I find direct block pointers to block `1210` block. - So, i skipped 1209 block and the first 1024 (bootcode), and list block 1210. ![image](https://hackmd.io/_uploads/Bkay4Fe1yl.png) - when finding nothing in direct blocks, we will go to indirect blocks and extract all these blocks using `dd` then carving it using `foremost`. ``` dd bs=4096 skip=310168 count=141 if=sda6img.dd of=recover.dd # this is an example. foremost -b 4096 -o recovery -t {file-type} recover.dd ``` ### Resources 1. Brian Carrier file system forensics [<..>](https://github.com/Urinx/Books/blob/master/Forensic/File%20System%20Forensic%20Analysis.pdf) 2. Taking advantage of Ext3 journaling file system in a forensic investigation by SANS [<..>](https://sansorg.egnyte.com/dl/lFk7FPqFu6) <div style="width:100%;height:0;padding-bottom:48%;position:relative;"><iframe src="https://giphy.com/embed/hRqxN8UbaaGuA" width="100%" height="100%" style="position:absolute" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div><p><a href="https://giphy.com/gifs/remix-the-end-barton-fink-hRqxN8UbaaGuA"></a></p>