Ext2 and Ext3 Structure

Superblock structure

• ExtX uses the superblock to store the basic file system category data. It is located 1,024 bytes from the start of the file system and has 1,024 bytes allocated to it.
• contains basic information, such as the block size, the total number of blocks, the number of blocks per block group, and the number of reserved blocks before the first block group, total number of inodes and the number of inodes per block group, ….

Example (Volume name):

• Here is compatible, incompatible and read only compatible features flags.

Example (sparse superblock):

Group Descriptor Tables

• The group descriptor table is a list of group descriptor data structures that is located in the file system block following the superblock.

Example :

• Data bitmap table is in block 3, Inode bitmap table is in block 4, Inode Table is in block 5.

Inodes

• The inode data structure is used to store the metadata for a file or directory. Inodes are
  located in inode tables, which are located in each of the block groups.
• The basic inode data structure is 128 bytes in size.
• Inodes 1 to 10 are typically reserved and should be in an allocated state.
• The journal typically uses inode 8.
• The first user file is typically allocated in inode 11, and this is frequently used for the lost+found directory.

• you begin calc number of skip blocks to reach the inode block after 1024 of boot code.
• Like this, i skipped 4 blocks to go to block 5 which is inode block.

• File mode (type and permission flags)

• We can get all the inode details from the istat command.

• You can list an inode range from a block group using ils command.

Example (Source of a Moved File) :

• In this example we will see how to know if the file or directory is moved to another directory.
• if you know the inode of a file or directory you can know in which range is located in block group.

Block Pointers

1. ExtX, like UFS, was designed for efficiency of small files. Therefore, each inode can store the addresses of the first 12 direct blocks that a file has allocated.
2. If a file needs more than 12 blocks, a block is allocated to store the remaining addresses. The pointer to the block is called an indirect block pointer.
3. If a file has more blocks than can fit in the 12 direct pointers and the indirect block, a double
   indirect block is used.
4. Lastly, if a file needs still more space, it can use a triple indirect block pointer. A triple indirect block contains addresses of double indirect blocks, which contain addresses of single indirect blocks.

Directory Entry

• Directory entries are used to store the name of a file or directory.
• Root Directory is always located in inode 2.

File System Journaling

• A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash.
• The journal is considered a compatible file system feature.
• Ext3 journal typically uses inode 8 although its location is specified in the superblock and can exist anywhere.
• The jls tool in TSK will list the contents of a journal.

Example (recover deleted file content) :

jls ext3-img-kw-1.dd 8 
jcat ext3-img-kw-1.dd 8 2 | xxd
jcat ext3-img-kw-1.dd  8 8 | dd bs=128 skip=5 count=1 | xxd

• I find direct block pointers to block 1210 block.
• So, i skipped 1209 block and the first 1024 (bootcode), and list block 1210.

• when finding nothing in direct blocks, we will go to indirect blocks and extract all these blocks using dd then carving it using foremost.

dd bs=4096 skip=310168 count=141 if=sda6img.dd  of=recover.dd  # this is an example.
foremost -b 4096 -o recovery -t {file-type} recover.dd

Resources

1. Brian Carrier file system forensics <..>
2. Taking advantage of Ext3 journaling file system in a forensic investigation by SANS <..>