180 likes | 235 Views
Ext* Content Areas. Inodes, Directories & Files. Review. Recall …the file system metadata The superblock describes the file system The group descriptor table describes the equally sized block groups The block bitmap tracks group block allocation. Overview.
E N D
Ext* Content Areas Inodes, Directories & Files
Review • Recall …the file system metadata • The superblock describes the file system • The group descriptor table describes the equally sized block groups • The block bitmap tracks group block allocation
Overview • Today: The data metadata and contents • The inode bitmap tracks inode allocation • The inode table is a block that contains the inodes • Inode 2 is the root directory • Each inode contains metadata for, and points to, a file • Directories are just special files that point to inode table entries • File data is found in the content area blocks of the block group
Inode Contents (I) • File size (32 or 64 bit) • 1st 12 content block addresses • 1 single-indirect block address • 1 double-indirect block pointer • Group ID, user ID (not necessarily real) • chown, chgrp • User may not exist in /etc/password • Last Access, modify, change, delete times
Inode Contents (II) • Mode • File type • File, directory, named pipe, Unix socket, block & raw devices • Permissions • Special properties (sticky, SUID, SGID) • Link counter • 0 unallocated inode (or orphaned file, will be unallocated when process ends) • Many supported attributes • “don’t update the Access time for files” • Write-immediate • Append-only • Immutable • Don’t dump (backup) • Extended attributes created by the user (custom attributes)
Large Files – Indirect Pointers • With only 12 block addresses, file size is limited (in the basic case) • Single-indirection supports larger files by pointing to a block of addresses • Addresses are 4 bytes, thus each block stores blocksize / 4 address pointers • Double-indirection supports huge files by pointing to a block of single-indirection addresses • Triple-indirection points to a block of double-indirection pointers • This scheme provides efficiency for smaller files, but the ability to grow as large as space allows
Inode Usage • Inodes 1 – 10 are reserved • Inode 2 – root directory • Inode 8 – lost+found • Allocated blocks without an inode are “lost files” • These are pointed to by the lost+found inode • Inode 11 and after – content (files, directories, devices, links, mount points, etc.)
Typical Inode/File Relationship • If the inode represents a Directory • The inode points to a directory block • Each directory entry points back to an inode • If the inode represents a File • The 12 inode block addresses point to the 1st 12 blocks of the file • The single-indirect address points to a block of addresses that are the next m blocks of the file • Double-indirect address points to a block of single-indirect addresses that ultimately point to the next n blocks of the file • Triple-indirect address points to a block of double-indirect addresses
Indirection One Inode (shows pointers only) Blocks in the Group 1 Blocks 4-9 2 Single-Indirect Block 3 … Pointers to content blocks 10 11 12 Single-Indirect Double-Indirect Triple-indirect
Directory Entries • A directory is just a special type file • inode.file mode (type) = directory • Creating a directory allocates blocks of directory entries • Each block stores dynamically sized directory entries (the directory “table”), each describing a file or directory • Size of each entry is variable • Variable filename length • 8 bytes of static information • Entry size is rounded-up to a multiple of 4 • Four entry attributes • Name length (1 byte) • Filename (1-255 chars) • Inode address of the file content • Pointer to next directory entry • Unused entries are “jumped over”
Directory Example • The first two entries are always . and .. • Directory table for new directory Name Name length Record length . 1 12 .. 2 4084 • Add a file Name Name length Record length . 1 12 .. 2 12 File1.dat 8 4072 • Last entry always has the remaining length in the directory block
Directory Entries • Each entry points to the next active entry • Old.txt has been deleted the entry for F1.txt now points to F2.txt • F2.txt points to the end of the directory block F2.txt is the last file in the directory . inode 75 .. inode 26 F1.txt inode 95 Old.txt inode 35 F2.txt Inode 29
Links • Links are special types of directory entries • They point to files that already have directory entries • Hard Link • another name for the file, in same file system • The directory entries for . and .. are hard links • OS creates a new directory entry pointing to the original inode • Increments the inode link count • Soft link • another name, points to another file system • OS creates a file of the type “symbolic link” • Each “file’s” inode link count = 1 (or unchanged)
Mount Points • Mount points are special types of directory entries that virtuallyreplace the contents of a directory by redirecting the directory to another file system • FS1 has /dir1/ • FS2 mounts /dir1/ • User cd’s to /dir1 and sees the contents of FS2 • Implication for CF investigations: know where file systems are mounted, or you’ll miss the real contents of /dir1/
Inode Time Changes • Access (A-time) • File: read contents, copy, move to new volume (no change on same volume) • Dir: list contents, open file or subdirectory • Modify (M-time) • File: copy (destination only), change contents • When moving to network file system, might change ( new file) • Dir: file create/delete • Change (C-time) inode metadata • Dir: content change, permissions/ownership change • File: same as Dir, plus when moved • Delete (D-time) • Initially 0 • If D-time == C-time == M-time likely a deleted file
Analysis Considerations • Sparse blocks exist when the file allocated space, but never used it • A-Time & M-time are easily set to any value using touch • RAM slack space is typically 0’d • the only valuable slack is in unallocated blocks • De-allocated inodes are purged of size & allocation information • must analyze the unallocated blocks directly using what is known of allocation algorithms and the file system structures