1 / 18

Understanding File System Metadata and Structure

Explore the essentials of file system metadata, structure, and allocation, including inodes, directories, files, and their relationships. Learn about inode contents, usage, large files, and indirection pointers for efficient data storage.

quin-elliott
Download Presentation

Understanding File System Metadata and Structure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ext* Content Areas Inodes, Directories & Files

  2. Review • Recall …the file system metadata • The superblock describes the file system • The group descriptor table describes the equally sized block groups • The block bitmap tracks group block allocation

  3. Overview • Today: The data metadata and contents • The inode bitmap tracks inode allocation • The inode table is a block that contains the inodes • Inode 2 is the root directory • Each inode contains metadata for, and points to, a file • Directories are just special files that point to inode table entries • File data is found in the content area blocks of the block group

  4. Inode Contents (I) • File size (32 or 64 bit) • 1st 12 content block addresses • 1 single-indirect block address • 1 double-indirect block pointer • Group ID, user ID (not necessarily real) • chown, chgrp • User may not exist in /etc/password • Last Access, modify, change, delete times

  5. Inode Contents (II) • Mode • File type • File, directory, named pipe, Unix socket, block & raw devices • Permissions • Special properties (sticky, SUID, SGID) • Link counter • 0  unallocated inode (or orphaned file, will be unallocated when process ends) • Many supported attributes • “don’t update the Access time for files” • Write-immediate • Append-only • Immutable • Don’t dump (backup) • Extended attributes created by the user (custom attributes)

  6. Inode Structure (I)

  7. Inode Structure (II)

  8. Large Files – Indirect Pointers • With only 12 block addresses, file size is limited (in the basic case) • Single-indirection supports larger files by pointing to a block of addresses • Addresses are 4 bytes, thus each block stores blocksize / 4 address pointers • Double-indirection supports huge files by pointing to a block of single-indirection addresses • Triple-indirection points to a block of double-indirection pointers • This scheme provides efficiency for smaller files, but the ability to grow as large as space allows

  9. Inode Usage • Inodes 1 – 10 are reserved • Inode 2 – root directory • Inode 8 – lost+found • Allocated blocks without an inode are “lost files” • These are pointed to by the lost+found inode • Inode 11 and after – content (files, directories, devices, links, mount points, etc.)

  10. Typical Inode/File Relationship • If the inode represents a Directory • The inode points to a directory block • Each directory entry points back to an inode • If the inode represents a File • The 12 inode block addresses point to the 1st 12 blocks of the file • The single-indirect address points to a block of addresses that are the next m blocks of the file • Double-indirect address points to a block of single-indirect addresses that ultimately point to the next n blocks of the file • Triple-indirect address points to a block of double-indirect addresses

  11. Indirection One Inode (shows pointers only) Blocks in the Group 1 Blocks 4-9 2 Single-Indirect Block 3 … Pointers to content blocks 10 11 12 Single-Indirect Double-Indirect Triple-indirect

  12. Directory Entries • A directory is just a special type file • inode.file mode (type) = directory • Creating a directory allocates blocks of directory entries • Each block stores dynamically sized directory entries (the directory “table”), each describing a file or directory • Size of each entry is variable • Variable filename length • 8 bytes of static information • Entry size is rounded-up to a multiple of 4 • Four entry attributes • Name length (1 byte) • Filename (1-255 chars) • Inode address of the file content • Pointer to next directory entry • Unused entries are “jumped over”

  13. Directory Example • The first two entries are always . and .. • Directory table for new directory Name Name length Record length . 1 12 .. 2 4084 • Add a file Name Name length Record length . 1 12 .. 2 12 File1.dat 8 4072 • Last entry always has the remaining length in the directory block

  14. Directory Entries • Each entry points to the next active entry • Old.txt has been deleted  the entry for F1.txt now points to F2.txt • F2.txt points to the end of the directory block  F2.txt is the last file in the directory . inode 75 .. inode 26 F1.txt inode 95 Old.txt inode 35 F2.txt Inode 29

  15. Links • Links are special types of directory entries • They point to files that already have directory entries • Hard Link • another name for the file, in same file system • The directory entries for . and .. are hard links • OS creates a new directory entry pointing to the original inode • Increments the inode link count • Soft link • another name, points to another file system • OS creates a file of the type “symbolic link” • Each “file’s” inode link count = 1 (or unchanged)

  16. Mount Points • Mount points are special types of directory entries that virtuallyreplace the contents of a directory by redirecting the directory to another file system • FS1 has /dir1/ • FS2 mounts /dir1/ • User cd’s to /dir1 and sees the contents of FS2 • Implication for CF investigations: know where file systems are mounted, or you’ll miss the real contents of /dir1/

  17. Inode Time Changes • Access (A-time) • File: read contents, copy, move to new volume (no change on same volume) • Dir: list contents, open file or subdirectory • Modify (M-time) • File: copy (destination only), change contents • When moving to network file system, might change ( new file) • Dir: file create/delete • Change (C-time) inode metadata • Dir: content change, permissions/ownership change • File: same as Dir, plus when moved • Delete (D-time) • Initially 0 • If D-time == C-time == M-time  likely a deleted file

  18. Analysis Considerations • Sparse blocks exist when the file allocated space, but never used it • A-Time & M-time are easily set to any value using touch • RAM slack space is typically 0’d •  the only valuable slack is in unallocated blocks • De-allocated inodes are purged of size & allocation information •  must analyze the unallocated blocks directly using what is known of allocation algorithms and the file system structures

More Related