
Ext* Content Areas

Inodes, Directories & Files


Review

  • Recall … the file system metadata

    • The superblock describes the file system

    • The group descriptor table describes the equally sized block groups

    • The block bitmap tracks group block allocation


Overview

  • Today: The data metadata and contents

    • The inode bitmap tracks inode allocation

    • The inode table is a block that contains the inodes

      • Inode 2 is the root directory

    • Each inode contains metadata for, and points to, a file

    • Directories are just special files that point to inode table entries

    • File data is found in the content area blocks of the block group

Inode Contents (I)

  • File size (32 or 64 bit)

  • 1st 12 content block addresses

    • 1 single-indirect block address

    • 1 double-indirect block pointer

  • Group ID, user ID (not necessarily real)

    • chown, chgrp

    • User may not exist in /etc/passwd

  • Last Access, modify, change, delete times

Inode Contents (II)

  • Mode

    • File type

      • File, directory, named pipe, Unix socket, block & raw devices

    • Permissions

    • Special properties (sticky, SUID, SGID)

  • Link counter

    • 0 → unallocated inode (or orphaned file, will be unallocated when process ends)

  • Many supported attributes

    • “don’t update the Access time for files”

    • Write-immediate

    • Append-only

    • Immutable

    • Don’t dump (backup)

  • Extended attributes created by the user (custom attributes)

Inode Structure (I)

Inode Structure (II)

Large Files – Indirect Pointers

  • With only 12 block addresses, file size is limited (in the basic case)

  • Single-indirection supports larger files by pointing to a block of addresses

    • Addresses are 4 bytes, thus each block stores blocksize / 4 address pointers

  • Double-indirection supports huge files by pointing to a block of single-indirection addresses

  • Triple-indirection points to a block of double-indirection pointers

  • This scheme provides efficiency for smaller files, but the ability to grow as large as space allows

Inode Usage

    • Inodes 1 – 10 are reserved

      • Inode 2 – root directory

      • Inode 8 – lost+found

        • Allocated blocks without an inode are “lost files”

        • These are pointed to by the lost+found inode

  • Inode 11 and after – content (files, directories, devices, links, mount points, etc.)

Typical Inode/File Relationship

    • If the inode represents a Directory

      • The inode points to a directory block

        • Each directory entry points back to an inode

    • If the inode represents a File

      • The 12 inode block addresses point to the 1st 12 blocks of the file

      • The single-indirect address points to a block of addresses that are the next m blocks of the file

      • Double-indirect address points to a block of single-indirect addresses that ultimately point to the next n blocks of the file

      • Triple-indirect address points to a block of double-indirect addresses
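
The pointer scheme above, worked through as an added example (not part of the original slides): it maps a logical file block to its indirection level and follows the pointers through a constructed in-memory image, treating address 0 as a sparse hole. The 15-slot pointer array, little-endian 4-byte addresses, the 1024-byte block size and every block number in the sample are assumptions.

```python
import struct

PTR_SIZE, N_DIRECT = 4, 12   # 4-byte block addresses, 12 direct pointers

def pointer_path(lbn, block_size):
    """Map a logical block number to (indirection level, index at each level)."""
    per = block_size // PTR_SIZE          # addresses held by one block
    if lbn < N_DIRECT:
        return 0, [lbn]
    lbn -= N_DIRECT
    for level in (1, 2, 3):
        if lbn < per ** level:
            idx = []
            for k in range(level - 1, -1, -1):
                idx.append(lbn // per ** k)
                lbn %= per ** k
            return level, idx
        lbn -= per ** level
    raise ValueError("beyond the triple-indirect range")

def resolve(image, i_block, lbn, block_size):
    """Follow the pointers to a physical block address; 0 means a sparse hole."""
    level, idx = pointer_path(lbn, block_size)
    if level == 0:
        return i_block[idx[0]]
    addr = i_block[N_DIRECT + level - 1]  # slots 12, 13, 14 of the pointer array
    for i in idx:
        if addr == 0:                     # whole subtree unallocated
            return 0
        (addr,) = struct.unpack_from("<I", image, addr * block_size + i * PTR_SIZE)
    return addr

def build_sample(block_size=1024):
    """Constructed image: direct blocks 4-15, single-indirect 16, double 20."""
    image = bytearray(32 * block_size)
    def put(block, index, value):
        struct.pack_into("<I", image, block * block_size + index * PTR_SIZE, value)
    put(16, 0, 17); put(16, 1, 18); put(16, 3, 19)   # index 2 left 0: a hole
    put(20, 0, 21); put(21, 0, 22)                   # double -> single -> data
    i_block = list(range(4, 16)) + [16, 20, 0]       # triple-indirect unused
    return bytes(image), i_block

if __name__ == "__main__":
    img, ptrs = build_sample()
    for n in (0, 11, 12, 14, 268):
        print(n, pointer_path(n, 1024), resolve(img, ptrs, n, 1024))
```
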


    [Figure: One Inode (shows pointers only); Blocks in the Group; Blocks 4-9; Single-Indirect Block]

    Directory Entries

    • A directory is just a special type of file

      • inode.file mode (type) = directory

      • Creating a directory allocates blocks of directory entries

        • Each block stores dynamically sized directory entries (the directory “table”), each describing a file or directory

    • Size of each entry is variable

      • Variable filename length

      • 8 bytes of static information

      • Entry size is rounded-up to a multiple of 4

    • Four entry attributes

      • Name length (1 byte)

      • Filename (1-255 chars)

      • Inode address of the file content

      • Pointer to next directory entry

        • Unused entries are “jumped over”

    Directory Example

    • The first two entries are always . and ..

    • Directory table for new directory

      Name    Name length    Record length
      .       1              12


    • Add a file

      Name    Name length    Record length
      .       1              12



    • Last entry always has the remaining length in the directory block

    Directory Entries

    • Each entry points to the next active entry

    • Old.txt has been deleted → the entry for F1.txt now points to F2.txt

    • F2.txt points to the end of the directory block → F2.txt is the last file in the directory
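
The F1.txt / Old.txt / F2.txt case above as an added example (not part of the original slides): a directory-block walker that follows the record-length chain and also reports entries left in the space the chain jumps over. The 8-byte header layout (inode, record length, name length, file type), the inode numbers and the 1024-byte block are assumptions of the constructed sample.

```python
import struct

HDR = struct.Struct("<IHBB")  # inode, record length, name length, file type

def needed(name_len):
    """8 static bytes plus the name, rounded up to a multiple of 4."""
    return (HDR.size + name_len + 3) & ~3

def read_entry(block, off):
    inode, rec_len, name_len, _ftype = HDR.unpack_from(block, off)
    name = block[off + HDR.size:off + HDR.size + name_len].decode("latin-1")
    return inode, rec_len, name

def walk(block):
    """Yield (offset, inode, name, deleted) for chained and jumped-over entries."""
    off = 0
    while off + HDR.size <= len(block):
        inode, rec_len, name = read_entry(block, off)
        if rec_len < HDR.size or off + rec_len > len(block):
            break                                  # broken chain: stop
        if inode:
            yield off, inode, name, False
        # Space past this entry's real size may hold entries the chain skips.
        pos, end = off + needed(len(name)), off + rec_len
        while pos + HDR.size <= end:
            d_inode, d_len, d_name = read_entry(block, pos)
            if not (d_inode and d_name and d_len >= HDR.size
                    and pos + needed(len(d_name)) <= end):
                break
            yield pos, d_inode, d_name, True
            pos += needed(len(d_name))
        off += rec_len

def build_sample(size=1024):
    """Constructed root-directory block: ., .., F1.txt, Old.txt (deleted), F2.txt."""
    block = bytearray(size)
    def put(off, inode, rec_len, name, ftype=1):
        HDR.pack_into(block, off, inode, rec_len, len(name), ftype)
        block[off + HDR.size:off + HDR.size + len(name)] = name.encode()
    put(0, 2, 12, ".", 2)
    put(12, 2, 12, "..", 2)
    put(24, 12, 32, "F1.txt")         # record length grown to cover Old.txt
    put(40, 13, 16, "Old.txt")        # stale bytes, skipped by the chain
    put(56, 14, size - 56, "F2.txt")  # last entry: remaining block length
    return bytes(block)

if __name__ == "__main__":
    print(*walk(build_sample()), sep="\n")
```
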


    [Figure: directory entries labelled inode 75, inode 26, inode 95, inode 35, inode 29]


    • Links are special types of directory entries

      • They point to files that already have directory entries

    • Hard Link

      • another name for the file, in same file system

        • The directory entries for . and .. are hard links

      • OS creates a new directory entry pointing to the original inode

        • Increments the inode link count

    • Soft link

      • another name, points to another file system

      • OS creates a file of the type “symbolic link”

        • Each “file’s” inode link count = 1 (or unchanged)

    Mount Points

    • Mount points are special types of directory entries that virtually replace the contents of a directory by redirecting the directory to another file system

      • FS1 has /dir1/

      • FS2 mounts /dir1/

      • User cd’s to /dir1 and sees the contents of FS2

    • Implication for CF investigations: know where file systems are mounted, or you’ll miss the real contents of /dir1/

    Inode Time Changes

    • Access (A-time)

      • File: read contents, copy, move to new volume (no change on same volume)

      • Dir: list contents, open file or subdirectory

    • Modify (M-time)

      • File: copy (destination only), change contents

        • When moving to network file system, might change (→ new file)

      • Dir: file create/delete

    • Change (C-time) inode metadata

      • Dir: content change, permissions/ownership change

      • File: same as Dir, plus when moved

    • Delete (D-time)

      • Initially 0

      • If D-time == C-time == M-time → likely a deleted file
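
The inode fields and the D-time rule above as an added example (not part of the original slides): it decodes the head of a raw inode, renders the mode (type, permissions, SUID/SGID/sticky) and applies the link-count and D-time checks. The 28-byte little-endian field order, the 128-byte inode size and all sample values are assumptions of the constructed data.

```python
import stat
import struct

# First 28 bytes of an on-disk inode, little-endian (ext2 layout, assumed here).
HEAD = struct.Struct("<HHIIIIIHH")
FIELDS = ("mode", "uid", "size", "atime", "ctime", "mtime", "dtime", "gid", "links")
SPECIAL = (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID), ("sticky", stat.S_ISVTX))

def parse_inode(raw):
    """Decode owner, size, times, link count, and the mode's type/permissions."""
    ino = dict(zip(FIELDS, HEAD.unpack_from(raw)))
    ino["perm"] = stat.filemode(ino["mode"])      # e.g. "-rwsr-xr-x"
    ino["special"] = [name for name, bit in SPECIAL if ino["mode"] & bit]
    return ino

def triage(ino):
    """Apply the link-count and D-time rules from the slides."""
    # dtime != 0 is an added guard so never-used (all-zero) inodes do not match.
    if ino["dtime"] and ino["dtime"] == ino["ctime"] == ino["mtime"]:
        return "likely deleted"
    if ino["links"] == 0:
        return "unallocated or orphaned"
    return "allocated"

def sample(mode, uid, links, atime, ctime, mtime, dtime=0, size=4096, gid=0):
    """Build a constructed 128-byte inode for the demonstration."""
    head = HEAD.pack(mode, uid, size, atime, ctime, mtime, dtime, gid, links)
    return head.ljust(128, b"\0")

T = 1_700_000_000  # constructed epoch seconds
SAMPLES = {
    "suid_binary": sample(0o104755, 0, 1, T + 50, T, T),
    "deleted_file": sample(0o100644, 1000, 0, T, T + 900, T + 900, dtime=T + 900),
    "orphan": sample(0o100600, 1000, 0, T, T, T),
    "directory": sample(0o041777, 0, 3, T, T, T),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ino = parse_inode(raw)
        print(name, ino["perm"], ino["special"], triage(ino))
```
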

    Analysis Considerations

    • Sparse blocks exist when the file allocated space, but never used it

    • A-Time & M-time are easily set to any value using touch

    • RAM slack space is typically 0’d

      • → the only valuable slack is in unallocated blocks

    • De-allocated inodes are purged of size & allocation information

      • → must analyze the unallocated blocks directly using what is known of allocation algorithms and the file system structures
