Ext content areas
1 / 18

Ext* Content Areas - PowerPoint PPT Presentation

  • Uploaded on

Ext* Content Areas. Inodes, Directories & Files. Review. Recall …the file system metadata The superblock describes the file system The group descriptor table describes the equally sized block groups The block bitmap tracks group block allocation. Overview.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Ext* Content Areas' - ura

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Ext content areas

Ext* Content Areas

Inodes, Directories & Files


  • Recall …the file system metadata

    • The superblock describes the file system

    • The group descriptor table describes the equally sized block groups

    • The block bitmap tracks group block allocation


  • Today: The data metadata and contents

    • The inode bitmap tracks inode allocation

    • The inode table is a block that contains the inodes

      • Inode 2 is the root directory

    • Each inode contains metadata for, and points to, a file

    • Directories are just special files that point to inode table entries

    • File data is found in the content area blocks of the block group

Inode contents i
Inode Contents (I)

  • File size (32 or 64 bit)

  • 1st 12 content block addresses

    • 1 single-indirect block address

    • 1 double-indirect block pointer

  • Group ID, user ID (not necessarily real)

    • chown, chgrp

    • User may not exist in /etc/password

  • Last Access, modify, change, delete times

Inode contents ii
Inode Contents (II)

  • Mode

    • File type

      • File, directory, named pipe, Unix socket, block & raw devices

    • Permissions

    • Special properties (sticky, SUID, SGID)

  • Link counter

    • 0  unallocated inode (or orphaned file, will be unallocated when process ends)

  • Many supported attributes

    • “don’t update the Access time for files”

    • Write-immediate

    • Append-only

    • Immutable

    • Don’t dump (backup)

  • Extended attributes created by the user (custom attributes)

Large files indirect pointers
Large Files – Indirect Pointers

  • With only 12 block addresses, file size is limited (in the basic case)

  • Single-indirection supports larger files by pointing to a block of addresses

    • Addresses are 4 bytes, thus each block stores blocksize / 4 address pointers

  • Double-indirection supports huge files by pointing to a block of single-indirection addresses

  • Triple-indirection points to a block of double-indirection pointers

  • This scheme provides efficiency for smaller files, but the ability to grow as large as space allows

  • Inode usage
    Inode Usage

    • Inodes 1 – 10 are reserved

      • Inode 2 – root directory

      • Inode 8 – lost+found

        • Allocated blocks without an inode are “lost files”

        • These are pointed to by the lost+found inode

  • Inode 11 and after – content (files, directories, devices, links, mount points, etc.)

  • Typical inode file relationship
    Typical Inode/File Relationship

    • If the inode represents a Directory

      • The inode points to a directory block

        • Each directory entry points back to an inode

    • If the inode represents a File

      • The 12 inode block addresses point to the 1st 12 blocks of the file

      • The single-indirect address points to a block of addresses that are the next m blocks of the file

      • Double-indirect address points to a block of single-indirect addresses that ultimately point to the next n blocks of the file

      • Triple-indirect address points to a block of double-indirect addresses


    One Inode (shows pointers only)

    Blocks in the Group


    Blocks 4-9


    Single-Indirect Block


    Pointers to









    Directory entries
    Directory Entries

    • A directory is just a special type file

      • inode.file mode (type) = directory

      • Creating a directory allocates blocks of directory entries

        • Each block stores dynamically sized directory entries (the directory “table”), each describing a file or directory

    • Size of each entry is variable

      • Variable filename length

      • 8 bytes of static information

      • Entry size is rounded-up to a multiple of 4

    • Four entry attributes

      • Name length (1 byte)

      • Filename (1-255 chars)

      • Inode address of the file content

      • Pointer to next directory entry

        • Unused entries are “jumped over”

    Directory example
    Directory Example

    • The first two entries are always . and ..

    • Directory table for new directory

      Name Name length Record length

      . 1 12

      .. 2 4084

    • Add a file

      Name Name length Record length

      . 1 12

      .. 2 12

      File1.dat 8 4072

    • Last entry always has the remaining length in the directory block

    Directory entries1
    Directory Entries

    • Each entry points to the next active entry

    • Old.txt has been deleted  the entry for F1.txt now points to F2.txt

    • F2.txt points to the end of the directory block  F2.txt is the last file in the directory


    inode 75


    inode 26


    inode 95


    inode 35


    Inode 29


    • Links are special types of directory entries

      • They point to files that already have directory entries

    • Hard Link

      • another name for the file, in same file system

        • The directory entries for . and .. are hard links

      • OS creates a new directory entry pointing to the original inode

        • Increments the inode link count

    • Soft link

      • another name, points to another file system

      • OS creates a file of the type “symbolic link”

        • Each “file’s” inode link count = 1 (or unchanged)

    Mount points
    Mount Points

    • Mount points are special types of directory entries that virtuallyreplace the contents of a directory by redirecting the directory to another file system

      • FS1 has /dir1/

      • FS2 mounts /dir1/

      • User cd’s to /dir1 and sees the contents of FS2

    • Implication for CF investigations: know where file systems are mounted, or you’ll miss the real contents of /dir1/

    Inode time changes
    Inode Time Changes

    • Access (A-time)

      • File: read contents, copy, move to new volume (no change on same volume)

      • Dir: list contents, open file or subdirectory

    • Modify (M-time)

      • File: copy (destination only), change contents

        • When moving to network file system, might change ( new file)

      • Dir: file create/delete

    • Change (C-time) inode metadata

      • Dir: content change, permissions/ownership change

      • File: same as Dir, plus when moved

    • Delete (D-time)

      • Initially 0

      • If D-time == C-time == M-time  likely a deleted file

    Analysis considerations
    Analysis Considerations

    • Sparse blocks exist when the file allocated space, but never used it

    • A-Time & M-time are easily set to any value using touch

    • RAM slack space is typically 0’d

      •  the only valuable slack is in unallocated blocks

    • De-allocated inodes are purged of size & allocation information

      •  must analyze the unallocated blocks directly using what is known of allocation algorithms and the file system structures