Unix File Systems - Santa Clara University's School of
Download
Report
Transcript Unix File Systems - Santa Clara University's School of
Computer Forensics
COEN 252
File systems can be extent-based
Or, file systems can be inode-based
Unix file systems usually come in two layers:
◦ E.g. NTFS
◦ Storage space is allocated in extents, large sets of
contiguous blocks
◦ Metadata often located in a single, central database such
as the MFT in NTFS
◦ UNIX and derivatives
◦ More flexible, but more overhead
Disk layout
Veneer layer
◦ Allows splitting kernel into file-system dependent and
non-file system dependent part
Allocation of disk space to files is done with
blocks.
Choice of block size is fundamental
◦ Block size small: Needs to store much location
information
◦ Block size large: Disk capacity wasted in partially
used blocks (at the end of file)
Typical Unix block sizes are 4KB and 8KB
Inodes are fixed sized metadata describing
the layout of a file
Inode structure:
◦ i_mode (directory IFDIR, block special file (IFBLK), character
special file (IFCHR), or regular file (IFREG)
◦ i_nlink
◦ i_uid (user id)
◦ i_gid (group id)
◦ i_size (file size in bytes)
◦ i_addr (an array that holds addresses of blocks)
◦ i_mtime (modification time & date)
◦ i_atime (access time & date)
Metadata in Inode is space-limited
◦ Number of block addresses in a single inode only
suffices for small files
◦ Use (single and double) indirect inodes to find
space for all blocks in a file
Unix File Systems use inode numbers to refer
internally to files.
◦ Classical Unix used a file table to mediate between users
and their open files.
◦ File table have references to the inodes of open files.
General design
◦ Need to find free blocks: e.g. block bitmap
◦ Need to find free inodes: e.g. inode bitmap
◦ Inodes are located often in a designated area of the disk
partition. (Inode Table)
◦ Data blocks often located in a designated area of the disk
partition.
◦ Since this can create long actuator movements between
metadata lookup and data block lookup, use Block Groups
in EXT2
Divide partition in groups, where each group has this structure
On-Disk Layout.
Superblock
contains data on
the file system.
Disk Layout not uniform.
Ext2 (Linux) file system layout.
Overview
Ext superblock:
◦ Located 1024 B from start of the file system.
◦ Backups of superblock are usually stored in the first
block of each block group.
◦ Contains basic information:
Block size
Total number of blocks
Number of reserved blocks
Byte
Description
0-3B
Number of inodes in file system
4-7B
Number of blocks in file system
8-11B
Number of blocks reserved to prevent file system from filling up
12-15B
Number of unallocated blocks.
16-19B
Number of unallocated inodes.
20-23B
Block where block group 0 starts
24-27B
Block size. (Saved as the number of places to shift 1,024 to the left).
28-31B
Fragment size. (Saved as the number of places to shift 1,024 to the left).
32-35B
Number of blocks in each group.
36-39B
Number of fragments in each block group
40-43B
Number of inodes in each block group.
44-47B
Last mount time.
48-51B
Last written time.
52-53B
Current mount time.
54-55B
Maximum mount count
Byte
Description
56-57B
Signature 0xef53
58-59B
File system state
60-61B
Error handling method
62-63B
Minor Version
64-67B
Last consistency check time.
68-71B
Interval between forced consistency checks
72-75B
Creator OS
76-79B
Major version
80-81B
UID that can use reserved blocks.
82-83B
GID that can use reserved blocks.
84-87B
First non-reserved inode in file system
88-89B
Size of each inode structure
90-91B
Block group that this superblock is part of (if this is the backup copy)
92-95B
Compatibility feature flags
96-99B
Incompatibile feature flags
Byte
Description
100-103
Read only feature flags
104-119
File system ID
120-135
Volume name
136-199
Path were last mounted on
200-203
Algorithm usage bitmap
204
Number of blocks to preallocate for files.
205
Number of blocks to preallocate for directories
208-223
Journal ID
224-227
Journal Inode
228-231
Journal device
232-235
Head of orphan inode list
2361023
Unused
Group Descriptor Table
◦ In the block following superblock
◦ Describes all block groups in the system
Group
◦
◦
◦
◦
◦
◦
Descriptor Table Entries
0-3 starting block address of block bitmap
4-7 starting block address of inode bitmap
8-11 starting block address of inode table
12-13 number of unallocated blocks in group
14-15 number of unallocated inodes in group
16-17 number of directories in group
Total number of blocks includes Reserved
area and all groups.
Blocks per group determines size of group.
Block Group Descriptor Table
◦ Located in block following the superblock
◦ Basic layout of a block group:
◦ Block bitmap takes exactly one block.
◦ Inode bitmap manages allocation status of
inodes.
Number of blocks = bits in bitmap = bits in a block
(namely the bitmap block).
◦ Size of block determines number of blocks in a block
group!
Inode bitmap starting address contained in block
descriptor table.
Size of Inode bitmap given by #inodes per group
divided by 8.
Block group descriptor table gives starting block
for inode table.
Size of inode table = 128B * number of inodes.
Boot Code
◦ If exists, will be in the 1024B before the
superblock.
Many Linux systems have a boot loader in the
MBR.
◦ In this case, there will be no additional boot code.
Data stored in blocks.
◦ Typical block sizes are 1,024B; 2048B; or 4096B
Allocation status of a block determined by
the group’s block bitmap
Analyzing content:
◦ Locate any block
◦ Read its contents
◦ Determine its allocation status
First block starts in the first sector of the file
system. Block size is given by superblock.
Determining allocation status:
◦ Determine the block group to which the block
belongs.
◦ Locate the groups entry in the group descriptor
table to find out where the block bitmap is stored.
◦ Process the block bitmap to find out whether this
block is allocated or not.
To find all unallocated blocks:
◦ Systematically go through the block bitmap and
look for 0 bit entries.
◦ Status of reserved sectors at the beginning is less
clear since there are no bitmap entries for them.
Metadata is stored in the inode data
structure.
All inodes have the same size specified in the
superblock.
Inodes have addresses starting with 1.
Inodes in each group are in a table with
address given by the group descriptor.
group = (inode – 1) / INODES_PER_GROUP
Inodes 1 – 10 are typically reserved.
Superblock has the value of the first nonreserved inode.
◦
◦
◦
◦
Inode 1 keeps track of bad blocks.
Inode 2 contains the root directory
Journal uses Inode 8
First user file in Inode 11, typically for lost+found
Inode can store the address of the first 12
data blocks of a file.
For larger files, we use double indirect and
triple indirect block pointers
Allocation Algorithms
◦ Block group:
Non-directories are allocated in the same block group as
parent directory, if possible.
Directory entries are put into underutilized groups.
◦ Contents of allocated inode are cleared and MAC
times set to the current system time.
◦ Deleted files have their inode link value
decremented.
If the link value is zero, then it is unallocated.
If a process still has the file open, it becomes an orphan
file and is linked to the superblock.
Inode Structure
◦
◦
◦
◦
◦
◦
◦
0-1 File Mode (type and permissions)
2-3 Lower 16 bits of user ID
4-7 Lower 32 bits of size in bytes
8-11 Access Time
12-15 Change Time
16-19 Modification Time
20-23 Deletion Time
Inode Structure
◦
◦
◦
◦
◦
◦
◦
◦
24-25 Lower 16 bits of group ID
26-27 Link count
28-31 Sector count
32-35 Flags
36-39 Unused
40 – 87 12 direct block pointers
88-91 1 single indirect block pointer
92-95 1 double indirect block pointer
Inode Structure
◦
◦
◦
◦
◦
◦
96-99 1 indirect block pointer
100 – 103 Generation number (NFS)
104 – 107 Extended attribute block
108 – 111 Upper 32 bits of size / Directory ACL
112 – 115 Block address of fragment
116 Fragment index in block
Inode Structure
◦
◦
◦
◦
◦
117
118
120
122
124
Fragment Size
– 119 Unused
– 121 Upper 16 bits of user ID
– 123 Upper 16 bits of group ID
– 127 Ununsed
Inode Structure
◦ Permission flags of the file mode field
0x001
0x002
0x004
0x008
0x010
0x020
0x040
0x080
0x100
Other – execute permission
Other – write permission
Other – read permission
Group – execute permission
Group – write permission
Group – read permission
User – execute permission
User – write permission
User – read permission
Inode Structure
◦ Flags for bits 9 – 11 of the file mode field
0x200 Sticky bit (save text image)
0x400 Set Group ID
0x800 Set User ID
Inode Structure
◦ File mode field
These are values not flags
0x1000 FIFO
0x2000 Character device
0x4000 Directory
0x6000 Block device
0x8000 Regular file
0xA000 Symbolic link
0xC000 Unix socket
Time Values
◦ Are stored as seconds since January 1, 1970,
Universal Standard Time
◦ Get ready for the Year 2038 problem.
Linux updates (in general)
◦ A-time, when the content of file / directory is
read.
For a file:
If a process reads the file.
When the file is copied.
When the file is moved to a new volume.
But not if the file is moved within a volume.
For a directory
When a directory listing is done.
When a file or subdirectory is opened.
Linux updates (in general)
◦ M-time, when the content of file / directory is
modified.
For a file:
If file contents change.
For a directory
When a file is created or deleted inside the directory.
When a file is copied, the M-time is not changed.
However, when a file is copied to a network drive, the
network server might consider it a new file and reset the Mtime to the current time.
Linux updates (in general)
◦ C-time corresponds to the last inode change.
When file / directory is created.
When permissions change.
When contents change.
◦ D-time is set only if a file is deleted.
When a file is created, then D-time is set to 0.
Unallocated inodes contain temporary data.
◦ M-, C-, D-time values might show when the file
was deleted.
Users can change A- and M-time with the
touch command.
Linux fills slack space (unused bytes of block)
with zeroes.
Data from deleted files will only exist in
unallocated blocks.
File size and allocated blocks will probably be
wiped from unallocated inode entries.
Linux file hiding technique:
◦ Have a process open a file for reading or writing.
◦ Delete the file name.
◦ Link count for the inode is zero, but inode is not
unallocated.
◦ The file system should add the orphan inode to a
list in the superblock.
Directory Structure
◦ A directory entry consists of
A variable length name.
The inode number with the metadata of the entry.
◦ The original byte allocation is as follows:
0-3
4-5
6-7
8-
Inode value
Length of entry
Length of name
Name in ASCII
Directory Structure
◦ The improved byte allocation is as follows:
0-3 Inode value
4-5 Length of entry
6 Length of name (up to 255 now)
7 File type
0 unknown
1
2
3
4
5
6
7
regular file
directory
character device
block device
FIFO
Unix Socket
Symbolic link
8- Name in ASCII
The record entry length allows the file
system to find the next entry in a
directory.
If a directory entry is deleted, then the
previous entries length is increased.
When FS is created, a Linux user can decide
to use hash trees instead.
◦ Directory entries are no longer in an unsorted list.
◦ A directory using a hash tree contains multiple
blocks, the nodes in the tree.
First block contains the “.” and “..” directory entries.
Links
◦ Hard link: an additional file/directory name.
Implemented by another directory entry pointing to the
same inode.
Link count in inode is incremented.
Directory link count is 2 + number of subdirectories
File system cannot distinguish between the first and
the second name of file.
Links
◦ Soft link: an additional file/directory name.
Implemented by a directory entry pointing to
another inode.
Inode points to a file, that contains the path to the
original file.
Mount Point Example
◦ FS1 has directory /dir1.
◦ If FS2 is mounted on /dir1 and a user changed into
/dir1, then only FS2 is shown.
EXT hiding technique uses a directory
(containing the files to be hidden) as a mount
point.
Forensics tools tend to not give mount
points.
◦ Consequentially, this hiding technique falls flat for
forensics tools.
EXT3 journal located at inode 8 (typically)
Journal records transactions
◦ Block updates about to occur.
◦ Log of update after the fact.
Two modes:
◦ Only metadata blocks are journaled.
◦ Metadata and data blocks are journaled.
Ext3 Journal gives additional information
about recent events.
http://www.nondot.org/sabre/os/files/FileSy
stems/ext2fs/
http://www.nongnu.org/ext2-doc/
Maintaining consistency in file systems after a
crash is difficult
◦ 1970s: Possible to read complete file system metadata
and piece it together
Log Structured File System (Osterhoot,
Mendelbaum, 1990)
◦ Maintain all data, including metadata in a single log
◦ Only write to the end of the log
◦ Currently not used, but idea appears always attractive
Journaling File System
◦ Maintain a log of all metadata changes.
◦ After a crash, find point in journal where the file system
was consistent, then roll forward from there
Forensic potential of journaling file systems has not yet been
realized
The Coroner’s Toolkit (TCT)
◦ http://www.porcupine.org/forensics/tct.html
grave-robber
pcat, ils, icat, file
unrm and lazarus
Mactime
TCTUtils (Brian Carrier)
Sleuth Kit (Brian Carrier)
Autopsy Forensics Browser
Commercial tools (Encase, FTK, … )
◦ http://www.digital-evidence.org/index.html
◦ http://www.sleuthkit.org/sleuthkit/desc.php
◦ GUI for TCT and TCTUtils
◦ http://www.sleuthkit.org/autopsy/desc.php