EXT (extended file system)
EXT
EXT is a family of file systems, used mainly in Linux, named ext2, ext3 and ext4, with ext4 being the latest and the one most used today. Ext takes its design from UFS (universal file system), which was designed to be fast and to work well with small files, since in Linux everything is a file. Ext file systems are divided into groups, each of which has its own copy of the superblock, its own group metadata (called a group descriptor) and its own inode table. All groups are the same size except the last group, and the group size is described in the superblock, which holds the metadata for the whole file system.
Superblock
The layout of the Ext file system is stored in the superblock, which is at the beginning of the file system. It contains information such as the block size (blocks are groups of consecutive sectors, like clusters in NTFS), the total number of blocks and the number of blocks per group. The superblock is located 1024 bytes from the start of the file system; it contains no boot code, only configuration data about the file system. Backup copies of it are kept in other locations in the file system, because a single copy would be a single point of failure: if it were corrupted the file system could not be loaded correctly and would be hard to recover. These backup copies are normally stored in the first block of each group, so the number of backups will normally equal the number of groups, but this can differ. The superblock also keeps allocation information, such as the number of free blocks and the number of free inodes (discussed later), which is used when a block or inode is allocated.
Groups
As discussed earlier, in Ext the file system is split into groups and each group has a group descriptor. A group is like a self-contained file system: it has all of its own data, such as file content, an inode table, an inode bitmap (which records which inodes are allocated) and a block bitmap. The locations of these can be found in the group descriptor, which in turn is located from the superblock. Block bitmaps contain a 1 or a 0 for each block, depending on whether the block corresponding to that bit position is allocated or not. This is used to find where data can be allocated, and the inode bitmap works the same way for inodes.
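To make the superblock and group layout concrete, here is an added worked example (not code from the original post) that parses the primary superblock of a tiny constructed ext image, derives the number of groups, the first block of each group (where the backup superblocks normally sit), the size of each group's inode table, and tests a bit in a block bitmap. The field offsets are the standard little-endian ext2/3/4 superblock offsets; the sample image, its numbers and the function names are constructed for this example.

```python
import struct

EXT_MAGIC = 0xEF53          # s_magic, at byte 56 of the superblock
SUPERBLOCK_OFFSET = 1024    # the primary superblock starts 1024 bytes into the file system
SUPERBLOCK_SIZE = 1024


def parse_superblock(image: bytes) -> dict:
    """Decode the superblock fields that describe the block and group layout.

    Offsets follow the on-disk ext2/3/4 superblock; every field is little-endian.
    """
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too small to contain a superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext file system (magic 0x{magic:04x})")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    free_blocks, free_inodes, first_data_block, log_block_size = struct.unpack_from("<IIII", sb, 12)
    blocks_per_group, _clusters_per_group, inodes_per_group = struct.unpack_from("<III", sb, 32)
    (rev_level,) = struct.unpack_from("<I", sb, 76)
    # s_inode_size only exists from revision 1 on; revision 0 always used 128-byte inodes
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    block_size = 1024 << log_block_size
    # every group is blocks_per_group long except the last one, so round up
    group_count = -(-(blocks_count - first_data_block) // blocks_per_group)
    return {
        "block_size": block_size,
        "blocks_count": blocks_count,
        "inodes_count": inodes_count,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "inode_size": inode_size,
        "group_count": group_count,
    }


def group_first_block(info: dict, group: int) -> int:
    """First block of a group; a backup superblock normally lives here."""
    return info["first_data_block"] + group * info["blocks_per_group"]


def group_block_count(info: dict, group: int) -> int:
    """Number of blocks in a group (only the last group can be shorter)."""
    return min(info["blocks_per_group"], info["blocks_count"] - group_first_block(info, group))


def group_first_blocks(info: dict) -> list:
    return [group_first_block(info, g) for g in range(info["group_count"])]


def inode_table_blocks(info: dict) -> int:
    """Blocks occupied by one group's inode table: inodes per group times inode size."""
    table_bytes = info["inodes_per_group"] * info["inode_size"]
    return -(-table_bytes // info["block_size"])


def block_is_allocated(bitmap: bytes, index: int) -> bool:
    """ext bitmaps are little-endian bit arrays: bit n is bit (n % 8) of byte (n // 8)."""
    return bool((bitmap[index // 8] >> (index % 8)) & 1)


def build_sample_image() -> bytes:
    """Constructed 2 KiB image holding only a superblock (1 KiB blocks, 3 groups)."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<II", sb, 0, 6144, 20000)          # inodes_count, blocks_count
    struct.pack_into("<IIII", sb, 12, 15000, 6000, 1, 0)  # free blocks, free inodes, first data block, log block size
    struct.pack_into("<III", sb, 32, 8192, 8192, 2048)    # blocks/group, clusters/group, inodes/group
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<I", sb, 76, 1)                     # revision 1: s_inode_size is valid
    struct.pack_into("<H", sb, 88, 256)                   # inode size
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    info = parse_superblock(build_sample_image())
    print(info)
    print("group starts:", group_first_blocks(info))
    print("last group size:", group_block_count(info, info["group_count"] - 1))
    print("inode table blocks per group:", inode_table_blocks(info))
```

On a real image the same parser applies to a raw partition dump (the data after byte 1024 is the superblock regardless of block size), and each backup copy can be checked against the primary with the same function to spot a corrupted or tampered primary superblock.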
Forensics importance
This matters for forensics because groups are isolated from each other. If a file is unallocated in a group that has little activity, its data may remain for a long time, because the data blocks the file occupied are unlikely to be written to again soon, so an investigator can find data in the unallocated space that may be important to the investigation. However, with newer hardware such as SSDs that support the TRIM and discard commands this is unlikely to be the case, because the blocks will be completely erased with a single command.
Inodes
An inode is allocated to every file and directory and describes the metadata of the file or directory, such as its name and permissions. Current versions of EXT use 64-byte inodes, while older EXT file systems use 32-byte inodes; in either case the inode size is described in the superblock of the file system. Ownership information for the file that the inode describes uses user ids and group ids, such as user id 0 for a file owned by root. The type of file is stored in the inode's Mode field. This is an important field because everything is a file in Linux, so there can be multiple file types, such as a socket file, a pipe file or a directory file, that need to be handled differently. Depending on the size of the file, different types of block pointers are used: an inode can only point to 12 data blocks directly because of its size, so if the file occupies more than 12 blocks it has to use an indirect pointer. An indirect pointer is a pointer to another block of pointers that in turn point to the data, and further levels of indirection can be used depending on the size of the file.
In addition to the file type, the inode contains permissions such as read, write and execute, and can have special permissions such as the sticky bit or the SUID bit. The link count is interesting because it equals the number of file names that point to the inode; when this count reaches 0 and no application has the file open, the file is unallocated. This means that even if the link count is 0 the data may still be recoverable if an application had the file open.
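The following added example (not code from the original post) decodes the classic 128-byte part of an ext inode from a constructed byte string: the file type and permission bits of the Mode field (including SUID, SGID and sticky), owner, link count and deletion time, and then walks the 12 direct pointers plus the single, double and triple indirect trees to list a file's data blocks. The sample inode, the in-memory "disk" holding one indirect block, and the function names are assumptions made for this example; the field offsets and mode bit values are the standard ext ones.

```python
import struct

S_IFMT = 0xF000
FILE_TYPES = {
    0xC000: "socket", 0xA000: "symlink", 0x8000: "regular file", 0x6000: "block device",
    0x4000: "directory", 0x2000: "char device", 0x1000: "fifo",
}
DIRECT_POINTERS = 12   # i_block[0..11] are direct; [12], [13], [14] are single/double/triple indirect


def permission_string(mode: int) -> str:
    """Render the low 12 mode bits like ls -l, e.g. 0o4755 -> 'rwsr-xr-x'."""
    out = list("".join("rwxrwxrwx"[i] if mode & (1 << (8 - i)) else "-" for i in range(9)))
    if mode & 0o4000:            # SUID
        out[2] = "s" if out[2] == "x" else "S"
    if mode & 0o2000:            # SGID
        out[5] = "s" if out[5] == "x" else "S"
    if mode & 0o1000:            # sticky bit
        out[8] = "t" if out[8] == "x" else "T"
    return "".join(out)


def parse_inode(raw: bytes) -> dict:
    """Decode the fields of interest from a 128-byte ext inode (little-endian)."""
    mode, uid, size_lo = struct.unpack_from("<HHI", raw, 0)
    (dtime,) = struct.unpack_from("<I", raw, 20)      # deletion time, 0 while allocated
    gid, links = struct.unpack_from("<HH", raw, 24)
    block = list(struct.unpack_from("<15I", raw, 40))  # i_block[15]
    return {
        "type": FILE_TYPES.get(mode & S_IFMT, "unknown"),
        "perms": permission_string(mode),
        "uid": uid, "gid": gid, "size": size_lo, "links": links, "dtime": dtime,
        "direct": block[:DIRECT_POINTERS],
        "indirect": block[DIRECT_POINTERS:],           # single, double, triple
    }


def data_blocks(inode: dict, read_block, block_size: int) -> list:
    """List a file's data block numbers in file order.

    Direct pointers come first, then the single, double and triple indirect trees.
    A 0 in the result is a hole (no block allocated for that part of the file).
    """
    needed = -(-inode["size"] // block_size)   # blocks the file occupies, rounded up
    per_block = block_size // 4                # 32-bit block numbers per indirect block
    out = []

    def walk(ptr, level):
        if len(out) >= needed:
            return
        if level == 0:
            out.append(ptr)
        elif ptr == 0:
            # a zero indirect pointer means the whole subtree is a hole
            out.extend([0] * min(per_block ** level, needed - len(out)))
        else:
            for p in struct.unpack(f"<{per_block}I", read_block(ptr)):
                walk(p, level - 1)

    for p in inode["direct"]:
        walk(p, 0)
    for level, p in enumerate(inode["indirect"], start=1):
        walk(p, level)
    return out


def max_file_blocks(block_size: int) -> int:
    """How many data blocks the 12 + 3 indirect pointers can reach at a given block size."""
    n = block_size // 4
    return DIRECT_POINTERS + n + n ** 2 + n ** 3


# Constructed sample: a 14 KiB SUID root-owned regular file with two names (links == 2).
# Blocks 100..111 are direct; block 200 is a single-indirect block pointing at 112 and 113.
def build_sample_inode() -> bytes:
    raw = bytearray(128)
    struct.pack_into("<HHI", raw, 0, 0x8000 | 0o4755, 0, 14 * 1024)
    struct.pack_into("<HH", raw, 24, 0, 2)
    struct.pack_into("<15I", raw, 40, *range(100, 112), 200, 0, 0)
    return bytes(raw)


SAMPLE_DISK = {200: struct.pack("<256I", 112, 113, *([0] * 254))}   # constructed, 1 KiB blocks


def read_sample_block(blocknr: int) -> bytes:
    return SAMPLE_DISK[blocknr]


if __name__ == "__main__":
    ino = parse_inode(build_sample_inode())
    print(ino["type"], ino["perms"], "uid", ino["uid"], "links", ino["links"])
    print("data blocks:", data_blocks(ino, read_sample_block, 1024))
    print("max blocks reachable with 1 KiB blocks:", max_file_blocks(1024))
```

For a forensic reading, an inode with links == 0 but dtime == 0 is the "still open when unlinked" case the text describes, and its block pointers can still be followed with data_blocks as long as the file system has not reused them.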
Inode tables
There is one inode table in each group; it describes the locations of the files in the group and the file names. The size of the inode table is (number of blocks in group * size of inode) in bits, and it is normally stored after the inode bitmap.
Journal
The journal can be useful because it holds recent events, and the location of the journal is given in the superblock. The journal records which block updates will occur and, after the update, records that the update is complete. This means that if the update is interrupted in between, the ext file system will know, can fix the issue and can maintain the file system's integrity. Journaling in ext3 is done at block level, which means the entire block is written to the journal even if only one bit changes. This can be useful for finding historical data in the journal, but how useful it is depends on the size of the journal, because once the journal is full it will overwrite the historical data.
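The behaviour described above can be shown with a small model of a block-level write-ahead journal. This is an added example, not the post's code and not the real on-disk jbd2 record format: it keeps whole copies of updated blocks in a fixed-capacity circular log, marks a transaction valid only once its commit record is written, replays only committed transactions on recovery, and lets an examiner list every copy of a block that the journal still holds. The Transaction and Journal names, the capacity, and the sample block contents are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    seq: int
    blocks: dict            # target block number -> full copy of the new block content
    committed: bool = False # set once the commit record is written


class Journal:
    """Block-level write-ahead log with a fixed number of block slots.

    Whole blocks are copied in even for a one-bit change; when the log is full the
    oldest transactions are overwritten, which is what erases the historical copies.
    """

    def __init__(self, capacity_blocks: int):
        self.capacity = capacity_blocks
        self.transactions = []   # oldest first
        self.next_seq = 1

    def used(self) -> int:
        return sum(len(t.blocks) for t in self.transactions)

    def begin(self, blocks: dict) -> Transaction:
        """Write the descriptor and the block copies; the transaction is not yet valid."""
        tx = Transaction(self.next_seq, dict(blocks))
        self.next_seq += 1
        self.transactions.append(tx)
        while self.used() > self.capacity and len(self.transactions) > 1:
            self.transactions.pop(0)   # circular log: overwrite the oldest entries
        return tx

    def commit(self, tx: Transaction) -> None:
        tx.committed = True


def write_through_journal(disk: dict, journal: Journal, blocks: dict,
                          crash_before_commit: bool = False,
                          crash_before_checkpoint: bool = False) -> None:
    """Normal update path: journal the blocks, commit, then write them to their real location."""
    tx = journal.begin(blocks)
    if crash_before_commit:
        return                  # interrupted: the journal holds copies but no commit record
    journal.commit(tx)
    if crash_before_checkpoint:
        return                  # interrupted: committed but the real blocks are still old
    disk.update(blocks)         # checkpoint: the update reaches its final blocks


def recover(disk: dict, journal: Journal) -> int:
    """On mount after a crash: replay committed transactions in order, ignore the rest.

    Returns the number of transactions replayed. Replaying an already checkpointed
    transaction is harmless because it writes the same content again.
    """
    replayed = 0
    for tx in journal.transactions:
        if tx.committed:
            disk.update(tx.blocks)
            replayed += 1
    return replayed


def block_history(journal: Journal, blocknr: int) -> list:
    """Every copy of a block still in the journal, oldest first, as (seq, committed, content)."""
    return [(tx.seq, tx.committed, tx.blocks[blocknr])
            for tx in journal.transactions if blocknr in tx.blocks]


if __name__ == "__main__":
    disk = {5: b"old", 6: b"six"}              # constructed "real" blocks
    journal = Journal(capacity_blocks=4)
    write_through_journal(disk, journal, {5: b"v1"})
    write_through_journal(disk, journal, {5: b"v2", 6: b"s2"}, crash_before_checkpoint=True)
    write_through_journal(disk, journal, {5: b"v3"}, crash_before_commit=True)
    print("before recovery:", disk)
    print("replayed:", recover(disk, journal), "after recovery:", disk)
    print("history of block 5:", block_history(journal, 5))
```

The uncommitted copy of block 5 never reaches the disk, yet it stays visible in block_history until the log wraps, which is exactly why the journal is worth reading during an investigation and why its size bounds how far back that view goes.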
Difference between the ext file systems
The big difference between the old ext2 file system and its successors is that ext2 did not support journaling, which changed when journaling was added in ext3. The difference between ext3 and ext4 is improved performance in areas such as less fragmentation and more precise timestamps on the inodes, and support for a larger file system: from 2TB for ext2 and ext3 to 16TB on ext4.