Extended File Systems

Home , Ext2, Ext3, Ext4, Unix File System

Ext2, Ext3 and Ext4 File EXT2 and EXT3 - Based on UFS (Unix File System) - Ext3 adds journaling System File Systems - Ext4 increases capacity and optimizes some features Forensics - Adds ability to use extents (similar to NTFS data runs) Multiple sectors form Blocks - similar concept to FAT/NTFS clusters - smallest allocation unit size Digital Forensics Center Department of Computer Science and Statics THINK BIG WE DO Consecutive blocks form Block Groups Inodes - indirect nodes U R I - Contain file metadata - Creation, modification, access and deletion times, ownership and access info, etc. http://www.forensics.cs.uri.edu

Ext Partitions Ext Partitions

0 File Content File Content Inode Record ...... 1024 A block of Direct ...... Superblock Superblock Copy File Content Block Pointers ...... 2048 (4-Bytes each) File Content Group Descriptor Table Common File Metadata File Content File Content File Content Block Group 0 Block Bitmap . . . Direct Block ...... Pointers . . . Inode Bitmap A block of ...... File Content 12 File Content Indirect Block . . . Block Group 1 Inode Record Direct Block Pointers Inode Table . Direct Block File Content Pointers . Pointers . . . (4-Bytes each) . . . Block Group 2 Direct Block File Content File Content Pointers A block of ...... File Content . . . . Indirect Block Pointer Indirect Block ...... Pointers ...... Directory Entries Direct Block . . . File Content . . . . Double Indirect Block . . . Pointers Pointer . . File Content . . A block of Direct Block File Content Double Indirect A block of Pointers Block Group n Block Group Triple Indirect Block File Content . Pointer Block Pointers Indirect Block Pointers Direct Block Pointers File Content

Ext Analysis

EXT2 and EXT3 File Systems

Digital Forensics Center Department of Computer Science and Statics THINK BIG WE DO

U R I

http://www.forensics.cs.uri.edu