>> Linux EXT file systems are derived from the UNIX file system.
I will focus on the basics of EXT file systems
and then explain how forensic tools access the basic structure to identify information.
When a partition has a file system installed,
the partition has an organized structure for files.
This is basically what the file system is for.
When an EXT file system is installed,
the partition contains an optional boot block and a superblock.
The superblock defines the data structures and the boundaries of this file system.
The information in the superblock includes the block size; in Linux and UNIX file systems,
a block is the smallest unit used to store information.
If the block size is 1024 bytes, a file of eight bytes will still have to use one block.
Like the block size, the number of blocks in a group is fixed when the file system is created.
It also includes the block and INODE bitmaps.
Each bitmap contains zeros and ones.
A one means the block or INODE is in use.
The number of free blocks and the number of free INODEs
in the file system are also recorded in the superblock.
It also indicates the first INODE number in the file system.
The first INODE in EXT2, 3, and 4 file systems is the INODE for the system root directory.
It is clear that data is saved in blocks, but what is an INODE really for?
An INODE contains metadata about a file.
In Linux and UNIX systems, each file has a corresponding INODE.
However, multiple files may share the same INODE.
The number of files pointing to the same INODE is called the link count.
The metadata stored in the INODE includes the file type, owner, file permissions,
the file's last modification, access, and INODE change times, the link count,
and the addresses of the data blocks that store the actual file contents.
The content of a directory is a list of entries representing the files
and subdirectories that reside in this directory.
Each entry contains a file or directory name and its corresponding INODE number.
Therefore, the mapping information between an INODE number
and a file name is stored in a directory.
When you run cat /etc/myconfig,
how does the file system locate the content of the file?
Let's walk through the process of finding the data content for a given file name.
The file name starts with a slash.
From the superblock, we have the first INODE number, which corresponds to slash.
Let's assume it is INODE zero.
We read the information stored in INODE zero; since it is a directory,
you will find that the INODE type is directory, and you will get the data block addresses
for slash, that is, for INODE zero's content.
Go to slash's data block addresses.
They contain the list of files and subdirectories contained in slash.
The subdirectory etc, along with its corresponding INODE number, should be in this list.
If not, it will display an error message: cannot locate /etc/myconfig.
Knowing the INODE number for etc, we will read this INODE's content.
Since /etc is a directory, you will find that the INODE type is directory,
and then you will get the data block addresses for /etc.
Go to the data block addresses of /etc.
Because it is a directory, it contains a list of the files
and subdirectories that reside in /etc.
The file name myconfig, along with its corresponding INODE number, should be in this list.
If not, again, an error message will be displayed.
Knowing the INODE number of /etc/myconfig, we will read this INODE's content.
Since /etc/myconfig is a regular file, you will find that the INODE type is file,
and you will get the data block addresses for this file.
Go to the data block addresses of /etc/myconfig.
Because it is a regular file, the file content is in the data blocks.
Now, if you look at the diagram by Brian Carrier in his paper,
Why Recovering a Deleted EXT3 File is Difficult, you should be clear
about how an EXT file system locates file content based on a file name.
We have gone this far in learning the connection between a file name and its content
because we are interested in knowing what happens when we delete a file.
Can we retrieve the deleted file even though the OS will not help us?
The answer varies depending on the file system implementation.
For example, Microsoft's FAT file system will mark the file
as deleted by renaming the file name.
The Berkeley Fast File System usually breaks all the connections
between the directory entry and the file data blocks.
What happens in the Linux and UNIX EXT file systems?
First, let's see what happens when we create a new file.
Each file has its content stored in blocks, its metadata stored in an INODE, and its file name
to INODE mapping stored in its parent directory.
When a new file (not a hard link) is created, a free INODE is chosen from the INODE bitmap.
The superblock's free INODE count is decremented by one.
An entry is added in the parent directory.
Free data blocks are chosen from the block bitmap to store the file content.
Finally, the INODE content is written.
What will happen when a file is deleted in an EXT2 file system?
The data blocks in the block bitmap are marked as free.
The INODE in the INODE bitmap is marked as free.
The directory entry is marked as unused.
The connections among the directory entry, the INODE,
and the file data blocks will still be there until they are overwritten.
Therefore, if the directory entry information is still available, you can still find the mapping
between the file name and its INODE.
If the INODE has not been overwritten yet, you can even find the file's metadata,
including permissions and data blocks.
Therefore, even though the file has been deleted, it is still possible
to recover the file content if the data blocks are not overwritten.
However, for EXT3 or EXT4 file systems, we are not that lucky.
First of all, the file size in the INODE is set to zero.
More destructively, the data block information in the INODE is cleared upon file deletion,
which means we are not able to link the INODE
to the file content even if the content is still intact.
Data recovery from EXT3 and EXT4 file systems is harder, but may still be possible.
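To tie the /etc/myconfig lookup walk-through to the EXT2 versus EXT3/EXT4 deletion behavior just described, here is a toy model in Python. It is an added example, not part of the lecture or of any real file system code; it assumes, as the lecture does, that the root INODE is number 0, and it keeps every file to a single block with constructed limits of 16 INODEs and 64 blocks.

```python
class ToyExt:
    """Toy EXT volume (constructed): superblock, bitmaps, inodes, directory and data blocks."""
    def __init__(self, journaled):
        self.journaled = journaled              # False: EXT2 unlink, True: EXT3/EXT4 unlink
        self.inodes, self.blocks = {}, {}       # inode number -> metadata, block number -> content
        self.inode_bitmap, self.block_bitmap = set(), set()   # a set bit means "in use"
        self.superblock = {"block_size": 1024, "first_ino": self._alloc("dir", [])}
    def _alloc(self, ftype, content):           # first free inode and first free block (one block per file here)
        ino = min(set(range(16)) - self.inode_bitmap)
        blk = min(set(range(64)) - self.block_bitmap)
        self.inode_bitmap.add(ino)
        self.block_bitmap.add(blk)
        self.blocks[blk] = content
        self.inodes[ino] = {"type": ftype, "size": len(content), "blocks": [blk]}
        return ino
    def _entries(self, ino):                    # a directory's (name, inode number) entries; none for a file
        return [e for b in self.inodes[ino]["blocks"] for e in self.blocks[b] if isinstance(e, dict)]
    def lookup(self, path):                     # the lecture's walk: root inode from the superblock, then entry by entry
        ino = self.superblock["first_ino"]
        for name in [p for p in path.split("/") if p]:
            live = [e for e in self._entries(ino) if e["name"] == name and not e["unused"]]
            if not live:
                return None                     # "cannot locate /etc/myconfig"
            ino = live[0]["ino"]
        return ino
    def create(self, path, data=None):          # data=None creates a directory
        parent_path, name = path.rsplit("/", 1)
        ino = self._alloc("dir" if data is None else "file", [] if data is None else data)
        parent = self.inodes[self.lookup(parent_path or "/")]
        self.blocks[parent["blocks"][0]].append({"name": name, "ino": ino, "unused": False})
        return ino
    def unlink(self, path):
        parent_path, name = path.rsplit("/", 1)
        ino = self.lookup(path)
        self.block_bitmap.difference_update(self.inodes[ino]["blocks"])  # blocks marked free, bytes kept
        self.inode_bitmap.discard(ino)                                   # inode marked free
        for e in self._entries(self.lookup(parent_path or "/")):
            if e["ino"] == ino and e["name"] == name:
                e["unused"] = True                                       # directory entry marked unused
        if self.journaled:                      # EXT3/4 also zero the size and clear the block pointers
            self.inodes[ino].update(size=0, blocks=[])

def recover(fs, name):
    """Forensic pass: follow an unused directory entry's stale inode back to its data blocks."""
    for ino in fs.inodes:
        for e in fs._entries(ino):
            stale = fs.inodes[e["ino"]]
            if e["name"] == name and e["unused"] and stale["blocks"]:
                return b"".join(fs.blocks[b] for b in stale["blocks"])[:stale["size"]]
    return None                                 # EXT3/4: pointers gone, only block carving is left
```

On the EXT2-style volume, recover returns the old content until the freed INODE and block are reused by a new file; on the journaled volume it returns None even though the bytes are still sitting in the data block.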
And there are readings about this in the additional resources section of this unit.
By now, I hope you are convinced of why we care about deletion.
Deleted data still exists on disk and is recoverable until the space is overwritten.
In addition, larger disks are less likely
to overwrite formerly used space, unless the disk blocks are wiped after the file is deleted.
The Linux and UNIX commands srm and shred will both intentionally destroy file content.