Learn All About Linux File Systems

This blog explains Linux File System Architecture, the Filesystem Hierarchy Standard (FHS), the Extended File System (EXT), the Second Extended File System (EXT2), etc.

Linux uses different file systems to store data. As investigators may encounter attack source or victim systems running Linux, they should have comprehensive knowledge of the storage methods it employs. The following section provides insight into the various Linux file systems and their storage mechanisms.

Linux File System Architecture

The Linux file system architecture consists of two parts namely:

  • User Space: The protected memory area where the user processes run; this area contains the available memory.
  • Kernel Space: The memory space where the system supplies all kernel services through kernel processes. Users can access this space only through system calls. A user process turns into a kernel process only when it executes a system call.

The GNU C Library (glibc) sits between the User Space and Kernel Space and provides the system call interface that connects the kernel to the user-space applications.

The Virtual file system (VFS) is an abstract layer, residing on top of a complete file system. It allows client applications to access various file systems. Its internal architecture consists of a dispatching layer which provides file system abstraction and numerous caches to enhance the file system operations performance.

The main objects managed dynamically in the VFS are the dentry and inode objects, which are cached to enhance file system access speed. Once a user opens a file, the dentry cache fills with entries that represent the directory levels, which in turn represent the path. The system also creates an inode for the object which represents the file. The system builds the dentry cache using a hash table and allocates the dentry cache entries from the dentry_cache slab allocator. The system uses a least-recently-used (LRU) algorithm to prune the entries when memory is scarce.

The inode cache acts as two lists and a hash table for quick look up. The first list defines the used inodes and the unused ones are positioned in the second list. The hash table also stores the used inodes.

Device drivers are pieces of code, linked with every physical or virtual device and help the OS in managing the device hardware. Functions of the device drivers include setting up hardware, getting the related devices in and out of services, getting data from hardware and giving it to the kernel, transferring data from the kernel to the device, and identifying and handling device errors.

Filesystem Hierarchy Standard (FHS)

Linux is a single hierarchical tree structure, representing the file system as one single entity. It supports many different file systems. It implements a basic set of common concepts, developed for UNIX. Some of the Linux file system types are minix, Filesystem Hierarchy Standard (FHS), ext, ext2, ext3, xia, msdos, umsdos, vfat, /proc, nfs, iso 9660, hpfs, sysv, smb, and ncpfs. Minix was Linux’s first file system.

The following are some of the most popular file systems:

Filesystem Hierarchy Standard (FHS)

The File system Hierarchy Standard (FHS) defines the directory structure and its contents in Linux and Unix-like operating systems. In the FHS, all files and directories are present under the root directory (represented by /).

Extended File System (EXT)

The Ext file system, released in April 1992, is the first file system developed for Linux. It came as an extension of the Minix file system and to overcome some of its limitations such as 64 MB partition size and short file names. The Ext file system provides a maximum partition size of 2 GB and a maximum file name size of 255 characters. The major limitation of this file system was that it did not offer support for separate access, inode modification, and data modification timestamps. It kept an unsorted list of free blocks and inodes, and fragmented the file system.

This has a metadata structure inspired by Unix File System (UFS). Other drawbacks of this file system include only one timestamp and linked lists for free space, which resulted in fragmentation and poor performance. The second extended file system (Ext2) replaced it.

Second Extended File System (EXT2)

Remy Card developed the second extended file system (ext2) as an extensible and powerful file system for Linux. Being the most successful file system so far in the Linux community, Ext2 is the basis for all of the currently shipping Linux distributions.

The ext2 file system is built on the principle that data is stored in data blocks of the same length. Although the length can vary between different ext2 file systems, the block size of an ext2 file system is set during its creation. The system rounds up every file size to an integral number of blocks. If the block size is 1024 bytes, then a file of 1025 bytes will occupy two 1024-byte blocks. Not all of the blocks in the file system hold data; some must contain the information that describes the structure of the file system.

Ext2 defines the file system topology by describing each file in the system with an inode data structure. An inode describes the blocks which the data within a file occupies, as well as the access rights of the file, the file modification times, and the type of the file. A single inode describes every file in the ext2 file system and each inode has a single unique number identifying it. Inode tables store all the inodes for the file system. Ext2 directories are simply special files (themselves described by inodes) that contain pointers to the inodes of their directory entries.

Superblock

This block stores information about the size and shape of the Ext2 file system. This information enables the file system manager to use and manage the file system. Generally, the system reads only the Superblock in Block Group 0 when the user mounts the file system, but every Block Group holds a duplicate copy in case the file system gets corrupted.

Superblock holds the following information:

  • Magic Number: It allows the mounting software to verify the Superblock for the EXT2 file system. For the present EXT2 version, it is 0xEF53.
  • Revision Level: The major and minor revision levels allow the mounting code to determine whether or not this file system supports features that are only available in particular revisions of the file system. There are also feature compatibility fields that help the mounting code to determine which new features can safely be used on this file system.

  • Mount Count and Maximum Mount Count: Together these allow the system to determine if it needs to fully check the file system. The mount count increments each time the system mounts the file system and displays the warning message of “maximal mount count reached, running e2fsck is recommended” when it equals the maximum mount count.
  • Block Group Number: It is the Block Group number containing the Superblock copy.
  • Block Size: It informs about the size of the block for the file system in bytes.
  • Blocks per Group: A fixed number that mentions the number of blocks in a group.
  • Free Blocks: The number of free blocks in the file system.
  • Free Inodes: The number of free inodes in the file system.
  • First Inode: It is the inode number of the first inode of the file system.
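The fields listed above can be read straight from a disk image, which is how an examiner confirms that a partition really is ext2 before trusting any tool output. This is an added example, not code from the original article: the 1024-byte superblock offset and the per-field byte offsets follow the kernel's on-disk `ext2_super_block` layout rather than anything stated on this page, and the sample image is constructed in the script.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # assumption from the on-disk layout: superblock starts here
EXT2_MAGIC = 0xEF53        # magic number quoted in the list above

# (name, byte offset inside the superblock, little-endian struct format)
FIELDS = [
    ("free_blocks",      12, "<I"),
    ("free_inodes",      16, "<I"),
    ("log_block_size",   24, "<I"),
    ("blocks_per_group", 32, "<I"),
    ("mount_count",      52, "<H"),
    ("max_mount_count",  54, "<h"),   # read as signed: 0 or -1 disables the check
    ("magic",            56, "<H"),
    ("minor_rev",        62, "<H"),
    ("major_rev",        76, "<I"),
    ("first_inode",      84, "<I"),   # only meaningful when major_rev >= 1
    ("block_group_nr",   90, "<H"),
]

def parse_superblock(image: bytes) -> dict:
    """Extract the superblock fields described above from a raw image."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too short to hold a superblock")
    out = {name: struct.unpack_from(fmt, sb, off)[0] for name, off, fmt in FIELDS}
    if out["magic"] != EXT2_MAGIC:
        raise ValueError(f"bad magic 0x{out['magic']:04X}: not an ext superblock")
    # Block size is stored as a shift count relative to 1024 bytes.
    out["block_size"] = 1024 << out["log_block_size"]
    # A full check is due once the mount count reaches a positive maximum.
    out["fsck_due"] = 0 < out["max_mount_count"] <= out["mount_count"]
    return out

def build_sample_image() -> bytes:
    """Constructed sample: a 2 KiB image with only the superblock fields set."""
    values = {"free_blocks": 7000, "free_inodes": 2037, "log_block_size": 0,
              "blocks_per_group": 8192, "mount_count": 20, "max_mount_count": 20,
              "magic": EXT2_MAGIC, "minor_rev": 0, "major_rev": 1,
              "first_inode": 11, "block_group_nr": 0}
    img = bytearray(2048)
    for name, off, fmt in FIELDS:
        struct.pack_into(fmt, img, SUPERBLOCK_OFFSET + off, values[name])
    return bytes(img)

if __name__ == "__main__":
    for key, value in parse_superblock(build_sample_image()).items():
        print(f"{key:18} {value}")
```

Against real evidence, pass the first 2048 bytes of a read-only partition image instead of the constructed sample.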

Group Descriptor

Every Group Descriptor has the following data:

  • Blocks Bitmap: It is the block number of the block allocation bitmap for the Block Group. It is used in block allocation and deallocation.
  • Inode Bitmap: It is the block number of the inode allocation bitmap for the Block Group. It is used in inode allocation and deallocation.
  • Inode Table: It is the block number of the starting block for the inode table for the Block Group.
  • Free blocks count, Free Inodes count, and Used directory count.

All the group descriptors together make the group descriptor table. Every Block Group has the whole group descriptor table.

Ext2 Inode

In the ext2 file system, the inode is the basic building block. One and only one inode describes every file and directory in the file system. The file system stores the ext2 inodes for each block group in the inode table together with a bitmap that allows the system to keep track of the allocated and unallocated inodes.

It contains the following fields:

  • Mode: This holds two pieces of information: what this inode describes and the permissions that users have to it. For ext2, an inode can describe one file, directory, symbolic link, block device, character device, or FIFO.
  • Owner information: This is information about the user and group identifiers of the owners of a file or directory. It allows the file system to correctly allow the right sort of accesses.
  • Size: This field holds the size of the file in bytes.
  • Timestamps: This shows the inode creation time and the last modification time.
  • Data blocks: Data blocks are the pointers to the blocks containing the data that this inode is describing. The first 12 are pointers to the physical blocks containing the data described by this inode, and the last 3 pointers contain more and more levels of indirection. For example, the double indirect blocks pointer points at a block of pointers to blocks of pointers to data blocks.
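When recovering file content by hand from an inode, the examiner has to know which of the 15 pointers covers a given byte of the file and how many indirect blocks must be read to reach it. The following added example (not part of the original article) maps a byte offset to that pointer path and also reproduces the 1025-byte rounding case from earlier; it assumes 4-byte block pointers, as ext2 uses 32-bit block numbers, and the function names are hypothetical.

```python
DIRECT = 12     # first 12 pointers address data blocks directly
PTR_SIZE = 4    # assumption: ext2 stores block numbers as 32-bit values

def blocks_needed(file_size: int, block_size: int) -> int:
    """File sizes are rounded up to a whole number of blocks."""
    return -(-file_size // block_size)

def pointer_path(byte_offset: int, block_size: int = 1024):
    """Return (level, indexes) for the block holding byte_offset.

    indexes[0] is the slot among the inode's 15 pointers; each later
    value is the entry to follow inside the next indirect block.
    """
    per_block = block_size // PTR_SIZE      # pointers held by one indirect block
    n = byte_offset // block_size           # logical block number within the file
    if n < DIRECT:
        return "direct", [n]
    n -= DIRECT
    if n < per_block:
        return "single indirect", [12, n]
    n -= per_block
    if n < per_block ** 2:
        return "double indirect", [13, n // per_block, n % per_block]
    n -= per_block ** 2
    if n < per_block ** 3:
        return "triple indirect", [14, n // per_block ** 2,
                                   (n // per_block) % per_block, n % per_block]
    raise ValueError("offset beyond what 15 block pointers can address")

def max_addressable_bytes(block_size: int) -> int:
    """Largest file the 12 direct + 3 indirect pointers can describe."""
    per_block = block_size // PTR_SIZE
    return (DIRECT + per_block + per_block ** 2 + per_block ** 3) * block_size

if __name__ == "__main__":
    print("1025-byte file occupies", blocks_needed(1025, 1024), "blocks")
    for offset in (0, 12 * 1024, 300 * 1024, 70_000 * 1024):
        print(f"offset {offset:>10}: {pointer_path(offset)}")
    print("limit with 1 KiB blocks:", max_addressable_bytes(1024), "bytes")
```

With 1024-byte blocks the pointer scheme tops out at roughly 16 GiB per file, and every extra level of indirection is one more block that must be intact for the data behind it to be recoverable.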

Second Extended File System (EXT2) (Cont’d)

In the ext2 file system, directories are special files used to create and hold access paths to the files in the file system. A directory file is a list of directory entries, each one containing the following information:

  • Inode: The inode for this directory entry. This is an index into the array of inodes held in the inode table of the block group.
  • Name length: The length of this directory entry in bytes.
  • Name: The name of this directory entry.

Third Extended File System (EXT3)

Developed by Stephen Tweedie in the year 2001, the third extended file system (ext3) is a journaling file system used in the GNU/Linux operating system. It is the enhanced version of the ext2 file system. The main advantage of this file system is journaling that improves reliability of the computer system. It can be mounted and used as an ext2 file system. It can make use of all of the previous programs developed in the ext2 file system.

The maximum size of a single Ext3 file ranges from 16 GB to 2 TB, and the size of the whole ext3 file system ranges from 2 TB to 32 TB. Ext3 also offers better data integrity. It makes sure that the data is consistent with the file system state. Ext3 is faster than ext2 because the journaling feature optimizes hard disk drive (HDD) head motion. It also gives a choice of three journaling modes, which provide trade-offs between maximizing data integrity and optimizing speed. Ext3 is also highly reliable. Ext3 also has the ability to convert ext2 partitions to ext3 and vice-versa without the need for repartitioning and data backup.

Command to convert an ext2 file system to ext3: # /sbin/tune2fs -j <partition-name>

For example, if the user needs to convert an ext2 file system located on the partition /dev/hda5 to an ext3 file system, he or she should use the following command: # /sbin/tune2fs -j /dev/hda5

Features of Ext3

  • Data integrity: It provides stronger data integrity for events that occur due to computer system shutdowns. It allows the user to choose the type and level of protection for the received data.
  • Speed: As the ext3 file system is journaling the file system, it has higher throughput in most cases than ext2. The user can choose the optimized speed from three different journaling modes.
  • Easy transition: The user can easily change the file system from ext2 to ext3 and increase the performance of the system by using the journaling file system without reformatting.

File System Journaling

File system journaling works as follows:

  • It records updates to the file system, which helps in recovering the file system quickly in case of a system crash
  • The ext3 journal uses inode 8, and the super block contains its location
  • The first block in the ext3 journal is for the super block and contains general information

Fourth Extended File System (EXT4)

Ext4 is a journaling file system developed as the replacement for the commonly used ext3 file system. It offers better scalability and reliability for supporting large file systems on 64-bit machines in order to meet increasing disk capacity demands. Ext4 enables write barriers by default and allows users to mount an ext3 file system as an ext4 file system. The file system is supported from Linux Kernel v2.6.19 onwards.

Key Features

  • File System Size: Supports maximum individual file sizes up to 16 TB and overall volumes of about 1 EiB (exbibyte) in size.
  • Extents: Replaces the block mapping scheme found in ext2 and ext3 in order to increase performance and reduce fragmentation.
  • Delayed allocation: Improves performance and reduces fragmentation by effectively allocating larger amounts of data at a time by delaying allocation till the system flushes data to the disk.
  • Multiblock allocation: Allocates multiple files contiguously on disks thus reducing the work of calling the block allocator and optimizing the allocation of memory.
  • Increased file system checking (fsck) speed: Marks unallocated block groups and sections and skips the marked elements while performing checks. Thus, supports faster file system checking.
  • Journal check summing: Uses checksums in the journal to improve reliability.
  • Persistent pre-allocation: The file system can pre-allocate the on-disk space for a file, by writing zeroes to it during creation.
  • Improved Timestamps: Provides timestamps measured in nanoseconds and comes with support for date-created timestamps.
  • Backward compatibility: The file system is backward compatible and allows the user to mount ext3 and ext2 as ext4.

Questions related to this topic

  1. What are different file systems in Linux?
  2. What is Linux file system?
  3. How many file systems are there in Linux?
  4. How does Linux support the file system?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
