Linux File System

Module Objectives
 History of Linux
 Linux File System
 Linux File System Layout
 Structure of ExtX File system
 File Deletion example

10 November 2023 2
 LinuxOS

 Linux is Open Source Operating system for

computers, servers, mobile devices etc

10 November 2023 3
 History
 Linux is a Free and Open-Source Operating system
 Free and Open-Source Software
 Operating System Kernel released by Linus Torvalds
 Published under GNU General Public License

Open-source software Free software

The copyright holder provides the
• The freedom to run the
rights to study, change, and
software for any purpose
distribute the software to anyone
• Freedom to study
and for any purpose.
• Freedom to change
• Freedom to distribute the
software

10 November 2023 4
 Linux Flavour/Distros

10 November 2023 5
 Linux File System

 The extended file system or ext was the first file system created
specifically for the linux operating system

 Ext by Remy Card.

 Journaling in ext3

10 November 2023 6
 Filesystem

10 November 2023 7
 Linux File System Contents

10 November 2023 8
 Structure of ExtX File System
MBR Partition1 Partition2 Partition3 Partition4

BootSector Block Block Block Block Block

Group 1 Group 2 Group 3 Group 4 Group N

• Boot sector : optional reserver area

• Block Groups: collection of blocks
• Block: A block is a collection of sectors.
• All block group except last contain same number of blocks
• The block size 1024 or 2048 or 4096 bytes
• Block Size for Ext2 and 3 can be 1Kb, 2Kb, 4Kb, 8Kb
• Block Size for Ext4 can be 1Kb to 64Kb
 A comparison

Ntfs Linux

Groups of sectors Cluster Block

Information about all Mft Inode table

the files

10 November 2023 10
 What does a Block Group contain ?
Super Block

Boot Sector
MBR Group Descriptor
Block Group 0 table
Partition1
Block Group 1
Partition2 Block bitmap
Block Group 2
Inode bitmap
Partition3
Block Group 3
Inode table
Partition4
Block Group N
Datablock

10 November 2023 11
 What does a Block Group contain ?
its the metadata of the file system.
Block group number ,block
The superblock size,blocks per group,inodes per
group,free blocks,free inodes
GDT Details of group.

Shows block allocation , used at

Blocks Bitmap block allocation and deallocation
time
Inode Bitmap Inode allocation , used during inode
allocation and deallocation
Inode Table Collection of inodes that gives
metadata of each file.
Information about all the files
Datablock Contains data

10 November 2023 12
 What does inode table contain?

10 November 2023 13
 inode

• An inode is an entry in inode table, containing

information ( the metadata ) about a regular file
and directory.
• The inode table is used to keep track of every
files, their location, size, type and access rights
are all stored in inodes.
• Each inode takes 128 bytes to represent
metadata of files
• There is one inode table per block group
• There is no filename stored in the inode itself,
names are contained in directory files only.
 Data block pointers
– Total 15blocks
– The first 12 blocks are direct blocks

10 November 2023 14
 Directory entries

• A directory entry data structure consists of

• An inode number(i_inode) relating to a file,
• The length of the current entry(rec_len)
• The length of the file name(name_len)
• A field that identifies the type of file(file_type)

10 November 2023 15
 Reserved inodes
 Inode numbers
 First 11 inodes are reserved.
 Inode 1 contains a list of bad blocks in the file system.
 Inode 2 is the root inode and Inode 5 is the boot loader
inode.
 Inode 8 is for file system journaling(Ext3).
 3,4,6,7,9,10 are foundations for future enhancements.
 User files/directories stored from inode 12 onwards.

10 November 2023 16
 Locating a file
 /home/ealtieri/hello.txt.

10 November 2023 17
 What happens when a file is deleted?
 File's data blocks are marked as available(0) in its block
bitmap.
 File's inode are marked as available(0) in its inode bitmap.
 Block addresses are set to null in ext3& ext4 but retained in
ext2.
 The deleted time is added.
 The inode number is made free in the directory entry of ext2.
 In ext3 & ext4 the inode number is retained in the directory
entry.

 Note: an inode is deleted only when its links count reaches 0

else only the link is deleted.

10 November 2023 18
 File deletion

Block addresses
are retained in
ext2.

Block addresses are set to null in

ext3& ext4
Due to zeroing of size, and block
pointers in inode, the user cannot
accurately detect the starting block of
a data, and ending block of a data.

10 November 2023 19
 Practicals
 OS :Helix
 Create partition
 Format it with ext2 filesystem
 Mount the partition to a mount point
 Use sleuthkit autopsy tool to analyse an ext2
partition

10 November 2023 20

 Create partition
 Format it with ext2
filesystem
 Mount the partition to a
mount point
 Use sleuthkit autopsy
tool to analyse an ext2
partition
10 November 2023
Practicals
 Create partition
– sudo fdisk /dev/sda
 Format a Partition in Linux
– sudo mkfs.ext2 /dev/sda
 To view partition table
– sudo fdisk –l
 Create a mountpoint (Mountpoints are directories
were filesystems are mapped)
– sudo mkdir ptc
 Mount the partition to a mount point
– sudo mount /dev/sda1 ptc.
 Now move to ptc directory and create some files
 Use sleuthkit autopsy tool to analyse an ext2
partition
21
10 November 2023 22