Ext4magic: Inode - Directory - Journal - Install - Time_Options - Histogram - Scenarios - Tips&Tricks - Manpage - Expert-Mode |
The inode is the central management structure of every file in an ext file system. All properties of the file, with the exception of the inode number and the file name, are stored in the inode. The inode number is an index number for the inode data within the inode table of the file system. One or more file names are stored in the directory data, always together with the associated unique inode number. Most Linux users know the properties of a file as they are stored in the inode. The output format of ext4magic is presented in the next section.
The data blocks of a file are referenced by its inode. Without an inode, a file cannot be found on the disk. When you delete a file, the references in the inode are cleared, which makes recovery of deleted files difficult on ext3 and ext4 file systems.
The inode table is part of the file system metadata, and for every change a copy of the data block is written to the journal.
The typical inode size was originally 128 Bytes, which holds most of the information. Today an inode size of 256 Bytes is commonly used. If the file system block size is 4 KByte and 256 Bytes are used for each inode, 16 inodes are contained in one file system block. The file system writes a whole file system block to the disk, which means the whole inode block is copied to the journal even if only a single inode has changed. The journal therefore contains many inode block copies. ext4magic uses them to recover deleted files.
The Linux command stat can also be used to query information about inodes:
ROBI@LINUX:~ # stat /boot/message
File: `/boot/message'
Size: 421376 Blocks: 830 IO Block: 1024 regular file
Device: 811h/2065d Inode: 22 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2009-12-04 01:13:51.000000000 +0100
Modify: 2009-12-04 01:13:51.000000000 +0100
Change: 2009-12-04 01:13:51.000000000 +0100
The ext4magic output has the following format:
ROBI@LINUX:~ # ext4magic /dev/sdb1 -f "message" -x
Filesystem in use: /dev/sdb1
Dump internal Inode 22
Status: Inode is Allocated
Inode: 22 Type: regular Mode: 0644 Flags: 0x0
Generation: 1797523886 Version: 0x00000000
User: 0 Group: 0 Size: 421376
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 830
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1259885631 -- Fri Dec 4 01:13:51 2009
atime: 1259885631 -- Fri Dec 4 01:13:51 2009
mtime: 1259885631 -- Fri Dec 4 01:13:51 2009
BLOCKS:
(0-11):531-542, (IND):543, (12-267):544-799, (DIND):800, (IND):801, (268-411):802-945
TOTAL: 415
ext4magic displays more details, and in a different format, than "stat". There is a major difference in how the filename is specified as an argument. For stat, the path of the file starts from the root of the entire Linux system (e.g. /boot). For ext4magic, the path starts from the root of the file system, which is always inode 2 (e.g. / when /boot is mounted on a separate partition).
ROBI@LINUX:~ # stat /boot
File: `/boot'
Size: 1024 Blocks: 2 IO Block: 1024 directory
Device: 811h/2065d Inode: 2 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-04-01 21:39:03.000000000 +0200
Modify: 2010-03-13 12:05:22.000000000 +0100
Change: 2010-03-13 12:05:22.000000000 +0100
ROBI@LINUX:~ # ext4magic /dev/sdb1 -f / -x
Filesystem in use: /dev/sdb1
Dump internal Inode 2
Status: Inode is Allocated
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000
User: 0 Group: 0 Size: 1024
File ACL: 0 Directory ACL: 0
Links: 4 Blockcount: 2
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1268478322 -- Sat Mar 13 12:05:22 2010
atime: 1270150743 -- Thu Apr 1 21:39:03 2010
mtime: 1268478322 -- Sat Mar 13 12:05:22 2010
BLOCKS:
(0):517
TOTAL: 1
2 d 755 (2) 0 0 1024 13-Mar-2010 12:05 .
2 d 755 (2) 0 0 1024 13-Mar-2010 12:05 ..
11 d 700 (2) 0 0 12288 3-Dec-2009 21:20 lost+found
28673 d 755 (2) 0 0 1024 13-Mar-2010 12:05 grub
22 _ 644 (1) 0 0 421376 4-Dec-2009 01:13 message
14 l 777 (7) 0 0 1 3-Dec-2009 23:39 boot
23 _ 644 (1) 0 0 1236 3-Dec-2009 02:52 boot.readme
19 l 777 (7) 0 0 29 13-Mar-2010 12:04 vmlinuz
20 l 777 (7) 0 0 28 13-Mar-2010 12:05 initrd
21 _ 644 (1) 0 0 6757618 13-Mar-2010 12:05 initrd-2.6.31.12-0.1-desktop
15 _ 644 (1) 0 0 1512469 28-Jan-2010 16:35 System.map-2.6.31.12-0.1-desktop
16 _ 644 (1) 0 0 168515 28-Jan-2010 16:50 symvers-2.6.31.12-0.1-desktop.gz
17 _ 644 (1) 0 0 4098688 28-Jan-2010 16:35 vmlinuz-2.6.31.12-0.1-desktop
13 _ 600 (1) 0 0 512 4-Dec-2009 01:13 backup_mbr
< 0> 0 (1) 0 0 0 initrd-2.6.31.8-0.1-desktop
< 0> 0 (1) 0 0 0 System.map-2.6.31.8-0.1-desktop
< 0> 0 (1) 0 0 0 symvers-2.6.31.8-0.1-desktop.gz
< 0> 0 (1) 0 0 0 vmlinuz-2.6.31.8-0.1-desktop
< 0> 0 (1) 0 0 0 config-2.6.31.8-0.1-desktop
18 _ 644 (1) 0 0 105422 28-Jan-2010 16:50 config-2.6.31.12-0.1-desktop
The ext4magic output includes a list of the directory contents. The output of the Linux command "ls -il" contains similar directory information.
ROBI@LINUX:~ # ls -il /boot
total 12833
15 -rw-r--r-- 1 root root 1512469 Jan 28 16:35 System.map-2.6.31.12-0.1-desktop
13 -rw------- 1 root root 512 Dec 4 01:13 backup_mbr
14 lrwxrwxrwx 1 root root 1 Dec 3 23:39 boot -> .
23 -rw-r--r-- 1 root root 1236 Dec 3 02:52 boot.readme
18 -rw-r--r-- 1 root root 105422 Jan 28 16:50 config-2.6.31.12-0.1-desktop
28673 drwxr-xr-x 2 root root 1024 Mar 13 12:05 grub
20 lrwxrwxrwx 1 root root 28 Mar 13 12:05 initrd -> initrd-2.6.31.12-0.1-desktop
21 -rw-r--r-- 1 root root 6757618 Mar 13 12:05 initrd-2.6.31.12-0.1-desktop
11 drwx------ 2 root root 12288 Dec 3 21:20 lost+found
22 -rw-r--r-- 1 root root 421376 Dec 4 01:13 message
16 -rw-r--r-- 1 root root 168515 Jan 28 16:50 symvers-2.6.31.12-0.1-desktop.gz
19 lrwxrwxrwx 1 root root 29 Mar 13 12:04 vmlinuz -> vmlinuz-2.6.31.12-0.1-desktop
17 -rw-r--r-- 1 root root 4098688 Jan 28 16:35 vmlinuz-2.6.31.12-0.1-desktop
For details of the format of the ext4magic directory output, see the Directory page.
There is another special feature in the inode listing: all data blocks that the inode addresses are listed.
....
BLOCKS:
(0-11):531-542, (IND):543, (12-267):544-799, (DIND):800, (IND):801, (268-411):802-945
TOTAL: 415
The output should be read as follows:
File blocks 0 to 11 of this file are in the file system data blocks 531-542.
File system block 543 indirectly (IND) refers to file blocks 12 to 267, which are located in file system data blocks 544-799.
File system block 800 addresses, double indirectly (DIND), the indirect file system block 801, which refers to file blocks 268-411 located in file system blocks 802-945.
This is the classic block addressing as used by ext2 and ext3.
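The reading rules above can be checked mechanically. The following is an added example, not part of ext4magic or of the original page: it parses the BLOCKS line of inode 22 and cross-checks it against the Size and Blockcount fields of the same dump. The function names are hypothetical; it assumes a 1024-byte file system block (the "IO Block" value in the stat output), 4-byte block pointers, and a Blockcount in 512-byte units.

```python
import re

# Values copied from the ext4magic -x dump of inode 22 shown earlier on this page.
BLOCKS_LINE = ("(0-11):531-542, (IND):543, (12-267):544-799, "
               "(DIND):800, (IND):801, (268-411):802-945")
SIZE, BLOCKCOUNT = 421376, 830
BLOCK_SIZE = 1024  # assumption: file system block size equals stat's "IO Block"

ENTRY = re.compile(r"\(([A-Z]+|\d+(?:-\d+)?)\):(\d+)(?:-(\d+))?")

def parse_blocks(line):
    """Split a BLOCKS line into data runs (file_first, file_last, fs_first)
    and pointer blocks (kind, fs_block) such as IND and DIND."""
    runs, pointers = [], []
    for label, first, last in ENTRY.findall(line):
        first, last = int(first), int(last or first)
        if label.isalpha():
            pointers.append((label, first))
            continue
        lo, _, hi = label.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi - lo != last - first:
            raise ValueError(f"file range ({label}) and block range differ in length")
        runs.append((lo, hi, first))
    return runs, pointers

def fs_block_for(line, file_block):
    """File system block that holds the given file block, or None if unmapped."""
    for lo, hi, first in parse_blocks(line)[0]:
        if lo <= file_block <= hi:
            return first + file_block - lo
    return None

def check_inode(line, size, blockcount, block_size):
    """Cross-check the BLOCKS line against Size and Blockcount of the same inode."""
    runs, pointers = parse_blocks(line)
    data = sum(hi - lo + 1 for lo, hi, _ in runs)
    total = data + len(pointers)          # the value ext4magic prints as TOTAL
    return {
        "total": total,
        "size_ok": data == -(-size // block_size),                 # ceil(size / block size)
        "blockcount_ok": blockcount == total * block_size // 512,  # 512-byte units
        "dind_starts_at": 12 + block_size // 4,  # 12 direct blocks + one indirect block
    }
```

For inode 22 the three fields agree with each other, and the first double-indirect file block is 268, as in the listing. A journal copy whose fields fail this check is a poor candidate for recovery.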
The extents of ext4 files are displayed in a similar format:
Level Entries Logical Physical Length Flags
0/ 1 1/ 1 0 - 16703 2791415 16704
1/ 1 1/ 9 0 - 2047 1826816 - 1828863 2048
1/ 1 2/ 9 2048 - 4095 1837056 - 1839103 2048
1/ 1 3/ 9 4096 - 6143 2463744 - 2465791 2048
1/ 1 4/ 9 6144 - 8191 2791424 - 2793471 2048
1/ 1 5/ 9 8192 - 10239 2795520 - 2797567 2048
1/ 1 6/ 9 10240 - 12287 2805760 - 2807807 2048
1/ 1 7/ 9 12288 - 14335 2859008 - 2861055 2048
1/ 1 8/ 9 14336 - 16383 2852864 - 2854911 2048
1/ 1 9/ 9 16384 - 16703 2876537 - 2876856 320
This is the exact list of the extents of an ext4 file that consists of 16704 data blocks.
This information is usually not needed and can produce lengthy output for large files. For this reason it is only displayed by ext4magic with the additional command line option "-x".
If it is necessary to view the contents of such a data block, see the following example. The block shown is the first block of the ext3 file from the previous example (file system block 531).
ROBI@LINUX:~ # ext4magic /dev/sdb1 -B 531
Filesystem in use: /dev/sdb1
Dump Filesystemblock 531 Status: Block is Allocated
0000: c7 71 13 08 62 ae a4 81 8f 01 8f 01 01 00 00 00 .q..b...........
0010: 18 4b 3f 54 0a 00 01 00 f3 fb 31 36 78 31 36 2e .K?T......16x16.
0020: 66 6e 74 00 06 8e 82 d2 e0 07 00 00 13 04 12 20 fnt............
0030: 00 60 ed 04 21 00 e0 ed 04 22 00 e0 ee 04 23 00 .`..!...."....#.
0040: a0 ef 04 24 00 a0 f4 04 25 00 80 f9 04 26 00 80 ...$....%....&..
0050: 01 05 27 00 c0 07 05 28 00 60 08 05 29 00 e0 0b ..'....(.`..)...
0060: 05 2a 00 60 0f 05 2b 00 a0 12 05 2c 00 20 14 05 .*.`..+....,. ..
0070: 2d 00 80 15 05 2e 00 20 16 05 2f 00 a0 16 05 30 -...... ../....0
0080: 00 60 1a 05 31 00 60 1f 05 32 00 60 22 05 33 00 .`..1.`..2.`".3.
0090: 40 26 05 34 00 a0 2a 05 35 00 a0 2e 05 36 00 80 @&.4..*.5....6..
00a0: 32 05 37 00 a0 37 05 38 00 40 3b 05 39 00 20 40 2.7..7.8.@;.9. @
00b0: 05 3a 00 40 45 05 3b 00 00 46 05 3c 00 00 48 05 .:.@E.;..F.<..H.
00c0: 3d 00 e0 4b 05 3e 00 40 4d 05 3f 00 20 51 05 40 =..K.>.@M.?. Q.@
00d0: ..................
........
The output format is similar to the one produced by the Linux command "hexdump -C".
Linux uses the timestamps atime, mtime and ctime.
ext4magic displays further timestamps from the inode: dtime, the time at which the inode data was deleted, and, on ext4 file systems, crtime, the time at which the inode was reused for a new file. So crtime is the actual creation time of the file.
Three timestamps are always displayed for each inode; "dtime" and "crtime" may be missing if they are not present in the inode.
ctime: 1274512877:2933655396 -- Sat May 22 09:21:17 2010
atime: 1274512899:3413691564 -- Sat May 22 09:21:39 2010
mtime: 1274512877:2933655396 -- Sat May 22 09:21:17 2010
crtime: 1259871665:0000000000 -- Thu Dec 3 21:21:05 2009
The first number after the type of the timestamp, for example "1274512877", is the time in seconds (UTC). This date format is used by ext4magic for its input options, so timestamps can be taken directly from the output with copy & paste. Other ext4magic functions also contain this seconds format in their output. That way a manual conversion of time input parameters for ext4magic with the command date can be avoided.
The examples on this page so far used the current inodes of the file system. It is also possible to print all or a subset of the inode copies from the journal. Command line options that open the journal also output the inode copies from the journal. In this example it is the "-T" option; other such options are "-J", "-a <time>" or "-b <time>".
ROBI@LINUX:~ # ext4magic /home/rob/test/test.iso -I2 -Tx | sed -ne '/^Dump/,/^BLOCKS/p'
Dump Inode 2 from journal transaction 24
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000000
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 11 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1260473457:0000000000 -- Thu Dec 10 20:30:57 2009
atime: 1260473464:0000000000 -- Thu Dec 10 20:31:04 2009
mtime: 1260473457:0000000000 -- Thu Dec 10 20:30:57 2009
crtime: 1260470173:0000000000 -- Thu Dec 10 19:36:13 2009
Size of extra inode fields: 28
BLOCKS:
Dump Inode 2 from journal transaction 25
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000000
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 11 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1260473478:0000000000 -- Thu Dec 10 20:31:18 2009
atime: 1260473478:0000000000 -- Thu Dec 10 20:31:18 2009
mtime: 1260473478:0000000000 -- Thu Dec 10 20:31:18 2009
crtime: 1260470173:0000000000 -- Thu Dec 10 19:36:13 2009
Size of extra inode fields: 28
BLOCKS:
Dump Inode 2 from journal transaction 26
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000000
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 11 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1260473508:0000000000 -- Thu Dec 10 20:31:48 2009
atime: 1260473513:0000000000 -- Thu Dec 10 20:31:53 2009
mtime: 1260473508:0000000000 -- Thu Dec 10 20:31:48 2009
crtime: 1260470173:0000000000 -- Thu Dec 10 19:36:13 2009
Size of extra inode fields: 28
BLOCKS:
Dump Inode 2 from journal transaction 29
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000000
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 3 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1260473770:0000000000 -- Thu Dec 10 20:36:10 2009
atime: 1260473772:0000000000 -- Thu Dec 10 20:36:12 2009
mtime: 1260473770:0000000000 -- Thu Dec 10 20:36:10 2009
crtime: 1260470173:0000000000 -- Thu Dec 10 19:36:13 2009
Size of extra inode fields: 28
BLOCKS:
Dump Inode 2 from journal transaction 47
Inode: 2 Type: directory Mode: 0755 Flags: 0x0
Generation: 0 Version: 0x00000000:00000000
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 3 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1272100594:0000000000 -- Sat Apr 24 11:16:34 2010
atime: 1272048604:0000000000 -- Fri Apr 23 20:50:04 2010
mtime: 1272100594:0000000000 -- Sat Apr 24 11:16:34 2010
crtime: 1260470173:0000000000 -- Thu Dec 10 19:36:13 2009
Size of extra inode fields: 28
BLOCKS:
These are the journal copies of inode 2 (the root directory) of a file system image. The directory data has been cut off here with "sed" in the pipe.
The output above shows the individual copies of the inode that are present in the journal. Depending on how many copies of an inode reside in the journal, the history of a file can be traced, or it can be seen that one inode was used for different files during its lifetime.
Internally, ext4magic always assumes that inode copies with the same ctime, the same file size and the same number of links are identical, and does not display them more than once. Such identical copies are written, for example, if only the atime has changed or because another inode in the same inode block has changed.
Each inode copy of a file that can be found in the journal and that has no dtime set can be used by ext4magic to recover a copy of the file with the contents it had at exactly that point in time. This is true only if the data blocks addressed by this inode have not been changed in the meantime. Which inode copy is used for a recovery depends on the recover options and time options on the ext4magic command line. In very difficult cases, individual file versions can be selected directly by choosing a specific inode copy via its journal transaction number.
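The identity rule described above (same ctime, same size, same link count) can be applied to a saved journal dump to build a short change history of an inode. This is an added example, not ext4magic's own code, and its function names are hypothetical. The sample is abbreviated from the dump of inode 2 on this page; transaction 27 is constructed to stand for a copy written when only the atime had changed.

```python
import re

# Abbreviated from the journal dump of inode 2 on this page (fields used here only).
# Transaction 27 is constructed: a copy written although only atime had changed.
SAMPLE = """\
Dump Inode 2 from journal transaction 26
User: 0 Group: 0 Size: 4096
Links: 11 Blockcount: 8
ctime: 1260473508:0000000000 -- Thu Dec 10 20:31:48 2009
Dump Inode 2 from journal transaction 27
User: 0 Group: 0 Size: 4096
Links: 11 Blockcount: 8
ctime: 1260473508:0000000000 -- Thu Dec 10 20:31:48 2009
Dump Inode 2 from journal transaction 29
User: 0 Group: 0 Size: 4096
Links: 3 Blockcount: 8
ctime: 1260473770:0000000000 -- Thu Dec 10 20:36:10 2009
Dump Inode 2 from journal transaction 47
User: 0 Group: 0 Size: 4096
Links: 3 Blockcount: 8
ctime: 1272100594:0000000000 -- Sat Apr 24 11:16:34 2010
"""

def parse_copies(text):
    """Return one dict per inode copy: txn, size, links, ctime (epoch seconds)."""
    copies = []
    for chunk in re.split(r"^(?=Dump Inode )", text, flags=re.M):
        head = re.match(r"Dump Inode \d+ from journal transaction (\d+)", chunk)
        if head:
            num = lambda pat: int(re.search(pat, chunk, re.M).group(1))
            copies.append({"txn": int(head.group(1)),
                           "size": num(r"^User:.*Size: (\d+)"),
                           "links": num(r"^Links: (\d+)"),
                           "ctime": num(r"^ctime: (\d+)")})
    return copies

def distinct_copies(copies):
    """Keep the first copy per (ctime, size, links): the identity rule above."""
    seen = {}
    for c in copies:
        seen.setdefault((c["ctime"], c["size"], c["links"]), c)
    return list(seen.values())

def changes(copies):
    """(txn, field, old, new) for each size/links change between distinct copies."""
    hist = distinct_copies(copies)
    return [(cur["txn"], f, prev[f], cur[f])
            for prev, cur in zip(hist, hist[1:])
            for f in ("size", "links") if prev[f] != cur[f]]
```

On the sample, the only size or link change is at transaction 29, where the link count of the root directory drops from 11 to 3. The last copy that still has 11 links is the one from transaction 26.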