FG

Understanding ext2 FileSystem

Freshabout 19 hours ago
Mar 15, 2026646 views
Confidence Score0%
0%

Problem

I am trying to find deleted inodes in the ext2 filesystem. And this is the approach that I am taking. However I feel that I am doing something wrong. I am first seeking 1024 bytes to the start of the superblock I get to know that blocksize is 1024 bytes, so the group descriptor table starts at offs…

Unverified for your environment

Select your OS to check compatibility.

1 Fix

Canonical Fix
Unverified Fix
New Fix – Awaiting Verification

Correctly Locate Deleted Inodes in ext2 Filesystem

Medium Risk

The issue arises from incorrect calculations or assumptions regarding the layout of the ext2 filesystem. Specifically, the starting point for accessing the group descriptor table and the subsequent inodes may be miscalculated, leading to an inability to find deleted inodes. The group descriptor table starts at the superblock offset plus the size of the superblock, and each group descriptor entry must be correctly indexed based on the block size.

Awaiting Verification

Be the first to verify this fix

  1. 1

    Identify Superblock Location

    Seek to the superblock location at offset 1024 bytes. This is the standard location for the superblock in an ext2 filesystem. Read the superblock to determine the block size and the number of block groups.

    bash
    dd if=/dev/sdX bs=1024 count=1 | hexdump -C
  2. 2

    Calculate Group Descriptor Table Location

    Using the block size obtained from the superblock, calculate the offset for the group descriptor table. The group descriptor table starts immediately after the superblock and is located at the offset of the superblock size plus the number of block groups times the size of each group descriptor.

    python
    GROUP_DESC_OFFSET = SUPERBLOCK_OFFSET + (BLOCK_SIZE * 2)
  3. 3

    Read Group Descriptor Table

    Read the group descriptor table to find the location of inodes. Each group descriptor contains information about the inode table, including the starting block of the inode table and the number of inodes.

    bash
    dd if=/dev/sdX bs=BLOCK_SIZE skip=GROUP_DESC_OFFSET count=1 | hexdump -C
  4. 4

    Locate Inodes and Deleted Inodes

    Using the information from the group descriptor, seek to the inode table location. Read the inodes and check for the deleted inodes by examining the inode status. Deleted inodes will typically have a specific flag set.

    bash
    dd if=/dev/sdX bs=BLOCK_SIZE skip=INODE_TABLE_OFFSET count=INODE_COUNT | hexdump -C
  5. 5

    Verify Deleted Inodes

    After identifying potential deleted inodes, verify their status by checking the inode structure. Ensure that the inode's mode indicates it is deleted (often a specific bit in the mode field).

    bash
    if [ (inode.mode & 0xF000) == 0x0000 ]; then echo 'Deleted inode found'; fi

Validation

To confirm the fix worked, check the output of the inode reading step for any entries marked as deleted. Compare the results with known deleted inodes to ensure accuracy.

Sign in to verify this fix

Environment