EXT File System Notes

Overview

EXT (Extended File System): First Linux FS (1992), 2GB max
Evolution: EXT2 → EXT3 → EXT4
Key Components:
- Superblocks: FS metadata
- Inodes: File metadata
- Block Groups: Logical grouping of blocks
- Bitmaps: Track block/inode usage

Version Comparison

Feature	EXT2	EXT3	EXT4
Max File Size	2 TiB	2 TiB	16 TiB
Max Volume Size	32 TiB	32 TiB	1 EiB
Journaling	No	Yes (metadata)	Yes (with checksums)
Compatibility	N/A	EXT2 mountable	EXT2/3 mountable

Key Structures

Superblock (`ext4_super_block`)

struct ext4_super_block {
  __le32  s_inodes_count;       // Inodes count
  __le32  s_blocks_count_lo;    // Blocks count
  __le32  s_log_block_size;     // Block size (2^(10 + value))
  // ... other members
};

Inspection Commands

# Hexdump superblock (block size at offset 0x18)
sudo dd if=/dev/loop0 bs=1024 count=1 skip=1 | hexdump -C
 
# Human-readable superblock info
sudo dumpe2fs /dev/loop0

Inode (`ext4_inode`)

struct ext4_inode {
  __le16  i_mode;        // File type/permissions
  __le32  i_size_lo;     // File size
  __le32  i_ctime;       // Inode change time
  __le32  i_block[15];   // Data block pointers
  // ... timestamps, ownership, etc
};

Inspection Commands

# View file metadata (including inode)
stat filename.txt
 
# Inspect inode via debugfs
sudo debugfs /dev/loop0
debugfs> stat <11>  # Replace with inode number

Example Output:

Inode: 11   Type: regular    Mode:  0755
Size: 9          Links: 1
ctime: 0x677bc680 -- Mon Jan  6 12:03:12 2025
...
EXTENTS: (0):24577

Forensic Techniques

File Recovery

Find Content Offset:

sudo strings -t d /dev/loop0 | grep "AAAAAAAA"
# Output: 100671488 AAAAAAAA

Calculate Block:

echo $((100671488 / 4096))  # → 24578

Extract Block:

sudo dd if=/dev/loop0 bs=4096 skip=24578 count=1 of=/tmp/recovered_file

Key Commands Cheatsheet

Command	Purpose
`sudo lsblk`	List block devices
`sudo dumpe2fs /dev/XXX`	Show detailed FS info
`sudo debugfs /dev/XXX`	Interactive FS inspector
`stat file.txt`	Display inode metadata
`sudo chmod 755 file`	Modify permissions (updates ctime)

Timestamps (Inode)

atime: Last access
mtime: Last modification
ctime: Last metadata change
crtime: Creation time

Note: Use debugfs stat <inode> to view all timestamps in raw format.

Recent Notes

EXT File System Notes

Setup VPN on Raspberry Pi

Finding SSRF in request points to a local IP

Explorer

EXT File System Notes

EXT File System Notes

Overview

Version Comparison

Key Structures

Superblock (`ext4_super_block`)

Inspection Commands

Inode (`ext4_inode`)

Inspection Commands

Forensic Techniques

File Recovery

Key Commands Cheatsheet

Timestamps (Inode)

Explorer

Graph View

Table of Contents

Recent Notes

EXT File System Notes

Setup VPN on Raspberry Pi

Finding SSRF in request points to a local IP

Explorer

EXT File System Notes

EXT File System Notes

Overview

Version Comparison

Key Structures

Superblock (ext4_super_block)

Inspection Commands

Inode (ext4_inode)

Inspection Commands

Forensic Techniques

File Recovery

Key Commands Cheatsheet

Timestamps (Inode)

Explorer

Graph View

Table of Contents

Superblock (`ext4_super_block`)

Inode (`ext4_inode`)