SNAP Operating System File Recovery Through The Super Block
Recovering a single file from a SNAP OS Part 2
Last week we discussed how to find the file name on a SNAP OS file system. Using a sector editor we searched the hard disk drive for the file name, and once we found it I broke down the on-disk data structure for a directory/file entry. Of the many elements of that structure, the most important for determining where the file's data is stored is the inode number. In this week's installment we will learn how to use the on-disk data structure called the super block. It is the key to the entire file system, and we need it to get from the inode number to the data behind this file name.
In order to find the super block, we must first understand how SNAP OS lays itself out on a drive. In Windows the basic unit of storage is the cluster; the standard cluster size for an NTFS drive is 4096 bytes, or eight (8) sectors. In SNAP OS the basic unit of storage is the block, and the standard block size is 8192 bytes, or sixteen (16) sectors of 512 bytes. Blocks are then grouped together, and these groupings of blocks are called cylinder groups. The on-disk layout of a cylinder group is as follows.
Cylinder Group On Disk Layout
All blocks are relative to the beginning of the cylinder group.
- Super Block: Block 0: This block houses a copy of the on-disk structure of the super block
- Cylinder Group: Block 1: On-disk structure of the cylinder group
- Inodes: Blocks 2 – (2 + n): Inode storage. Each inode is 128 bytes, therefore 4 inodes per sector, or 64 inodes per block.
- Data Blocks: Blocks (2 + n) – (end of cylinder group): All remaining blocks to the end of the cylinder group are data blocks.
Applying real world numbers
In order to help illustrate how all of this works together, let's take the 2003STEP.PDF example and apply it to our on-disk definitions.
First of all, we must find the super block. The best way to do that is to find the first cylinder group using the magic number I spoke of in my article “SNAP RAID Recovery Using SNAP OS”. The magic number for the cylinder group is 0x550209. So, using WinHex as my sector editor, I plug that value into the “Hex Search” field and run the search. In this case the cylinder group is stored at sector 48. We know that the cylinder group data structure is stored in relative block 1 and that a copy of the super block is stored in relative block 0. The blocks are 8K, so we count back 16 sectors (8K) from sector 48 and find the copy of the super block.
So, a copy of the super block is stored at sector 32. Some data elements within the super block will help us identify the exact placement of the inode we are looking for. They are as follows (remember, these numbers are for this real-life case only; yours may differ because of disk size, formatting flags, etc.):
- Super Block Offset: 2
- Cylinder Block Offset: 3
- Inode Block Offset: 4
- Data Block Offset: 16
The above numbers are block offsets relative to the beginning of the volume, so the super block offset tells us where the volume starts. The super block is at block 2, which translates to sector 32 (2 blocks × 16 sectors). Subtracting those 2 blocks takes us to block zero, sector 0, which is the beginning of the volume. Put another way, cylinder group 0 begins two blocks into the volume, and these offsets are the cylinder-group-relative layout above shifted by those two blocks: super block copy in block 2, cylinder group structure in block 3, inodes from block 4. This is important since many of the SNAP OS volumes I work on are RAID-ed. There is a great deal of extraneous data when dealing with RAIDs; however, using this formula we can easily find the beginning of the volume on a destriped RAID set.
Secondly, and more importantly, we can determine the total inodes per cylinder group. As defined before, there are 64 inodes per block. In our real-world example the inode blocks start at relative block 4 and the data blocks start at relative block 16. Subtracting 4 from 16 gives 12 blocks of inode storage per cylinder group, and 64 inodes per block times 12 blocks is 768 inodes per cylinder group. There is also a data element in the super block that records the inodes per cylinder group. If our calculation matches that element, we know that our file system is aligned; if it does not, stop and recheck the destripe and the block size before going any further, because every sector address that follows depends on this number. In this case they both match.
Now that we know there are 768 inodes per cylinder group, and the inode we are looking for is 1015297, we divide the inode number by the inodes per cylinder group to find the cylinder group that houses our inode: 1015297 ÷ 768 = 1322, since 768 × 1322 = 1,015,296. The remainder (the mod of the same values) tells us which inode within that cylinder group we want: 1015297 − 1,015,296 = 1. So cylinder group 1322, inode 1, is the inode we are looking for. Note that both numbers count from zero, which is what the division gives us: the first cylinder group is group 0 and the first inode slot in a group is inode 0.
Lastly, how do we find cylinder group 1322? The distance from one cylinder group's super block copy to the next is the size of the data group plus 64 sectors. In my case the data group was 1024 blocks, or 16,384 sectors; add 64 sectors to that and each cylinder group's copy is 16,448 sectors further on than the last. One note: every 16 cylinder groups there is an adjustment of 1,024 sectors, so the step into the 16th cylinder group is only 15,424 sectors. Because 16 × 64 = 1,024, the two rules together mean the copies advance by exactly 16,384 sectors per group plus a 64-sector stagger that grows with each group and wraps back to zero every 16 groups. That gives a closed form for the sector of the super block copy of cylinder group c: 32 + c × 16,384 + 64 × (c mod 16). For cylinder group 1322, c mod 16 = 10, so the copy sits at sector 21,660,320. The inode area starts 2 blocks (32 sectors) after the copy, at sector 21,660,352, and inode 1 is the second 128-byte slot in that sector, at byte offset 128.
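The whole procedure above, from the super block numbers to the sector that holds the inode, as an added worked example in Python. It was written for this article and is not SNAP OS code or a tool from the author. It takes the super block values exactly as reported above (super block at block 2, cylinder group at block 3, inodes at block 4, data at block 16, 768 inodes per group, a 1024-block data group, super block copy at sector 32) as constants rather than parsing them off the disk, since the article does not give the byte layout of the super block. The 64-sectors-per-group stagger and the 1,024-sector adjustment every 16 groups are coded twice, as the closed form and as the step-by-step walk, so the two can be checked against each other. The function names and the returned dictionary are my own.

```python
"""Locate an inode on a SNAP OS volume from the super block numbers in the article.

Added example for this article; not SNAP OS code or a tool from the author.
Units: 512-byte sectors, 8192-byte blocks (16 sectors), 128-byte inodes.
"""

SECTOR_BYTES = 512
BLOCK_BYTES = 8192
SECTORS_PER_BLOCK = BLOCK_BYTES // SECTOR_BYTES      # 16
INODE_BYTES = 128
INODES_PER_BLOCK = BLOCK_BYTES // INODE_BYTES        # 64
INODES_PER_SECTOR = SECTOR_BYTES // INODE_BYTES      # 4

# Values read from the super block copy found at sector 32 in the article
# (block offsets relative to the start of the volume; yours may differ).
SB_BLOCK_OFFSET = 2        # super block
CG_BLOCK_OFFSET = 3        # cylinder group structure
INODE_BLOCK_OFFSET = 4     # first inode block
DATA_BLOCK_OFFSET = 16     # first data block
SB_INODES_PER_GROUP = 768  # inodes-per-cylinder-group field in the super block
DATA_GROUP_BLOCKS = 1024   # size of the data group, in blocks (article's value)
SB_COPY_SECTOR = 32        # where the cylinder group 0 super block copy was found

# Stagger described in the article: each group's super block copy sits 64
# sectors further along than the previous group's, wrapping every 16 groups.
CG_STAGGER_SECTORS = 64
CG_STAGGER_PERIOD = 16


def volume_start_sector(sb_copy_sector: int = SB_COPY_SECTOR,
                        sb_block_offset: int = SB_BLOCK_OFFSET) -> int:
    """Sector where the volume begins: back up sb_block_offset blocks from the copy."""
    return sb_copy_sector - sb_block_offset * SECTORS_PER_BLOCK


def inodes_per_group() -> int:
    """Inodes per cylinder group derived from the block offsets (12 blocks * 64)."""
    return (DATA_BLOCK_OFFSET - INODE_BLOCK_OFFSET) * INODES_PER_BLOCK


def check_alignment() -> bool:
    """The derived count must match the super block's own field; if it does not,
    the volume is not laid out the way the offsets claim (e.g. a bad destripe)."""
    return inodes_per_group() == SB_INODES_PER_GROUP


def locate_in_group(inode: int) -> tuple:
    """(cylinder group, index within group) for an inode number, both from zero."""
    return divmod(inode, inodes_per_group())


def cg_superblock_sector(cg: int) -> int:
    """Closed form of the article's rule: 16,384 sectors per group plus a
    64-sector stagger that grows with (cg mod 16)."""
    base = volume_start_sector() + SB_BLOCK_OFFSET * SECTORS_PER_BLOCK  # cg 0 copy
    group_sectors = DATA_GROUP_BLOCKS * SECTORS_PER_BLOCK                 # 16,384
    return base + cg * group_sectors + CG_STAGGER_SECTORS * (cg % CG_STAGGER_PERIOD)


def cg_superblock_sector_stepwise(cg: int) -> int:
    """The same walk done the way the article describes it: add 16,448 sectors
    per group and take 1,024 back at every 16th group. Used as a cross-check."""
    sector = SB_COPY_SECTOR
    step = DATA_GROUP_BLOCKS * SECTORS_PER_BLOCK + CG_STAGGER_SECTORS  # 16,448
    for c in range(1, cg + 1):
        sector += step
        if c % CG_STAGGER_PERIOD == 0:
            sector -= CG_STAGGER_SECTORS * CG_STAGGER_PERIOD            # 1,024
    return sector


def inode_location(inode: int) -> dict:
    """Sector and byte offset of the on-disk inode, plus the intermediate values."""
    if not check_alignment():
        raise ValueError("derived inodes/group does not match the super block field")
    cg, idx = locate_in_group(inode)
    sb_sector = cg_superblock_sector(cg)
    if sb_sector != cg_superblock_sector_stepwise(cg):
        raise AssertionError("closed form and stepwise walk disagree")
    # The inode area starts (INODE_BLOCK_OFFSET - SB_BLOCK_OFFSET) blocks past the copy.
    inode_area = sb_sector + (INODE_BLOCK_OFFSET - SB_BLOCK_OFFSET) * SECTORS_PER_BLOCK
    sector_in_area, slot = divmod(idx, INODES_PER_SECTOR)
    return {
        "cylinder_group": cg,
        "index_in_group": idx,
        "cg_superblock_sector": sb_sector,
        "sector": inode_area + sector_in_area,
        "byte_offset": slot * INODE_BYTES,
    }


if __name__ == "__main__":
    # Inode number of 2003STEP.PDF from the article.
    for key, value in inode_location(1015297).items():
        print(f"{key:>22}: {value:,}")
```

Run as is, it reports cylinder group 1322, index 1, the group's super block copy at sector 21,660,320, and the inode at sector 21,660,352, byte offset 128. To use it on another volume, replace the constants with the values read from that volume's super block and make sure check_alignment() still holds before trusting any sector it produces.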
That’s it! Now that we have a method for finding the inode, we can actually start pulling data off. I will cover direct disk blocks and the formula for pulling data off of the drive in my next installment.