XFS inode containing btree root node


mrthaggar
Member
 


Posted: Apr 15, 19 07:04

I'm currently doing some parsing work on XFS, and I'm a bit stuck looking at an inode containing the root of a btree. The inode is for a directory containing several thousand random text files I created.

Looking through the XFS documentation, I can see that after the inode code, at offset 178, there should be an 'xfs_bmdr_block' structure, which shows how many levels and entries there are. However, looking at the data, I'm a bit confused:



0x000100010000000000000000

That's the data representing the entries, so one level, one entry.

But both the entries are zero? I did read something somewhere that they should start at logical offset zero, but of course, I've lost that page so I can't confirm that is correct.

The data highlighted in blue is the actual block address of the directory data, but I don't understand why it's there in the inode. Is it part of an array, or is it just there in slack, and I should just ignore it?

This is the output from xfs_db:

u3.bmbt.level = 1
u3.bmbt.numrecs = 1
u3.bmbt.keys[1] = [startoff]
1:[0]
u3.bmbt.ptrs[1] = 4227489


So there's that offset, 4227489 (0x408aA1) and after checking, that's where the actual btree data is for the directory. What I can't figure out is how xfs_db calculated that from an array that contains zero.

Am I completely misunderstanding this?  
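
The layout behind the question above, as an added example that is not part of the original post: in the in-inode btree root the key array is sized for the maximum number of records the data fork can hold, and the pointer array starts after all of those key slots, so with one record the key (startoff 0) sits right after the header and the block pointer sits much further into the fork. The function names are hypothetical, and the sample fork is constructed assuming a 512-byte inode with a 176-byte core and di_forkoff of 0; the agblklog value of 22 is likewise an assumption.

```python
import struct

HDR = struct.Struct(">HH")  # xfs_bmdr_block: bb_level, bb_numrecs (big-endian u16)
KEY_SIZE = PTR_SIZE = 8     # br_startoff key and block pointer are big-endian u64


def data_fork_size(inode_size, core_size, forkoff):
    """Bytes available to the data fork; di_forkoff counts 8-byte units."""
    return forkoff * 8 if forkoff else inode_size - core_size


def parse_bmdr_root(fork):
    """Decode the btree root held in the data fork of a btree-format inode."""
    level, numrecs = HDR.unpack_from(fork, 0)
    # The fork is laid out for the maximum record count, not the current one.
    maxrecs = (len(fork) - HDR.size) // (KEY_SIZE + PTR_SIZE)
    if numrecs > maxrecs:
        raise ValueError(f"bb_numrecs {numrecs} exceeds maximum {maxrecs}")
    keys_off = HDR.size
    ptrs_off = keys_off + maxrecs * KEY_SIZE  # pointers follow ALL key slots
    keys = struct.unpack_from(f">{numrecs}Q", fork, keys_off)
    ptrs = struct.unpack_from(f">{numrecs}Q", fork, ptrs_off)
    return {"level": level, "numrecs": numrecs, "maxrecs": maxrecs,
            "ptrs_off": ptrs_off, "keys": keys, "ptrs": ptrs}


def split_fsblock(fsblock, agblklog):
    """Split a filesystem block number into (AG number, block within that AG)."""
    return fsblock >> agblklog, fsblock & ((1 << agblklog) - 1)


def build_sample_fork():
    """Constructed data fork: level 1, one record, key 0, pointer 4227489."""
    fork = bytearray(data_fork_size(512, 176, 0))  # assumed geometry: 336 bytes
    struct.pack_into(">HHQ", fork, 0, 1, 1, 0)     # header, then keys[1] = 0
    struct.pack_into(">Q", fork, 164, 4227489)     # ptrs[1] at 4 + 20 * 8
    return bytes(fork)


if __name__ == "__main__":
    root = parse_bmdr_root(build_sample_fork())
    print(root)
    print(split_fsblock(root["ptrs"][0], 22))      # agblklog 22 is assumed
```

The pointer is a filesystem block number that encodes an allocation group and a block within it, so it has to be split with the superblock's sb_agblklog before it can be turned into a disk offset.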
 
