7

I am trying to find deleted inodes in the ext2 filesystem. And this is the approach that I am taking. However I feel that I am doing something wrong.

  1. I am first seeking 1024 bytes to the start of the superblock

  2. I get to know that blocksize is 1024 bytes, so the group descriptor table starts at offset 2048.

  3. The group descriptor table has a group descriptor for each block group right? So I calculate the number of group descriptors or block groups: total inodes/inodes per group. This gives me the value 8, which means I have 8 group descriptors in my block group descriptor table.

  4. I read the first_inode_table field for all the 8 group descriptors. The group descriptors are 32 bytes in length

    So this is where I get confused. The inode table for the first group descriptor gives me 260. So does this mean that to access the inode table for the first block group I do 260*blocksize?

  5. Once I reach there, I am reading the dtime field - which tells us the last deleted time. If that is >0 that means it had been deleted.

    So another confusion I have is that it is said that the first 11 entries of the inode table are reserved. So this shouldn't be a problem as long I go through all the inode entries of the inode table right?

Is my approach correct? Please point me to the right direction if you see something wrong.

Community
  • 1
  • Reasoning is correct. Bug was due to another issue. –  Jun 04 '11 at 04:15
  • 4
    @Catie If you resolved this issue, should you either add an answer yourself, or simply delete the question. :-) – John Parker Jun 04 '11 at 10:49
  • 1
    add the answer yourself please! – kalaracey Jun 04 '11 at 21:29
  • 1
    Question has been answered, as it was another issue it has been resolved. There is no longer a problem and it's highly unlikely that Catie will return, so please help get this question of the unanswered list... – Tamara Wijsman Jun 14 '11 at 13:41

0 Answers0