Disk / Volume FS Features To Generate:
Disk wrappers:
- raw, qcow, rhevm, vmware, vix, MSVS*
- local device?
Volume:
- DOS Partition - Starting / Ending addresses, size, type
- DOS MBR - parameterized DOS partitions + header/ender
- GPT Header - size, addresses, guid, # of entries
- GPT Partition - guid, start / end addresses, attributes, name
FAT:
- Boot Sector: FAT 12/16/32, sizes, addresses, number of sectors, label
- FAT record value: cluster state/address
- FAT Table: array of record values
- Timestamp (convert to/from)
- Directory Entry: filename, timestamps, cluster address
- Long File Name Directory Entry
- Abstract Directory Entry (generate regular or long based on specified name)
NTFS:
- Cluster Run (convert to/from addresses)
- MFT Entry Header: size, attribute offset, next attribute id
- Attribute Header: type, length, name, flags, content (if resident) or content size / offset
- Attribute:
- Attributes:
- standard information: timestamps, flags, id’s
- attribute list
- file name: name, timestamps, size, namespace
- object_id: various ids
- data: file contents
- index_root: attribute type, index record size, entries
- index_allocation: entries
- index node header
- index entry: length, content, flags
- directory entry: file reference, length, flags, file_name attr
- bitmap
- File:
- MFT
- Volume
- AttrDef : attribute names, types
- Bitmap : allocated clusters
- Boot: sectors, addresses
- …
EXT3:
- superblock : inodes, blocks, fragments, timestamps, flags, addresses
- group descriptor table: block, inode bitmap/table, addresses, numbers
- block bitmap
- inode: timestamps, flags, pointers, acl, fragment size
- extended attribute: name, type, flags, value
- directory entry: length, name
- hash tree node: length, leaves, block / node address
EXT4:
- EXT3/*
- Extent Node: block address, # of blocks
- Extent Tree: length, leaves
Reiser:
XFS:
- superblock: block/extent/inode sizes, uuid, flags
- inode: timestamps, flags, uid/gid, size, extents
- directory: inode, name
- directory entry: name, address
- b+ tree