I am trying to find deleted inodes in the ext2 filesystem. And this is the approach that I am taking. However I feel that I am doing something wrong.
I am first seeking 1024 bytes to the start of the superblock
I get to know that blocksize is 1024 bytes, so the group descriptor table starts at offset 2048.
The group descriptor table has a group descriptor for each block group right? So I calculate the number of group descriptors or block groups: total inodes/inodes per group. This gives me the value 8, which means I have 8 group descriptors in my block group descriptor table.
I read the first_inode_table field for all the 8 group descriptors. The group descriptors are 32 bytes in length
So this is where I get confused. The inode table for the first group descriptor gives me 260. So does this mean that to access the inode table for the first block group I do 260*blocksize?
Once I reach there, I am reading the dtime field - which tells us the last deleted time. If that is >0 that means it had been deleted.
So another confusion I have is that it is said that the first 11 entries of the inode table are reserved. So this shouldn't be a problem as long I go through all the inode entries of the inode table right?
Is my approach correct? Please point me to the right direction if you see something wrong.
