The project has been funded by the European Commission. The Education, Audiovisual and
• Partitions and other file system artifacts
• Partitions
• BIOS
• Operating system boot structure (BIOS-MBR)
• Partition Styles
• BIOS-MBR
• Partition Styles
• Bootcode
• Partition Styles
• Master Boot Record
• Master Boot Record Hands On
• CHS Addressing
• Master Boot Record Hands On
• extended boot records
• In the first sector of the extended section is the EBR structure (Extended
• GPT-Style
• In its partition table, a single entry must be created with partition type
• Extensible Firmware Interface
• GPT Overview
• GPT allows you to assign a unique 128-bit identifier (GUID) to partitions
• Reading the GUID
• GUID Partition Table Format
• GUID Partition Table Structure
• Primary GPT Header
• Partition Entry
• Partition entries are done simple and are done with equally incremented addresses. The
• Active partition
• NTFS VBR
• NTFS VBR and some GPT notes
Partition Styles
• Both MBR and GPT Partition Styles may support basic or dynamic disk storage types
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx
• Please don’t confuse the terminology
• Basic disks allow the creation of partitions and the formatting of volumes
• Dynamic disks add functionality such as spanned, striped, mirrored and RAID-5 volumes
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
11 |
Master Boot Record
• The MBR occupies the first physical sector of a hard disk drive (PS0)
• The MBR has two main parts
– Master Boot Code
– Master Partition Table
– NTFS disks have a third part – a disk signature
Master Boot Record
Master Boot Code
– Small program used to mount the first active partition
– If the master boot code cannot find and mount an active partition it generates one of three error messages
• Invalid partition table
• Error loading operating system
• Missing operating system
– These can be seen in plain text near the end of the master boot code
Master Boot Record
Master Partition Table
– Small 64 byte database containing a list of partitions
– The database contains four 16 byte records
– Found at sector offset 446 within the MBR
– Followed by the End of Sector Marker 0x55AA at sector offsets 510-511
– Defines 4 Primary Partitions or 3 Primary and 1 extended partition
Master Boot Record Hands On
Record Byte Offset | Byte Length | Description
--- | --- | ---
00 | 1 | Boot indicator: 80h – Active, 00h – Inactive
01 | 1 | Starting Head
02 | 2 | Starting Sector and Starting Cylinder (note a)
04 | 1 | System Indicator Byte: 07h – NTFS
05 | 1 | Ending Head
06 | 2 | Ending Sector and Ending Cylinder (note a)
08 | 4 | LBA (logical block address): partition start
12 | 4 | Partition size (in sectors)

Note a (example on next slide): convert the two bytes to binary in Little Endian format – the lowest 6 bits denote the starting (or ending) sector; then prepend the remaining 2 bits to the highest 8 bits – the resulting 10 bits denote the starting (or ending) cylinder.

The problem with CHS coordinates is that with such a record you can address a maximum of 8 GB of disk. In the era of DOS this was acceptable, but rather soon it was no longer enough. To solve this problem, LBA (Logical Block Addressing) was developed, which uses 32-bit flat numbering of disk sectors. This allowed disks of up to 2 TB to be addressed. Later, the LBA bit depth was increased to 48 bits, but these changes did not affect the MBR: it still uses 32-bit sector addressing.
The essence of LBA is that each block addressed on the hard disk has its own number, an integer, starting from zero, etc. (that is, the first block LBA = 0, the second LBA = 1, ...)
LBA 0 = Cylinder 0 / Head 0 / Sector 1
CHS Addressing
The CHS coordinates of a sector are decoded as a Cylinder Head Sector and respectively denote a cylinder (track) number, a head (surface) number and a sector number. Cylinders and heads are numbered from zero, the sector is numbered from one. Thus CHS = 0/0/1 means the first sector on the zero cylinder on the zero head. This is where the MBR sector is located.
The cylinder number and the sector number share the two bytes of the partition entry, but not equally: the split is 10:6. The sector number occupies the lower 6 bits of the low byte, which allows sector numbers from 1 to 63. The cylinder number has 10 bits: the 8 bits of the high byte plus the remaining 2 bits of the low byte, as in “CCCCCCCC CCSSSSSS”, where the two C bits of the low byte are the high bits of the cylinder number.
Master Boot Record Hands On
Description | Value
--- | ---
Boot Indicator | 0x80
Starting Head | 0x20 = 32
Starting Sector and Starting Cylinder | 0x2100 = 00 21 LE = 00000000 00100001; Starting Sector = 100001 = 33; Starting Cylinder = 0000000000 = 0
System Indicator Byte | 0x07 NTFS
Ending Head | 0xFE = 254
Ending Sector and Ending Cylinder | 0xFFFF = FF FF LE = 11111111 11111111; Ending Sector = 111111 = 63; Ending Cylinder = 1111111111 = 1023
LBA (logical block address): partition start | 0x00080000 read LE = 2048
Partition size (in sectors) | 0x00F0FF04 read LE = 83881984
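A parser for the 16-byte record and the 0x55AA marker, added here as an example (it is not code from the training material), that decodes the entry worked through in the table above. The 16 entry bytes are reconstructed from the values in the table and placed in a constructed 512-byte sector whose other three records are zero-filled.

```python
import struct

SECTOR = 512
PT_OFFSET = 446            # master partition table starts here in the MBR
MARKER = b"\x55\xAA"       # end-of-sector marker at offsets 510-511

def decode_chs(head, sector_byte, cyl_low):
    """Split the two CHS bytes as note a describes: the low 6 bits of the
    sector byte are the sector (1-63), its top 2 bits are bits 8-9 of the
    cylinder, and the following byte holds cylinder bits 0-7."""
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return head, sector, cylinder

def parse_entry(raw):
    """Decode one 16-byte partition table record (all multi-byte fields LE)."""
    boot, sh, ss, sc, ptype, eh, es, ec, lba_start, size = struct.unpack("<BBBBBBBBII", raw)
    return {
        "active": boot == 0x80,
        "start_chs": decode_chs(sh, ss, sc),
        "type": ptype,
        "end_chs": decode_chs(eh, es, ec),
        "lba_start": lba_start,
        "size_sectors": size,
    }

def parse_mbr(sector):
    """Return the non-empty records of the table at offset 446 of an MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != MARKER:
        raise ValueError("not an MBR: bad length or missing 0x55AA marker")
    entries = [parse_entry(sector[PT_OFFSET + i * 16:PT_OFFSET + (i + 1) * 16]) for i in range(4)]
    return [e for e in entries if e["type"] != 0]   # a zero type byte means an unused record

# Constructed sector: the slide's entry in record 1, records 2-4 zero, marker at 510.
ENTRY = bytes.fromhex("80 20 21 00 07 FE FF FF 00 08 00 00 00 F0 FF 04")
MBR = bytes(PT_OFFSET) + ENTRY + bytes(48) + MARKER

if __name__ == "__main__":
    for e in parse_mbr(MBR):
        print(e)
```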
extended boot records
[Figure: the MBR partition table holds primary partitions P1–P3 and a 4th entry pointing to EBR1 PT; EBR1 PT, EBR2 PT, EBR3 PT and EBR4 PT are chained and describe logical partitions P4–P7 (numbered 1–7 in the diagram)]
• In the MBR partition table 3 primary partitions (P1 – P3) are defined
• The 4th entry does not point to a partition, but to an extended boot record which also contains a partition table
• The first entry in this table points to a partition (P4) and if necessary there can be a pointer to a further extended boot record (e.g. EBR2 PT) and so on
In the first sector of the extended partition is the EBR structure (Extended Boot Record). It is very similar to the MBR structure, but with the following differences:
1. There is no boot code in the EBR. Some boot loaders can write code there, but usually this area is filled with zeros.
2. The disk signature and the two unused bytes must be filled with zeros.
3. Only the first two entries of the partition table can be filled in. The remaining two entries must be filled with zeros.
At the end of the EBR structure, as in the MBR, there must be the “magic” value AA55h.
[Figure: for each EBR, the first partition table entry points to that EBR's logical partition and the second partition table entry points to the next EBR; the first EBR describes the first logical partition, the second EBR the second logical partition]
The first entry in the EBR partition table indicates relative offset between the sector of this EBR and the first sector of the logical partition, and the second entry indicates the relative address of the next EBR in the extended section. If this logical partition is the last in the list, then the second entry in the EBR partition table must be filled with zeros.
For the first entry of the EBR partition table, the distance in sectors between the current EBR sector and the beginning of the logical partition referenced by the entry is recorded in the partition start sector field (offset 08h). The size of this logical partition in sectors is written in the partition sector count field (offset 0Ch).
For the second entry of the EBR partition table, the distance between the sector of the very first EBR and the sector of the next EBR in the list is recorded in the partition start sector field. The size of the disk area from the sector of that next EBR structure to the end of the logical partition belonging to it is written in the partition sector count field.
Thus, the first entry in the partition table describes where to find the current logical partition and what size it occupies, and the second entry describes where to find the next EBR in the list and what size it occupies together with its partition.
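A walker for the EBR list described above, added as an example that is not part of the training material. It applies the two offset rules (entry 1 relative to the current EBR, entry 2 relative to the first EBR) to a constructed chain of three EBRs held in a sparse sector map, and refuses a chain that loops, lacks the AA55h marker, or uses entries 3–4, all of which a forensic parser must handle on a damaged or tampered image.

```python
import struct

SECTOR = 512
PT_OFFSET = 446
MARKER = b"\x55\xAA"

def make_ebr(part_rel, part_size, next_rel=0, next_size=0):
    """Constructed EBR: no boot code, entry 1 = logical partition (type 07h),
    entry 2 = link to the next EBR (type 05h) or zeros if last, AA55h marker."""
    sec = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", sec, PT_OFFSET, 0x00, 0x07, part_rel, part_size)
    if next_rel:
        struct.pack_into("<B3xB3xII", sec, PT_OFFSET + 16, 0x00, 0x05, next_rel, next_size)
    sec[510:512] = MARKER
    return bytes(sec)

def walk_ebr_chain(image, ext_start, max_hops=64):
    """Return [(logical partition start LBA, size in sectors), ...] for the
    extended partition whose first EBR is at LBA ext_start. image is a sparse
    {lba: 512-byte sector} map; unlisted sectors read as zeros."""
    logical, seen, ebr_lba = [], set(), ext_start
    for _ in range(max_hops):
        if ebr_lba in seen:
            raise ValueError(f"EBR chain loops back to LBA {ebr_lba}")
        seen.add(ebr_lba)
        sec = image.get(ebr_lba, bytes(SECTOR))
        if sec[510:512] != MARKER:
            raise ValueError(f"LBA {ebr_lba}: missing AA55h marker")
        if any(sec[PT_OFFSET + 32:PT_OFFSET + 64]):
            raise ValueError(f"LBA {ebr_lba}: entries 3-4 are not zero-filled")
        # entry 1: start field is relative to THIS EBR's sector
        p_rel, p_size = struct.unpack_from("<II", sec, PT_OFFSET + 8)
        # entry 2: start field is relative to the FIRST EBR (start of the extended partition)
        n_rel, n_size = struct.unpack_from("<II", sec, PT_OFFSET + 16 + 8)
        logical.append((ebr_lba + p_rel, p_size))
        if n_rel == 0:                 # zero-filled second entry ends the list
            return logical
        ebr_lba = ext_start + n_rel
    raise ValueError("EBR chain exceeds max_hops (unterminated or corrupt)")

# Constructed extended partition at LBA 2048 with three logical partitions.
EXT_START = 2048
IMAGE = {
    EXT_START:        make_ebr(63, 1000, next_rel=2048, next_size=2000),
    EXT_START + 2048: make_ebr(63, 1937, next_rel=4096, next_size=1000),
    EXT_START + 4096: make_ebr(63, 937),
}

if __name__ == "__main__":
    print(walk_ebr_chain(IMAGE, EXT_START))  # [(2111, 1000), (4159, 1937), (6207, 937)]
```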
