- The project has been funded by the European Commission. The Education, Audiovisual and
- Partitions and other file system artifacts
- Partitions
- BIOS
- Operating system boot structure (BIOS-MBR)
- Partition Styles
- BIOS-MBR
- Partition Styles
- Bootcode
- Partition Styles
- Master Boot Record
- Master Boot Record
- Master Boot Record
- Master Boot Record Hands On
- CHS Addressing
- Master Boot Record Hands On
- Extended boot records
- In the first sector of the extended section is the EBR structure (Extended
- GPT-Style
- In its partition table, a single entry must be created with partition type
- Extensible Firmware Interface
- GPT Overview
- GPT allows you to assign a unique 128-bit identifier (GUID) to partitions
- Reading the GUID
- GUID Partition Table Format
- GUID Partition Table Format
- GUID Partition Table Structure
- Primary GPT Header
- Primary GPT Header
- Partition Entry
- Partition entries are done simple and are done with equally incremented addresses. The
- Active partition
- NTFS VBR
- NTFS VBR
- NTFS VBR
- NTFS VBR
- NTFS VBR
- NTFS VBR and some GPT notes
GPT-Style
In its partition table, a single entry must be created with partition type 0xEE. The partition must begin at LBA 1 and have a size of 0xFFFFFFFF. In the CHS addressing fields, the entry must begin at address 0/0/2 (sector 1 is occupied by the MBR itself) and end at CHS address FF/FF/FF. The active (boot) flag must be 0 (inactive).
Protective MBR
Protective MBR provides sufficient information to convince a legacy system the drive is properly formatted.
Figure: MBR partition table highlighted, offsets 446 - 509
02/02/2021 | ISEC 2010 – Cybercrime Investigation Training | 22
Extensible Firmware Interface
New interface between the Operating System and the Hardware
Replacement for the now old BIOS model
Supports UNICODE for Volume Names
Uses GUID Partition Table format for Hard Disk Drives
GPT Overview
Support began with Windows Server 2003
Windows XP and Windows 2000 cannot read GPT
GPT cannot be used on removable media
MBR partitioned disk can be converted to GPT but only if empty
GPT must be used for whole drive
Only EFI equipped computers can boot from GPT disks
GPT allows you to assign a unique 128-bit identifier (GUID) to partitions
GUID: Globally Unique Identifier
{75048700-EF1F-11D0-9888-006097DEACF9}
Statistically unique number across systems.
32-character hexadecimal number created by the system.
Used for unique identification of:
Components
Users
Applications
System Objects
Reading the GUID
16-byte, 32-hex-digit GUID

| 4 bytes | 2 bytes | 2 bytes | 2 bytes | 6 bytes |
|---|---|---|---|---|
| Reverse | Reverse | Reverse | Forward | Forward |
| 16 E3 C9 E3 | 5C 0B | B8 4D | 81 7D | F9 2D F0 02 15 AE |

Read this way (the first three fields byte-reversed, the last two taken forward), the bytes shown give the GUID E3C9E316-0B5C-4DB8-817D-F92DF00215AE.
GUID Partition Table Format
First Sector is Protective MBR
Second Sector - Primary GPT Header
32 Sectors to describe partitions
128 Partitions allowed
4 partition entries per sector (128 bytes each)
Each Partition Descriptor contains:
Partition Type GUID
Unique Partition GUID
Partition Attributes
Starting LBA
Ending LBA
GUID Partition Table Format
Up to 128 Partitions
GUID Partition Table Structure

| Structure | LBA |
|---|---|
| Protective MBR | 0 |
| Primary GPT Header | 1 |
| First 4 Partition Entries | 2 |
| Partitions 5 - 128 | 3 - 33 |
| First Partition | |
| Remaining Partitions | |
| First 4 Partition Entries (backup copy) | |
| Partitions 5 - 128 (backup copy) | |
| GPT Header (backup copy) | Last |
GPT Uses LBA
Stores a backup at the end of the drive
No wasted space
Primary GPT Header

| Description | Offsets |
|---|---|
| EFI Signature | 0 - 7 |
| GPT Header Checksum | 16 - 19 |
| First Usable LBA | 40 - 47 |
| Last Usable LBA | 48 - 55 |
| Physical Drive GUID | 56 - 71 |
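As an added example that is not part of the training deck, the following Python ties together the "Reading the GUID" rule, the 128-byte partition entry layout and the header offsets above: it builds a constructed 92-byte primary header and one entry, decodes the GUIDs with the reverse/reverse/reverse/forward/forward rule, and recomputes the header checksum (offsets 16-19) the way a forensic tool does before trusting the rest of the table. The on-disk byte string is the Microsoft Reserved partition type GUID, which is what the slide's sample bytes decode to; the drive GUID, unique partition GUID and LBA values are arbitrary constructed values.

```python
import struct
import zlib

# Constructed sample bytes (not from the training deck). The first value is the Microsoft
# Reserved partition type GUID as stored on disk; decoded, it gives the slide's example
# E3C9E316-0B5C-4DB8-817D-F92DF00215AE.
MSR_TYPE_ON_DISK = bytes.fromhex("16E3C9E35C0BB84D817DF92DF00215AE")
DISK_GUID_ON_DISK = bytes(range(0x10, 0x20))   # arbitrary constructed drive GUID

def decode_guid(raw: bytes) -> str:
    """Slide rule: first three fields are stored reversed (little-endian), last two read forward."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw, 0)
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{raw[8:10].hex().upper()}-{raw[10:16].hex().upper()}"

def build_sample_header(last_lba: int = 2047) -> bytes:
    """92-byte primary GPT header for LBA 1 with a valid CRC32 in offsets 16-19."""
    hdr = bytearray(92)
    hdr[0:8] = b"EFI PART"                                   # EFI signature, offsets 0-7
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)          # revision 1.0, header size
    struct.pack_into("<QQ", hdr, 24, 1, last_lba)            # this header LBA, backup header LBA
    struct.pack_into("<QQ", hdr, 40, 34, last_lba - 33)      # first usable / last usable LBA
    hdr[56:72] = DISK_GUID_ON_DISK                           # physical drive GUID, offsets 56-71
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, 0)       # entry array LBA, count, entry size, array CRC
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))  # CRC computed while the field is still zero
    return bytes(hdr)

def parse_header(raw: bytes) -> dict:
    """Read the fields the slide lists and recompute the checksum with offsets 16-19 zeroed."""
    scratch = bytearray(raw[:92])
    struct.pack_into("<I", scratch, 16, 0)
    return {
        "signature": raw[0:8],
        "checksum_ok": zlib.crc32(bytes(scratch)) == struct.unpack_from("<I", raw, 16)[0],
        "first_usable_lba": struct.unpack_from("<Q", raw, 40)[0],
        "last_usable_lba": struct.unpack_from("<Q", raw, 48)[0],
        "disk_guid": decode_guid(raw[56:72]),
    }

def parse_entry(raw: bytes) -> dict:
    """Decode one 128-byte partition entry: type GUID, unique GUID, start/end LBA, attributes."""
    start, end, attrs = struct.unpack_from("<QQQ", raw, 32)
    return {"type_guid": decode_guid(raw[0:16]), "unique_guid": decode_guid(raw[16:32]),
            "starting_lba": start, "ending_lba": end, "attributes": attrs}

# One constructed entry: MSR type, arbitrary unique GUID, LBA 34-2081, no attribute bits, empty name
SAMPLE_ENTRY = MSR_TYPE_ON_DISK + bytes(range(0x20, 0x30)) + struct.pack("<QQQ", 34, 2081, 0) + bytes(72)
```

A header whose recomputed CRC32 does not match the stored value, or whose signature is not `EFI PART`, is the cue to fall back to the backup header at the last LBA rather than trust the primary copy.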
