Primary GPT Header
31
Partition Entry
Description |
|
Offsets |
Partition Type GUID |
0 |
- 15 |
Partition Unique GUID |
16 - 31 |
|
Starting LBA |
32 - 39 |
|
Ending LBA |
40 - 47 |
|
Partition Name |
56 |
- 127 |
Flags - Offsets 48-55 - Used when disk is part of a RAID
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
32 |
Partition entries are done simple and are done with equally incremented addresses. The first 16 bytes are used to define the GUID partition type. For example, the GUID EFI system appears as:
"C12A7328-F81F-11D2-BA4B-00A0C9 3EC93B", with the next 16 bytes containing a GUID that is unique to the partition. After that, there is the record of the start and end of the 64-bit LBA, if applicable. The rest of the space is dedicated to the names and attributes of the partition.
33
Active partition
You will recall that the first byte of the partition table entry is the boot indicator
80h indicates that the partition is active
On machines using the MBR partitioning style the active partition is bootable
The first sector of the active partition is known as the boot sector or boot block or volume boot record
The following slides discuss the VBR as found on NTFS formatted volumes
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
34 |
NTFS VBR
NTFS Volume Boot Record
̶Occupies 1 sector
̶But is allocated 16 sectors or a minimum of 1 cluster ̶It is a system file entitled $Boot
It consists of the following parts
̶Jump Code ̶OEM ID
̶BIOS Parameter Block ̶Extended BIOS Parameter Block ̶Bootstrap Program
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
35 |
NTFS VBR
Jump Code is in first three bytes and instructs the system to skip the following non executable bytes
Likely to be either
̶EB 5B 90 (Win NT)
̶EB 52 90 (2000/XP/Vista/2008 Server/W7) ̶EB 3C 90 (Fat32 Boot Sector)
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
36 |
NTFS VBR
OEM ID
̶8 bytes following jump code
̶On an NTFS formatted drive always NTFS
̶MSDOS5.0 indicates a drive formatted FAT32
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
37 |
NTFS VBR
BPB and Extended BPB
̶Contains information relating to ̶Cluster size
̶Volume size ̶Location of MFT ̶Location of MFT mirror
̶See next slide for more information
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
38 |
NTFS VBR
Offse |
Size |
Description |
Offset |
Size |
Description |
t |
|
|
(Dec) |
|
|
(Dec) |
|
|
|
|
|
|
|
LE = Little Endian |
28 |
4 |
Number of sectors from start of physical |
|
|
|
|
|
disk to start of VBR (Hidden sectors) |
00 |
3 |
Jump Code |
32 |
4 |
Sector count not used by NTFS hence 00 |
|
|
|
|
|
00 00 00 |
03 |
8 |
OEM Name |
36 |
4 |
Always 80 00 80 00 |
11 |
2 |
Bytes per sector (LE) |
40 |
8 |
Number of sectors in volume |
13 |
1 |
Sectors per cluster |
48 |
8 |
Starting Logical Cluster Number for MFT |
|
|
|
|
|
(LE) |
14 |
7 |
Not used – each byte |
56 |
8 |
Starting Logical Cluster Number for MFT |
|
|
should be 00 |
|
|
mirror (LE) |
21 |
1 |
Media Descriptor -F8 |
64 |
4 |
MFT record size (number of clusters per |
|
|
indicates a fixed disk |
|
|
record read LE as a signed integer) |
22 |
2 |
Not used – always 00 00 |
68 |
1 |
Index Buffer size |
24 |
2 |
Sectors per track (LE) |
72 |
8 |
Volume serial number |
26 |
2 |
Number of Heads (LE) |
80 |
4 |
MFT checksum (not used 00 00 00 00) |
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
39 |
NTFS VBR and some GPT notes
A back up copy of the NTFS Volume Boot Record is kept in the last sector of the NTFS partition
EFI systems can boot GPT disks but they do not use active partitions on the GPT disk in order to boot
Instead an Extensible Firmware Interface System Partition (ESP) is used
The ESP contains the files that are needed to boot the system
02/02/2021 |
ISEC 2010 – Cybercrime Investigation Training |
40 |