Nomenclature
- Windows: partitions are referred to as "volumes"
- The rest of the world: partitions are referred to as partitions; a volume is a physical drive
- VG (Volume Group): a logical grouping of partitions managed by the LVM

Volume Functions
- A volume is a collection of addressable sectors that can be used for storage
- Two functions: assemble multiple storage volumes into one, or partition a storage volume into independent partitions
Partitions, Named Volumes (Windows example, figure)
- One hard disk holding Partition 1, Partition 2 and Partition 3, presented as the C:, D: and E: volumes
- Thanks to Priscilla. Source: B. Carrier

Partitions
- A partition is a collection of consecutive sectors in a volume
- A partition is also a volume
- A partition's parent volume is the volume in which the partition is located
Partition Systems
- The structure of a partition system is OS dependent but independent of the disk hardware and interface
- Most volumes have a partition table; each entry describes the location, size and type of a partition
- Usually nothing on the disk itself marks the beginning or end of a partition; only the table does
- If the volume is one partition, the partition table is often missing

Generic Partition Table

  Starting Sector   Ending Sector   File System Type
  0                 99              FAT
  100               249             NTFS
  300               599             NTFS

Note that sectors 250-299 belong to no partition.
Volume Assembly
- Some OSs force each device/disk to be a volume (Windows and DOS)
- Some of the more robust OSs use volume assembly to make many/all disks look like one volume (Unix and derivations)

Windows Mount Points (figure)
- Volume 1 is C:, containing \Program Files\, \Windows\ and \Torture Office\
- Volume 2 is D:
- E: is the CD-ROM
Sector Addressing
- LBA (Logical Block Address): a physical sector address beginning at 0, the first sector of the disk
- LVA (Logical Volume Address): the address of a sector relative to the start of its volume
- Distinguish between disk and partition: a logical disk volume address counts from the start of the disk, a logical partition volume address counts from the start of the partition

Volume Analysis
- The partition layout of the volume is important for: consistency, corruption, unallocated space, evidence recovery

Techniques
- Data in a partition is likely to be a file system
- Data in sectors not in any partition is likely to be left over from a previous life of the disk
- Using dd we can create a file for each partition
- Using dd we can also create files of consecutive unallocated sectors

Consistency Checks
- Consecutive collections of sectors utilizing the entire disk/device
- Consecutive collections of sectors not utilizing the entire disk/device (gaps of unallocated sectors)
- Overlapping collections of sectors
- Missing or corrupted partition tables, intentional or accidental
DOS Partitions
- The MBR is the first 512-byte sector
- Boot code (bytes 0-445)
- Partition table (bytes 446-509)
- Signature (bytes 510-511: 0x55 then 0xAA, which reads as 0xAA55 as a little-endian 16-bit word)
- The partition table has four entries

DOS Disk (figure)
- Partition table in the MBR, followed by Partition 1 and Partition 2

Extended Partitions (figure)
- Partition table, Partition 1, Partition 2, then an Extended Partition containing the logical partitions
- The primary entries are numbered 1-4, so the first logical partition inside the extended partition is always number 5 (e.g. /dev/sda5 on Linux)

Master Boot Sector/Record
- First sector of the device
- Contains boot code
- Contains the partition table
- Last two bytes are 0x55 0xAA

MBS Structure (offsets in hex)

  000-1BD   Boot code (Master Boot Record, MBR)
  1BE-1CD   1st partition entry
  1CE-1DD   2nd partition entry
  1DE-1ED   3rd partition entry
  1EE-1FD   4th partition entry
  1FE-1FF   Signature, value 0x55 0xAA

Partition Table
- Four 16-byte entries; each entry describes a partition
- Byte 0: bootable flag (0x80 means bootable)
- Bytes 1-3: starting CHS address
- Byte 4: partition type
- Bytes 5-7: ending CHS address
- Bytes 8-11: starting LBA address (little-endian)
- Bytes 12-15: size, the number of sectors in the partition (little-endian)
Partition Types (fdisk listing, type codes in hex)

  0   Empty                     1e  Hidden W95 FAT16 (LBA)    80  Old Minix                 be  Solaris boot
  1   FAT12                     24  NEC DOS                   81  Minix / old Linux         bf  Solaris
  2   XENIX root                39  Plan 9                    82  Linux swap / Solaris      c1  DRDOS/sec (FAT-12)
  3   XENIX usr                 3c  PartitionMagic recovery   83  Linux                     c4  DRDOS/sec (FAT-16 <32M)
  4   FAT16 <32M                40  Venix 80286               84  OS/2 hidden C: drive      c6  DRDOS/sec (FAT-16)
  5   Extended                  41  PPC PReP Boot             85  Linux extended            c7  Syrinx
  6   FAT16                     42  SFS                       86  NTFS volume set           da  Non-FS data
  7   HPFS/NTFS                 4d  QNX4.x                    87  NTFS volume set           db  CP/M / CTOS / ...
  8   AIX                       4e  QNX4.x 2nd part           88  Linux plaintext           de  Dell Utility
  9   AIX bootable              4f  QNX4.x 3rd part           8e  Linux LVM                 df  BootIt
  a   OS/2 Boot Manager         50  OnTrack DM                93  Amoeba                    e1  DOS access
  b   W95 FAT32                 51  OnTrack DM6 Aux1          94  Amoeba BBT                e3  DOS R/O
  c   W95 FAT32 (LBA)           52  CP/M                      9f  BSD/OS                    e4  SpeedStor
  e   W95 FAT16 (LBA)           53  OnTrack DM6 Aux3          a0  IBM Thinkpad hibernation  eb  BeOS fs
  f   W95 Ext'd (LBA)           54  OnTrackDM6                a5  FreeBSD                   ee  EFI GPT
  10  OPUS                      55  EZ-Drive                  a6  OpenBSD                   ef  EFI (FAT-12/16/32)
  11  Hidden FAT12              56  Golden Bow                a7  NeXTSTEP                  f0  Linux/PA-RISC boot
  12  Compaq diagnostics        5c  Priam Edisk               a8  Darwin UFS                f1  SpeedStor
  14  Hidden FAT16 <32M         61  SpeedStor                 a9  NetBSD                    f4  SpeedStor
  16  Hidden FAT16              63  GNU HURD or SysV          ab  Darwin boot               f2  DOS secondary
  17  Hidden HPFS/NTFS          64  Novell Netware 286        b7  BSDI fs                   fd  Linux raid autodetect
  18  AST SmartSleep            65  Novell Netware 386        b8  BSDI swap                 fe  LANstep
  1b  Hidden W95 FAT32          70  DiskSecure Multi-Boot     bb  Boot Wizard hidden        ff  BBT
  1c  Hidden W95 FAT32 (LBA)    75  PC/IX
Decoding Partition Tables: Gotchas
- Decimal or hex?
- Little endian or big endian? (the LBA and size fields are little-endian, so the bytes 82 C8 73 02 on disk mean 0x0273C882)
- Output to text? How do you get the text back to the "lab" for analysis?
- Output to file? Where will you put it? Don't write to the suspect's HD!

Partition Table in English
Partition 1
- Bootable (0x80 at byte 0)
- Type is FAT32 with LBA addressing (0x0C at byte 4)
- It starts at sector 0x3F (63 in decimal)
- Its size is 0x0273C882 sectors = 41,142,402 sectors in decimal
- 41,142,402 x 512 bytes = 21,064,909,824 bytes = ~21 GB (19.6 GiB)

Partition Table in English (cont.)
Partition 2
- Not bootable (0x00 at byte 0)
- Type is Linux swap (0x82 at byte 4)
- It starts at sector 41,142,465 in decimal, immediately after partition 1 (63 + 41,142,402)
- Its size is 0x000FB040 sectors = 1,028,160 sectors in decimal
- 1,028,160 x 512 bytes = 526,417,920 bytes = ~0.5 GB

Partition Table in English (cont.)
Partition 3
- Not bootable (0x00 at byte 0)
- Type is Linux (0x83 at byte 4)
- It starts at sector 42,170,625 in decimal, immediately after partition 2 (41,142,465 + 1,028,160)
- Its size is 0x022518C0 sectors = 35,985,600 sectors in decimal
- 35,985,600 x 512 bytes = 18,424,627,200 bytes = ~18.4 GB (17.2 GiB)
- The three partitions are consecutive; only sectors 0-62 (the MBR and the rest of the first track) are not inside any partition
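The decoding above, the layout checks from the "Consistency Checks" slide and the dd carving from the "Techniques" slide, as one added example (not code from the slides or from B. Carrier's tools). It parses the four entries at offsets 0x1BE-0x1FD with little-endian LBA and size fields, verifies the 0x55 0xAA signature, flags unallocated gaps, overlaps and entries that run past the end of the disk, and emits the dd commands that would carve each region. The 512-byte MBR it runs on is constructed here from the three entries decoded on the "Partition Table in English" slides; the CHS bytes are zeroed placeholders and the total disk size (78,158,273 sectors) is an assumption, since neither appears on the slides.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
# Subset of the partition type table; unknown codes are reported as hex.
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "HPFS/NTFS",
              0x0B: "W95 FAT32", 0x0C: "W95 FAT32 (LBA)", 0x0F: "W95 Ext'd (LBA)",
              0x82: "Linux swap / Solaris", 0x83: "Linux", 0xEE: "EFI GPT"}


@dataclass
class Partition:
    index: int          # 1-4, the slot in the MBR table
    bootable: bool
    type_code: int
    start_lba: int
    size: int           # number of sectors

    @property
    def end_lba(self) -> int:          # last sector of the partition, inclusive
        return self.start_lba + self.size - 1

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_code, f"unknown (0x{self.type_code:02x})")


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Decode the four 16-byte entries at 0x1BE-0x1FD; LBA and size are little-endian."""
    if len(sector0) < 512:
        raise ValueError("need the full 512-byte MBR")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("bad signature: bytes 510-511 are not 55 AA")
    parts = []
    for i in range(4):
        entry = sector0[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        # flag(1) CHS start(3) type(1) CHS end(3) LBA start(4) size(4)
        flag, _chs_start, ptype, _chs_end, start, size = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 and size == 0:
            continue                    # unused slot
        parts.append(Partition(i + 1, flag == 0x80, ptype, start, size))
    return parts


def check_layout(parts: List[Partition], disk_sectors: int) -> List[Tuple[str, int, int]]:
    """Walk the partitions in LBA order and report (kind, first_sector, last_sector) for
    unallocated gaps, overlaps and partitions that extend past the end of the disk.
    Sector 0 holds the MBR but is not inside any partition, so the walk starts there."""
    findings = []
    cursor = 0                          # first sector not yet accounted for
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            findings.append(("unallocated", cursor, p.start_lba - 1))
        elif p.start_lba < cursor:
            findings.append(("overlap", p.start_lba, cursor - 1))
        if p.end_lba >= disk_sectors:
            findings.append(("beyond_disk", disk_sectors, p.end_lba))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < disk_sectors:
        findings.append(("unallocated", cursor, disk_sectors - 1))
    return findings


def dd_commands(image: str, parts: List[Partition], findings) -> List[str]:
    """dd lines that carve each partition and each unallocated run into its own file."""
    cmds = [f"dd if={image} of=part{p.index}.dd bs={SECTOR} skip={p.start_lba} count={p.size}"
            for p in parts]
    for n, (kind, first, last) in enumerate(findings):
        if kind == "unallocated":
            cmds.append(f"dd if={image} of=unalloc{n}.dd bs={SECTOR} skip={first} count={last - first + 1}")
    return cmds


def build_entry(bootable: bool, ptype: int, start: int, size: int) -> bytes:
    """Constructed 16-byte entry; the CHS fields are zeroed placeholders, not from the slides."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)


# Constructed MBR built from the three entries decoded on the slides.
SAMPLE_MBR = (bytes(446)
              + build_entry(True, 0x0C, 0x3F, 0x0273C882)
              + build_entry(False, 0x82, 41_142_465, 0x000FB040)
              + build_entry(False, 0x83, 42_170_625, 0x022518C0)
              + bytes(16)
              + b"\x55\xAA")
SAMPLE_DISK_SECTORS = 78_158_273        # assumed; the slides do not give the disk size

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"{p.index}: {'boot' if p.bootable else '    '} {p.type_name:<22} "
              f"LBA {p.start_lba}-{p.end_lba} ({p.size * SECTOR / 1e9:.2f} GB)")
    findings = check_layout(parts, SAMPLE_DISK_SECTORS)
    print(findings)
    print("\n".join(dd_commands("disk.dd", parts, findings)))
```

Run against a real image, read sector 0 with `open(image, "rb").read(512)` and pass the image's size in sectors to `check_layout`; an "overlap" or "beyond_disk" finding is the signal that the table has been edited or corrupted and that the partitions should be carved by hand rather than trusted.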
Partition Types Info http://www.win.tue.nl/~aeb/partitions/partition_types-1.html