Computer Forensics DOS Partitioning

Partitioning Practices
 We separate partitioning practices into those used by personal computers and those used by servers:
    Personal computers: DOS, Apple
    Servers: FreeBSD, Sun Solaris, GPT

DOS Partitions
 Although there is no standard specification, there are several accepted partitioning practices
    Most common type of partitioning system for PCs (and servers)
 Microsoft calls disks that use this type of partitioning system Master Boot Record (MBR) disks
    Another type is the GUID Partition Table (GPT), used by servers

Definitions
 Starting with Windows 2000, Microsoft differentiates between:
    Basic disk – an MBR or GPT disk on which partitions are independent and standalone
    Dynamic disk – an MBR or GPT disk on which partitions can be combined or merged to form larger volumes (e.g. RAID)
 We will focus on basic disks using MBR

DOS Partitions
 The MBR is in the first sector of the disk and holds a partition table with four entries
 When more than four partitions are needed, one partition may be an extended partition that contains secondary partitions
 The extended partition contains a table similar to the MBR in its first sector
 Non-extended partition entries store their starting sector and size. The ending sector address can be calculated:
    starting sector address + size in sectors - 1

Reasons for Partitioning
 Allowing users to have more than one operating system on a single computer
 Separation of operating system files from user files
 Improving performance by breaking up file space into smaller units

MBR
 The MBR resides in front of the first partition
    The MBR is the first 512 bytes of the disk
    The MBR is LBA sector 0
 The MBR contains:
    Boot code – how to process the partition table and how to locate the operating system
    Partition table
    Signature
 The partition table has four entries, one for each partition

MBR Contents (Table 5.1, Carrier)
Byte range   Description               Essential
0-445        Boot code                 no
446-461      Partition entry #1        yes
462-477      Partition entry #2        yes
478-493      Partition entry #3        yes
494-509      Partition entry #4        yes
510-511      Signature value 0xAA55    yes

Partition Table Entries (Bytes 446-509)
 Each entry in the partition table (16 bytes) has the following fields:
    Starting CHS address
    Ending CHS address
       Each uses 10 bits for cylinder, 8 bits for head, 6 bits for sector
    Starting LBA address
       Either CHS or LBA is used, but usually not both
    Number of sectors in the partition
    Type of partition – FAT, NTFS, etc.
    Flags – identify which partition is bootable, and thus which operating system will be loaded
 Each table entry describes the layout of a partition in CHS and LBA addresses
    CHS addresses only work for disks smaller than 8 GB (ignored if larger)
    LBA addresses work for disks that are terabytes (TB) in size

DOS Partition Table Entries
Byte    Description
0       Bootable flag
1-3     Starting CHS address
4       Partition type
5-7     Ending CHS address
8-11    Starting LBA address
12-15   Size in sectors

Partition Types (from Table 5.3, Carrier)
Type    Description
0x00    Empty
0x01    FAT12
0x04    FAT16, < 32 MB
0x06    FAT16, 32 MB – 2 GB
...
0xa8    Mac OS X
...
0xfb    VMware File System

Basic DOS Disk
[Figure 5.1, Carrier: a simple disk with two partitions and the MBR – MBR | Partition #1 | Partition #2]

Extended Partitions
 If we need more than four partitions, we can use extended partitions
    Example: we want to divide a 12 GB disk into six 2 GB partitions for using multiple operating systems
 Use up to three partitions normally, then create an extended partition that can be further subdivided

DOS Disk Partition Variations
[Figure 5.2, Carrier: DOS disk with three primary file system partitions and one primary extended partition – MBR | Primary File System #1 | Primary File System #2 | Primary File System #3 | Primary Extended Partition (contains secondaries...)]

Secondary Extended Partitions
[Figure 5.3, Carrier: Secondary File System #1 | Secondary Extended #1 | Secondary Extended #2 | Secondary File System #2. See also Figure 5.4]

Boot Code
 The partition that is to be booted is indicated by the bootable flag being set
    Standard boot code for a system with only one OS boots the partition whose flag is set to 0x80
    Alternatively, the boot code may prompt the user to choose a partition for booting

Extracting Sectors from an Actual System
Using the dd command we can get the first sector of the disk:
# dd if=disk3.dd bs=512 skip=0 count=1 | xxd

MBR from the Previous dd Command
ASCII output removed; values are stored little endian, with the least significant byte at the lowest address.
:eb ed0 bc00 b0b ed8 8ec0 [REMOVED] : b : f72 00bb 0100 b40e cd10 ac3c :0075 f4c : : fe 3f7f 3f f [REMOVED] :01cd 05f3 ffff 8d eb aa
 Bytes 0–445 contain boot code.
 The 0xaa55 signature is in the last two bytes of the sector.
 The partition table entry for partition 1 (highlighted in the slide) shows a partition type of 0x07 and a starting sector of 63.
 Looking at the output on p. 92, which partition is bootable?
 How did we get Figure 5.5?

Extended Partition Example (Figure 5.6)
 A primary extended partition starts at sector 1,000 with a length of 11,000 sectors
 Its partition table has two entries:
    A FAT file system, starting at relative sector 63 (actual 1,063) – why 63?
    An extended partition, starting at relative sector 4,000 (actual 5,000)
 The secondary extended partition contains an NTFS file system, starting at sector 63 (actual 5,063)
    Its second entry is for another extended partition, starting at 6,500 (actual 7,500)
 Continue?

Continued Example
 Contents of the first sector of the primary extended partition, in sector 3,293,325 (see Table 5.4):
# dd if=disk3.dd bs=512 skip= count=1 | xxd
[REMOVED] : :01cd 83fe 7fcb 3f e :41cc 05fe bf0b 3f82 3e00 40b0 0f : : fe 3f7f 3f f00 55aa
 The last two entries are empty.
 The type is 0x83 – Linux, so it is a secondary file system partition and it starts relative to the start of the current extended partition...
 Table 5.5 is an extension of Table 5.4. Calculate the start of the DOS extended partition.

Tools
 fdisk – lists partitions
 mmls – lists the partition layout and marks unused sectors as unallocated

fdisk
# fdisk -lu disk3.dd
Disk disk3.dd: 255 heads, 63 sectors, 0 cylinders
Units = sectors of 1 * 512 bytes
Device       Boot   Start   End   Blocks   Id   System
disk3.dd1                                       NTFS
disk3.dd2    *                                  Linux
disk3.dd3                                       Linux
disk3.dd4                                       Extended
...
 This output lists only the primary extended partition (disk3.dd4), not the secondary extended partitions. This is acceptable because only primary and secondary file system partitions are needed for an investigation, but not all entries are shown.

mmls
# mmls -t dos disk3.dd
Units are in 512-byte sectors
Slot        Start   End   Length   Description
00:                                Table #0
01:                                Unallocated
02: 00:                            bigNTFS (0x07)
03: 00:                            Linux (0x83)
04: 00:                            Linux (0x83)
05: 00:03 ...
 Unused sectors are marked unallocated, partition tables are indicated, and extended partition locations are indicated. See pages 98 and 99.
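The partition table layout (bytes 446-509, the 16-byte entry fields and the 0xAA55 signature), the extended partition chain of the Figure 5.6 example, and the mmls-style unallocated listing can all be exercised with one small parser. The Python below is an added example, not code from the slides or from Carrier's book. It builds a constructed 12,000-sector image in memory using the slides' numbers (primary extended partition at sector 1,000 and 11,000 sectors long; FAT at relative sector 63; secondary extended partition at relative sector 4,000; NTFS at 5,063; next extended partition at 7,500) and walks it. The partition sizes, the 0xFE 0xFF 0xFF CHS filler and the 0x0F extended type are assumptions added for the example.

```python
"""Walk a DOS/MBR partition layout, including the extended partition chain.

Added example (not code from the slides or from Carrier): a constructed
in-memory image reproduces the slides' extended partition numbers and is
walked the way a layout tool such as mmls does.
"""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}  # DOS extended and Win95 extended (LBA) types (assumed)

def decode_chs(b):
    """Unpack the 3-byte CHS field: 8-bit head, 6-bit sector, 10-bit cylinder."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector

def parse_entry(raw):
    """Parse one 16-byte entry: byte 0 flag, 1-3 CHS, 4 type, 5-7 CHS, 8-11 LBA, 12-15 size."""
    lba, size = struct.unpack_from("<II", raw, 8)
    return {"bootable": raw[0] == 0x80, "start_chs": decode_chs(raw[1:4]),
            "type": raw[4], "end_chs": decode_chs(raw[5:8]), "lba": lba, "size": size}

def parse_table(sector):
    """Return the four entries of an MBR-style sector after checking the 0xAA55 signature."""
    if struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("missing 0xAA55 signature")
    return [parse_entry(sector[446 + 16 * i:462 + 16 * i]) for i in range(4)]

def walk(image):
    """List (description, start, end) rows for tables and partitions, like mmls."""
    rows = [("Table", 0, 0)]
    for e in parse_table(image[:SECTOR]):
        if e["type"] == 0:
            continue
        end = e["lba"] + e["size"] - 1  # ending sector = starting sector + size - 1
        if e["type"] in EXTENDED_TYPES:
            rows.append(("Extended (primary)", e["lba"], end))
            rows += walk_extended(image, e["lba"], e["lba"])
        else:
            rows.append((f"Type 0x{e['type']:02x}" + (" *" if e["bootable"] else ""), e["lba"], end))
    return rows

def walk_extended(image, primary_start, current_start):
    """Follow the chain of extended partition tables, resolving relative LBAs."""
    rows = [("Table", current_start, current_start)]
    for e in parse_table(image[current_start * SECTOR:(current_start + 1) * SECTOR]):
        if e["type"] == 0:
            continue
        if e["type"] in EXTENDED_TYPES:
            # next extended partition: relative to the PRIMARY extended partition's start
            start = primary_start + e["lba"]
            rows.append(("Extended (secondary)", start, start + e["size"] - 1))
            rows += walk_extended(image, primary_start, start)
        else:
            # file system: relative to the CURRENT extended partition's start
            start = current_start + e["lba"]
            rows.append((f"Type 0x{e['type']:02x}", start, start + e["size"] - 1))
    return rows

def unallocated(rows, total_sectors):
    """Gaps not covered by any table or file system partition (container rows are skipped)."""
    used = sorted((s, e) for d, s, e in rows if not d.startswith("Extended"))
    gaps, cursor = [], 0
    for s, e in used:
        if s > cursor:
            gaps.append((cursor, s - 1))
        cursor = max(cursor, e + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def make_entry(ptype, lba, size, bootable=False):
    """Encode an entry; CHS fields carry a constructed 0xFE 0xFF 0xFF filler (LBA is used)."""
    chs = bytes([0xFE, 0xFF, 0xFF])
    return bytes([0x80 if bootable else 0x00]) + chs + bytes([ptype]) + chs + struct.pack("<II", lba, size)

def make_table(entries):
    """Build a 512-byte table sector holding up to four entries plus the signature."""
    sector = bytearray(SECTOR)
    for i, e in enumerate(entries):
        sector[446 + 16 * i:462 + 16 * i] = e
    sector[510:512] = b"\x55\xAA"  # 0xAA55 stored little endian
    return bytes(sector)

def build_image(total_sectors=12_000):
    """Constructed 12,000-sector image mirroring the slides' extended partition example."""
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = make_table([make_entry(0x07, 63, 937, bootable=True), make_entry(0x05, 1000, 11000)])
    img[1000 * SECTOR:1001 * SECTOR] = make_table([make_entry(0x06, 63, 3000), make_entry(0x05, 4000, 2500)])
    img[5000 * SECTOR:5001 * SECTOR] = make_table([make_entry(0x07, 63, 2000), make_entry(0x05, 6500, 2000)])
    img[7500 * SECTOR:7501 * SECTOR] = make_table([make_entry(0x83, 63, 1000)])
    return bytes(img)

if __name__ == "__main__":
    layout = walk(build_image())
    for desc, start, end in layout + [("Unallocated", s, e) for s, e in unallocated(layout, 12_000)]:
        print(f"{start:>8} {end:>8} {end - start + 1:>8}  {desc}")
```

Running the module prints one row per partition table, file system and unallocated gap, in the spirit of the mmls output above. The rule that walk_extended encodes is the one the Continued Example slide states for file systems (start relative to the current extended partition), and the slides' own numbers show the complementary rule for the chain itself: the next extended partition at relative 6,500 lands at actual 7,500, that is 1,000 (the primary extended partition's start) + 6,500, not 5,000 + 6,500. On a real image the same walker reads the table sectors with a seek instead of slicing a bytes object.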

Summary
 If we need one to four partitions, we use only the MBR to find all partitions
 If we need more than four partitions, we create up to three partitions using the MBR and make the fourth MBR entry point to the sections that hold the remainder
 DOS-based partitions are the most common in current computer investigations. They are also difficult to understand.
 Tools can help to list the layout of disks and to find the used and unused spaces.

Removable Media
 Most removable media also have partitions, and many use the same structures used by hard disks.
    Floppy disks: each disk is a single partition
    Thumb drives: some contain only one file system, but others have partitions
    Zip drives: are partitioned
    Flash cards (cameras): many use FAT file systems and can be analyzed using normal investigation tools
    CD-ROMs: most use the ISO 9660 format so that multiple OSs can read them... complex

Chapter 6: Server-based Partitions
 BSD (sometimes called Berkeley) UNIX servers use their own partitioning system
    FreeBSD (which also uses DOS partitioning), OpenBSD, NetBSD
    Many use IA32-based hardware (Intel's x86/i386)
 It is becoming common to encounter a Linux system during an investigation, but Linux uses only the DOS-based partitions
 When an operating system runs, it can choose which partitions it will make available for user access

Disk Label
 The central data structure of the BSD partition system is the disk label
    Located in the second sector of the BSD partition
    At least 276 bytes
 The structure is shown in Table 6.1

GPT Partitions
 Systems with 64-bit Intel Itanium processors (IA64) do not have a BIOS like IA32 systems
 Instead, they have an Extensible Firmware Interface (EFI)
    The EFI uses a partition system called the GUID Partition Table (GPT)
    GUID is "globally unique identifier"
 It can support up to 128 partitions and uses a 64-bit LBA address
 Usually found in high-end servers

Multiple Disk Volumes
 Multiple disks can be used to contain data, but such systems may be difficult to investigate
 Initially used in high-end and critical systems, but becoming more popular with desktop systems
 Two types discussed here:
    RAID systems: provide redundancy
    Disk spanning: creates larger volumes

RAID
 RAID 0: two or more disks on which data is striped across the disks (no redundancy)
 RAID 1: data is repeated across disks for redundancy
 RAID 2: rare; uses error-correcting codes
 RAID 3: three or more disks, with one disk assigned for parity
    The parity disk can recreate a failed disk
    Byte-sized chunks
 RAID 4: similar to level 3, but data is striped in block chunks instead of byte chunks
 RAID 5: similar to level 4, but with no dedicated parity disk; parity is alternated among the data disks
 There are several more RAID levels

Analysis
 Use hardware write-blockers on the individual hard disks to prevent modifications during acquisition
 It may also be useful to make images of the individual disks before making an image of the entire RAID volume
 Some RAID systems use only part of each hard disk... the unused space may contain old data, or could be used to hide data

Disk Spanning
 Makes multiple disks appear to be one large disk using software, creating a logical volume.
 Example: like using a 3-ring binder instead of a spiral notebook. It becomes easier to add more storage (i.e. disks) as more space is needed.
 Logical volume: the output of the disk-spanning software.

Disk Spanning
[Figure: Disk 1 holds D0 D1 D2 ... D99; Disk 2 holds D100 D101 ... D199]
The storage space from a new disk is appended to the end of the existing storage space. This generates a logical volume made up from two disks.
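The RAID slide says a parity disk can recreate a failed disk, and the two disk-spanning slides describe how blocks D0..D199 are laid out across two concatenated disks. The Python below is an added example, not code from the slides: it builds a RAID 4 style set (data striped in block chunks over three data disks plus one dedicated parity disk) from a constructed 240-byte payload, discards one disk, rebuilds it by XOR of the survivors, and then maps a logical block to its physical location for a spanned volume and for a RAID 0 stripe set. The chunk size, disk count and disk sizes are assumptions chosen for the example.

```python
"""RAID parity rebuild and block-to-disk mapping for striped and spanned volumes.

Added example, not from the slides: RAID 4 style layout (block chunks over
N data disks plus one parity disk), loss and XOR rebuild of one disk, and
logical-to-physical block locators for disk spanning and RAID 0 striping.
All payloads, chunk sizes and disk sizes are constructed.
"""
import functools
import operator

def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity operation."""
    return bytes(functools.reduce(operator.xor, column) for column in zip(*blocks))

def build_raid4(data, n_data, chunk):
    """Stripe `data` in `chunk`-byte pieces across n_data disks and add a parity disk."""
    if len(data) % (chunk * n_data):
        raise ValueError("data must be a whole number of stripes")
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    disks = [pieces[d::n_data] for d in range(n_data)]  # disk d holds pieces d, d+n, d+2n, ...
    parity = [xor_blocks(stripe) for stripe in zip(*disks)]  # one parity chunk per stripe
    return disks + [parity]

def rebuild_disk(disks, failed):
    """Recreate every chunk of one failed disk (data or parity) from the surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def reassemble(disks, n_data):
    """Recover the original byte stream from the data disks, stripe by stripe."""
    return b"".join(piece for stripe in zip(*disks[:n_data]) for piece in stripe)

def span_locate(lba, disk_sizes):
    """Disk spanning: logical block -> (disk index, block on that disk); disks are concatenated."""
    for idx, size in enumerate(disk_sizes):
        if lba < size:
            return idx, lba
        lba -= size
    raise IndexError("block beyond the end of the logical volume")

def stripe_locate(lba, n_disks, chunk_blocks):
    """RAID 0: logical block -> (disk index, block on that disk) with round-robin chunks."""
    stripe_no, within = divmod(lba, chunk_blocks)
    row, disk = divmod(stripe_no, n_disks)
    return disk, row * chunk_blocks + within

def demo():
    """Constructed 240-byte payload, 3 data disks, 8-byte chunks; returns the checks."""
    data = bytes((i * 7) % 256 for i in range(240))
    disks = build_raid4(data, 3, 8)
    recovered_disk = rebuild_disk(disks, 1)    # lose data disk 1
    recovered_parity = rebuild_disk(disks, 3)  # lose the parity disk instead
    return {
        "data_disk_ok": recovered_disk == disks[1],
        "parity_disk_ok": recovered_parity == disks[3],
        "stream_ok": reassemble(disks[:1] + [recovered_disk] + disks[2:], 3) == data,
        "span": span_locate(150, [100, 100]),  # D150 of the spanning figure: second disk, block 50
        "stripe": stripe_locate(13, 3, 4),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rebuild works because XOR is its own inverse: the parity chunk is the XOR of every data chunk in the stripe, so XORing the parity with all but one data chunk yields the missing one, and a lost parity disk is simply recomputed. RAID 5 differs only in which disk holds the parity chunk for each stripe, which is why an acquisition of a RAID set needs the disk order and chunk size before the individual images can be reassembled into the logical volume.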