COEN 152/252 Computer Forensics Apple Partitions

Apple Partition Map Applies to MAC OS X, MAC OS 9 iPod players Switching to GUID Partition Table (GPT)  To support disk bigger than 2TB

Apple Partition Map

Block 0: Driver Descriptor Record TYPE Block0 = PACKED RECORD sbSig: Integer; {device signature} sbBlkSize: Integer; {block size of the device} sbBlkCount: LongInt; {number of blocks on the device} sbDevType: Integer; {reserved} sbDevId: Integer; {reserved} sbData: LongInt; {reserved} sbDrvrCount: Integer; {number of driver descriptor entries} ddBlock: LongInt; {first driver's starting block} ddSize: Integer; {size of the driver, in 512-byte blocks} ddType: Integer; {operating system type (MacOS = 1)} ddPad: ARRAY [0..242] OF Integer; {additional drivers, if any} END;

Apple Partition Map Driver Descriptor Record  identifies the device drivers installed on a disk  Start manager reads the driver descriptor record during system start-up Uses info to locate and load the appropriate device driver  Start manager selects the appropriate driver based on the user input

Apple Partition Map Partition map describes all partitions on a block device. Allows a single device to support multiple OS. All blocks (with the exception of block 0) belong to a partition Number of entries in a partition table is not limited. However, partition table needs to start in block 1 and be contiguous.

Apple Partition Map TYPE Partition = RECORD pmSig: Integer; {partition signature} pmSigPad: Integer; {reserved} pmMapBlkCnt: LongInt; {number of blocks in partition map} pmPyPartStart: LongInt; {first physical block of partition} pmPartBlkCnt: LongInt; {number of blocks in partition} pmPartName: PACKED ARRAY [0..31] OF Char; {partition name} pmParType: PACKED ARRAY [0..31] OF Char; {partition type} pmLgDataStart: LongInt; {first logical block of data area} pmDataCnt: LongInt; {number of blocks in data area} pmPartStatus: LongInt; {partition status information} pmLgBootStart: LongInt; {first logical block of boot code} pmBootSize: LongInt; {size of boot code, in bytes} pmBootAddr: LongInt; {boot code load address} pmBootAddr2: LongInt; {reserved} pmBootEntry: LongInt; {boot code entry point} pmBootEntry2: LongInt; {reserved} pmBootCksum: LongInt; {boot code checksum} pmProcessor: PACKED ARRAY [0..15] OF Char; {processor type} pmPad: ARRAY [0..187] OF Integer; {reserved} END;

GUID Partition Table Defined by a formal standard:  Section “Extensible Firmware Interface Specification  “GUID Partition Table (GPT) Format” of the “Unified Extensible Firmware Interface Specification, version 2.0 Unified EFI Forum

GPT Overview BlockDescription 0Protective MBR 1Partition Table Header (primary) 2 thru 2 + b – 1Partition Entry Array (primary) 2+b thru n-2-bPartition Data n-2-b+1 thru n-2Partition Entry Array (backup) N-1Partition Table Header

GPT Overview Protective MBR  Defines a single partition entry of type 0xEE  Covers entire area of disk  Designed to prevent legacy programs from accidentally modifying a GPT disk

GPT Overview Partition Table Header  Defines various aspects of a disk: GUID to uniquely identify disk starting block of partition entry array size of each partition entry

GPT Overview Partition Entry Array  Defines a partition or is all zero when entry is not used.  Stored in a contiguous array on disk

GPT Overview Partition Entry  Contains GUID to identify partition  GUID for partition type  start block  end block  partition name (Notice: GPT is little-endian)

GPT Overview