2015/01/21

Bit-Level Forensics: Partitions and VBRs

by DFIRninja
Categories: Analysis, Host Forensics
Tags: , , ,
Comments: Leave a Comment

:Partitions and VBRs:

Partitioning is an important part of hard drives. Partitioning is the dividing of the hard disk into multiple sections. The primary partition is used by the OS, and then you can also have extended partitions. There are 16 bytes that make up a partition entry and are made up of a combination of physical and logical information about the partition. There are three key areas to a partition: 1) the partition type, 2) the logical start of the partition as an offset in sectors, and 3) the length of the partition in sectors.

There is a great tool offered from the Sleuthkit used to identify the partitions of a hard disk called mmls. Mmls will read the primary and extended partition tables and sort and list the partitions. Below is a sample output from the mmls tool:

Screen Shot 2014-11-14 at 10.34.20 AM

 

As mentioned before, there are 16 bytes that make up a partition entry. It is important to know where to find this information, how many bytes each piece is, and what they are used to describe. Below is an example partition image (in hex) and a chart that lists the decimal offset, length in bytes, and content.

hex

 

yep

Different operating systems will have a different partition partition layouts. A Windows 7 partition starts at sector 2048. Sectors 0-2048 is the Master Boot Record (MBR) table. The first partition is the System partition. The second partition is most likely the C:\ partition. The Windows XP partition starts at sector 63. Sectors 0-63 is the MBR partition table. Why does the Windows XP operating system partition start at sector 63? That is one track in on a physical disk image.

 

In order to be able to identify the different partition types, you need to know the hex values for each. Below is a list of some common partition types:

list

There can be multiple partitions within your hard disk. Below is a layout of a partition table:

  • First Partition     –> offset 0x1BE or byte offset 446
  • Second Partition –> offset 0x1CE or byte offset 462
  • Third Partition     –> offset 0x1DE or byte offset 478
  • Fourth Partition –> offset 0x1EE or byte offset 494

Each partition table, whether it is the primary table or an extended table, will ALWAYS end with the hexadecimal value 0x55 and 0xAA.

 

Based off the above information below are a couple scenarios to test your knowledge.

Scenario 1: What is the third primary partition type?

1

Answer: NTFS. The third primary partition entry starts at the hexadecimal offset 0xDE (478). Inside that entry, the partition type will be stored at offset 0x4, that is 0xE2 (482) with a 1 byte length. Analyzing the partition entry information, the hex value 0x07 is stored as the primary partition type, which is NTFS.

 

Scenario 2: When you try to mount it to the system, the process fails. The error message states “Disk /dev/sdc does not contain a valid partition table”. Why is it failing?

2

Answer: The partition table ending marker is missing. The ending of any primary or extended partition table will always be marked with the same two bytes, hex value 0x55 and 0xAA.

 

Within the partition, you will have what is called the Volume Boot Sector. The boot sector, located at sector 1 of each volume, is a critical disk structure for starting your computer. It holds executable code and data required by the code, including information that the file system uses to access the volume. Below is the layout of an NTFS Volume Boot Record:

vbr

Some of the bigger things we will focus on here are the OEM signature and the Media Descriptor. The OEM Signature is located at offset 0x04 and is 8 bytes long. It will contain the information pertaining to what file system is in use. The Media Descriptor is located at offset 0x15 and is one byte in length. It will tell you what type of media is being used (fixed disk, floppy drive, etc).

 

Scenario 3: Based on the partial NFTS boot sector, what type of media is being used?

  • 5-inch floppy drive
  • Fixed disk
  • USB drive
  • CDROM

3

Answer: The Media Descriptor value field is located at byte offset 0x15 in the NTFS boot sector. A value of 0xF8 indicates a fixed disk and 0xF0 indicates a high density 3.5-inch floppy drive.

 

As you can see, all the above information will be extremely useful in identifying different attributes related to a hard drive. In the case that you are just handed a hard drive and are told to investigate it, you will now have the knowledge to identify the different partitions, the type of media it is, and a wealth of other information.


Leave a Reply

Your email address will not be published. Required fields are marked *



Today is Monday
2018/01/22