Hard Disk Partitions

Hard disk partitioning refers to the creation of logical drives for effective memory management; a partition is a logical drive for storing data. A hidden partition created on a drive can hide data. The inter-partition gap is the space between the primary partition and the secondary partition. If the inter-partition gap contains hidden data, use disk editor utilities like Disk Editor to change the information in the partition table. Doing so will remove all the references to the hidden partition, which have been hiding it from the operating system. Another way of hiding data is to place the digital evidence at the end of the disk by declaring a smaller number of bytes than the actual size of the drive. Disk Editor allows an investigator to access these hidden or vacant areas of the disk.

The partitions are of two types:

  • Primary partition: It is the drive that holds the information regarding the operating system, system area, and other information required for booting. In MS-DOS and earlier versions of Microsoft Windows systems, the first partition (C:) must be a “primary partition.”
  • Extended partition: It is the logical drive that holds the information regarding the data and files that are stored on the disk.

Various tools are available for examining disk partitions. A few of the disk editor tools are Disk Edit, WinHex, and Hex Workshop. These tools can help users view the file headers and important information about the file. Both require analyzing the hexadecimal codes that an operating system identifies and uses to maintain the file system.

BIOS Parameter Block (BPB)

The BPB is a data structure situated at sector 1 in the volume boot record of a hard disk, and it explains the physical layout of a disk volume. It describes the volume partition on partitioned devices such as hard disks, whereas on un-partitioned devices it describes the entire medium. Any partition, including floppy disks, can use the BPB, which also describes the basic file system architecture. The length of the BPB varies across the listed file systems (i.e. FAT16, FAT32, and NTFS) due to the volume of data it contains and the types of fields present.

Master Boot Record (MBR) 

Master Boot Record (MBR) refers to a hard disk’s first sector, or sector zero, which specifies the location of an operating system for the system to load into main storage. Also called the partition sector or master partition table, it contains a table that locates partitioned disk data. A program in the record loads the rest of the OS into the RAM.

The Master Boot Record file holds information about the various files present on the disk, their location, and size. In practice, MBR almost always refers to the 512-byte boot sector or partition sector of a disk. The FDISK /MBR command helps in creating the MBR in Windows and DOS operating systems. When a computer starts and boots, the BIOS refers to this first sector for the boot process instructions and information about how to load the operating system.

The master boot record consists of the structures as mentioned below:

1. Partition Table

The partition table is a 64-byte data structure storing information about the type of partitions present on the hard disk and their location. This table has a standard layout that does not depend on the operating system. The table is capable of describing only four partitions, which are primary or physical partitions. All other partitions are logical partitions linked to one of the primary partitions.
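
The following added example (not part of the original article) parses the 64-byte partition table from a 512-byte MBR sector and lists the sector ranges that no entry covers, which is where an inter-partition gap or an under-declared disk size would show up. The function names, the sample sector and the 200000-sector disk size are constructed for illustration; an examiner would read the real sector and disk size from the image.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446   # the 64-byte table follows 446 bytes of boot code
ENTRY_SIZE = 16      # 4 entries x 16 bytes

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) sector-count(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype != 0x00:                      # type 0 marks an unused slot
            parts.append({"slot": slot, "active": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return parts

def unallocated_ranges(parts: list, disk_sectors: int) -> list:
    """(first_sector, length) ranges after sector 0 that no table entry covers."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < disk_sectors:                  # table declares less than the real disk size
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample: two primary partitions with a 2048-sector gap between them."""
    sector = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 100000), (0x00, 0x83, 104096, 50000)]
    for slot, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE, *entry)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for first, length in unallocated_ranges(parts, disk_sectors=200000):
        print(f"uncovered: sectors {first}..{first + length - 1} ({length * SECTOR} bytes)")
```

The range starting at sector 1 is the usual alignment space before the first partition; the other two ranges are the gap between the partitions and the space past the last declared partition.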

2. Master Boot Code

The master boot code is a small piece of computer code that the system loads into the BIOS and executes to initiate the system’s boot process. After execution, the system transfers control to the boot program present on the active partition to load the operating system.

The master boot code implements the following functions:
  • Examines the partition table to find the active partition
  • Locates the first sector of the active partition
  • Loads a boot sector copy from the active partition into memory
  • Transfers control to the executable code in the boot sector

3. Structure of a Master Boot Record

Systems working with Windows and DOS operating systems use the MBR file to hold the information regarding the files on the disk. Many products replace the MBR file provided by the Microsoft operating system. A few third-party utility tools help while installing two or more operating systems on the disk.

Investigators require many data acquisition tools for forensic investigation as one vendor product may not be reliable for computer forensic tasks.

4. Backing up the MBR

In UNIX/Linux, dd helps to back up and restore the MBR.

Back up the MBR

dd if=/dev/xxx of=mbr.backup bs=512 count=1

Restore the MBR

dd if=mbr.backup of=/dev/xxx bs=512 count=1

Globally Unique Identifier (GUID)

A Globally Unique Identifier is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, database entry, and/or user. For example, while browsing, a website generates a GUID and assigns it to the browser, which helps in tracking and recording the user’s browsing session. The Windows OS assigns a GUID to the registry in order to recognize COM DLLs (Dynamic Link Libraries) as well as to the user accounts by a username (domain).

GUID Partition Table (GPT)

The GUID Partition Table (GPT) is a standard partitioning scheme for hard disks and part of the Unified Extensible Firmware Interface (UEFI), which replaces legacy BIOS firmware interfaces. UEFI uses partition interfacing systems that overcome the limitations of the MBR partitioning scheme.

The MBR partition scheme uses 32 bits for storing LBAs (Logical Block Addresses) and the size information on a 512-byte sector. In GPT, each logical block is 512 bytes and each partition entry is 128 bytes, and the negative addressing of the logical blocks starts from the end of the volume with -1 as the last addressable block. GPTs use logical block addressing (LBA) instead of cylinder-head-sector (CHS) addressing, similar to modern MBRs. LBA 0 stores the protective MBR, LBA 1 contains the GPT header, and the GPT header comprises a pointer to the partition table or Partition Entry Array at LBA 2.

The UEFI assigns 16,384 bytes for the Partition Entry Array. Since the disk has 512-byte sectors with a partition entry array of 16,384 bytes and the minimum size of 128 bytes for each partition entry, LBA 34 will be the first usable sector.

Advantages of GPT disk layout

  • GPT allows users to partition disks larger than 2 terabytes
  • It allows users to have 128 partitions in Windows using GPT partition layout
  • GPT partition and boot data is more secure than MBR, as GPT stores data in multiple locations across the disk
  • It uses Cyclic Redundancy Check (CRC) to ensure data integrity
  • Uses CRC32 checksums that detect errors in the header and partition table

1. Protective MBR

The protective MBR occupies the first position of the GPT at Logical Block Address (LBA) 0. It helps resolve compatibility issues with legacy systems that fail to understand the GPT format. It stores the startup code for the operating systems that support a GPT boot disk. It makes sure that operating systems that are unable to identify the GPT disk will mark it as unknown and cannot delete it without a user command. Additionally, operating systems that identify the GPT partition table will also check the protective MBR before starting operations.

The protective MBR is similar to the legacy MBR in functionality; the main difference is that the protective MBR has only one partition of type 0xEE (EFI_GPT_DISK). If the partition is not of type 0xEE or the MBR partition table consists of multiple entries, the MBR will not operate.

The GPT header represents the formal beginning of the partition table, the first accessible disk space, and the structure of the partition table.

A hard disk running a Windows 64-bit operating system can have up to 128 partitions with a size of 128 bytes each. The partition table header stores disk details such as the partition ID of the GPT disk, the partition table header size and location, the backup partition table header, and the position and size of the partition table.

Additionally, it stores the partition table CRC32, which is a cyclic redundancy check, an error-detecting code used to detect accidental changes. The checking mechanism helps the boot program, firmware, and the operating system to detect an error in a partition table. If any error occurs in the primary GPT, the users can recover the hard disk partitions from the secondary GPT, but an error in backup GPT parity can make the hard disk inaccessible.

The partition entry array is present next to the GPT header and uses 128-byte blocks per entry, of which the first 16 bytes of each block represent the partition type GUID. The next 16 bytes contain a GUID specific to the partition block. Because of the unique nature of the GUID, there is no requirement for a central registry for the GUID partition type designator.

It is not necessary for each sector to be restricted to 512 bytes, and a single sector can have more than four partition entries (i.e. 3 primary partitions and 1 extended partition). The GPT specification describes the size and organization of the data structure as a whole (keeping aside LBA 0 and LBA 1), but does not count the number of sectors stored on the disk.
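
As an added example (not from the original article), the check below validates a GPT header against its partition entry array: it recomputes both CRC32 values, derives the first usable LBA from the array size, and reads each entry's partition type GUID from its first 16 bytes. The 92-byte header layout and the EFI System Partition type GUID are taken from the UEFI specification; the function names, the sample disk and the unique partition GUID are constructed for illustration.

```python
import struct
import uuid
import zlib

HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian
SECTOR = 512

def check_gpt(header: bytes, entries: bytes) -> dict:
    """Validate a GPT header sector (LBA 1) against its partition entry array."""
    (sig, _rev, hsize, hcrc, _rsv, _my_lba, backup_lba, first_usable, _last,
     _disk_guid, ent_lba, count, esize, ecrc) = struct.unpack_from(HDR_FMT, header)
    if sig != b"EFI PART" or not 92 <= hsize <= len(header) or esize < 128:
        raise ValueError("not a GPT header")
    # The header CRC32 covers hsize bytes with the CRC field (bytes 16..19) zeroed.
    zeroed = header[:16] + b"\x00" * 4 + header[20:hsize]
    array = entries[:count * esize]
    types = []
    for off in range(0, len(array), esize):
        type_guid = uuid.UUID(bytes_le=array[off:off + 16])  # first 16 bytes of the entry
        if type_guid.int:                                    # all-zero GUID = unused slot
            types.append(str(type_guid))
    return {
        "header_ok": zlib.crc32(zeroed) == hcrc,
        "entries_ok": zlib.crc32(array) == ecrc,
        "backup_lba": backup_lba,
        "first_usable": first_usable,
        # array start + sectors it occupies: 2 + 16384/512 = 34 on the layout above
        "expected_first_usable": ent_lba + (count * esize + SECTOR - 1) // SECTOR,
        "partition_types": types,
    }

def build_sample(disk_sectors: int = 409600):
    """Constructed sample: one EFI System Partition in a 128-entry array."""
    esp = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B").bytes_le
    unique = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # made-up GUID
    entry = (esp + unique + struct.pack("<QQQ", 2048, 206847, 0)
             + "EFI".encode("utf-16-le").ljust(72, b"\x00"))
    entries = entry + bytes(127 * 128)
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, disk_sectors - 1, 34,
              disk_sectors - 34, bytes(16), 2, 128, 128, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))   # CRC over the zeroed header
    return struct.pack(HDR_FMT, *fields).ljust(SECTOR, b"\x00"), entries

if __name__ == "__main__":
    print(check_gpt(*build_sample()))
```

When `header_ok` or `entries_ok` is false for the primary copy, the same check can be run on the backup header at `backup_lba` and its entry array.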

Questions related to this topic

  1. How many partitions are possible on a drive with MBR?
  2. What are the two types of MBR partitions?
  3. What is MBR disk partition?
  4. Why is MBR limited to 2 TB?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
