Disk Partition Analysis

 Disk Partition Analysis (DOS Partition)


In this post we will briefly go through the process of understanding the disk partition scheme and how we can parse information out of it. The first thing we need is partition table. We can obtain partition table (MBR information) from the starting 512 byte section of the disk or we can search for sector ending with 0x55AA.

We can obtain the partition table sector through multiple process, however the following process is demonstrated using 'dd'.



Let's have a look inside -



This section contain three important information- bootstrap code area (assembly boot code), partition table and boot signature. The MBR layout is shown in table below.



Partition table value lie between 0x1BE to 0x1FD containing entries of multiple partitions (16-Bytes each) as shown below:

From the above details we can analyse our partition, lets consider entries for 2 primary partitions-

8004 0104 83FE C2FF 0008 0000 0070 E109

00FE C2FF 05FE C2FF FE7F E109 0278 1E00

(These values are stored in little endian format so we have to rearrange each field value as shown here. You can also refer our previous blog to get insight into little endian).

        09E1 7000 0000 0800 FFC2 FE83 0401 0480 
      001E 7802 09E1 7FFE FFC2 FE05 FFC2 FE00

 

The data structure for each partition entry can further be categorized as -

We can analyse our partition based upon the above details - (first primary partition)

1) Boot indicator = 0x80 (means this partition has boot partition)

2) Starting CHS value = 0x040104 (partition starting CHS address)

3) Partition type = 0x83 (corresponds to Linux data partition)

4) Ending CHS value = 0xFFC2FE (partition ending CHS address)

5) Starting Sector =0x 00000800 sectors
(00000800)16 = (2048)10

6) Partition size = 0x09E17000 sectors
(09e17000)16 = (165769216)10


The details can be verified using "mmls" utility w.r.t the considered partition as shown below (entry 002) of partition table-



(Similarly for the considered second partition table entry 004)
001E 7802 09E1 7FFE FFC2 FE05 FFC2 FE00
1) Boot indicator = 0x00 (Empty, didn't have boot partition)

2) Starting CHS value = 0xFFC2FE

3) Partition type = 0x05 (Depicts Extended Partition)

4) Ending CHS value = 0xFFC2FE

5) Starting Sector = 0x09E17FFE sector
(09E17FFE)16 = (165773310)10

6) Partition size = 0x001E7802 sectors
(001e7802)16 = (1996802)10


Above discussed partition Scheme can be summarised by this diagram -


This is the basic overview of how can we locate each partition of disk and in turn locate or image the required partition.

Reference:

1. Carrier, Brian. File system forensic analysis. Addison-Wesley Professional, 2005.


Credits - 

Dr. Nitesh K Bhardwaj
Faculty, Dept. CSE, IIIT Bhopal

Mr. Punit Choudhary 
4th year student, IIIT Bhopal (Branch -IT)

Mr. Madhur Aswani
4th year student, IIIT Bhopal (Branch -IT)

Comments

Post a Comment

Popular posts from this blog

Analysis of Volatile Memory(RAM) Using Volatility3

Image
  Introduction: Volatility3 is the most advanced and newest volatile memory forensics framework in the world. It is also Open Source, this framework is written in python. It is also the most widely used framework for extracting digital artefacts from volatile memory i.e. RAM image. The framework is intended to introduce people to the techniques for extracting digital artefacts from volatile memory(RAM) samples and provide a platform for further work into this exciting area of research. Downloading and Installation: Requirements: Python 3.5.3 or higher Pefile 2017.8.1 or later. Download volatility from   here  or run the following command in command line to clone the repository. git clone https://github.com/volatilityfoundation/volatility3.git RAM Image Creation: To create a memory dump for analysis we can use DumpIt memory tool which can be downloaded from here . Also, we can use ftkimager to create a memory dump, which can be downloaded from  here . To create the image using ftkima
Read more

$Recycle.Bin Forensics: Analysis of $I (metadata file) and $R (actual content)

Image
  Forensic Insight into Windows 10 $Recycle.Bin  In Windows 10, the deleted files are temporarily located in  "C:\$Recycle.Bin>",  a sub directory under root directory. The completion of file deletion process yields two separate files placed within the $Recycle.Bin path, as follows: $I – Contains metadata specific to the deleted file (original file name path, file size, deletion timestamp, file name size and, file name). $R – Contains the actual contents of the file. The two files ($I and $R) corresponding to the deleted file are named/suffixed with a random six character value after $I and $R, resulting  into a 8–character file name. The system creates SID based folders corresponding to each user account.   In the SID sub-folder, you will find the SID of the user who deleted the file. Each time a user deletes a file from the Recycle Bin, a sub-folder is created for them. As per the requirement an analyst can analyse the contents inside the SID sub-folders.  Let’s
Read more

Usefulness of Epoch in Digital Forensics Investigation (UNIX and MacOS perspective)

Image
 Usefulness of Epoch in Digital Forensics Investigation  (UNIX and MacOS perspective)  In digital forensics investigation, epoch plays an important role in event reconstruction. Hence, we try to provide detailed insight into the UNIX and MAC OS epoch values. An epoch is a date and time that a computer uses to determine the computer's clock and timestamp values. Epoch is sometimes also referred to as epoch time, POSIX time, and Unix time. In simple words, it is the starting point of the operating system that determines a computer’s date and time by counting ticks (seconds/ nanoseconds/picoseconds). Epochs can persist into the file metadata, system files, log files, and other metadata files. The value of epoch varies from operating system (OS) to OS and file system to file system.   The epoch traditionally corresponds to 0 hours, 0 minutes, and 0 seconds Coordinated Universal Time (UTC) on a specific date, which varies from system to system, as the starting date of each system i
Read more