Sie sind auf Seite 1von 39

Volume Analysis Intro

Chapter 4, Carrier
1. Volume structure
2. Volume analysis
3. Volume recovery

http://blogs.sans.org/computer-forensics/2010/07/28/windows-7-mbr-advanced-format-drivese512/?utm_source=rss&utm_medium=rss&utm_campaign=windows-7-mbr-advanced-formatdrives-e512st.txt

Nomenclature

Windows

Partitions are referred to as Volumes

The rest of the world

Partitions are referred to as partitions

Volume is a physical drive

VG Volume Group is a logical grouping of


partitions managed by the LVM

Volume Functions

A volume is a collection of addressable sectors that


can be used for storage
Assemble multiple storage volumes into one.
Partition a storage volume into independent
partitions

Partitions, Named Volumes


Windows Example
Hard Disk Volume
Partition 1

C: Volume

Partition 2

D: Volume

Partition 3

E: Volume
Thanks to Priscilla
Source: B. Carrier

Partitions

A partition is a collection of consecutive sectors in a


volume

A partition is also a volume


A partition's parent volume is the volume in
which the partition is located

Partition Systems

Structure of partition system is OS dependent

Independent of the disk/interface

Most volumes have a partition table

Each entry describes the location, size and type of partition


Usually there is nothing that distinguishes the beginning or end of
a partition
If the volume is one partition, the partition table is often missing.

Generic Partition Table


Ending
Sector

File
System
Type

99

FAT

100

249

NTFS

300

599

NTFS

Starting
Sector

Volume Assembly

Some OS's force each device/disk to be a volume

Windows and DOS

Some of the more robust OS's use volume assembly to make


many/all disks look like one volume.

Unix and derivations

Windows Mount Points


C:

Volume 1

\Program Files\
\Windows\

D:

E:

CD-ROM

Volume 2

\Torture Office\

Unix Mount Points

Volume 1

/etc/
/mnt/cdrom/

CD-ROM

/tmp/
/usr/

Volume 2

Sector Addressing

LBA Logical Block Address is a physical sector


address beginning at 0 which is the first sector of the
disk.
LVA Logical Volume Address is the address of a
sector relative to the start of its volume.

Distinguish between disk and partition


Logical disk volume address

Logical partition volume address

Addressing Terminology
Partition 1 Starting
Address: 0

Physical address: 100


Logical Disk Volume Address: 100
Logical Volume Part. Address: 100

Partition 2
Starting
Address: 864

Physical address: 964


Logical Disk Volume Address: 964
Logical Volume Part. Address: 100

Physical address: 569


Logical Disk Volume Address: 569
Logical Volume Part. Address: N/A

Volume Analysis
Partition layout of the volume is important
Consistency
Corruption
Unallocated space
Evidence
Recovery

Techniques
Data in a partition is likely to be a file system.
Data in sectors not in a partition is likely to be data
left over from a previous life
Using dd we can create a file for each partition
Using dd we can also create files of consecutive
unallocated sectors

Consistency Checks
Consecutive collections of sectors, utilizing the entire
disk/device
Consecutive collections of sectors, not utilizing the
entire disk/device
Over lapping collections of sectors
Missing partition tables or corrupted tables,
intentional or accidental

DOS Partitions

MBR is the first 512-byte sector

Boot code (Bytes 0-445)

Partition table (bytes 446-509)

Signature (bytes 510-511, value =


0xAA55)

Partition table has four entries

DOS Disk

Partition 1

Partition Table

Partition 2

Extended Partitions

Partition 1

Partition 2

Partition Table

First Extended Partition is always number 5.

Extended Partition

Extended Partitions
Partition

Partition

Extended Partition

Partition

Extended Partition

Partition

Extended Partition

Partition

Master Boot Sector/Record

First sector of the device

Contains boot code

Contains the partition table

Last byte is 0x55AA

MBS Structure
000

1BD

Boot code Master Boot Record, MBR

1BE

1CD

1st Partition Entry

1CE

1DD

2nd Partition Entry

1DE

1ED

3st Partition Entry

1EE

1FD

4st Partition Entry

1FE

1FF

Signature value = 0x55 aa

Partition Table

Four 16-byte Entries

Each entry describes a partition

Bootable flag (0x80 means bootable)

Starting CHS address

Partition type

Ending CHS address

Starting LBA address

Size (number of sectors in partition)

Partition Entry Structure


00

00

Bootable flag: 0x80 bootable, 0x00 not bootable

01

03

Starting CHS Address (C, H, S)

04

04

Partition type 0x83 = linux, 0x82 = swap

05

07

Ending CHS Address

08

0B

Starting LBA Address

0C

0F

Size in Sectors

Empty

1e

Hidden W95 FAT1 80

Old Minix

FAT12

24

NEC DOS

81

Minix / old Lin bf

Solaris

XENIX root

39

Plan 9

82

Linux swap / So c1

DRDOS/sec (FAT-

XENIX usr

3c

PartitionMagic

83

Linux

c4

DRDOS/sec (FAT-

FAT16 <32M

40

Venix 80286

84

OS/2 hidden C:

c6

DRDOS/sec (FAT-

Extended

41

PPC PReP Boot

85

Linux extended

c7

Syrinx

FAT16

42

SFS

86

NTFS volume set da

Non-FS data

HPFS/NTFS

4d

QNX4.x

87

NTFS volume set db

CP/M / CTOS / .

AIX

4e

QNX4.x 2nd part 88

Linux plaintext de

Dell Utility

AIX bootable

4f

QNX4.x 3rd part 8e

Linux LVM

df

BootIt

OS/2 Boot Manag 50

OnTrack DM

Amoeba

e1

DOS access

W95 FAT32

OnTrack DM6 Aux 94

Amoeba BBT

e3

DOS R/O

W95 FAT32 (LBA) 52

CP/M

BSD/OS

e4

SpeedStor

W95 FAT16 (LBA) 53

OnTrack DM6 Aux a0

IBM Thinkpad hi eb

BeOS fs

W95 Ext'd (LBA) 54

OnTrackDM6

a5

FreeBSD

ee

EFI GPT

10

OPUS

55

EZ-Drive

a6

OpenBSD

ef

EFI (FAT-12/16/

11

Hidden FAT12

56

Golden Bow

a7

NeXTSTEP

f0

Linux/PA-RISC b

12

Compaq diagnost 5c

Priam Edisk

a8

Darwin UFS

f1

SpeedStor

14

Hidden FAT16 <3 61

SpeedStor

a9

NetBSD

f4

SpeedStor

16

Hidden FAT16

GNU HURD or Sys ab

Darwin boot

f2

DOS secondary

17

Hidden HPFS/NTF 64

Novell Netware

b7

BSDI fs

fd

Linux raid auto

18

AST SmartSleep

Novell Netware

b8

BSDI swap

fe

LANstep

1b

Hidden W95 FAT3 70

DiskSecure Mult bb

1c

Hidden W95 FAT3 75

PC/IX

51

63

65

93

9f

be

Boot Wizard hid ff

Solaris boot

BBT

Partition Types

Decoding Partition Tables


Gotchas

Decimal or Hex?

Little Endian or Big Endian?

Output to text? How do you get the text


back to the lab for analysis?
Output to file? Where will you put it?
Dont write to suspects HD!

The Whole MBR


>fdisk/dev/hda
>x
>d
0000000:
0000010:
0000020:
0000030:
0000040:
0000050:
0000060:
0000070:
0000080:
0000090:
00000a0:
00000b0:
00000c0:
00000d0:
00000e0:
00000f0:
0000100:
0000110:
0000120:
0000130:
0000140:
0000150:
0000160:
0000170:
0000180:
0000190:
00001a0:
00001b0:
00001c0:
00001d0:
00001e0:
00001f0:

eb48
0000
0001
22c0
8000
7c00
3cff
7454
aa75
8b4c
0410
7066
05bb
84f0
88f0
88f4
66a1
66f7
540d
8a74
2a8c
31ff
00eb
00be
656f
6164
10ac
0000
0100
010d
ffff
ffff

906c
0000
f122
0001
0080
0031
7402
b441
43a0
10be
00c7
31c0
0070
00e9
4066
4089
447c
7404
c0e2
0bbb
c38e
fcf3
0ebe
937d
6d00
0020
3c00
0000
83fe
83fe
82fe
83fe

6261
f468
c000
be22
5194
c08e
88c2
bbaa
417c
057c
4402
8944
eb7d
8d00
8944
4408
6631
8854
068a
0070
0648
a51f
847d
e82a
4861
4572
75f4
0000
3f0c
ffff
ffff
ffff

4c49
743d
0101
c000
0000
d88e
52be
55cd
84c0
c644
0100
0466
b408
be05
0431
31c0
d266
0b89
4c0a
8ec3
7c60
61ff
e838
00eb
7264
726f
c300
0000
3f00
cd2f
45e1
0403

4c4f
f222
445a
01bf
0008
d0bc
797d
135a
7505
ff01
6689
8944
cd13
7cc6
d288
88d0
f734
440c
fec1
31db
1eb9
2642
00eb
fe47
2044
7200
0000
0100
0000
0300
d701
f701

0100
c000
f522
22c0
fa80
0020
e834
5272
83e1
668b
5c08
0cb4
730a
44ff
cac1
c0e8
8854
3b44
08d1
b801
0001
7cbe
06be
5255
6973
bb01
0000
0000
8e2f
78b1
bf21
fc4f

1504
01f3
c000
0001
ca80
fba0
01f6
4981
0174
1e44
c744
42cd
f6c2
0066
e202
0266
0a66
087d
8a6c
02cd
8edb
7f7d
8e7d
4220
6b00
00b4
0000
0000
0300
d401
1f00
b102

5a00
22c0
01f6
0302
ea53
407c
c280
fb55
3766
7cc7
0600
1372
800f
31c0
88e8
8904
31d2
3c8a
0c5a
1372
31f6
e840
e830
0047
5265
0ecd
0000
8001
0000
00fe
00fe
55aa

.H.lbaLILO....Z.
.....ht=."....".
..."....DZ."....
"...."....".....
....Q..........S
|..1....... ..@|
<.t...R.y}.4....
tT.A..U..ZRrI..U
.uC.A|..u....t7f
.L...|.D..f..D|.
....D...f.\..D..
pf1..D.f.D..B..r
...p.}....s.....
........|.D..f1.
..@f.D.1........
..@.D.1......f..
f.D|f1.f.4.T.f1.
f.t..T..D.;D.}<.
T.....L......l.Z
.t...p..1......r
*....H|`......1.
1.....a.&B|..}.@
.....}.8.....}.0
...}.*...GRUB .G
eom.Hard Disk.Re
ad. Error.......
..<.u...........
................
....?.?..../....
......./..x.....
......E....!....
...........O..U.

Use Unix/Linux dd Utility to View


Partition Table

dd if=/dev/hda bs=512 count=1 | xxd

Partition table starts at 446 decimal = 0x1be

0000000: eb48 9010 8ed0 bc00 b0b8 0000 8ed8 8ec0

.H..............

{skip}
00001b0: 0000 0000 0000 0000 786b 786b 0000 8001

........xkxk....

00001c0: 0100 0cfe fffe 3f00 0000 82c8 7302 0000

......?.....s...

00001d0: 8101 82fe bf40 c1c8 7302 40b0 0f00 0000

.....@..s.@.....

00001e0: 8141 83fe ff00 0179 8302 c018 2502 0000

.A.....y....%...

00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa

..............U.

Partition Table Entries


Try Decoding It By Hand
#

1
2
3
4

Flag

Type

Starting LBA Address

Size

Little Endian

Partition Table Entries


#

Flag

Type

Starting LBA Address

Size

0x80

0x0C

0x0000003F

0x0273C882

0x00

0x82

0x0273C8C1

0x000FB040

0x00

0x83

0x02837901

0x022518C0

0x00

0x00

0x00000000

0x00000000

Partition Table Entries


#

Flag

Type

Starting LBA Address

0x80

0x0C

0x0000003F

Bootable

0x00

0x83

0x02837901

0x022518C0

0x00

0x00

0x00000000

0x00000000

FAT

63

Size

0x0273C882
~21 GB

Partition Table in English

Partition 1

Bootable (0x80 at byte 0)

Type is Fat32 (0x0C at byte 4)

It starts at sector 3F, LBA (63 in decimal)

Its size is 0x0273C882 sectors

About 41 million sectors in decimal

41M x 512 bytes = 20,992,000,000 = ~21 GB

Partition Table in English (cont.)

Partition 2

Not bootable (0x00 at byte 0)

Type is Linux Swap (0x82 at byte 4)

It starts at sector 41,142,465 in decimal

Its size is 0x000FB040 sectors

About 1 million sectors in decimal

1M x 512 bytes = 512,000,000 = ~.5 GB

Partition Table in English (cont.)

Partition 3

Not bootable (0x00 in byte 0)

Type is Linux (0x83 at byte 4)

It starts at sector 42170625 in decimal

Its size is 0x022518C0 sectors

About 36 million sectors in decimal

36M x 512 bytes = 18,432,000,000 = ~18.5 GB

Partition Types Info


http://www.win.tue.nl/~aeb/partitions/partition_types-1.html

Real Example

FAT 32 thumb drive, .5 Gb

Windows MBR
Boot flag
Type

C, H, S

Start LBA

Size (sectors)

A cautionary tale:
Little Endian!

Use fdisk to View Table


root@ttyp0[knoppix]# fdisk /dev/hda
Command (m for help): p
Disk /dev/hda: 255 heads, 63 sectors, 4865 cylinders

Nr AF

Hd Sec

Cyl

Hd Sec

Cyl

Size ID

1 80

0 254

2 00

513 254

63

576 41142465

3 00

577 254

63

768 42170625 35985600 83

4 00

63 1022

Start

63 41142402 0c

1028160 82

0 00

Extracting Partition Table


fdisk Linux and DOS, Windows
>fdisk /dev/hda
>p
Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot
/dev/hda1
*
/dev/hda2
/dev/hda3

Start
1
14
1926

End
13
1925
2052

Blocks
104391
15358140
1020127+

Id
83
83
82

>x
>p
Disk /dev/hda: 255 heads, 63 sectors, 4864 cylinders

System
Linux
Linux
Linux swap

Nr
1
2
3
4

AF Hd Sec Cyl Hd Sec Cyl


80
1
1
0 254 63
12
00
0
1
13 254 63 1023
00 254 63 1023 254 63 1023
00
0
0
0
0
0
0

Start
63
208845
30925125
0

Size ID
208782 83
30716280 83
2040255 82
0 00

Lab

Image the MBR of the RED USB drive


in the lab

Show why it is a MBR

Decode the partition table