Chapter 4, Carrier
1. Volume structure
2. Volume analysis
3. Volume recovery
http://blogs.sans.org/computer-forensics/2010/07/28/windows-7-mbr-advanced-format-drivese512/?utm_source=rss&utm_medium=rss&utm_campaign=windows-7-mbr-advanced-formatdrives-e512st.txt
Nomenclature (Windows)
[Figure: volumes versus partitions. A partition is a consecutive range of sectors on the physical disk (Partition 2, Partition 3 in the figure); a volume is the collection of sectors an OS or application addresses as one unit, which Windows exposes as a drive letter (the C: volume, the D: volume, the E: volume). Each partition here is used as one volume, but a volume may also be assembled from several partitions.]
Thanks to Priscilla
Source: B. Carrier
Partitions / Partition Systems
[Figure: an example partition layout, labelled by starting sector and file system type: a FAT partition ending at sector 99, an NTFS partition in sectors 100–249, and an NTFS partition in sectors 300–599. Sectors 250–299 belong to no partition.]
Volume Assembly
[Figure: the same two volumes and a CD-ROM as seen from Windows and from Unix.
Windows: Volume 1 holds \Program Files\ and \Windows\; Volume 2 (\Torture Office\) and the CD-ROM are assigned the drive letters D: and E:.
Unix: /etc/ and /tmp/ live on Volume 1; Volume 2 is mounted at /usr/; the CD-ROM is mounted at /mnt/cdrom/. Unix assembles all volumes into a single directory tree instead of giving each a letter.]
Sector Addressing: Addressing Terminology
[Figure: two partitions on one disk. Partition 1 starts at address 0; Partition 2 starts at address 864. Addresses counted from the start of the disk are physical addresses; each volume also numbers its own sectors from 0 (logical volume addresses), so physical sector 864 is logical sector 0 of Partition 2.]
Volume Analysis
The partition layout of the volume is important for:
- Consistency
- Corruption
- Unallocated space
- Evidence
- Recovery techniques
- Data in a partition is likely to be a file system.
- Data in sectors not in any partition is likely to be data left over from a previous life of the disk.
- Using dd we can create a file for each partition.
- Using dd we can also create files of consecutive unallocated sectors.
Consistency Checks
- Consecutive collections of sectors utilizing the entire disk/device
- Consecutive collections of sectors not utilizing the entire disk/device (the remainder is unallocated space)
- Overlapping collections of sectors
- Missing or corrupted partition tables, intentional or accidental
DOS Partitions
[Figure: a DOS disk. The partition table in the first sector describes Partition 1 and Partition 2, each a consecutive range of sectors.]

Extended Partitions
[Figure: the partition table in the first sector describes Partition 1, Partition 2 and an Extended Partition. The extended partition is a container: its first sector holds another partition table with one entry for a partition (a logical partition) and one for the next Extended Partition, whose first sector again holds a table pointing to a partition and a further Extended Partition, and so on. Logical partitions are found by following this chain.]
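The chain walk the figure describes, as an added example (not code from Carrier's book or from the lecture). The disk image, its partition sizes and the 16 MiB disk are constructed in memory; the point it demonstrates is that the two 4-byte start fields inside an EBR use different bases.

```python
"""Find every partition on a DOS disk, following the extended-partition chain.

Added example for the Extended Partitions slides; not code from Carrier's
book or from the lecture.  The disk image (32,768 sectors, 16 MiB) and its
partitions are constructed in memory so the walk runs offline.
"""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, W95 LBA and Linux extended


def entry(boot, ptype, start, size):
    """One 16-byte table entry; CHS fields get the FE FF FF 'use LBA' filler."""
    chs = b"\xfe\xff\xff" if ptype else b"\0\0\0"
    return struct.pack("<B3sB3sII", boot, chs, ptype, chs, start, size)


def table_sector(entries):
    """A 512-byte sector with a four-entry table at 0x1BE and 0x55AA at 0x1FE."""
    entries = entries + [entry(0, 0, 0, 0)] * (4 - len(entries))
    return b"\0" * 0x1BE + b"".join(entries) + b"\x55\xaa"


def parse_table(sector):
    """Return the four (boot, type, start, size) tuples, little-endian decoded."""
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature")
    return [struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i) for i in range(4)]


def walk(image):
    """Return [(name, type, absolute start LBA, size)] for all primary and
    logical partitions.  Two different bases are in play inside the chain:
    a logical partition's start is relative to the EBR that describes it,
    while the link to the next EBR is relative to the start of the outer
    extended partition.  Mixing them up lands you in the wrong sector."""
    read = lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR]
    found, k = [], 5                  # Linux numbers logical partitions from 5
    for nr, (boot, ptype, start, size) in enumerate(parse_table(read(0)), 1):
        if ptype == 0:
            continue
        if ptype not in EXTENDED_TYPES:
            found.append((f"primary{nr}", ptype, start, size))
            continue
        ext_base, ebr, seen = start, start, set()
        while ebr not in seen:        # a corrupted link that loops would hang us
            seen.add(ebr)
            tbl = parse_table(read(ebr))
            _b, ltype, lstart, lsize = tbl[0]
            if ltype:
                found.append((f"logical{k}", ltype, ebr + lstart, lsize))
                k += 1
            _b, ntype, nstart, _s = tbl[1]
            if ntype not in EXTENDED_TYPES:
                break
            ebr = ext_base + nstart   # NOT ebr + nstart
    return found


def build_image():
    """Constructed test disk: primary FAT16 in sectors 63..2047, extended
    partition 2048..32767 holding a Linux and a Linux-swap logical partition."""
    total, ext_start = 32768, 2048
    ext_size = total - ext_start
    img = bytearray(total * SECTOR)
    img[0:SECTOR] = table_sector([
        entry(0x80, 0x06, 63, ext_start - 63),
        entry(0x00, 0x05, ext_start, ext_size),
    ])
    # EBR 1: logical partition 63 sectors after this EBR; next EBR 8192
    # sectors into the extended partition (relative to ext_start).
    img[ext_start * SECTOR:(ext_start + 1) * SECTOR] = table_sector([
        entry(0x00, 0x83, 63, 8192 - 63),
        entry(0x00, 0x05, 8192, ext_size - 8192),
    ])
    ebr2 = ext_start + 8192
    img[ebr2 * SECTOR:(ebr2 + 1) * SECTOR] = table_sector([
        entry(0x00, 0x82, 63, ext_size - 8192 - 63),
    ])
    return bytes(img)


if __name__ == "__main__":
    for name, ptype, start, size in walk(build_image()):
        print(f"{name}: type={ptype:#04x} start={start} size={size}")
```

Against a real image, replace `build_image()` with the bytes of the disk; the `seen` set is what keeps a deliberately or accidentally corrupted "next EBR" link from looping the walk forever.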
MBR Structure
Offsets (hex) within the first sector of a DOS disk:
  000–1BD  boot code
  1BE–1CD  partition table entry 1
  1CE–1DD  partition table entry 2
  1DE–1ED  partition table entry 3
  1EE–1FD  partition table entry 4
  1FE–1FF  signature 0x55AA

Partition Table
Each 16-byte entry holds: boot flag, CHS start, partition type, CHS end, starting LBA, size in sectors.
Partition Types
Decimal or Hex? Hex: the type byte is printed in hexadecimal. The list as printed by fdisk's l command:

 0  Empty           1e  Hidden W95 FAT1 80  Old Minix       be  Solaris boot
 1  FAT12           24  NEC DOS         81  Minix / old Lin bf  Solaris
 2  XENIX root      39  Plan 9          82  Linux swap / So c1  DRDOS/sec (FAT-
 3  XENIX usr       3c  PartitionMagic  83  Linux           c4  DRDOS/sec (FAT-
 4  FAT16 <32M      40  Venix 80286     84  OS/2 hidden C:  c6  DRDOS/sec (FAT-
 5  Extended        41  PPC PReP Boot   85  Linux extended  c7  Syrinx
 6  FAT16           42  SFS             86  NTFS volume set da  Non-FS data
 7  HPFS/NTFS       4d  QNX4.x          87  NTFS volume set db  CP/M / CTOS / .
 8  AIX             4e  QNX4.x 2nd part 88  Linux plaintext de  Dell Utility
 9  AIX bootable    4f  QNX4.x 3rd part 8e  Linux LVM       df  BootIt
 a  OS/2 Boot Manag 50  OnTrack DM      93  Amoeba          e1  DOS access
 b  W95 FAT32       51  OnTrack DM6 Aux 94  Amoeba BBT      e3  DOS R/O
 c  W95 FAT32 (LBA) 52  CP/M            9f  BSD/OS          e4  SpeedStor
 e  W95 FAT16 (LBA) 53  OnTrack DM6 Aux a0  IBM Thinkpad hi eb  BeOS fs
 f  W95 Ext'd (LBA) 54  OnTrackDM6      a5  FreeBSD         ee  EFI GPT
10  OPUS            55  EZ-Drive        a6  OpenBSD         ef  EFI (FAT-12/16/
11  Hidden FAT12    56  Golden Bow      a7  NeXTSTEP        f0  Linux/PA-RISC b
12  Compaq diagnost 5c  Priam Edisk     a8  Darwin UFS      f1  SpeedStor
14  Hidden FAT16 <3 61  SpeedStor       a9  NetBSD          f4  SpeedStor
16  Hidden FAT16    63  GNU HURD or Sys ab  Darwin boot     f2  DOS secondary
17  Hidden HPFS/NTF 64  Novell Netware  b7  BSDI fs         fd  Linux raid auto
18  AST SmartSleep  65  Novell Netware  b8  BSDI swap       fe  LANstep
1b  Hidden W95 FAT3 70  DiskSecure Mult bb  Boot Wizard hid ff  BBT
1c  Hidden W95 FAT3 75  PC/IX
[Slides: xxd hex dumps of 512-byte boot sectors. The Linux dumps show boot code carrying the strings "LILO" (preceded by the "lba" marker of an LBA-capable LILO) and "GRUB Geom Hard Disk Read Error"; their hex columns were extracted out of order and are not reproduced here. The dump of the Windows MBR of the Real Example is cut ({skip}) to its last 80 bytes; the one line that survived intact is:

00001b0: 0000 0000 0000 0000 786b 786b 0000 8001  ........xkxk....

Bytes 0x1B8–0x1BB (78 6b 78 6b, "xkxk") are the 4-byte disk signature; the partition table begins at 0x1BE with the 0x80 boot flag of entry 1, and the sector ends with the 0x55AA signature at 0x1FE (the "U." closing the last ASCII column).]
Real Example: Windows MBR
Each entry: boot flag, type, C,H,S start and end, start LBA, size (sectors).
A cautionary tale: the 4-byte fields are little endian!

Entry  Flag  Type  Start LBA   Size (sectors)
1      0x80  0x0C  0x0000003F  0x0273C882
2      0x00  0x82  0x0273C8C1  0x000FB040
3      0x00  0x83  0x02837901  0x022518C0
4      0x00  0x00  0x00000000  0x00000000

Partition 1: bootable (flag 0x80), type 0x0C (FAT), starts at sector 63, size 0x0273C882 = 41,142,402 sectors (~21 GB).
Partition 2: type 0x82 (Linux swap), starts at sector 41,142,465, size 1,028,160 sectors.
Partition 3: type 0x83 (Linux), starts at sector 42,170,625, size 35,985,600 sectors.
Entry 4 is empty.
The same table as printed by fdisk expert mode (x, then p). The CHS cylinder field is only 10 bits wide, so cylinders past 1023 appear wrapped (2561 shows as 513); the Start and Size columns come from the LBA fields and are the ones to trust.

Nr AF  Cyl  Hd Sec  Cyl      Start       Size ID
 1 80    0 254  63           63   41142402 0c
 2 00  513 254  63  576 41142465    1028160 82
 3 00  577 254  63 1022 42170625   35985600 83
 4 00    0   0   0    0        0          0 00
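The decoding and the consistency checks from the Volume Analysis slides, applied to the Real Example above, as an added example (not code from Carrier's book or from the lecture). The MBR is rebuilt from the four decoded entries, with the boot code and disk signature zero-filled; the disk size of 78,165,360 sectors (a 40 GB drive), the image name disk.dd and the output file names are assumptions. The block also emits the dd commands the earlier slide describes, one per partition and one per run of unallocated sectors.

```python
"""Decode an MBR partition table, run the consistency checks from the
Volume Analysis slides, and emit the dd commands that carve each partition
and each unallocated run into its own file.

Added example; it is not code from Carrier's book or from the lecture.  The
sector is built from the four entries of the Real Example Windows MBR (boot
code and disk signature are zero-filled), and the disk size of 78,165,360
sectors (a 40 GB drive) is an assumption, as are the output file names.
"""
import struct

SECTOR = 512
DISK_SECTORS = 78_165_360      # assumed; the slides do not give the disk size
HEADS, SPT = 255, 63           # geometry fdisk reports for the Linux example


def entry(boot, ptype, start, size):
    """One 16-byte table entry.  The CHS fields are filled with FE FF FF (the
    'beyond 1024 cylinders, use LBA' filler) for non-empty entries."""
    chs = b"\xfe\xff\xff" if ptype else b"\0\0\0"
    return struct.pack("<B3sB3sII", boot, chs, ptype, chs, start, size)


# Constructed MBR: the values are those decoded on the Real Example slide.
# struct writes them little-endian, so 0x0000003F lands as 3f 00 00 00.
MBR = (b"\0" * 0x1BE
       + entry(0x80, 0x0C, 0x0000003F, 0x0273C882)
       + entry(0x00, 0x82, 0x0273C8C1, 0x000FB040)
       + entry(0x00, 0x83, 0x02837901, 0x022518C0)
       + entry(0x00, 0x00, 0x00000000, 0x00000000)
       + b"\x55\xaa")


def parse_mbr(sector):
    """Return [(nr, boot_flag, type, start_lba, size)] for non-empty entries."""
    if len(sector) != SECTOR or sector[0x1FE:] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype:
            parts.append((i + 1, boot, ptype, start, size))
    return parts


def check(parts, disk_sectors=DISK_SECTORS):
    """Consistency checks: every partition lies on the disk, partitions do
    not overlap, and gaps between them are unallocated space.
    Returns (problems, unallocated) with unallocated as [(start, count)]."""
    problems, unallocated = [], []
    cursor = 1                                   # sector 0 is the MBR itself
    for nr, boot, ptype, start, size in sorted(parts, key=lambda p: p[3]):
        end = start + size                       # exclusive
        if size == 0:
            problems.append(f"entry {nr}: zero size")
        elif end > disk_sectors:
            problems.append(f"entry {nr}: runs past the end of the disk ({end} > {disk_sectors})")
        if start < cursor:
            problems.append(f"entry {nr}: overlaps the previous partition by {cursor - start} sectors")
        elif start > cursor:
            unallocated.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        unallocated.append((cursor, disk_sectors - cursor))
    return problems, unallocated


def dd_commands(parts, unallocated, image="disk.dd"):
    """dd lines that carve each partition and each unallocated run."""
    cmds = [f"dd if={image} of=part{nr}.dd bs={SECTOR} skip={start} count={size}"
            for nr, _boot, _type, start, size in parts]
    cmds += [f"dd if={image} of=unalloc{i}.dd bs={SECTOR} skip={start} count={count}"
             for i, (start, count) in enumerate(unallocated, 1)]
    return cmds


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    """(cylinder, head, sector) for an LBA.  The table stores only 10 bits of
    cylinder, so 2561 is written as 2561 & 0x3FF == 513, which is why the
    32-bit LBA fields, not the CHS fields, should be trusted."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


if __name__ == "__main__":
    parts = parse_mbr(MBR)
    for nr, boot, ptype, start, size in parts:
        print(f"{nr}: boot={boot:#04x} type={ptype:#04x} start={start} size={size} "
              f"(~{size * SECTOR / 1e9:.0f} GB) chs={lba_to_chs(start)}")
    problems, unalloc = check(parts)
    print("problems:", problems or "none")
    print("\n".join(dd_commands(parts, unalloc)))
```

On the assumed disk size the three partitions are contiguous and the checker reports two unallocated runs: sectors 1–62 between the MBR and partition 1, and the 9,135 sectors after partition 3; both are exactly the "left over from a previous life" regions the slides say to carve with dd.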
A second real example, a Linux disk as listed by fdisk -l:

Disk /dev/hda: 255 heads, 63 sectors, 4864 cylinders

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1        13    104391   83  Linux
/dev/hda2            14      1925  15358140   83  Linux
/dev/hda3          1926      2052   1020127+  82  Linux swap

Start and End are cylinders (255 x 63 = 16065 sectors each); Blocks are 1 KB units, so 104391 blocks = 208782 sectors, and the "+" marks an odd sector count. Cylinders 2053–4864 are in no partition. The raw table from fdisk expert mode (x, then p) gives the sector values directly:

Nr      Start       Size ID  System
 1         63     208782 83  Linux
 2     208845   30716280 83  Linux
 3   30925125    2040255 82  Linux swap
 4          0          0 00
Lab