GPT Disks
1. Introduction
4. Forensic Analysis of GPT Disk
5. Conclusion
Section 1
Introduction
Background
MBR
Designed and developed in 1980s
Storage Requirements were not so high
Security was not under consideration
Design was improved with the passage of time to accommodate
storage requirements but security aspects were never considered
GPT
Addresses Storage requirements
Security requirements
MBR
Storage
Cannot address disk space larger than 2 TB
$2^{32} \times 512 = 2\ \text{TB}$
Security
Cannot detect tampering with partition tables
Section 2
Features of GPT
GPT Features
Storage capacity
Redundancy
Security
There is a backup copy of the GPT header and partition table in the last sectors of the
disk. If the header or partition table gets damaged or corrupted, the OS can fetch the
information from the backup copy.
Security
GPT does not allow hidden sectors. First partition starts right after the
partition table.
Section 3
Layout of GPT
Layout of GPT Header
Protective MBR
To prevent older software tools and utilities from accidentally destroying GUID
partitions, the Protective MBR was created.
If a tool doesn't support or recognize GPT, it will at least think that the entire disk is in
use by another (possibly unknown) partition.
The protective MBR type is 0xEE and defines a 'placeholder' partition spanning the
entire disk.
Layout of GPT Header
Description
Signature Value
Size of GPT Header in Bytes
CRC32 Checksum of GPT Header
Reserved
LBA of Current GPT Header
LBA of the Backup GPT Header
LBA of Start of Partition Area
LBA of End of Partition Area
Disk GUID
LBA of the Start of the Partition Table
Number of Entries in Partition Table
Size of each Entry in Partition Table
CRC32 Checksum of Partition Table
Reserved
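The two CRC32 fields in the header layout above are what let an examiner detect edits to the header or the partition table. The following is an added example, not part of the original slides: it parses the primary header and recomputes both checksums over a constructed 64 KiB image, assuming 512-byte sectors and the standard 92-byte UEFI header (which also carries a 4-byte revision field after the signature); all function names are hypothetical.

```python
import struct
import zlib

SECTOR = 512  # assumed logical sector size
# UEFI GPT header, 92 bytes: the fields listed above plus the 4-byte revision.
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")
FIELDS = ("signature", "revision", "header_size", "header_crc32", "reserved",
          "current_lba", "backup_lba", "first_usable", "last_usable",
          "disk_guid", "table_lba", "num_entries", "entry_size", "table_crc32")

def parse_header(sector: bytes) -> dict:
    hdr = dict(zip(FIELDS, HDR.unpack_from(sector)))
    if hdr["signature"] != b"EFI PART" or not 92 <= hdr["header_size"] <= SECTOR:
        raise ValueError("not a valid GPT header")
    return hdr

def header_crc_ok(sector: bytes, hdr: dict) -> bool:
    raw = bytearray(sector[:hdr["header_size"]])
    raw[16:20] = bytes(4)  # the CRC is computed with its own field zeroed
    return zlib.crc32(raw) == hdr["header_crc32"]

def table_crc_ok(disk: bytes, hdr: dict) -> bool:
    start = hdr["table_lba"] * SECTOR
    size = hdr["num_entries"] * hdr["entry_size"]
    return zlib.crc32(disk[start:start + size]) == hdr["table_crc32"]

def check_disk(disk: bytes) -> dict:
    hdr = parse_header(disk[SECTOR:2 * SECTOR])  # primary header is at LBA 1
    return {
        # First MBR entry's type byte (offset 446 + 4) and the boot signature.
        "protective_mbr": disk[450] == 0xEE and disk[510:512] == b"\x55\xaa",
        "header_crc": header_crc_ok(disk[SECTOR:2 * SECTOR], hdr),
        "table_crc": table_crc_ok(disk, hdr),
    }

def build_sample_disk() -> bytearray:
    """Constructed image: protective MBR, primary header, one partition entry."""
    disk = bytearray(128 * SECTOR)
    disk[450], disk[510:512] = 0xEE, b"\x55\xaa"
    entry = struct.pack("<16s16sQQQ72s", b"\x11" * 16, b"\x22" * 16, 34, 93, 0,
                        "data".encode("utf-16-le"))
    disk[2 * SECTOR:2 * SECTOR + 128] = entry
    table_crc = zlib.crc32(disk[2 * SECTOR:34 * SECTOR])
    hdr = bytearray(HDR.pack(b"EFI PART", 0x00010000, 92, 0, 0, 1, 127, 34, 93,
                             b"\x33" * 16, 2, 128, 128, table_crc))
    hdr[16:20] = struct.pack("<I", zlib.crc32(hdr))
    disk[SECTOR:SECTOR + 92] = hdr
    return disk

if __name__ == "__main__":
    disk = build_sample_disk()
    print(check_disk(disk))
    disk[2 * SECTOR + 32] ^= 0xFF  # alter the first entry's starting LBA
    print(check_disk(disk))        # table_crc is now False
```

A full check would repeat the same two comparisons against the backup header in the last sector and confirm that both copies agree.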
Layout of Partition Table
The 64-bit attribute field is divided into three parts.
The lowest bit is set to 1 when the system cannot function without this partition. This is
used to determine if a user is allowed to delete a partition.
Bits 48–63 can store any data that the specific partition type wants. Each partition
type can use these values as they like.
Section 4
GPT does not allow hidden sectors as MBR does, but there are places on a GPT disk
where one can hide data. GPT reserves 32 MB of space for the MS Reserved partition. One
can hide data in these 32 MB because the OS does not load this partition for the user. This space
is 128 MB on disks larger than 16 GB, which most disks are these days. Another place
where one can hide data is the partition gap. The partition gap is 47 KB on disks smaller than 16
GB and 1 MB on disks larger than 16 GB. The unused portions of sector 0, sector 1, and
any of the unused partition entries could be used to hide data.
One can also hide data in the Start Sector, which is 17 KB. Free space from this 47 KB will
only be available when there are fewer than 128 partitions.
Data Hiding
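An examiner can flag two of the locations named above, the unused remainder of the header sector and unused partition entries, by looking for bytes that should be zero. The following is an added example, not part of the original slides; it assumes 512-byte sectors, a 92-byte header and 128-byte entries, and its function names and sample buffers are constructed for illustration.

```python
SECTOR = 512       # assumed logical sector size
HEADER_SIZE = 92   # assumed standard GPT header size
ENTRY_SIZE = 128   # assumed standard partition entry size

def nonzero_runs(buf: bytes, base: int = 0) -> list:
    """Return (offset, length) for every run of non-zero bytes in buf."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((base + start, i - start))
            start = None
    if start is not None:
        runs.append((base + start, len(buf) - start))
    return runs

def audit_slack(header_sector: bytes, table: bytes) -> list:
    """List areas that should be all zero on a clean disk but are not."""
    findings = []
    # Everything in the header sector after the header itself is reserved.
    for off, length in nonzero_runs(header_sector[HEADER_SIZE:], HEADER_SIZE):
        findings.append(("header-slack", off, length))
    # An entry whose type GUID is all zero is unused and should be empty.
    for i in range(0, len(table), ENTRY_SIZE):
        entry = table[i:i + ENTRY_SIZE]
        if entry[:16] == bytes(16) and any(entry):
            findings.append(("unused-entry", i // ENTRY_SIZE,
                             sum(1 for b in entry if b)))
    return findings

def build_sample() -> tuple:
    """Constructed buffers: one in-use entry plus two anomalies to detect."""
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    hdr[200:206] = b"MARKER"                     # bytes in the reserved area
    table = bytearray(128 * ENTRY_SIZE)
    table[0:16] = b"\x11" * 16                   # entry 0 is in use
    table[5 * ENTRY_SIZE + 40:5 * ENTRY_SIZE + 44] = b"\xde\xad\xbe\xef"
    return bytes(hdr), bytes(table)

if __name__ == "__main__":
    for finding in audit_slack(*build_sample()):
        print(finding)
```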
Conversion between GPT and MBR is possible. Windows does not allow conversion if
there is data in any of the partitions. Conversion can be performed after emptying the
partitions, which means that lossless conversion is not possible using Windows utilities.
Third-party software is available that can perform the conversion without losing
data, and AOMEI Partition Assistant is one such tool.
When MBR is converted to GPT, the MBR partition table is replaced with the GPT
protective MBR, and GPT headers and partition tables are created according to the GPT
partitioning scheme. If there are Extended Partitions in the MBR, all partitions will be
converted to primary partitions, as there is no concept of extended partitions in GPT.
Conversion Between MBR and GPT
When GPT is converted to MBR, the protective MBR is replaced with MBR's typical
sector zero containing boot code and partition tables. GPT headers will remain
intact but partition tables will be destroyed. If there are more than four partitions,
then GPT to MBR conversion is not possible because there cannot be more than
four primary partitions in MBR.
Comparison Between MBR & GPT
Number Feature MBR GPT
GPT was introduced to address the storage capacity and security issues of MBR.
GPT has many advantages over MBR, which have been discussed in detail. GPT is not
yet as common as it should be because it is not as compatible as MBR
when it comes to booting from the partition. To boot from GPT partitions the system
must support UEFI, and Windows allows only a 64-bit OS to boot from GPT. GPT does not
allow hidden partitions, but it provides some space under the MS Reserved partition and
the partition gap where data can be hidden. The main features of GPT are its storage
capacity and integrity protection. Forensic software was designed for MBR disks;
it does work with GPT, but not intelligently. Forensic software needs upgrading so
that it can also detect violations of integrity and other changes made to
GPT disks.