Computer Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Forensics

Description:

Using the dd command we can get the first sector of the disk: ... mmls t dos disk3.dd. Units are in 512-byte sectors. Slot Start End Length Description ... – PowerPoint PPT presentation

Slides: 34
Provided by: pere7

Transcript and Presenter's Notes

1
Computer Forensics
  • DOS Partitioning

2
Partitioning Practices
  • We separate partitioning practices into those
    used by personal computers and those used by
    servers
  • Personal Computers
    • DOS
    • Apple
  • Servers
    • Free BSD
    • Sun Solaris
    • GPT

3
DOS Partitions
  • Although there is no standard specification,
    there are several accepted partitioning practices
  • Most common type of partitioning system for PCs
    (and servers)
  • Microsoft calls disks using this type of
    partitioning system Master Boot Record (MBR)
    disks
  • Another type is GUID Partition Table (GPT) used
    by servers

4
Definitions
  • Starting with Windows 2000, Microsoft
    differentiates between:
  • Basic disk: an MBR or GPT disk on which partitions
    are independent and standalone
  • Dynamic disk: an MBR or GPT disk on which
    partitions can be combined or merged to form
    larger volumes (e.g. RAID)
  • We will focus on Basic disks using MBR

5
DOS Partitions
  • The MBR is in the first sector of the disk and
    holds a partition table with four entries
  • When more than 4 partitions are needed, one
    partition may be an extended partition that
    contains secondary partitions
  • The extended partition contains a table similar
    to the MBR in its first sector
  • Non-extended partition entries record their
    starting sector and size. The ending sector
    address can be calculated:
  • Ending sector = starting sector address + size in
    sectors - 1

6
Reasons for partitioning
  • Allowing users to have more than one operating
    system on a single computer
  • Separation of operating system files from user
    files
  • Improving performance by breaking up file space
    into smaller units

7
MBR
  • MBR resides in front of the first partition
  • MBR is the first 512-bytes of the disk
  • MBR is in LBA Sector 0
  • MBR contains
  • Boot code: how to process the partition table
    and how to locate the operating system
  • Partition table
  • Signature
  • The MBR contains the Partition Table which has 4
    entries, one for each partition

8
MBR contents
  • Byte      Description               Essential
  • 0-445     Boot code                 no
  • 446-461   Entry 1                   yes
  • 462-477   Entry 2                   yes
  • 478-493   Entry 3                   yes
  • 494-509   Entry 4                   yes
  • 510-511   Signature value 0xAA55    yes

Table 5.1 Carrier
9
Partition Table Entries (Bytes 446-509)
  • Each entry in the partition table (16 bytes) has
    the following fields:
  • Starting CHS address
  • Ending CHS address
  • Each uses 10 bits for the cylinder, 8 bits for
    the head, 6 bits for the sector
  • Starting LBA address
  • Either CHS or LBA is used, but usually not both
  • Number of sectors in the partition
  • Type of partition (FAT, NTFS, etc.)
  • Flags identify which partition is bootable, and
    thus which operating system will be loaded
  • Each table entry describes the layout of a
    partition in CHS and LBA addresses
  • CHS addresses only work for disks smaller than
    8 GB (they are ignored for larger disks)
  • LBA addresses work for disks that are terabytes
    (TB) in size

10
DOS Partition Table Entries
  • Byte    Description
  • 0       Bootable Flag
  • 1-3     Starting CHS Address
  • 4       Partition Type
  • 5-7     Ending CHS Address
  • 8-11    Starting LBA Address
  • 12-15   Size in sectors

11
Partition Types
  • Type    Description
  • 0x00    Empty
  • 0x01    FAT12
  • 0x04    FAT16, 16-32 MB
  • 0x06    FAT16, 32 MB-2 GB
  • ...
  • 0xa8    Mac OS X
  • ...
  • 0xfb    VMware File System
  • From Table 5.3 Carrier

12
Basic DOS disk
[Figure 5.1 (Carrier): a simple disk laid out as
MBR, Partition 1, Partition 2]
13
Extended Partitions
  • If we need more than four partitions, we can use
    extended partitions
  • Example: we want to divide a 12 GB disk into six
    2 GB partitions in order to run multiple
    operating systems
  • Use up to 3 partitions normally, then create an
    extended partition that can be further subdivided

14
DOS disk partition variations
[Figure 5.2 (Carrier): a DOS disk laid out as MBR,
Primary File System 1, Primary File System 2,
Primary File System 3 and a Primary Extended
Partition that contains the secondaries]
15
Secondary Extended Partitions
[Figure 5.3 (Carrier): Secondary Extended 1 holds
Secondary File System 1 and Secondary Extended 2,
which in turn holds Secondary File System 2. See
also Figure 5.4]
16
Boot Code
  • The partition to be booted is indicated by its
    bootable flag being set (TRUE)
  • Standard boot code for a system with only one OS
    boots the partition whose flag is set to 0x80
  • Alternatively, the boot code may prompt the user
    to choose a partition to boot

17
Extracting sectors from an actual system
  • Using the dd command we can get the first sector
    of the disk:
  • dd if=disk3.dd bs=512 skip=0 count=1 | xxd

18
MBR from the previous dd command (ASCII column
removed). Multi-byte values are stored little
endian, with the least significant byte at the
lowest address
  • 0000000 eb48 9010 8ed0 bc00 b0b8 0000 8ed8 8ec0
  • REMOVED
  • 0000384 0048 6172 6420 4469 736b 0052 6561 6400
  • 0000400 2045 7272 6f72 00bb 0100 b40e cd10 ac3c
  • 0000416 0075 f4c3 0000 0000 0000 0000 0000 0000
  • 0000432 0000 0000 0000 0000 0000 0000 0000 0001
  • 0000448 0100 07fe 3f7f 3f00 0000 4160 1f00 8000
  • REMOVED
  • 0000496 01cd 05f3 ffff 8d40 3200 79eb 9604 55aa
  • Bytes 0-445 contain boot code. The 0xaa55
    signature is in the last two bytes of the sector.
    The partition table entry for partition 1
    (highlighted in red on the original slide) shows
    a partition type of 0x07 and a starting sector
    of 63.
  • Looking at the output on p. 92, which partition
    is bootable?
  • How did we get Figure 5.5?
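The MBR layout from slides 7 to 10 and the hex dump on this slide, as an added Python example that is not from the presentation or from Carrier's book: it parses a 512-byte sector into its four 16-byte entries, checks the 0xAA55 signature, decodes the packed CHS fields, computes the ending sector as start + size - 1, and cross-checks CHS against LBA using the 255-head, 63-sector geometry that fdisk reports later in the slides. The sample sector is constructed: entries 1 and 4 use the bytes of the dump above (bytes 494 and 495, which the dump elides, are assumed to be zero; the start CHS of entry 4 then decodes to cylinder 205, which for that geometry is exactly sector 3,293,325), entries 2 and 3 are built from the fdisk listing with zeroed CHS fields, and the boot code area is left as zeros.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table occupies bytes 446-509
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"     # bytes 510-511; reads as 0xAA55 when taken little endian
ENTRY_FMT = "<B3sB3sII"     # flag, start CHS, type, end CHS, LBA start, size in sectors

# Geometry reported by fdisk on the slides: 255 heads, 63 sectors per track (assumed for CHS maths)
HEADS = 255
SECTORS_PER_TRACK = 63


def decode_chs(raw):
    """Unpack the 3-byte CHS field: head (8 bits), sector (low 6 bits of byte 1)
    and cylinder (top 2 bits of byte 1 followed by all of byte 2, 10 bits in total)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def chs_to_lba(cylinder, head, sector, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Translate CHS to an LBA sector number (CHS sectors are numbered from 1)."""
    return (cylinder * heads + head) * spt + (sector - 1)


def has_valid_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == SIGNATURE


def parse_entry(raw):
    """Decode one 16-byte DOS partition table entry (layout from slide 10)."""
    flag, start_chs, ptype, end_chs, lba_start, size = struct.unpack(ENTRY_FMT, raw)
    return {
        "bootable": flag == 0x80,
        "type": ptype,
        "start_chs": decode_chs(start_chs),
        "end_chs": decode_chs(end_chs),
        "lba_start": lba_start,
        "size": size,
        # ending sector = starting sector + size - 1 (slide 5); None for an empty entry
        "lba_end": lba_start + size - 1 if size else None,
    }


def parse_mbr(sector):
    """Return the four partition table entries of a 512-byte MBR sector, or raise if it is not one."""
    if not has_valid_signature(sector):
        raise ValueError("not a 512-byte sector ending in the 0xAA55 signature")
    return [parse_entry(sector[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
            for i in range(4)]


def build_sample_mbr():
    """Constructed MBR sector for testing. Entries 1 and 4 are the bytes shown in the slide's
    xxd dump (bytes 494-495, which the dump elides, are assumed to be zero); entries 2 and 3 are
    built from the start/end values in the slide's fdisk listing, with zeroed CHS fields and
    entry 2 carrying the 0x80 flag that byte 462 of the dump shows. Boot code is left as zeros."""
    entry1 = bytes.fromhex("00 01 01 00 07 fe 3f 7f 3f 00 00 00 41 60 1f 00")
    entry2 = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2056320, 208845)
    entry3 = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 2265165, 1028160)
    entry4 = bytes.fromhex("00 00 01 cd 05 f3 ff ff 8d 40 32 00 79 eb 96 04")
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = entry1 + entry2 + entry3 + entry4
    sector[510:512] = SIGNATURE
    return bytes(sector)


def chs_matches_lba(entry):
    """Cross-check: below the 8 GB CHS limit the CHS and LBA fields should describe the same sectors."""
    return (chs_to_lba(*entry["start_chs"]) == entry["lba_start"]
            and chs_to_lba(*entry["end_chs"]) == entry["lba_end"])


if __name__ == "__main__":
    # mmls-style listing of the constructed sector; '*' marks the bootable entry
    for n, e in enumerate(parse_mbr(build_sample_mbr()), 1):
        if e["size"]:
            print("%d %s type 0x%02x start %d end %d size %d chs_ok=%s" % (
                n, "*" if e["bootable"] else " ", e["type"], e["lba_start"],
                e["lba_end"], e["size"], chs_matches_lba(e)))
```

Entry 1 is consistent in both address forms: its end CHS (cylinder 127, head 254, sector 63) translates to sector 2,056,319, the same value as start + size - 1. Entry 4's start CHS also matches its LBA start, but its end CHS does not, which is the saturation effect the slides describe for disks larger than the CHS limit: a reader that trusted the CHS fields on this disk would get the wrong end sector for the extended partition.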

19
Extended Partition Example
  • Look at Figure 5.6
  • A primary extended partition starts in sector
    1,000 with a length of 11,000 sectors
  • Its partition table has two entries:
  • A FAT file system, starting at relative sector 63
    (actual 1,063). Why 63?
  • An extended partition, starting at relative
    sector 4,000 (actual 5,000)
  • The secondary extended partition contains an NTFS
    file system, starting at sector 63 (actual 5,063)
  • Its second entry is for another extended
    partition, starting at 6,500 (actual 7,500)
  • Continue?

20
Continued example
  • Contents of the first sector of the primary
    extended partition, in sector 3,293,325 (see
    Table 5.4)
  • dd if=disk3.dd bs=512 skip=3293325 count=1 | xxd
  • REMOVED
  • 0000432 0000 0000 0000 0000 0000 0000 0000 0001
  • 0000448 01cd 83fe 7fcb 3f00 0000 0082 3e00 0000
  • 0000464 41cc 05fe bf0b 3f82 3e00 40b0 0f00 0000
  • 0000480 0000 0000 0000 0000 0000 0000 0000 0000
  • 0000496 0100 07fe 3f7f 3f00 0000 4160 1f00 55aa
  • The last two entries are empty. The type is 0x83
    (Linux), so this is a secondary file system
    partition, and its start is relative to the start
    of the current extended partition ... Table 5.5
    is an extension of Table 5.4. Calculate the start
    of the DOS extended partition.
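The chain walk described on slides 19 and 20, as an added Python example that is not from the presentation: an in-memory disk image is constructed from the sector numbers on slide 19 (primary extended partition at sector 1,000; FAT at relative 63; next extended partition at relative 4,000; NTFS at relative 63 inside it; a further extended entry at 6,500), and the walker applies the two relative-addressing rules the slides give: a file system entry is relative to the extended partition whose table holds it, while an extended entry is relative to the primary extended partition. The table at sector 7,500, all partition sizes and the types other than 0x05, 0x06 and 0x07 are assumptions, as is the loop guard, which is there because a forensic tool must not hang on a corrupt or deliberately circular chain.

```python
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<B3sB3sII"     # flag, start CHS, type, end CHS, LBA start, size
SIGNATURE = b"\x55\xaa"
EXTENDED_TYPE = 0x05        # DOS extended partition type from the slides' table


def make_table_sector(entries):
    """Constructed helper: a 512-byte partition table sector holding up to four
    (type, relative start, size) entries; CHS fields and boot flags are zero."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, start, size) in enumerate(entries):
        off = 446 + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0, b"\0\0\0", ptype, b"\0\0\0", start, size)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def read_entries(sector):
    """Decode the four (type, start, size) triples of a table sector, checking the signature first."""
    if sector[510:512] != SIGNATURE:
        raise ValueError("table sector lacks the 0xAA55 signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append((ptype, start, size))
    return entries


def find_primary_extended(read_sector):
    """Return the absolute start of the primary extended partition named in the MBR, or None."""
    for ptype, start, _ in read_entries(read_sector(0)):
        if ptype == EXTENDED_TYPE:
            return start
    return None


def walk_extended(read_sector, primary_start, max_hops=64):
    """Follow the chain of extended partition tables that begins at primary_start.

    read_sector(n) must return the 512 bytes of sector n. Returns (file systems,
    table sectors); each file system is (absolute start, type, size). A revisited
    sector or an overlong chain raises instead of looping forever.
    """
    filesystems, tables, seen = [], [], set()
    current = primary_start
    while current is not None:
        if current in seen or len(tables) >= max_hops:
            raise ValueError("extended partition chain loops or exceeds %d tables at sector %d"
                             % (max_hops, current))
        seen.add(current)
        tables.append(current)
        next_table = None
        for ptype, rel_start, size in read_entries(read_sector(current)):
            if ptype == 0x00:
                continue                                   # empty entry
            if ptype == EXTENDED_TYPE:
                next_table = primary_start + rel_start     # relative to the primary extended partition
            else:
                filesystems.append((current + rel_start, ptype, size))  # relative to this table
        current = next_table
    return filesystems, tables


def chain_is_sane(read_sector, primary_start):
    """True if the chain terminates without loops; a quick triage check before trusting a layout."""
    try:
        walk_extended(read_sector, primary_start)
        return True
    except ValueError:
        return False


def build_sample_disk():
    """Constructed in-memory image using the sector numbers from slide 19. The table at
    7,500 and every size are made up here so that the chain has an end."""
    primary_start = 1000
    disk = {
        0:    make_table_sector([(EXTENDED_TYPE, primary_start, 11000)]),
        1000: make_table_sector([(0x06, 63, 3000), (EXTENDED_TYPE, 4000, 3000)]),  # FAT at 1063, next at 5000
        5000: make_table_sector([(0x07, 63, 2000), (EXTENDED_TYPE, 6500, 2000)]),  # NTFS at 5063, next at 7500
        7500: make_table_sector([(0x83, 63, 1000)]),                               # assumed last link
    }
    return disk, primary_start


def build_looping_disk():
    """Constructed corrupt image: the last table points back at the first secondary table."""
    disk, primary_start = build_sample_disk()
    disk[7500] = make_table_sector([(0x83, 63, 1000), (EXTENDED_TYPE, 4000, 3000)])
    return disk, primary_start


if __name__ == "__main__":
    disk, primary = build_sample_disk()
    print(walk_extended(lambda n: disk[n], primary))
```

The second entry at sector 5,000 says 6,500, and the walker adds that to the primary start (1,000) rather than to 5,000; that is what makes the next table land at 7,500 as the slide states, and it is the step most often got wrong when a chain is followed by hand.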

21
Tools
  • fdisk lists partitions
  • mmls lists partitions and also marks the unused
    (unallocated) sectors between them

22
fdisk
  • fdisk -lu disk3.dd
  • Disk disk3.dd: 255 heads, 63 sectors, 0 cylinders
  • Units = sectors of 1 * 512 = 512 bytes
  •    Device Boot     Start       End    Blocks  Id System
  • disk3.dd1             63   2056319   1028128   7 NTFS
  • disk3.dd2        2056320  22635164    104422  83 Linux
  • disk3.dd3        2265165   3293324    514080  83 Linux
  • disk3.dd4        3293325  80292869  38499772   5 Extended
  • ...
  • This output lists only the primary extended
    partition (disk3.dd4), not the secondary extended
    partitions inside it. This is acceptable because
    only the primary and secondary file system
    partitions are needed for an investigation, but
    it means not all table entries are shown.

23
mmls
  • mmls -t dos disk3.dd
  • Units are in 512-byte sectors
  • Slot        Start      End       Length    Description
  • 00  ----    00000      0000000   00001     Table 0
  • 01  ----    00001      0000062   00062     Unallocated
  • 02  0000    00063      2056319   big       NTFS (0x07)
  • 03  0001    2056257    208845    208845    Linux (0x83)
  • 04  0002    2265165    3293324   1028160   Linux (0x83)
  • 05  0003    ...
  • Unused sectors are marked unallocated, partition
    tables are indicated, and extended partition
    locations are indicated.
  • See pages 98 and 99.

24
Summary
  • If we need one to four partitions, we use only
    the MBR to find all partitions
  • If we need more than four partitions, we create
    up to three partitions using the MBR and make the
    fourth MBR entry point to an extended partition
    that holds the remainder
  • DOS-based partitions are the most common in
    current computer investigations. They are also
    difficult to understand.
  • Tools can help to list the layout of disks and to
    find the used and unused space.

25
Removable Media
  • Most removable media also have partitions, and
    many use the same structures used by hard disks.
  • Floppy disks: each disk is a single partition
  • Thumb drives: some contain only one file system,
    but others have partitions
  • Zip drives: are partitioned
  • Flash cards (cameras): many use FAT file systems
    and can be analyzed using normal investigation
    tools
  • CD-ROMs: most use the ISO 9660 format so that
    multiple OSs can read them...complex

26
Chapter 6 Server-based partitions
  • BSD (sometimes called Berkeley) UNIX servers use
    their own partitioning system
  • FreeBSD (which also uses DOS partitioning),
    OpenBSD, NetBSD
  • Many use IA32-based hardware (Intel's x86/i386)
  • It is becoming common to encounter a Linux system
    during an investigation, but Linux uses only
    DOS-based partitions
  • When an operating system runs, it can choose which
    partitions it makes available for user access

27
Disk Label
  • Central data structure for BSD partition system
    is a disk label
  • Located in the second sector of the BSD partition
  • At least 276 bytes
  • Structure is shown in Table 6.1

28
GPT Partitions
  • Systems with 64-bit Intel Itanium processors
    (IA64) do not have a BIOS like IA32 systems
  • Instead, they have an Extensible Firmware
    Interface (EFI)
  • The EFI uses a partition system called the GUID
    Partition Table (GPT); GUID stands for globally
    unique identifier
  • It can support up to 128 partitions and uses
    64-bit LBA addresses
  • Usually found in high-end servers

29
Multiple Disk Volumes
  • Multiple disks can be used to contain data, but
    such systems may be difficult to investigate
  • Initially used in high-end and critical systems,
    but becoming more popular with desktop systems
  • Two types are discussed here:
  • RAID systems: provide redundancy
  • Disk spanning: creates larger volumes

30
RAID
  • RAID 0: 2 or more disks on which data is striped
    across the disks (no redundancy)
  • RAID 1: data is repeated across disks for
    redundancy
  • RAID 2: rare. Uses error-correcting codes.
  • RAID 3: 3 or more disks, one disk assigned for
    parity
    • The parity disk can recreate a failed disk
    • Byte-sized chunks
  • RAID 4: similar to level 3, but data is striped in
    block chunks instead of byte chunks
  • RAID 5: similar to level 4, but with no dedicated
    parity disk. Parity alternates amongst the data
    disks
  • There are several more RAID levels
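The parity relationship behind "the parity disk can recreate a failed disk" (RAID 3 and 4) and the rotating parity of RAID 5, as an added Python example that is not from the presentation: a constructed 27-byte payload is striped across four disk images in 4-byte units with the parity unit moving one disk per stripe (that rotation order is an assumption; controllers differ, which is one reason such systems are hard to investigate), any one disk is then rebuilt from the other three by XOR, and reassembly with two disks swapped shows why the disk order must be established before the logical volume can be put back together.

```python
STRIPE_UNIT = 4   # bytes per stripe unit; constructed for readability (real arrays use e.g. 64 KiB)


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings; the parity operation used by RAID 3, 4 and 5."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def parity_disk_for(stripe, ndisks):
    """Assumed rotation: parity sits on the last disk for stripe 0 and moves one disk left per stripe."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_split(data, ndisks, unit=STRIPE_UNIT):
    """Write data across ndisks with rotating parity. Returns one byte string per disk."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = unit * (ndisks - 1)
    data = bytes(data) + b"\0" * ((-len(data)) % per_stripe)   # pad to whole stripes
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunks = [data[s * per_stripe + j * unit:s * per_stripe + (j + 1) * unit]
                  for j in range(ndisks - 1)]
        parity = xor_blocks(chunks)
        pdisk = parity_disk_for(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d] += parity if d == pdisk else next(it)
    return [bytes(d) for d in disks]


def raid5_join(disks, unit=STRIPE_UNIT):
    """Reassemble the logical volume from correctly ordered disk images (parity units skipped)."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // unit):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s * unit:(s + 1) * unit]
    return bytes(out)


def raid5_rebuild(disks, missing):
    """Recreate disk `missing` from the survivors: in every stripe the absent unit, whether
    data or parity, is the XOR of the other units, so the whole disk is the XOR of the others."""
    survivors = [d for i, d in enumerate(disks) if i != missing]
    return xor_blocks(survivors)


EVIDENCE = b"forensic evidence goes here"   # constructed payload, 27 bytes -> 3 stripes of 12


if __name__ == "__main__":
    images = raid5_split(EVIDENCE, 4)
    for m in range(4):
        print("disk %d rebuilt ok: %s" % (m, raid5_rebuild(images, m) == images[m]))
    print(raid5_join([images[1], images[0]] + images[2:])[:len(EVIDENCE)])
```

The rebuild works without knowing which units are parity, because XOR-ing every survivor also regenerates the parity units of the lost disk. Reassembly is the fragile step: with disks 0 and 1 swapped the XOR relationship still holds, so parity gives no warning, yet the recovered bytes are scrambled. That is why the slides' advice to image each disk individually matters: the correct order and stripe size can then be worked out from the images without touching the array.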

31
Analysis
  • Use hardware write-blockers on the individual hard
    disks to prevent modifications during acquisition
  • It may also be useful to make images of the
    individual disks before making an image of the
    entire RAID volume
  • Some RAID systems use only part of each hard
    disk...the unused space may contain old data, or
    could be used to hide data

32
Disk Spanning
  • Makes multiple disks appear to be one large disk
    using software, creating a logical volume.
  • Example: like using a 3-ring binder instead of a
    spiral notebook. It becomes easier to add more
    storage (i.e. disks) as more space is needed.
  • Logical volume: the output of the disk-spanning
    software.

33
Disk Spanning
[Figure: disk spanning. Disk 1 holds chunks D0, D1,
D2 ... D99; Disk 2 holds D100, D101, D102 ... D199,
continuing the numbering.]
The storage space from a new disk is appended to
the end of the existing storage space. This
generates a logical volume made up from two disks.