Forensics, Ch 4 Disk Volume and Partition Systems
bytes 32 - 39
(starting address of the partition): sector 32 (0x0022).
is a partition whose entry is in the MBR, and the partition contains additional partitions.
A primary extended partition
is a partition whose entry is in the MBR and the partition contains a file system or other structured data.
A primary file system partition
What replaced BIOS
Extensible Firmware Interface and Unified EFI
Bytes 16 - 31:
Partition GUID
Each MBR entry has the following fields:
Starting CHS address (for Windows 98, ME, etc.); Ending CHS address; Starting LBA address (for Windows 2000 and beyond); Number of sectors in partition; Type of partition (FAT, NTFS, etc.; Linux does not care about the type); Flags (bootable or not)
When it finds such a partition, Boot Code looks in the first sector of the partition
and executes the code found there.
MBR includes how many partitions?
one partition table, which has four entries (meaning up to 4 partitions)
is a partition that contains a partition table and a secondary file system partition.
A secondary extended partition
also called a logical partition in Windows, is located inside the primary extended partition bounds and contains a file system or other structured data.
A secondary file system partition,
What is getting obsolete
BIOS uses MBR
contains a backup copy of the partition table and the GPT header (in this order, meaning a backup copy of the GPT header is the last sector of the GPT). It is located in the sector following the partition area.
Backup area
exists in the first 446 bytes of the first sector (512-byte)
Boot Code MBR
The Protective MBR's single entry is for a partition with a type of 0xEE that spans
the entire disk.
What are essential and specified in the partition data structure
the starting and ending locations (sectors) for each partition
The purpose of a partition system is
to organize the layout of a volume
Bytes 0 - 15
(Partition type GUID): MRP type
bytes 40 - 47
(ending address of the partition): sector 4,096,000 (0x003E8000).
the largest area and contains the sectors that will be allocated to partitions. The starting and ending sectors for the entire partition area (not each individual partition's area) are defined in the GPT header.
Partition Area
Each entry contains a starting and ending address, a type value, a name, attribute flags, and a GUID value.
Partition table
What contains a DOS partition table with one entry.
Protective MBR
What are partitions for Windows, Mac, Linux
Windows: FAT, NTFS; Mac: HFS, HFS+; Linux: Ext2
Boot sector viruses or bootkits insert themselves into the first 446 bytes of the MBR so that they are executed
every time the computer is booted.
What is an example of a volume that is located in consecutive sectors
hard disk
Multiple OS boot option code can be either in Boot Code or
in the bootable partition
Where is the Master Boot Record (MBR)
in the first 512-byte sector of a disk
The sectors in a volume need _______ be consecutive on a physical storage device
not
What is a collection of consecutive sectors in a volume that is also known as a volume and dependent on the operating system and not the type of interface on the hard disk
partition
Why does the partition exist in the Protective MBR
so that legacy computers can recognize the disk as being used and do not try to format it.
What processes the partition table in the MBR and identifies which partition has the bootable flag set.
standard Microsoft boot code
GPT header
starts in sector 1 (typically fits in 1 sector) and defines the size and location of the partition table, which are fixed when the GPT disk is created. Windows limits the number of entries in the partition table to 128. It also contains a checksum of the header and the partition table so that errors or modifications can be detected.
What is a collection of addressable sectors that an Operating System (OS) or application can use for data storage.
volume
The code in the start of the partition
will be operating system-specific.
What is supposed to be unique for that system and is set when the partition table is created.
The 128-bit GUID
What do EFI and UEFI use instead of MBR
GPT
What GPT partition type has an unallocated entry
Intel
DOS, Windows, Linux, and IA32-based FreeBSD and OpenBSD systems all contain which partitions
DOS
What is used mainly in systems with 64-bit Intel processors
EFI/UEFI
GUID stands for
Globally Unique ID. Can support up to 128 partitions and uses 64-bit LBA addresses
What section of a partition does not have boundary information
The starting and ending sectors