Partitions/File Systems/Carving
Last updated
Last updated
A hard drive or a SSD disk can contain different partitions with the goal of separating data physically. The minimum unit of a disk is the sector (normally composed by 512B). So, each partition size needs to be multiple of that size.
It's allocated in the first sector of the disk after the 446B of the boot code. This sector is essential to indicate the PC what and from where a partition should be mounted. It allows up to 4 partitions (at most just 1 can be active/bootable). However, if you need more partitions you can use extended partitions.. The final byte of this first sector is the boot record signature 0x55AA. Only one partition can be marked as active. MBR allows max 2.2TB.
From the bytes 440 to the 443 of the MBR you can find the Windows Disk Signature (if Windows is used). The logical drive letters of the hard disk depend on the Windows Disk Signature. Changing this signature could prevent Windows from booting (tool: Active Disk Editor).
Offset | Length | Item |
0 (0x00) | 446(0x1BE) | Boot code |
446 (0x1BE) | 16 (0x10) | First Partition |
462 (0x1CE) | 16 (0x10) | Second Partition |
478 (0x1DE) | 16 (0x10) | Third Partition |
494 (0x1EE) | 16 (0x10) | Fourth Partition |
510 (0x1FE) | 2 (0x2) | Signature 0x55 0xAA |
Offset | Length | Item |
0 (0x00) | 1 (0x01) | Active flag (0x80 = bootable) |
1 (0x01) | 1 (0x01) | Start head |
2 (0x02) | 1 (0x01) | Start sector (bits 0-5); upper bits of cylinder (6- 7) |
3 (0x03) | 1 (0x01) | Start cylinder lowest 8 bits |
4 (0x04) | 1 (0x01) | Partition type code (0x83 = Linux) |
5 (0x05) | 1 (0x01) | End head |
6 (0x06) | 1 (0x01) | End sector (bits 0-5); upper bits of cylinder (6- 7) |
7 (0x07) | 1 (0x01) | End cylinder lowest 8 bits |
8 (0x08) | 4 (0x04) | Sectors preceding partition (little endian) |
12 (0x0C) | 4 (0x04) | Sectors in partition |
In order to mount a MBR in Linux you first need to get the start offset (you can use fdisk
and the the p
command)
An then use the following code
Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.
It’s called GUID Partition Table because every partition on your drive has a globally unique identifier.
Just like MBR it starts in the sector 0. The MBR occupies 32bits while GPT uses 64bits. GPT allows up to 128 partitions in Windows and up to 9.4ZB. Also, partitions can have a 36 character Unicode name.
On an MBR disk, the partitioning and boot data is stored in one place. If this data is overwritten or corrupted, you’re in trouble. In contrast, GPT stores multiple copies of this data across the disk, so it’s much more robust and can recover if the data is corrupted.
GPT also stores cyclic redundancy check (CRC) values to check that its data is intact. If the data is corrupted, GPT can notice the problem and attempt to recover the damaged data from another location on the disk.
For limited backward compatibility, the space of the legacy MBR is still reserved in the GPT specification, but it is now used in a way that prevents MBR-based disk utilities from misrecognizing and possibly overwriting GPT disks. This is referred to as a protective MBR.
In operating systems that support GPT-based boot through BIOS services rather than EFI, the first sector may also still be used to store the first stage of the bootloader code, but modified to recognize GPT partitions. The bootloader in the MBR must not assume a sector size of 512 bytes.
The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table).
Offset | Length | Contents |
0 (0x00) | 8 bytes | |
8 (0x08) | 4 bytes | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8 |
12 (0x0C) | 4 bytes | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes) |
16 (0x10) | 4 bytes | CRC32 of header (offset +0 up to header size) in little endian, with this field zeroed during calculation |
20 (0x14) | 4 bytes | Reserved; must be zero |
24 (0x18) | 8 bytes | Current LBA (location of this header copy) |
32 (0x20) | 8 bytes | Backup LBA (location of the other header copy) |
40 (0x28) | 8 bytes | First usable LBA for partitions (primary partition table last LBA + 1) |
48 (0x30) | 8 bytes | Last usable LBA (secondary partition table first LBA − 1) |
56 (0x38) | 16 bytes | Disk GUID in mixed endian |
72 (0x48) | 8 bytes | Starting LBA of array of partition entries (always 2 in primary copy) |
80 (0x50) | 4 bytes | Number of partition entries in array |
84 (0x54) | 4 bytes | Size of a single partition entry (usually 80h or 128) |
88 (0x58) | 4 bytes | CRC32 of partition entries array in little endian |
92 (0x5C) | * | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes) |
GUID partition entry format | ||
Offset | Length | Contents |
0 (0x00) | 16 bytes | Partition type GUID (mixed endian) |
16 (0x10) | 16 bytes | Unique partition GUID (mixed endian) |
32 (0x20) | 8 bytes | First LBA (little endian) |
40 (0x28) | 8 bytes | Last LBA (inclusive, usually odd) |
48 (0x30) | 8 bytes | Attribute flags (e.g. bit 60 denotes read-only) |
56 (0x38) | 72 bytes | Partition name (36 UTF-16LE code units) |
More partition types in https://en.wikipedia.org/wiki/GUID_Partition_Table
After mounting the forensics image with ArsenalImageMounter, you can inspect the first sector using the Windows tool Active Disk Editor. In the following image a MBR was detected on the sector 0 and interpreted:
If it was a GPT table instead of a MBR it should appear the signature EFI PART in the sector 1 (which in the previous image is empty).
FAT12/16: MSDOS, WIN95/98/NT/200
FAT32: 95/2000/XP/2003/VISTA/7/8/10
ExFAT: 2008/2012/2016/VISTA/7/8/10
NTFS: XP/2003/2008/2012/VISTA/7/8/10
ReFS: 2012/2016
The FAT (File Allocation Table) file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, two copies of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a fixed location so that the files needed to start the system can be correctly located.
The minimum space unit used by this file-system is a cluster, typically 512B (which is composed by a number of sectors).
The earlier FAT12 had a cluster addresses to 12-bit values with up to 4078 clusters; it allowed up to 4084 clusters with UNIX. The more efficient FAT16 increased to 16-bit cluster address allowing up to 65,517 clusters per volume. FAT32 uses 32-bit cluster address allowing up to 268,435,456 clusters per volume
The maximum file-size allowed by FAT is 4GB (minus one byte) because the file system uses a 32-bit field to store the file size in bytes, and 2^32 bytes = 4 GiB. This happens for FAT12, FAT16 and FAT32.
The root directory occupies a specific position for both FAT12 and FAT16 (in FAT32 it occupies a position like any other folder). Each file/folder entry contains this information:
Name of the file/folder (8 chars max)
Attributes
Date of creation
Date of modification
Date of last access
Address of the FAT table where the first cluster of the file starts
Size
When a file is "deleted" using a FAT file system, the directory entry remains almost unchanged except for the first character of the file name (modified to **0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
Ext2 is the most common file-system for not journaling partitions (partitions that don't change much) like the boot partition. Ext3/4 are journaling and are used usually for the rest partitions.
EXTSome files contains metadata. This is information about the content of the file which sometimes might be interesting for the analyst as depending on the file-type it might have information like:
Title
MS Office Version used
Author
Dates of creation and last modification
Model of the camera
GPS coordinates
Image information
You can use tools like exiftool and Metadiver to get the metadata of a file.
As it was seen before there are several places where the file is still saved after it was "deleted". This is because usually the deletion of a file from a file-system just mark it as deleted but the data isn't touched. Then, it's possible to inspect the registries of the files (like the MFT) and find the deleted files.
Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible.
File/Data Carving & Recovery ToolsFile carving is a technique that tries to find files in a bulk of data. There are 3 main ways tools like this works: Based on file types headers and footers, based on file types structures and based on the content itself.
Note that this technique doesn't work to retrieve fragmented files. If a file isn't stored in contiguous sectors, then this technique won't be able to find it or at least part of it.
There are several tools that you can use for file Carving indicating them the file-types you want search for
File/Data Carving & Recovery ToolsData Stream Carving is similar to File Carving but instead of looking for complete files, it looks for interesting fragments of information. For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
File/Data Carving & Recovery ToolsObviously, there are ways to "securely" delete files and part of logs about them. For example, it's possible to overwrite the content of a file with junk data several times, and then remove the logs from the $MFT and $LOGFILE about the file, and remove the Volume Shadow Copies. You may notice that even performing that action there might be other parts where the existence of the file is still logged, and that's true and part of the forensics professional job is to find them.
iHackLabs Certified Digital Forensics Windows