BACS 371 Computer Forensics: Boot Record Decoder
Partition Table
• A partition is a logical drive or volume within a physical device
• Partitions are defined in the Master Boot Record (MBR)
• The MBR describes every logical volume on the disk
• Master Partition Table
  • Contains descriptions of the partitions on the disk
  • Room to describe 4 primary partitions
  • One partition can be marked as active (used for booting)
• Partition Gap
  • Unused space between partitions
Master Boot Record (MBR)
• Executable Code
  • Machine language code
  • Processor specific
  • Decodes the partition table
  • 446 bytes long
• Partition Table
  • 4 entries
  • First entry starts at offset 446 (decimal)
• MBR "Signature"
  • 0x55AA
Decoding a Partition Table Entry
• Entry #3 starting at offset 0x01DE
• Bootable?
  • Offset 0
  • Value 0x80 means bootable
• Starting Head
  • Offset 1
  • 1 byte
  • 0x00 = 0 starting head
• Starting Sector
  • Offset 2
  • 6 bits (use the 6 LSB)
  • Decode as bits
  • 0xC1 = 1100|0001
  • 6 LSB = 000001 = Sector #1
• Starting Cylinder
  • Offset 3
  • 10 bits (use the remaining 2 bits from the sector byte as the upper 2 bits)
  • Decode as bits
  • 0xFF = 1111|1111
  • 10 bits = 11|1111|1111 = 0x3FF = Cylinder #1023
• File System Type
  • Offset 4
  • Decode as table entry
  • 0x0C = Win 95 FAT-32 LBA
• Ending Head: offset 5
• Ending Sector: offset 6
• Ending Cylinder: offset 7
• Relative Sectors (start of partition)
  • Offset 8
  • 4 bytes
  • Decode as number (swap)
  • 0x1D0D9045 = 487,428,165
  • # of sectors from start of drive to start of this partition
• Number of Sectors
  • Offset 12
  • 4 bytes
  • Decode as number (swap)
  • 0x000E37BA = 931,770
  • # of sectors in this partition
  • 477,066,240 bytes (*512)
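The decoding steps above, as an added Python example (not part of the original slides): a 16-byte partition table entry is unpacked from a constructed 512-byte MBR that carries the slide's values in entry #3 at 0x01DE. The ending CHS bytes at offsets 5-7 are not given on the slide, so the sample uses placeholder values; the type-name table and the plausibility checks are this example's own, not from the deck.

```python
import struct

PARTITION_TABLE_OFFSET = 446   # 0x01BE: first of four 16-byte entries
ENTRY_SIZE = 16
SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"    # bytes 510-511

# Partition type byte -> name (small subset; 0x0C is the value on the slide).
TYPE_NAMES = {
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0B: "W95 FAT32",
    0x0C: "W95 FAT32 (LBA)",
    0x83: "Linux",
}

def build_sample_mbr():
    """Constructed MBR (not the slides' disk image). Entry #3 at 0x01DE carries
    the slide's values; its ending CHS bytes (offsets 5-7) are not on the slide,
    so 0xFE 0xFF 0xFF is used as a placeholder. Boot code is left zeroed."""
    entry3 = bytes([
        0x80,               # offset 0: status, 0x80 = bootable/active
        0x00,               # offset 1: starting head
        0xC1,               # offset 2: starting sector (6 LSB) + cylinder bits 8-9
        0xFF,               # offset 3: starting cylinder bits 0-7
        0x0C,               # offset 4: partition type
        0xFE, 0xFF, 0xFF,   # offsets 5-7: ending head/sector/cylinder (placeholder)
    ]) + struct.pack("<II", 0x1D0D9045, 0x000E37BA)  # 8-11: LBA start, 12-15: sector count
    mbr = bytearray(SECTOR_SIZE)
    start = PARTITION_TABLE_OFFSET + 2 * ENTRY_SIZE   # third entry, 0-based index 2
    mbr[start:start + ENTRY_SIZE] = entry3
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)

def decode_chs(head, sector_byte, cyl_byte):
    """Unpack the packed 3-byte CHS address: 6-bit sector, 10-bit cylinder."""
    sector = sector_byte & 0x3F                        # low 6 bits
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_byte  # top 2 bits become cylinder bits 8-9
    return cylinder, head, sector

def decode_partition_entry(mbr, index):
    """Decode entry `index` (0-3) of the master partition table."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing MBR signature 0x55AA")
    off = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
    (status, s_head, s_sec, s_cyl, ptype,
     e_head, e_sec, e_cyl, lba_start, num_sectors) = struct.unpack_from("<8BII", mbr, off)
    return {
        "offset": off,
        "bootable": status == 0x80,
        "start_chs": decode_chs(s_head, s_sec, s_cyl),   # (cylinder, head, sector)
        "end_chs": decode_chs(e_head, e_sec, e_cyl),
        "type": ptype,
        "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
        "lba_start": lba_start,        # sectors from start of drive to this partition
        "num_sectors": num_sectors,
        "size_bytes": num_sectors * SECTOR_SIZE,
    }

def check_entry(entry, disk_sectors):
    """Plausibility checks worth running before trusting a table from evidence."""
    problems = []
    if entry["type"] != 0 and entry["num_sectors"] == 0:
        problems.append("typed entry with zero length")
    if entry["lba_start"] + entry["num_sectors"] > disk_sectors:
        problems.append("partition extends past end of drive")
    return problems

if __name__ == "__main__":
    mbr = build_sample_mbr()
    for i in range(4):
        e = decode_partition_entry(mbr, i)
        print("entry #%d @0x%04X %-16s bootable=%-5s lba=%d sectors=%d bytes=%d"
              % (i + 1, e["offset"], e["type_name"], e["bootable"],
                 e["lba_start"], e["num_sectors"], e["size_bytes"]))
```

Because the CHS fields are packed across byte boundaries while the LBA fields are plain little-endian words, the decoder keeps them on separate paths; the `check_entry` bounds test catches a table whose entry points past the end of the drive, which is a common sign of a damaged or hand-edited MBR.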
Partition Boot Record
• 0 - 2: Jump Instruction (3 bytes)
• 3 - 10: OEM ID (8 bytes)
• 11 - 83: BIOS Parameter Block (BPB) (includes all below plus additional fields); all offsets in this section are from the start of the BPB, counting from 0, in decimal
  • offset 11: Bytes Per Sector (2 bytes)
  • offset 13: Sectors Per Cluster (1 byte)
  • offset 21: Media Descriptor (1 byte)
  • offset 24: Sectors Per Track (2 bytes)
  • offset 26: Number of Heads (2 bytes)
  • offset 28: Hidden Sectors (4 bytes)
  • offset 32: Total Sectors (4 bytes)
• 62 - 511: Bootstrap Code (448 bytes)
  • Ends with 55 AA
NOTE: Offsets are from start of Partition, not start of Drive!
Partition Boot Record (PBR)
• BIOS Parameter Block
• Executable Code
  • Machine language code
  • Processor specific
  • Decodes the BPB
  • Searches for the OS
• PBR "Signature"
  • 0x55AA
Decoding a Partition Boot Record (BIOS Parameter Block – BPB)
• Jump Instruction
  • Offset 0x00
  • 3 bytes
• OEM Name
  • Offset 0x03
  • 8 bytes
  • Decode as ASCII
  • "MSDOS5.0"
• Bytes Per Sector
  • Offset 0x0B
  • 2 bytes
  • Decode as number (swap "endian")
  • 0x0200 = 512
• Sectors Per Cluster
  • Offset 0x0D
  • 1 byte
  • Decode as number
  • 0x08 = 8
  • 8 * 512 = 4096 bytes/cluster
• Media Type
  • Offset 0x15
  • 1 byte
  • Decode from table
  • 0xF8 means HD
• Sectors per Track
  • Offset 0x18
  • 2 bytes
  • Decode as number (swap "endian")
  • 0x003F = 63
• Heads
  • Offset 0x1A
  • 2 bytes
  • Decode as number (swap "endian")
  • 0x00FF = 255
• Total Sectors
  • Offset 0x20
  • 4 bytes
  • Decode as number (swap "endian")
  • 0x000E37BA = 931,770
  • 477,066,240 bytes
• FAT Size (Sectors)
  • Offset 0x24
  • 4 bytes
  • Decode as number (swap "endian")
  • 0x0000038D = 909
  • 465,408 bytes (*512)
  • 58,176 entries (/4)
  • 238,288,896 bytes addressed (*4096)
• File System Type
  • Offset 0x52
  • 8 bytes
  • Decode as ASCII
  • "FAT32   "
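The BPB fields from the two Partition Boot Record slides, decoded in an added Python example (not code from the original deck). The boot sector is constructed here to carry the slide's values; fields the slide does not show (reserved sectors, number of FATs, hidden sectors) hold placeholder values. The derived figures follow the slide's arithmetic, with one consistency check worth noting: 465,408 FAT bytes divided by 4-byte entries gives 116,352 entries (58,176 is the result of dividing by 8), and 116,352 entries at 4096 bytes each covers the 931,770-sector partition, which is the check `decode_bpb` performs.

```python
import struct

BOOT_SIGNATURE = b"\x55\xAA"
MEDIA_TYPES = {0xF8: "fixed disk", 0xF0: "removable media"}
FAT32_ENTRY_BYTES = 4

def build_sample_boot_sector():
    """Constructed FAT32 boot sector (not the slides' image) with the slide's values."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xEB\x58\x90"           # jump instruction
    bs[0x03:0x0B] = b"MSDOS5.0"               # OEM name
    struct.pack_into("<H", bs, 0x0B, 512)     # bytes per sector
    bs[0x0D] = 8                              # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 32)      # reserved sectors (placeholder, not on slide)
    bs[0x10] = 2                              # number of FATs (placeholder, not on slide)
    bs[0x15] = 0xF8                           # media descriptor
    struct.pack_into("<H", bs, 0x18, 63)      # sectors per track
    struct.pack_into("<H", bs, 0x1A, 255)     # heads
    struct.pack_into("<I", bs, 0x1C, 0)       # hidden sectors (placeholder, not on slide)
    struct.pack_into("<I", bs, 0x20, 931770)  # total sectors, 32-bit field
    struct.pack_into("<I", bs, 0x24, 909)     # FAT size in sectors, FAT32 field
    bs[0x52:0x5A] = b"FAT32   "               # file system type string
    bs[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(bs)

def decode_bpb(bs):
    """Decode the FAT32 BPB; all multi-byte fields are little-endian ("swapped")."""
    if len(bs) < 512 or bs[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing boot sector signature 0x55AA")
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)
    sectors_per_cluster = bs[0x0D]
    reserved_sectors, = struct.unpack_from("<H", bs, 0x0E)
    num_fats = bs[0x10]
    media = bs[0x15]
    sectors_per_track, heads = struct.unpack_from("<HH", bs, 0x18)
    hidden_sectors, total_sectors = struct.unpack_from("<II", bs, 0x1C)
    fat_sectors, = struct.unpack_from("<I", bs, 0x24)

    warnings = []
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        warnings.append("unusual bytes per sector %d" % bytes_per_sector)
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        warnings.append("sectors per cluster is not a power of two")

    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    fat_bytes = fat_sectors * bytes_per_sector
    fat_entries = fat_bytes // FAT32_ENTRY_BYTES
    # Data region starts after the reserved area and all FAT copies; clusters are
    # numbered from 2, so the FAT must hold at least data_clusters + 2 entries.
    data_sectors = total_sectors - reserved_sectors - num_fats * fat_sectors
    data_clusters = data_sectors // sectors_per_cluster
    if fat_entries < data_clusters + 2:
        warnings.append("FAT too small to map every data cluster")

    return {
        "oem_name": bs[0x03:0x0B].decode("ascii"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "bytes_per_cluster": bytes_per_cluster,
        "media": media,
        "media_desc": MEDIA_TYPES.get(media, "unknown"),
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "total_sectors": total_sectors,
        "total_bytes": total_sectors * bytes_per_sector,
        "fat_sectors": fat_sectors,
        "fat_bytes": fat_bytes,
        "fat_entries": fat_entries,
        "fat_addressable_bytes": fat_entries * bytes_per_cluster,
        "data_clusters": data_clusters,
        "fs_type": bs[0x52:0x5A].decode("ascii").strip(),
        "warnings": warnings,
    }

if __name__ == "__main__":
    for key, value in decode_bpb(build_sample_boot_sector()).items():
        print("%-22s %s" % (key, value))
```

With the placeholder reserved-sector and FAT-count values the sample yields 116,240 data clusters against 116,352 FAT entries, so the table is large enough; a boot sector whose FAT cannot map its own data area is a strong hint that the BPB has been altered or belongs to a different volume.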
FAT Root Directory
• Volume ID directory entry
• Single directory entry for a file with a "short" filename
• Multiple directory entries for a file with a "long" filename: there are 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the "short" file name
• Attribute bits
  • 0x08 = Volume Label
  • 0x20 = Archive
  • 0x0F = Long File Name
Decoding a Root Directory Entry (1)
• DOS File Name
  • Offset 0x00
  • 8 bytes
  • Decoded as ASCII
  • "LONGY   "
• DOS File Extension
  • Offset 0x08
  • 3 bytes
  • Decoded as ASCII
  • "TXT"
• Create Time (Fine)
  • Offset 0x0D
  • 1 byte
  • Decode as number
  • 0x66 = 102
  • 102 * 10 ms = 1.02 sec.
• Create Time (Coarse)
  • Offset 0x0E
  • 2 bytes
  • Decode as number (swap)
  • 0x6E4D = 01101|110010|01101
  • 1st 5 bits: 13 hour
  • Next 6 bits: 50 min
  • Last 5 bits: 13 => 26 seconds
  • 13:50:26 + 1.02 fine above
  • 13:50:27.02
• Create Date
  • Offset 0x10
  • 2 bytes
  • Decode as number (swap)
  • 0x3562 = 0011010|1011|00010
  • 1st 7 bits: 26 + 1980 = 2006 year
  • Next 4 bits: 11 month = November
  • Last 5 bits: 2 day
  • November 2, 2006
• Last Access Date
  • Offset 0x12
  • 2 bytes
  • See Create Date
• First Cluster
  • Offset 0x14 (high bytes)
  • Offset 0x1A (low bytes)
  • 4 bytes
  • Decode as number (swap)
  • 0x00000003 = 3 start cluster
• File Size
  • Offset 0x1C
  • 4 bytes
  • Decode as number (swap)
  • 0x00003942 = 14,658 bytes
  • Occupies 4 clusters (/4096)
  • Has 4*4096-14658 = 1726 bytes of slack
Decoding a Root Directory Entry (2)
• Attributes
  • Offset 0x0B
  • 1 byte
  • Decode as bits – 0th bit on the right, 7th bit on the left
  • 0x0F means Long Filename entry
  • 0x20 = 0010|0000 = Archive
• Last Modified Time
  • Offset 0x16
  • 2 bytes
  • Decode as number (swap)
  • 0x6E1A = 01101|110000|11010
  • 1st 5 bits: 13 hour
  • Next 6 bits: 48 min
  • Last 5 bits: 26 => 52 seconds
  • 13:48:52
• Last Modified Date
  • Offset 0x18
  • 2 bytes
  • Decode as number (swap)
  • 0x3562 = 0011010|1011|00010
  • 1st 7 bits: 26 + 1980 = 2006 year
  • Next 4 bits: 11 month = November
  • Last 5 bits: 2 day
  • November 2, 2006
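The two "Decoding a Root Directory Entry" slides in one added Python example (not code from the original deck): a 32-byte short-name entry constructed with the slide's values is unpacked, the packed DOS date and time words are split into their 7/4/5-bit and 5/6/5-bit fields, the 10 ms fine-resolution byte is added to the create time, the first cluster is assembled from its high and low words, and the cluster count and slack are derived from the file size. The 4096-byte cluster size comes from the BPB slide; the 0xE5 deleted-entry marker and the guard for unparseable dates are this example's own additions.

```python
import struct
from datetime import date, datetime, timedelta

CLUSTER_BYTES = 4096          # 8 sectors * 512 bytes, from the BPB slide
ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"   # 32 bytes, all multi-byte fields little-endian
ATTR_LONG_NAME = 0x0F
ATTR_BITS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME_LABEL", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def build_sample_entry():
    """Constructed directory entry carrying the slide's values (not a real image)."""
    return struct.pack(ENTRY_FORMAT,
        b"LONGY   ",   # 0x00 DOS file name, space padded
        b"TXT",        # 0x08 DOS extension
        0x20,          # 0x0B attributes: archive
        0x00,          # 0x0C NT reserved
        0x66,          # 0x0D create time, fine (10 ms units)
        0x6E4D,        # 0x0E create time (coarse)
        0x3562,        # 0x10 create date
        0x3562,        # 0x12 last access date
        0x0000,        # 0x14 first cluster, high word
        0x6E1A,        # 0x16 last modified time
        0x3562,        # 0x18 last modified date
        0x0003,        # 0x1A first cluster, low word
        0x3942)        # 0x1C file size

def decode_dos_time(word):
    """5 bits hour | 6 bits minute | 5 bits seconds/2."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_dos_date(word):
    """7 bits years since 1980 | 4 bits month | 5 bits day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def dos_datetime(date_word, time_word, fine_10ms=0):
    """Combine date, time and the 10 ms fine byte; None if the fields are not a valid date
    (month or day 0 is common in unused or wiped entries)."""
    try:
        base = datetime(*decode_dos_date(date_word), *decode_dos_time(time_word))
    except ValueError:
        return None
    return base + timedelta(milliseconds=10 * fine_10ms)

def decode_attributes(byte):
    if byte == ATTR_LONG_NAME:
        return ["LONG_NAME"]
    return [name for bit, name in ATTR_BITS.items() if byte & bit]

def decode_dir_entry(raw, cluster_bytes=CLUSTER_BYTES):
    (name, ext, attr, _nt, ctime_fine, ctime, cdate, adate,
     clus_hi, mtime, mdate, clus_lo, size) = struct.unpack(ENTRY_FORMAT, raw)
    if attr == ATTR_LONG_NAME:
        # One 13-character piece of a long filename; the file's metadata lives in
        # the short-name entry that follows the long-name entries.
        return {"attributes": ["LONG_NAME"], "long_name_entry": True}
    deleted = raw[0] == 0xE5
    base = name.decode("ascii", "replace").rstrip()
    extension = ext.decode("ascii", "replace").rstrip()
    clusters = (size + cluster_bytes - 1) // cluster_bytes   # round up
    return {
        "name": base + ("." + extension if extension else ""),
        "deleted": deleted,
        "attributes": decode_attributes(attr),
        "created": dos_datetime(cdate, ctime, ctime_fine),
        "accessed": date(*decode_dos_date(adate)),
        "modified": dos_datetime(mdate, mtime),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
        "clusters": clusters,
        "slack": clusters * cluster_bytes - size,   # allocated but unused bytes
    }

if __name__ == "__main__":
    for key, value in decode_dir_entry(build_sample_entry()).items():
        print("%-14s %s" % (key, value))
```

Note that the slide's own values put the modification time (13:48:52) two minutes before the creation time (13:50:27.02), which is what a copy or move of an existing file leaves behind, so a decoder should report both rather than assume one bounds the other.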
FAT Table (FAT)
• Cluster 3 Entry
  • First cluster of the file, as identified in the directory entry
  • Offset 0x08
  • 4 bytes
  • Decoded as number (swap)
  • 0x00000004 = 4 next cluster
• Cluster 4 Entry
  • Offset 0x08
  • 4 bytes
  • Decoded as number (swap)
  • 0x00000005 = 5 next cluster
• Cluster 5 Entry
  • Offset 0x08
  • 4 bytes
  • Decoded as number (swap)
  • 0x00000006 = 6 next cluster
• Cluster 6 Entry
  • Offset 0x08
  • 4 bytes
  • Decoded as number (swap)
  • 0x0FFFFFFF = EOF
This file occupies 4 clusters, or 4 * 4096 = 16,384 bytes on the drive. It is not always the case that a file will occupy sequential clusters.
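Walking the FAT chain from the slide, as an added Python example (not from the original deck). The FAT32 table is constructed here: it reproduces the slide's chain 3 -> 4 -> 5 -> 6 -> EOF and adds a fragmented file at cluster 7 (to illustrate the closing remark that clusters need not be sequential) and a deliberately corrupt loop at cluster 10. The 28-bit entry mask, the end-of-chain threshold and the loop and free-cluster checks are this example's own; the 4096-byte cluster size is from the BPB slide.

```python
import struct

FAT32_MASK = 0x0FFFFFFF      # only the low 28 bits of a FAT32 entry are significant
FAT32_EOC_MIN = 0x0FFFFFF8   # any masked value >= this is an end-of-chain marker
FAT32_BAD = 0x0FFFFFF7       # cluster marked bad
CLUSTER_BYTES = 4096         # from the BPB slide

def build_sample_fat():
    """Constructed FAT32 table, little-endian 32-bit entries indexed by cluster number."""
    entries = [
        0x0FFFFFF8, 0xFFFFFFFF,   # entries 0 and 1: media byte and reserved, never file data
        0x0FFFFFFF,               # cluster 2: root directory, one cluster
        4, 5, 6, 0x0FFFFFFF,      # clusters 3-6: the slide's file, 3 -> 4 -> 5 -> 6 -> EOF
        9, 0, 0x0FFFFFFF,         # clusters 7-9: fragmented file 7 -> 9; cluster 8 is free
        11, 10,                   # clusters 10-11: corrupt loop 10 -> 11 -> 10
    ]
    return struct.pack("<%dI" % len(entries), *entries)

def fat_entry(fat, cluster):
    """Read the entry for `cluster`; its byte offset in the FAT is cluster * 4."""
    return struct.unpack_from("<I", fat, cluster * 4)[0] & FAT32_MASK

def follow_chain(fat, start):
    """Return the list of clusters a file occupies, starting at its first cluster.
    Raises ValueError for chains that leave the table, loop, or end on a free or
    bad cluster, all of which indicate a damaged or tampered FAT."""
    n_entries = len(fat) // 4
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < 2 or cluster >= n_entries:
            raise ValueError("cluster %d is outside the data area" % cluster)
        if cluster in seen:
            raise ValueError("FAT loop at cluster %d" % cluster)
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat_entry(fat, cluster)
        if nxt >= FAT32_EOC_MIN:
            return chain
        if nxt == FAT32_BAD:
            raise ValueError("chain from %d points at a bad cluster" % start)
        if nxt == 0:
            raise ValueError("chain from %d runs into a free cluster" % start)
        cluster = nxt

def chain_bytes(chain, cluster_bytes=CLUSTER_BYTES):
    """Bytes allocated on disk to the chain (file size plus slack)."""
    return len(chain) * cluster_bytes

def is_contiguous(chain):
    return all(b == a + 1 for a, b in zip(chain, chain[1:]))

if __name__ == "__main__":
    fat = build_sample_fat()
    for start in (3, 7, 10):
        try:
            chain = follow_chain(fat, start)
            print("cluster %d: chain %s, %d bytes, contiguous=%s"
                  % (start, chain, chain_bytes(chain), is_contiguous(chain)))
        except ValueError as err:
            print("cluster %d: %s" % (start, err))
```

The visited-set check matters in practice: a FAT recovered from a damaged or partially overwritten volume can contain cycles, and a decoder without the check never terminates.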