1 / 14

COEN 152/252

COEN 152/252. Computer Forensics Apple Partitions. Apple Partition Map. Applies to MAC OS X, MAC OS 9 iPod players Switching to GUID Partition Table (GPT) To support disk bigger than 2TB. Apple Partition Map. Apple Partition Map. Block 0: Driver Descriptor Record. TYPE Block0 =

rupert
Download Presentation

COEN 152/252

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 152/252 Computer Forensics Apple Partitions

  2. Apple Partition Map • Applies to MAC OS X, MAC OS 9 • iPod players • Switching to GUID Partition Table (GPT) • To support disk bigger than 2TB

  3. Apple Partition Map

  4. Apple Partition Map • Block 0: Driver Descriptor Record TYPE Block0 = PACKED RECORD sbSig: Integer; {device signature} sbBlkSize: Integer; {block size of the device} sbBlkCount: LongInt; {number of blocks on the device} sbDevType: Integer; {reserved} sbDevId: Integer; {reserved} sbData: LongInt; {reserved} sbDrvrCount: Integer; {number of driver descriptor entries} ddBlock: LongInt; {first driver's starting block} ddSize: Integer; {size of the driver, in 512-byte blocks} ddType: Integer; {operating system type (MacOS = 1)} ddPad: ARRAY [0..242] OF Integer; {additional drivers, if any} END;

  5. Apple Partition Map • Driver Descriptor Record • identifies the device drivers installed on a disk • Start manager reads the driver descriptor record during system start-up • Uses info to locate and load the appropriate device driver • Start manager selects the appropriate driver based on the user input

  6. Apple Partition Map • Partition map describes all partitions on a block device. • Allows a single device to support multiple OS. • All blocks (with the exception of block 0) belong to a partition • Number of entries in a partition table is not limited. • However, partition table needs to start in block 1 and be contiguous.

  7. Apple Partition Map TYPE Partition = RECORD pmSig: Integer; {partition signature} pmSigPad: Integer; {reserved} pmMapBlkCnt: LongInt; {number of blocks in partition map} pmPyPartStart: LongInt; {first physical block of partition} pmPartBlkCnt: LongInt; {number of blocks in partition} pmPartName: PACKED ARRAY [0..31] OF Char; {partition name} pmParType: PACKED ARRAY [0..31] OF Char; {partition type} pmLgDataStart: LongInt; {first logical block of data area} pmDataCnt: LongInt; {number of blocks in data area} pmPartStatus: LongInt; {partition status information} pmLgBootStart: LongInt; {first logical block of boot code} pmBootSize: LongInt; {size of boot code, in bytes} pmBootAddr: LongInt; {boot code load address} pmBootAddr2: LongInt; {reserved} pmBootEntry: LongInt; {boot code entry point} pmBootEntry2: LongInt; {reserved} pmBootCksum: LongInt; {boot code checksum} pmProcessor: PACKED ARRAY [0..15] OF Char; {processor type} pmPad: ARRAY [0..187] OF Integer; {reserved} END;

  8. GUID Partition Table • Defined by a formal standard: • Section 11.2.2 “Extensible Firmware Interface Specification • “GUID Partition Table (GPT) Format” of the “Unified Extensible Firmware Interface Specification, version 2.0 • Unified EFI Forum

  9. GPT Overview

  10. GPT Overview • Protective MBR • Defines a single partition entry of type 0xEE • Covers entire area of disk • Designed to prevent legacy programs from accidentally modifying a GPT disk

  11. GPT Overview • Partition Table Header • Defines various aspects of a disk: • GUID to uniquely identify disk • starting block of partition entry array • size of each partition entry

  12. GPT Overview • Partition Entry Array • Defines a partition or is all zero when entry is not used. • Stored in a contiguous array on disk

  13. GPT Overview • Partition Entry • Contains GUID to identify partition • GUID for partition type • start block • end block • partition name (Notice: GPT is little-endian)

  14. GPT Overview

More Related