More Disk Stuff - Paiet/FOR---Operating-System-Forensics GitHub Wiki

Disk Partitions

Partitioning is the creation of logical divisions in a hard disk that allows for the application of operating system-specific logical formatting

  1. Primary - the partition that holds the information regarding the operating system, system area, and other information required for booting
  2. Extended - the logical drive that holds the information regarding the data and files that are stored on the disk

BIOS Parameter Block (BPB) - The BPB is a data structure situated at sector 1 in the volume boot record of a hard disk and describes the physical layout of a disk volume. On partitioned devices such as hard disks it describes the volume partition, whereas on unpartitioned devices it describes the entire medium.

Master Boot Record (MBR)

  1. A master boot record (MBR) is the first sector ("sector zero") of a data storage device such as a hard disk
  2. The information regarding the files on the disk, their location, size, and other important data is stored in the Master Boot Record file

The MBR is used for:

  1. Holding a partition table which refers to the partitions of a hard disk (64 bytes in size)
  2. Holding the Master Boot Code, which implements the following functions:
     a. Examines the partition table to find the active partition
     b. Locates the first sector of the active partition
     c. Loads a boot sector copy from the active partition into memory
     d. Transfers control to the executable code in the boot sector
  3. Recognizing individual hard disk media with a 32-bit disk signature

How do I back up the MBR?

In UNIX/Linux, dd can be used to back up and restore the MBR.

Back up the MBR:

    dd if=/dev/xxx of=mbr.backup bs=512 count=1

Restore the MBR:

    dd if=mbr.backup of=/dev/xxx bs=512 count=1
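As an added example (not from the wiki), the following Python parser reads the 512-byte sector that the dd command above saves: it checks the 0x55AA boot signature at bytes 510-511, reads the 32-bit disk signature at offset 440, walks the 64-byte partition table at offset 446 to find the active partition, and reports which regions differ between a saved copy and the current sector zero, so that a change to the Master Boot Code can be told apart from a change to the partition table. The sample MBR, its disk signature 0x12345678 and its two partition entries are constructed here for illustration and are not taken from any real disk.

```python
import struct

SECTOR = 512
DISK_SIG_OFFSET = 440      # 32-bit disk signature
PART_TABLE_OFFSET = 446    # four 16-byte entries = the 64-byte partition table
BOOT_SIG = b"\x55\xAA"     # bytes 510-511
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR (boot code area left zero) with a hypothetical disk
    signature, an active NTFS partition (type 0x07) and an extended partition (type 0x05)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, 0x12345678)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x05, 206848, 102400)]
    for i, (status, ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, size)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector):
    """Parse sector zero as captured by `dd if=/dev/xxx of=mbr.backup bs=512 count=1`."""
    if len(sector) < SECTOR:
        raise ValueError("need the full 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    parts = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": size, "end_lba": start + size - 1})
    active = [p["index"] for p in parts if p["active"]]
    return {"disk_signature": disk_sig, "partitions": parts,
            "active": active[0] if active else None,   # the entry the boot code would load
            "gpt_protective": any(p["type"] == 0xEE for p in parts)}


def diff_mbr(backup, current):
    """Name the MBR regions that differ between a saved copy and the current sector zero.
    A difference confined to 'boot_code' means the Master Boot Code itself was changed."""
    regions = {"boot_code": (0, 440), "disk_signature": (440, 444),
               "partition_table": (446, 510), "boot_signature": (510, 512)}
    return [name for name, (lo, hi) in regions.items() if backup[lo:hi] != current[lo:hi]]


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    modified = bytearray(sample)
    modified[0] ^= 0xFF                                # simulate one changed boot code byte
    print(diff_mbr(sample, bytes(modified)))           # ['boot_code']
```

Feed `parse_mbr` the contents of `mbr.backup` (or of the live device's first sector) and `diff_mbr` the two of them: an empty list means the saved copy still matches the disk, while a list naming only `boot_code` points at modified boot code rather than repartitioning.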

In Windows?

http://www.sysint.no/mbrfix

GUIDs and the GUID Partition Table (GPT)

GUID - The Globally Unique Identifier is a 128-bit unique number, generated by the Windows OS for identifying a specific device, document, a database entry, and/or the user.

GPT - Part of the Unified Extensible Firmware Interface (UEFI), which replaces legacy BIOS firmware interfaces. UEFI uses partition interfacing systems that overcome the limitations of the MBR partitioning scheme.

The MBR partition scheme uses 32 bits for storing the LBA
(Logical Block Addresses) and the size information on a 512-byte sector.
In GPT, each logical block is 512 bytes and each partition entry is
128 bytes, and the negative addressing of the logical blocks starts from
the end of the volume with -1 as the last addressable block.

GPTs use logical block addressing (LBA) instead of the
cylinder-head-sector (CHS) addressing. LBA 0 stores the Protective MBR,
LBA 1 contains the GPT header, and the GPT header comprises a pointer
to the partition table or Partition Entry Array at LBA 2.

The UEFI assigns 16,384 bytes for the Partition Entry Array. Since the
disk has 512-byte sectors with a partition entry array of 16,384 bytes
and the minimum size of 128 bytes for each partition entry,
LBA 34 will be the first usable sector.

Advantages of GPT disk layout:

  1. Allows users to partition disks larger than 2 terabytes
  2. Allows users to have 128 partitions in Windows using the GPT partition layout (The Microsoft implementation of the GUID Partition Table is limited to 128 partitions. However, it is important to note that one partition is used for the EFI System Partition, one for the Microsoft Reserved partition, and two more are used if you use dynamic disks. This leaves 124 partitions for data use.)
  3. Partition and boot data is more secure, because GPT stores data in multiple locations across the disk
  4. Uses Cyclic Redundancy Check (CRC) to ensure data integrity
  5. Uses CRC32 checksums that detect errors in the header and partition table

Protective MBR - It helps legacy tools solve compatibility issues when they fail to understand the GPT format. It stores the startup code for the operating systems that support a GPT boot disk. The Protective MBR protects GUID Partition Table disks from previously-released MBR disk tools such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator.

These tools are not aware of the GUID Partition Table and do not know how to properly access a GUID Partition Table disk. Legacy software that does not know about the GUID Partition Table interprets only the Protective MBR when it accesses a GUID Partition Table disk. By interpreting the Protective MBR, these tools view a GUID Partition Table disk as having a single encompassing (possibly unrecognized) partition, rather than mistaking the disk for one that is unpartitioned.

Where can I find the specification for GUID Partition Table disk partitioning?

Chapter 5 of the Extensible Firmware Interface specification defines the GUID Partition Table format. This document is available here:

http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_7.pdf

What are the essential Windows System Files?

  1. Ntoskrnl.exe
  2. Ntkrnlpa.exe
  3. Hal.dll
  4. Win32k.sys
  5. Ntdll.dll
  6. Kernel32.dll
  7. Advapi32.dll
  8. User32.dll
  9. Gdi32.dll

The Windows Boot Process

Windows XP, Vista, and 7 power on and start up using the traditional BIOS-MBR method, whereas Microsoft operating systems starting with Windows 8 can use either the traditional BIOS-MBR method or the newer UEFI-GPT method.

Below is the step-by-step process that occurs when the system is switched on:

  1. When the user switches the system ON, the CPU sends a Power Good signal to the motherboard and checks for the computer's BIOS firmware.
  2. BIOS starts a Power-On Self-Test (POST), which checks that all the hardware required for system boot is available and loads all the firmware settings from the non-volatile memory on the motherboard.
  3. If POST is successful, add-on adapters perform a self-test for integration with the system.
  4. The pre-boot process completes the POST by detecting a valid system boot disk.
  5. After POST, the computer's firmware scans the boot disk and loads the master boot record (MBR), which searches for basic boot information in the Boot Configuration Data (BCD).
  6. The MBR triggers Bootmgr.exe, which locates the Windows loader (Winload.exe) on the Windows boot partition and triggers Winload.exe.
  7. The Windows loader loads the OS kernel ntoskrnl.exe.
  8. Once the kernel starts running, the Windows loader loads HAL.DLL, boot-class device drivers marked as BOOT_START, and the SYSTEM registry hive into memory.
  9. The kernel passes control of the boot process to the Session Manager Process (SMSS.exe), which loads all other registry hives and drivers required to configure the Win32 subsystem run environment.
  10. The Session Manager Process triggers Winlogon.exe, which presents the user logon screen for user authorization.
  11. The Session Manager Process initiates the Service Control Manager, which starts all the services and the rest of the non-essential device drivers, starts the security subsystem LSASS.EXE, and executes Group Policy scripts.
  12. Once the user logs in, Windows creates a session for the user.
  13. The Service Control Manager starts Explorer.exe and initiates the Desktop Window Manager (DWM) process, which provides the desktop for the user.

The EFI boot manager controls the UEFI boot process. It starts with platform firmware initialization; the boot manager loads UEFI drivers and UEFI applications (including UEFI OS boot loaders) to initialize platform functions. The system loads the OS loader at the final stage and then the OS starts booting. Once the OS receives control, it halts the UEFI boot services.

The UEFI boot process has five phases as noted below:

SEC (Security) Phase - consists of initialization code that the system executes after powering the EFI system on. It manages platform reset events and sets the system so that it can find, validate, install, and run the PEI.

PEI (Pre-EFI Initialization) Phase - initializes the CPU, temporary memory, and the boot firmware volume (BFV). It locates and executes the Pre-EFI Initialization Modules (PEIMs) present in the BFV so as to initialize all the hardware found in the system. Finally, it creates a Hand-Off Block List with interface descriptors for all found resources and passes it to the next phase.

DXE (Driver Execution Environment) Phase - Most of the initialization happens in this phase. Using the Hand-Off Block List (HOBL), it initializes the entire system physical memory, I/O, and MMIO (Memory-Mapped Input/Output) resources and finally begins dispatching the DXE drivers present in the system firmware volumes (given in the HOBL).

The DXE core produces a set of EFI Boot Services and EFI Runtime Services. The EFI Boot Services provided include allocating memory and loading executable images. The EFI Runtime Services, which remain available to code running within the EFI environment or within the OS kernel once it has taken control of the system, include converting memory addresses from physical to virtual when handing over to the kernel, and resetting the CPU.

BDS (Boot Device Selection) Phase - interprets the boot configuration data and selects the Boot Policy for later implementation. This phase works with the DXE to check whether the device drivers require signature verification. In this phase, the system loads MBR boot code into memory for a legacy BIOS boot, or loads the bootloader program from the EFI partition for a UEFI boot. It also provides an option for the user to choose the EFI Shell or a UEFI application as the boot device from Setup.

RT (Run Time) Phase - the system clears the UEFI program from memory and transfers it to the OS. During UEFI BIOS update, the OS calls the run time service using a small part of the memory.

Identifying the GUID Partition Table (GPT) - A GPT header can be useful to analyze the layout of the disk including the locations of the partition table, partition area, and backup copies of the header and partition table.

Use the cmdlets below in Windows PowerShell to identify the presence of a GPT:

Get-GPT - analyzes the GUID Partition Table data structure of the hard disk. If used on a disk formatted with a Master Boot Record, it displays an error message prompting you to use Get-MBR instead.

Alternate method:

  1. Open the "Computer Management" application and click "Disk Management" in the left pane.
  2. Right-click on the primary disk and then click "Properties".
  3. In the Device Properties window, click the "Volumes" tab to see the partition style.

Reference: http://www.invoke-ir.com/2015/06/ontheforensicstrail-part3.html

Get-BootSector - analyzes the first sector of hard drive and determines the formatting type used and then parses the hard drive GPT.

Get-PartitionTable - analyzes the GUID partition table to find the exact type of boot sector (MBR or GPT) and displays the partition object.

Deleted and Overwritten GUID Partitions

Issue 1: Converting or repartitioning an MBR disk to GPT will generally overwrite sector zero with a protective MBR, which deletes all the information about the old partition table. Follow the standard forensic methods of searching the filesystems to recover data about the previous MBR-partitioned volumes.

Issue 2: When a GPT disk is converted or repartitioned to MBR, the GPT header and tables may remain intact, depending on the tool used. You can easily recover or analyze the data from such disk partitions.

Note: As per the UEFI specification, if all the fields in a partition entry are zero, the entry is not in use. In this case, recovery of data about deleted GUID partition entries is not possible.

GUID Identifiers

  1. The GPT scheme provides GUIDs which are of investigative value, as they are unique and hold potential information about the entire disk and each partition
  2. GUIDs possess unique identifying information for both disks and individual partitions
  3. Use tools such as UUID to decode various versions of GUID/UUID

Hidden Information on GPT Disks

Intruders may hide data on GPT disks just as they do on traditional MBR disks. Data hiding places on GPT disks may be inter-partition gaps, unpartitioned space towards the end of the disk, the GPT header, and reserved areas. Other indicators include manipulated GPT headers, misplaced starting and ending LBAs, and areas marked with a reserved tag.
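As an added example (not from the wiki, and not the Invoke-IR cmdlets' code), the Python below ties together the GPT layout described earlier (protective MBR at LBA 0, 92-byte header at LBA 1, 16,384-byte Partition Entry Array at LBA 2, first usable sector 34), the "Identifying the GPT" section, the note that an all-zero partition entry is unused, the GUID version decoding mentioned under GUID Identifiers, and the hiding places listed above: it verifies the header and entry-array CRC32 values, decodes each in-use entry and its type GUID version, and lists the inter-partition gaps and trailing unpartitioned space between the first and last usable LBA, which are the ranges an examiner would carve next. The disk image, its disk and partition GUIDs and its partition boundaries are constructed in memory for illustration; the two partition type GUIDs are the published EFI System Partition and Microsoft Basic Data values.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
ENTRY_SIZE, ENTRY_COUNT = 128, 128        # 128 x 128 bytes = the 16,384-byte entry array
HEADER_FMT = "<8sIIIIQQQQ16sQIII"         # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"               # 128-byte partition entry
HEADER_FIELDS = ("signature", "revision", "header_size", "header_crc", "reserved",
                 "current_lba", "backup_lba", "first_usable", "last_usable",
                 "disk_guid", "entries_lba", "num_entries", "entry_size", "entries_crc")
# Published UEFI / Microsoft partition type GUIDs
ESP = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
BASIC_DATA = uuid.UUID("EBD0A0A2-B4D5-4D45-B5A0-BD27EDCDB9EC")
TYPE_NAMES = {ESP: "EFI System Partition", BASIC_DATA: "Microsoft Basic Data"}


def _entry(type_guid, unique_guid, first_lba, last_lba, name):
    # GUIDs are stored mixed-endian (bytes_le); the name is 36 UTF-16LE code units
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, unique_guid.bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le").ljust(72, b"\0"))


def build_sample_image(total_sectors=4096):
    """Constructed GPT image: protective MBR (LBA 0), header (LBA 1), entry array (LBA 2-33),
    an ESP at LBA 34-1057, a gap, a data partition at LBA 2048-3071, free space to the end."""
    entries = bytearray(ENTRY_COUNT * ENTRY_SIZE)
    entries[0:ENTRY_SIZE] = _entry(ESP, uuid.UUID(int=1), 34, 1057, "EFI system partition")
    entries[ENTRY_SIZE:2 * ENTRY_SIZE] = _entry(BASIC_DATA, uuid.UUID(int=2), 2048, 3071,
                                                "Basic data partition")
    # entries 2..127 stay all-zero: per the UEFI spec that marks them "not in use"
    hdr = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0, 1, total_sectors - 1,
                      34, total_sectors - 34, uuid.UUID(int=0xABCD).bytes_le,
                      2, ENTRY_COUNT, ENTRY_SIZE, zlib.crc32(bytes(entries)))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # CRC computed with field zeroed
    pmbr = bytearray(SECTOR)                                           # protective MBR: one 0xEE entry
    pmbr[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xFF\xFF\xFF",
                                1, total_sectors - 1)
    pmbr[510:512] = b"\x55\xAA"
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = pmbr
    image[SECTOR:SECTOR + len(hdr)] = hdr
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(image)


def parse_gpt_header(sector):
    h = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, sector)))
    if h["signature"] != GPT_SIGNATURE:
        raise ValueError("no 'EFI PART' signature at LBA 1: parse this disk as MBR instead")
    h["disk_guid"] = uuid.UUID(bytes_le=h["disk_guid"])
    zeroed = sector[:16] + b"\0" * 4 + sector[20:h["header_size"]]   # CRC32 field zeroed
    h["header_crc_ok"] = zlib.crc32(zeroed) == h["header_crc"]
    return h


def parse_entries(blob, num_entries, entry_size):
    parts = []
    for i in range(num_entries):
        raw = blob[i * entry_size:(i + 1) * entry_size]
        if not any(raw):                      # all-zero entry: unused, nothing to recover
            continue
        type_raw, uniq_raw, first, last, attrs, name = struct.unpack(ENTRY_FMT, raw[:ENTRY_SIZE])
        type_guid = uuid.UUID(bytes_le=type_raw)
        parts.append({"index": i, "type": TYPE_NAMES.get(type_guid, str(type_guid)),
                      "type_guid_version": type_guid.version,   # 1 = time-based, 4 = random
                      "unique_guid": uuid.UUID(bytes_le=uniq_raw),
                      "first_lba": first, "last_lba": last, "attributes": attrs,
                      "name": name.decode("utf-16-le").split("\0", 1)[0]})
    return parts


def unallocated_ranges(parts, first_usable, last_usable):
    """Inter-partition gaps and trailing free space between the usable LBA bounds."""
    ranges, cursor = [], first_usable
    for p in sorted(parts, key=lambda p: p["first_lba"]):
        if p["first_lba"] > cursor:
            ranges.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if cursor <= last_usable:
        ranges.append((cursor, last_usable))
    return ranges


def analyze_gpt(image, sector=SECTOR):
    pmbr = image[:sector]
    header = parse_gpt_header(image[sector:2 * sector])
    start = header["entries_lba"] * sector
    blob = image[start:start + header["num_entries"] * header["entry_size"]]
    parts = parse_entries(blob, header["num_entries"], header["entry_size"])
    return {"protective_mbr_ok": pmbr[510:512] == b"\x55\xAA" and pmbr[450] == 0xEE,
            "header": header, "partitions": parts,
            "entries_crc_ok": zlib.crc32(blob) == header["entries_crc"],
            "unallocated": unallocated_ranges(parts, header["first_usable"], header["last_usable"])}
```

Running `analyze_gpt(build_sample_image())` reports both CRCs as valid, two in-use partitions (the 126 zeroed entries are skipped), and the unallocated LBA ranges (1058, 2047) and (3072, 4062). On a real image, read it with `open(path, "rb").read()` and pass the bytes instead; a header whose CRC no longer matches, or a first usable LBA other than 34 on a 512-byte-sector disk, is the kind of manipulated header the text warns about, and the listed gaps are where to look for hidden data.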