CHFI

Identifying GUID Partition Table (GPT)

Identifying the GUID Partition Table (GPT) and its header helps an investigator analyze the layout of the disk, including the locations of the partition table, the partition area, and the backup copies of the header and partition table. Investigators can use the Windows PowerShell cmdlets given below to identify the presence of GPT:

Get-GPT

The Get-GPT cmdlet helps the investigator analyze the GUID Partition Table data structure of the hard disk. It requires the -Path parameter, which takes the Win32 device namespace path (e.g. \\.\PHYSICALDRIVE1) of the device from which it should parse the GPT.

If the investigator runs Get-GPT against a disk formatted with a Master Boot Record, it displays an error message prompting them to use Get-MBR instead.

Alternate Method:

  • Open the “Computer Management” application and click “Disk Management” in the left pane. Right-click the primary disk (here, Disk 0) and then click Properties.
  • In the Device Properties window, click the “Volumes” tab to see the partition style.


Identifying GUID Partition Table (GPT) (Cont’d)

1. Get-BootSector

The Get-BootSector cmdlet helps the investigator parse the partition structures of both types of hard disks, whether formatted as GPT (UEFI) or MBR. It acts as a replacement for the Get-MBR and Get-GPT cmdlets: it analyzes the first sector of the hard drive, determines the formatting type used, and then parses the hard drive's partition table accordingly.

2. Get-PartitionTable

This cmdlet analyzes the partition table to determine the exact type of boot sector (Master Boot Record or GUID Partition Table) and displays the partition objects.

3. Analyzing the GPT Header and Entries

Most operating systems that support GPT disk access ship with a basic partitioning tool that displays details about GPT partition tables. On Windows, tools such as DiskPart display the partition details, whereas macOS systems use the OS X Disk Utility and Linux uses the GNU parted tool.

The Sleuth Kit's mmls command helps investigators view the detailed partition layout of a GPT disk along with the MBR details. Alternatively, investigators can gather details about the GPT header and partition entries by manually analyzing the disk drive with a hex editor.


4. GPT Artifacts

Deleted and Overwritten GUID Partitions

Case 1: Converting or repartitioning an MBR disk to GPT generally overwrites sector zero with a protective MBR, which deletes all information about the old partition table. Investigators should follow standard forensic methods of searching the file systems to recover data about the previous MBR-partitioned volumes.

Case 2: When a GPT disk is converted or repartitioned to MBR, the GPT header and tables may remain intact, depending on the tool used. Investigators can then easily recover or analyze data from such disk partitions.

Using general partition deletion tools to delete a partition on a GPT disk might delete only the protective MBR, which investigators can easily recreate by simply reconstructing the disk.

As per the UEFI specification, if all the fields in a partition entry are zero, the entry is not in use. In this case, recovery of data about deleted GUID partition entries is not possible.
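The manual hex-editor analysis of the GPT header and entries described in section 3, and the UEFI rule just stated that an all-zero entry is unused, can be scripted. The following Python parser is an added example and not code from the CHFI material: it reads the 92-byte header at LBA 1, verifies both CRC32 fields, and lists only in-use entries from a constructed sample disk that it builds itself (the disk GUID, partition GUID, sector counts and partition name are constructed; the basic-data type GUID is the real Microsoft value).

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header at LBA 1 (UEFI spec layout)
ENTRY_FMT = "<16s16sQQQ72s"     # 128-byte partition entry
# Real partition type GUID for a Microsoft basic data partition
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")

def parse_gpt_header(sector):
    """Parse LBA 1; the signature check is what separates a GPT disk from an MBR-only disk."""
    if sector[:8] != b"EFI PART":
        raise ValueError("no GPT signature (MBR disk or damaged header)")
    f = struct.unpack_from(HDR_FMT, sector, 0)
    hdr_size, hdr_crc = f[2], f[3]
    # The header CRC32 covers hdr_size bytes with the CRC field itself (offset 16) zeroed
    calc = zlib.crc32(sector[:16] + b"\0" * 4 + sector[20:hdr_size])
    return {"current_lba": f[5], "backup_lba": f[6], "first_usable": f[7],
            "last_usable": f[8], "disk_guid": uuid.UUID(bytes_le=f[9]),
            "entries_lba": f[10], "num_entries": f[11], "entry_size": f[12],
            "entries_crc": f[13], "header_crc_ok": calc == hdr_crc}

def entries_crc_ok(array, hdr):
    """Verify the CRC32 recorded in the header over the whole partition entry array."""
    return zlib.crc32(array[:hdr["num_entries"] * hdr["entry_size"]]) == hdr["entries_crc"]

def parse_entries(array, hdr):
    """Return in-use entries; an all-zero entry is unused (UEFI) and holds nothing to recover."""
    used = []
    for i in range(hdr["num_entries"]):
        raw = array[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        if not any(raw):
            continue
        ptype, puid, first, last, attrs, name = struct.unpack(ENTRY_FMT, raw[:128])
        used.append({"index": i, "type_guid": uuid.UUID(bytes_le=ptype),
                     "part_guid": uuid.UUID(bytes_le=puid), "first_lba": first,
                     "last_lba": last, "attrs": attrs,
                     "name": name.decode("utf-16-le").rstrip("\0")})
    return used

def build_sample_gpt(num_entries=4):
    """Constructed sample: header sector and entry array of a 40960-sector disk, one partition."""
    entry = struct.pack(ENTRY_FMT, BASIC_DATA.bytes_le, uuid.UUID(int=0x1234).bytes_le,
                        2048, 20479, 0, "Evidence".encode("utf-16-le"))
    array = entry + b"\0" * 128 * (num_entries - 1)   # remaining slots zeroed = unused
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, 40959, 34, 40926,
                      uuid.UUID(int=0xABCD).bytes_le, 2, num_entries, 128, zlib.crc32(array))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]   # fill in header CRC
    return hdr.ljust(SECTOR, b"\0"), array
```

On a real image the two inputs are the 512 bytes at LBA 1 and the bytes starting at entries_lba; the backup_lba field tells you where the second copy of the header lives if the primary fails its CRC check.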

Read More : https://info-savvy.com/identifying-guid-partition-table-gpt/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


Hard Disk Partitions

Hard disk partitioning refers to the creation of logical drives for effective memory management; a partition is a logical drive for storing data. A hidden partition created on a drive can conceal data. The inter-partition gap is the space between the primary partition and the secondary partition. If the inter-partition gap contains hidden data, use a disk editor utility such as Disk Editor to change the information in the partition table; doing so removes all references to the hidden partition that have kept it hidden from the operating system. Another way of hiding data is to place the digital evidence at the end of the disk by declaring a smaller number of bytes than the actual size of the drive. Disk Editor allows the investigator to access these hidden or vacant areas of the disk.

The partitions are of two types:

  • Primary partition: the drive that holds the information regarding the operating system, system area, and other information required for booting. In MS-DOS and earlier versions of Microsoft Windows, the first partition (C:) must be a “primary partition.”
  • Extended partition: the logical drive that holds the data and files stored on the disk. Various tools are available for examining disk partitions; a few disk editor tools are Disk Edit, WinHex, and Hex Workshop. These tools help users view file headers and other important information about a file. Using them requires analyzing the hexadecimal codes that an operating system identifies and uses to maintain the file system.

BIOS Parameter Block (BPB)

The BPB is a data structure located at sector 1, in the volume boot record of a hard disk, and describes the physical layout of a disk volume. On partitioned devices such as hard disks it describes the volume partition, whereas on un-partitioned devices it describes the entire medium. Any partition, including floppy disks, can use a BPB, which also describes the basic file system architecture. The length of the BPB varies across the listed file systems (i.e. FAT16, FAT32, and NTFS) due to the volume of data it contains and the types of fields present.

Master Boot Record (MBR) 

The Master Boot Record (MBR) is a hard disk's first sector, or sector zero, which specifies the location of an operating system for the system to load into main storage. Also called the partition sector or master partition table, it contains a table that locates the partitioned disk data. A program in the record loads the rest of the OS into RAM.

The Master Boot Record file holds information about the various files present on the disk, their location, and their size. In practice, MBR almost always refers to the 512-byte boot sector or partition sector of a disk. The FDISK /MBR command creates the MBR in Windows and DOS operating systems. When a computer starts and boots, the BIOS refers to this first sector for the boot process instructions and information about how to load the operating system.


The master boot record consists of the structures mentioned below:

1. Partition Table

The partition table is a 64-byte data structure storing information about the type of partitions present on the hard disk and their location. This table has a standard layout that does not depend on the operating system. It can describe only four partitions, which are primary or physical partitions; all other partitions are logical partitions linked to one of the primary partitions.

2. Master Boot Code

A small piece of computer code, which the BIOS loads into memory and executes to initiate the system's boot process. After execution, it transfers control to the boot program on the active partition to load the operating system.
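As an added example that is not part of the CHFI material, the following Python code parses the 64-byte partition table and boot signature of sector zero described above, and then applies the check that the GPT article relies on when it speaks of a protective MBR: a GPT disk announces itself in sector zero with a single protective entry of type 0xEE (a standard type code not quoted on the page). The two sample sectors it builds are constructed; the type-code names in the lookup are the standard MBR values.

```python
import struct

PROTECTIVE_GPT = 0xEE    # partition type that marks a protective MBR in front of a GPT
# Standard MBR type codes used by the sample sectors below (not an exhaustive list)
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector):
    """Parse the four 16-byte entries at offset 446 and the 0x55AA signature of sector zero."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR sector")
    entries = []
    for slot in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) size in sectors(4)
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        entries.append({"slot": slot, "bootable": boot == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
                        "start_lba": start, "size_sectors": size,
                        "end_lba": start + size - 1})
    return entries

def partition_style(sector):
    """Report GPT when sector zero carries a protective 0xEE entry, otherwise MBR."""
    return "GPT" if any(e["type"] == PROTECTIVE_GPT for e in parse_mbr(sector)) else "MBR"

def build_sample_mbr(parts):
    """Constructed sector zero from (bootable, type, start_lba, size) tuples; CHS fields left zero."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, s, n) for b, t, s, n in parts)
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xAA"
```

The protective entry normally starts at LBA 1 and spans the rest of the disk, so a 0xEE entry with a different extent is itself worth noting during an examination.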

Read More : https://info-savvy.com/hard-disk-partitions/