Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery
39
Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery http://blogs.sans.org/computer-forensics/2010/07/28/windows-7- mbr-advanced-format-drives-e512/? utm_source=rss&utm_medium=rss&utm_campaign=windows-7-mbr- advanced-format-drives-e512st.txt
-
Upload
emanuel-eary -
Category
Documents
-
view
216 -
download
0
Transcript of Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery
Volume Analysis – IntroChapter 4, Carrier
1. Volume structure
2. Volume analysis
3. Volume recovery
http://blogs.sans.org/computer-forensics/2010/07/28/windows-7-mbr-advanced-format-drives-e512/?utm_source=rss&utm_medium=rss&utm_campaign=windows-7-mbr-advanced-format-drives-e512st.txt
Nomenclature
Windows Partitions are referred to as “Volumes”
The rest of the world Partitions are referred to as partitions Volume is a physical drive VG – Volume Group is a logical grouping of
partitions managed by the LVM
Volume Functions
A volume is a collection of addressable sectors that can be used for storage
Assemble multiple storage volumes into one.
Partition a storage volume into independent partitions
Partitions, Named Volumes Windows Example
Partition 1 Partition 2 Partition 3
Hard Disk Volume
C: Volume D: Volume E: Volume
Thanks to PriscillaSource: B. Carrier
Partitions
A partition is a collection of consecutive sectors in a volume
A partition is also a volume A partition's parent volume is the volume in
which the partition is located
Partition Systems
Structure of partition system is OS dependent
Independent of the disk/interface
Most volumes have a partition table Each entry describes the location, size and type of partition Usually there is nothing that distinguishes the beginning or end of
a partition If the volume is one partition, the partition table is often missing.
Generic Partition Table
Starting Sector
0 99 FAT
100 249 NTFS
300 599 NTFS
Ending Sector
File System Type
Volume Assembly
Some OS's force each device/disk to be a volume
Windows and DOS
Some of the more robust OS's use volume assembly to make many/all disks look like one volume.
Unix and derivations
Windows Mount Points
Volume 1C:
D:
E:
\Program Files\
\Windows\
\Torture Office\
Volume 2
CD-ROM
Unix Mount Points
Volume 1/
CD-ROM
Volume 2
/etc/
/mnt/cdrom/
/tmp/
/usr/
Sector Addressing LBA – Logical Block Address is a physical sector
address beginning at 0 which is the first sector of the disk.
LVA – Logical Volume Address is the address of a sector relative to the start of its volume.
Distinguish between disk and partition Logical disk volume address Logical partition volume address
Addressing Terminology
Partition 1 Starting Address: 0
Physical address: 100Logical Disk Volume Address: 100Logical Volume Part. Address: 100
Partition 2 Starting Address: 864
Physical address: 569Logical Disk Volume Address: 569Logical Volume Part. Address: N/A
Physical address: 964Logical Disk Volume Address: 964Logical Volume Part. Address: 100
Volume Analysis
Partition layout of the volume is importantConsistencyCorruptionUnallocated space
EvidenceRecovery
Techniques
Data in a partition is likely to be a file system.Data in sectors not in a partition is likely to be data left over from a previous life
Using dd we can create a file for each partitionUsing dd we can also create files of consecutive unallocated sectors
Consistency Checks
Consecutive collections of sectors, utilizing the entire disk/deviceConsecutive collections of sectors, not utilizing the entire disk/deviceOver lapping collections of sectorsMissing partition tables or corrupted tables, intentional or accidental
DOS Partitions
MBR is the first 512-byte sector Boot code (Bytes 0-445)
Partition table (bytes 446-509)
Signature (bytes 510-511, value = 0xAA55)
Partition table has four entries
DOS Disk
Partition 1 Partition 2
Partition Table
Extended Partitions
Partition 1 Partition 2
Partition Table
Extended Partition
First Extended Partition is always number 5.
Extended Partitions
Partition Extended Partition
Partition Partition Extended Partition
Partition Extended Partition
Partition
Master Boot Sector/Record
First sector of the device Contains boot code Contains the partition table Last byte is 0x55AA
MBS Structure
1FE
Boot code – Master Boot Record, MBR
1CE
1DE
1FD
1FF
1EE
1BE
000
1ED
1DD
1CD
1BD
1st Partition Entry
2nd Partition Entry
3st Partition Entry
4st Partition Entry
Signature value = 0x55 aa
Partition Table Four 16-byte Entries Each entry describes a partition
Bootable flag (0x80 means bootable)
Starting CHS address
Partition type
Ending CHS address
Starting LBA address
Size (number of sectors in partition)
Partition Entry Structure
0C
Bootable flag: 0x80 – bootable, 0x00 – not bootable
04
05
0B
0F
08
01
00
07
04
03
00
Starting CHS Address – (C, H, S)
Partition type – 0x83 = linux, 0x82 = swap
Ending CHS Address
Starting LBA Address
Size in Sectors
Partition Types 0 Empty 1e Hidden W95 FAT1 80 Old Minix be Solaris boot
1 FAT12 24 NEC DOS 81 Minix / old Lin bf Solaris
2 XENIX root 39 Plan 9 82 Linux swap / So c1 DRDOS/sec (FAT-
3 XENIX usr 3c PartitionMagic 83 Linux c4 DRDOS/sec (FAT-
4 FAT16 <32M 40 Venix 80286 84 OS/2 hidden C: c6 DRDOS/sec (FAT-
5 Extended 41 PPC PReP Boot 85 Linux extended c7 Syrinx
6 FAT16 42 SFS 86 NTFS volume set da Non-FS data
7 HPFS/NTFS 4d QNX4.x 87 NTFS volume set db CP/M / CTOS / .
8 AIX 4e QNX4.x 2nd part 88 Linux plaintext de Dell Utility
9 AIX bootable 4f QNX4.x 3rd part 8e Linux LVM df BootIt
a OS/2 Boot Manag 50 OnTrack DM 93 Amoeba e1 DOS access
b W95 FAT32 51 OnTrack DM6 Aux 94 Amoeba BBT e3 DOS R/O
c W95 FAT32 (LBA) 52 CP/M 9f BSD/OS e4 SpeedStor
e W95 FAT16 (LBA) 53 OnTrack DM6 Aux a0 IBM Thinkpad hi eb BeOS fs
f W95 Ext'd (LBA) 54 OnTrackDM6 a5 FreeBSD ee EFI GPT
10 OPUS 55 EZ-Drive a6 OpenBSD ef EFI (FAT-12/16/
11 Hidden FAT12 56 Golden Bow a7 NeXTSTEP f0 Linux/PA-RISC b
12 Compaq diagnost 5c Priam Edisk a8 Darwin UFS f1 SpeedStor
14 Hidden FAT16 <3 61 SpeedStor a9 NetBSD f4 SpeedStor
16 Hidden FAT16 63 GNU HURD or Sys ab Darwin boot f2 DOS secondary
17 Hidden HPFS/NTF 64 Novell Netware b7 BSDI fs fd Linux raid auto
18 AST SmartSleep 65 Novell Netware b8 BSDI swap fe LANstep
1b Hidden W95 FAT3 70 DiskSecure Mult bb Boot Wizard hid ff BBT
1c Hidden W95 FAT3 75 PC/IX
Decoding Partition Tables Gotchas
Decimal or Hex? Little Endian or Big Endian? Output to text? How do you get the text
back to the “lab” for analysis? Output to file? Where will you put it?
Don’t write to suspect’s HD!
>fdisk /dev/hda>x>d
0000000: eb48 906c 6261 4c49 4c4f 0100 1504 5a00 .H.lbaLILO....Z.0000010: 0000 0000 f468 743d f222 c000 01f3 22c0 .....ht=."....".0000020: 0001 f122 c000 0101 445a f522 c000 01f6 ..."....DZ."....0000030: 22c0 0001 be22 c000 01bf 22c0 0001 0302 "...."....".....0000040: 8000 0080 5194 0000 0008 fa80 ca80 ea53 ....Q..........S0000050: 7c00 0031 c08e d88e d0bc 0020 fba0 407c |..1....... ..@|0000060: 3cff 7402 88c2 52be 797d e834 01f6 c280 <.t...R.y}.4....0000070: 7454 b441 bbaa 55cd 135a 5272 4981 fb55 tT.A..U..ZRrI..U0000080: aa75 43a0 417c 84c0 7505 83e1 0174 3766 .uC.A|..u....t7f0000090: 8b4c 10be 057c c644 ff01 668b 1e44 7cc7 .L...|.D..f..D|.00000a0: 0410 00c7 4402 0100 6689 5c08 c744 0600 ....D...f.\..D..00000b0: 7066 31c0 8944 0466 8944 0cb4 42cd 1372 pf1..D.f.D..B..r00000c0: 05bb 0070 eb7d b408 cd13 730a f6c2 800f ...p.}....s.....00000d0: 84f0 00e9 8d00 be05 7cc6 44ff 0066 31c0 ........|.D..f1.00000e0: 88f0 4066 8944 0431 d288 cac1 e202 88e8 [email protected]: 88f4 4089 4408 31c0 88d0 c0e8 0266 8904 [email protected]: 66a1 447c 6631 d266 f734 8854 0a66 31d2 f.D|f1.f.4.T.f1.0000110: 66f7 7404 8854 0b89 440c 3b44 087d 3c8a f.t..T..D.;D.}<.0000120: 540d c0e2 068a 4c0a fec1 08d1 8a6c 0c5a T.....L......l.Z0000130: 8a74 0bbb 0070 8ec3 31db b801 02cd 1372 .t...p..1......r0000140: 2a8c c38e 0648 7c60 1eb9 0001 8edb 31f6 *....H|`......1.0000150: 31ff fcf3 a51f 61ff 2642 7cbe 7f7d e840 1.....a.&B|..}.@0000160: 00eb 0ebe 847d e838 00eb 06be 8e7d e830 .....}.8.....}.00000170: 00be 937d e82a 00eb fe47 5255 4220 0047 ...}.*...GRUB .G0000180: 656f 6d00 4861 7264 2044 6973 6b00 5265 eom.Hard Disk.Re0000190: 6164 0020 4572 726f 7200 bb01 00b4 0ecd ad. Error.......00001a0: 10ac 3c00 75f4 c300 0000 0000 0000 0000 ..<.u...........00001b0: 0000 0000 0000 0000 0100 0000 0000 8001 ................00001c0: 0100 83fe 3f0c 3f00 0000 8e2f 0300 0000 ....?.?..../....00001d0: 010d 83fe ffff cd2f 0300 78b1 d401 00fe ......./..x.....00001e0: ffff 82fe ffff 45e1 d701 bf21 1f00 00fe ......E....!....00001f0: ffff 83fe ffff 0403 f701 fc4f b102 55aa ...........O..U.
The Whole MBR
Use Unix/Linux dd Utility to View Partition Table
dd if=/dev/hda bs=512 count=1 | xxd Partition table starts at 446 decimal = 0x1be
0000000: eb48 9010 8ed0 bc00 b0b8 0000 8ed8 8ec0 .H..............
{skip}
00001b0: 0000 0000 0000 0000 786b 786b 0000 8001 ........xkxk....
00001c0: 0100 0cfe fffe 3f00 0000 82c8 7302 0000 ......?.....s...
00001d0: 8101 82fe bf40 c1c8 7302 40b0 0f00 0000 [email protected].@.....
00001e0: 8141 83fe ff00 0179 8302 c018 2502 0000 .A.....y....%...
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa ..............U.
Partition Table EntriesTry Decoding It By Hand…
# Flag Type Starting LBA Address Size
1
2
3
4
Partition Table Entries
# Flag Type Starting LBA Address Size
1 0x80 0x0C 0x0000003F 0x0273C882
2 0x00 0x82 0x0273C8C1 0x000FB040
3 0x00 0x83 0x02837901 0x022518C0
4 0x00 0x00 0x00000000 0x00000000
Little Endian
Partition Table Entries
# Flag Type Starting LBA Address Size
1 0x80 0x0C 0x0000003F 0x0273C882
2 Bootable FAT 63 ~21 GB
3 0x00 0x83 0x02837901 0x022518C0
4 0x00 0x00 0x00000000 0x00000000
Partition Table in English
Partition 1 Bootable (0x80 at byte 0)
Type is Fat32 (0x0C at byte 4)
It starts at sector 3F, LBA (63 in decimal)
Its size is 0x0273C882 sectors About 41 million sectors in decimal 41M x 512 bytes = 20,992,000,000 = ~21 GB
Partition Table in English (cont.)
Partition 2 Not bootable (0x00 at byte 0)
Type is Linux Swap (0x82 at byte 4)
It starts at sector 41,142,465 in decimal
Its size is 0x000FB040 sectors About 1 million sectors in decimal 1M x 512 bytes = 512,000,000 = ~.5 GB
Partition Table in English (cont.)
Partition 3 Not bootable (0x00 in byte 0)
Type is Linux (0x83 at byte 4)
It starts at sector 42170625 in decimal
Its size is 0x022518C0 sectors About 36 million sectors in decimal 36M x 512 bytes = 18,432,000,000 = ~18.5 GB
Partition Types Info
http://www.win.tue.nl/~aeb/partitions/partition_types-1.html
Real Example
FAT 32 thumb drive, .5 Gb
Windows MBR
Boot flag
C, H, SType
Start LBA Size (sectors)
A cautionary tale:Little Endian!
Use fdisk to View Table
root@ttyp0[knoppix]# fdisk /dev/hda
Command (m for help): p
Disk /dev/hda: 255 heads, 63 sectors, 4865 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 80 1 1 0 254 63 1022 63 41142402 0c
2 00 0 1 513 254 63 576 41142465 1028160 82
3 00 0 1 577 254 63 768 42170625 35985600 83
4 00 0 0 0 0 0 0 0 0 00
Extracting Partition Table
fdisk – Linux and DOS, Windows
>fdisk /dev/hda>pDisk /dev/hda: 40.0 GB, 40007761920 bytes255 heads, 63 sectors/track, 4864 cylindersUnits = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System/dev/hda1 * 1 13 104391 83 Linux/dev/hda2 14 1925 15358140 83 Linux/dev/hda3 1926 2052 1020127+ 82 Linux swap
>x>pDisk /dev/hda: 255 heads, 63 sectors, 4864 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 80 1 1 0 254 63 12 63 208782 83 2 00 0 1 13 254 63 1023 208845 30716280 83 3 00 254 63 1023 254 63 1023 30925125 2040255 82 4 00 0 0 0 0 0 0 0 0 00
Lab
Image the MBR of the RED USB drive in the lab
Show why it is a MBR Decode the partition table
