Disk Partitions

MBR(Master boot record)
first sector of hard disk
supporting 4 primary disk partitions
ps:1 sector is 512byte
ps:EFI(new BIOS) support GPT, it can support 128 partitions
ps:PBR is first sector of partition

structure of MBR
512 bytes
format as below
[0-439] 440byte, bootstrap code
[440-443] ,4byte, disk signature(optinoal)/disk serial number
[444-445] ,2byte, reserved, usually is 0x0000
[446-509],64byte, primary partitions table, 16byte partition *4
[510-511],2byte,MBR signature, usually is 0xAA55, 用作結束符號
ps
in disk editor tool, it appear 55 AA

structure of primary partitions table
16 bytes
format as below
[0] 1byte, status. 0x80=bootable,0x00=non-bootable
[1-3] 3byte, cylinder-head-sector address of the first sector in the partition
[4] 1byte, partition type, ex:07(ntfs)
[5] 3byte, cylinder-head-sector address of the last sector in the partition
[8] 4byte,LBA(logical block address) of the first sector in the partition
[12] 4 byte, length of the partition
ex:
disk edit tool shows "e3 17 8e 37" in length of the partition
reverse byte order: 37 8e 17 e3
378e17e3(16) to 10=932059107(sector)
sector*512byte: 477214262784(byte)=444GB

ps:
backup MBR in UNIX/linux
if disk is /dev/sda1, command as below:
dd if=/dev/sda1 of =mbr.backup bs=512 count=1
dd if=mbr.backup of=/dev/sda1 bs=512 count=1

................... 

Common tool

fdisk
a partition tool in linux
ex:
fdisk /dev/hda


diskcopy
a standard MS-DOS command
for copying the complete contents of adiskette to another diskette
refer
https://technet.microsoft.com/en-us/library/bb490892.aspx

drivespy
a disk-forensics DOS tool designed to emulate and extend the capabilities of DOS to meet forensic need
address fromat :< start sector>:< number>
ex:
starting sector is 1000 on the primary master drive(drive 0), and copy next 100 sectors
format is 0:1000:100


..........................................................................................

slack space
若檔案小於檔案系統的最小單位,其餘的空間稱為slack space
the data hidden in slack space that might still exist even though the original file has been overwritten by another file

refer
linux, http://realinfosec.com/?p=470
windows, http://blog.opensecurityresearch.com/2014/07/writing-slack-space-on-windows.html

ps:
common slack space finding tool: evidor

...

hidden partitions
看不到的磁區
ex:
安裝Windows 7的時候,系統為了增加安全性,會自動切出100M的隱藏磁區來給BitLocker做資料保護

ps:
判斷是否有hidden partitions的常見方法
1.用一般磁碟工具搜尋, ex: drivespy
2. 加總所有known partition和實際硬碟大小做比較
ps:
DiskPart或其他工具可以將磁區隱藏
refer
https://technet.microsoft.com/zh-tw/library/cc766465%28v=ws.10%29.aspx

2015-10-18 13:16:23發表 0000-00-00 00:00:00修改   

數據分析
程式開發
計算機組織與結構

資料結構與演算法
Database and MySql
manage tool
windows
unix-like
linux service
network
network layer3
network layer2
network WAN
network service
作業系統
數位鑑識
資訊安全解決方案
資訊安全威脅
Cisco security
Cisco network
Cisco layer3
Cisco layer2



  登入      [牛的大腦] | [單字我朋友] Powered by systw.net