MBR (Master Boot Record)
first sector of the hard disk (sector 0)
supports 4 primary disk partitions
ps: 1 sector is 512 bytes
ps: UEFI (the successor to the legacy BIOS) uses GPT instead of the MBR scheme; GPT supports 128 partitions by default
ps: PBR (partition boot record, also called the VBR) is the first sector of a partition, not of the disk
structure of MBR
512 bytes
format as below
[0-439] 440 bytes, bootstrap code
[440-443] 4 bytes, disk signature (optional) / disk serial number
[444-445] 2 bytes, reserved, usually 0x0000
[446-509] 64 bytes, primary partition table, 4 entries of 16 bytes each
[510-511] 2 bytes, MBR signature, 0xAA55, used as an end marker
ps
the signature is stored little-endian, so in a disk editor it appears as 55 AA
structure of a primary partition table entry
16 bytes
format as below
[0] 1 byte, status. 0x80 = bootable (active), 0x00 = non-bootable
[1-3] 3 bytes, CHS (cylinder-head-sector) address of the first sector in the partition
[4] 1 byte, partition type, ex: 0x07 (NTFS), 0x83 (Linux), 0x05 (extended)
[5-7] 3 bytes, CHS address of the last sector in the partition
[8-11] 4 bytes, LBA (logical block address) of the first sector in the partition, little-endian
[12-15] 4 bytes, length of the partition in sectors, little-endian
ex:
a disk editor shows "e3 17 8e 37" in the length field
the field is little-endian, so reverse the byte order: 37 8e 17 e3
0x378e17e3 (hex) = 932059107 (decimal) sectors
sectors * 512 bytes = 477214262784 bytes = 444 GiB (477 GB in decimal units)
ps: the field is only 4 bytes, so an MBR partition can span at most 2^32 sectors = 2 TiB with 512-byte sectors; larger disks need GPT
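The parser below is an added example (not part of the original notes) that walks the MBR layout above: it checks the 0xAA55 signature, decodes the four 16-byte entries with little-endian unpacking, and reproduces the byte-order step from the length example. The 512-byte sample MBR it parses is constructed in the code (fake disk signature, two partitions, the length value e3 17 8e 37 from the notes); the CHS placeholder FE FF FF and the type-name table are assumptions used only for illustration.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # little-endian on disk, so a hex editor shows "55 AA"
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS first, type, CHS last, LBA first, sector count (16 bytes)

# Partition type IDs mentioned in the notes plus a few common ones (illustrative, not exhaustive).
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)",
                   0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def sectors_from_hex_dump(dump: str) -> int:
    """Turn bytes as a disk editor shows them ("e3 17 8e 37") into the little-endian value they encode."""
    return int.from_bytes(bytes.fromhex(dump.replace(" ", "")), "little")


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector into bootstrap code, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    sig = struct.unpack_from("<H", sector, 510)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}, expected 0x{MBR_SIGNATURE:04X}")
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba_first, num_sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, 446 + 16 * i)
        if ptype == 0x00:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_first": lba_first,
            "num_sectors": num_sectors,
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return {"bootstrap": sector[:440], "disk_signature": disk_sig, "partitions": partitions}


def build_entry(status: int, ptype: int, lba_first: int, num_sectors: int) -> bytes:
    """Pack one partition table entry. The CHS fields are pinned at FE FF FF, a convention
    tools use when the LBA fields are authoritative (assumption for this sample)."""
    chs = b"\xFE\xFF\xFF"
    return struct.pack(ENTRY_FORMAT, status, chs, ptype, chs, lba_first, num_sectors)


def build_sample_mbr() -> bytes:
    """Constructed sample MBR, not read from any real disk."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\xFE\x90"                        # "jmp $; nop": harmless stand-in for bootstrap code
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)      # fake disk signature
    entries = [
        build_entry(0x80, 0x07, 2048, 0x378E17E3),    # bootable NTFS, length taken from the notes' example
        build_entry(0x00, 0x83, 0x378E17E3 + 2048, 1048576),  # Linux partition directly after it
    ]
    for i, entry in enumerate(entries):
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = entry
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    print("e3 17 8e 37 ->", sectors_from_hex_dump("e3 17 8e 37"), "sectors")
    info = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{info['disk_signature']:08X}")
    for p in info["partitions"]:
        print(f"#{p['index']} {'*' if p['bootable'] else ' '} {p['type_name']:<12} "
              f"start LBA {p['lba_first']:>10} sectors {p['num_sectors']:>10} "
              f"= {p['size_bytes'] / 2**30:.1f} GiB")
```

To run it against a real disk, save sector 0 first (for example with the dd command in the backup note) and pass the file contents to parse_mbr; the size column comes out in GiB, matching the 444 GiB figure above.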
ps:
backup the MBR in UNIX/Linux
the MBR is sector 0 of the whole disk, so use the disk device (ex: /dev/sda), not a partition device such as /dev/sda1 (its first sector is the PBR). command as below:
dd if=/dev/sda of=mbr.backup bs=512 count=1
dd if=mbr.backup of=/dev/sda bs=512 count=1
ps: the restore rewrites the partition table as well; to restore only the bootstrap code use bs=446 count=1
……………….
Common tools
fdisk
a partition tool in Linux
ex:
fdisk -l /dev/sda (lists the partition table; older kernels named IDE disks /dev/hda)
diskcopy
a standard MS-DOS command
for copying the complete contents of a diskette to another diskette
refer
https://technet.microsoft.com/en-us/library/bb490892.aspx
drivespy
a DOS-based disk-forensics tool designed to emulate and extend the capabilities of DOS to meet forensic needs
address format: <drive>:<start sector>:<number of sectors>
ex:
starting sector is 1000 on the primary master drive (drive 0), copy the next 100 sectors
format is 0:1000:100
………………………………………………………………………………
slack space
if a file is smaller than the filesystem's smallest allocation unit (cluster/block), the unused remainder of that unit is called slack space
data hidden in slack space may still exist even though the original file has been overwritten by a smaller file, because the filesystem only writes the new file's own bytes
refer
linux, http://realinfosec.com/?p=470
windows, http://blog.opensecurityresearch.com/2014/07/writing-slack-space-on-windows.html
ps:
common tool for finding slack space: Evidor
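The simulation below is an added example (not from the original notes or the linked posts) of why slack space keeps old data. It models one cluster of a simplified filesystem: a file's bytes are written, the rest of the last sector touched is zero-filled (the OS writes whole sectors), and the remaining sectors of the cluster are left untouched. The 4096-byte cluster size, the zero-fill rule and both file contents are constructed assumptions for the demo.

```python
SECTOR_SIZE = 512
CLUSTER_SIZE = 4096          # 8 sectors per cluster (NTFS default; assumption for this simulation)
NUM_CLUSTERS = 4


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Unused bytes in the last cluster allocated to a file of this size."""
    if file_size <= 0:
        return 0                          # an empty file gets no data cluster
    return (-file_size) % cluster_size    # 0 when the size is an exact multiple of the cluster


def new_disk(num_clusters: int = NUM_CLUSTERS) -> bytearray:
    """A blank simulated volume made of num_clusters clusters."""
    return bytearray(num_clusters * CLUSTER_SIZE)


def write_file(disk: bytearray, cluster: int, data: bytes) -> None:
    """Store data in one cluster the way the simplified filesystem does:
    write the file's bytes, zero-fill to the end of the last sector touched,
    and leave the remaining sectors of the cluster alone."""
    if len(data) > CLUSTER_SIZE:
        raise ValueError("this simulation handles single-cluster files only")
    base = cluster * CLUSTER_SIZE
    disk[base:base + len(data)] = data
    sectors_used = -(-len(data) // SECTOR_SIZE)           # ceiling division
    sector_end = base + sectors_used * SECTOR_SIZE
    disk[base + len(data):sector_end] = bytes(sector_end - base - len(data))


def read_slack(disk: bytearray, cluster: int, file_size: int) -> bytes:
    """What a forensic tool sees between the logical end of the file and the end of its cluster."""
    base = cluster * CLUSTER_SIZE
    return bytes(disk[base + file_size:base + CLUSTER_SIZE])


def demo() -> bytes:
    """Fill a cluster with a 'secret' file, reuse it for a smaller file, then carve the slack."""
    disk = new_disk()
    secret = (b"SECRET-PAYLOAD-" * 300)[:CLUSTER_SIZE]   # constructed: exactly fills cluster 1
    write_file(disk, 1, secret)
    # The secret file is deleted and cluster 1 is reallocated to a 920-byte file.
    cover = b"quarterly report draft\n" * 40
    write_file(disk, 1, cover)
    return read_slack(disk, 1, len(cover))


if __name__ == "__main__":
    recovered = demo()
    print(f"file slack: {slack_bytes(920)} bytes, of which the first "
          f"{-(-920 // SECTOR_SIZE) * SECTOR_SIZE - 920} are zero-filled")
    print("old data still in slack:", b"SECRET-PAYLOAD-" in recovered)
```

Only the 104 bytes up to the next sector boundary are overwritten with zeros; the remaining six sectors of the cluster still hold the earlier file, which is exactly the region a slack-space carving tool reads.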
…
hidden partitions
partitions that the operating system does not show
ex:
when installing Windows 7, the installer automatically creates a hidden 100 MB system partition; it holds the boot files and is what BitLocker relies on to protect the data volume
ps:
common ways to detect hidden partitions
1. search the disk with a general-purpose disk tool, ex: drivespy
2. add up the sizes of all known partitions and compare the total with the physical disk size; unaccounted space is a candidate hidden partition
ps:
DiskPart or other tools can hide a partition (ex: by changing its partition type ID or setting the hidden attribute)
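The check below is an added example (not from the original notes) of method 2: it takes the partitions a tool reports as (start LBA, sector count) plus the disk's total sector count, and instead of only comparing one sum it lists every unallocated gap, so the space a hidden partition occupies shows up with its location. The disk geometry and partition list are constructed: a 976773168-sector disk (a typical 500 GB drive), a 100 MiB system partition, the NTFS partition from the length example, and an unreported region at the end.

```python
SECTOR_SIZE = 512

# Constructed sample: what a partition tool reports, as (lba_first, num_sectors).
SAMPLE_TOTAL_SECTORS = 976773168                 # 500107862016 bytes / 512
SAMPLE_PARTITIONS = [
    (2048, 204800),                              # 100 MiB system partition, 1 MiB aligned
    (206848, 932059107),                         # NTFS data partition (length from the notes' example)
]


def unaccounted_sectors(partitions, total_sectors):
    """Method 2 from the notes: disk size minus the sum of all known partitions."""
    return total_sectors - sum(n for _, n in partitions)


def find_unallocated(partitions, total_sectors):
    """Every sector range not covered by a known partition, as (start_lba, num_sectors).
    Overlapping entries are tolerated (the cursor never moves backwards)."""
    gaps = []
    cursor = 0
    for start, end in sorted((s, s + n) for s, n in partitions):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def suspicious_gaps(partitions, total_sectors, min_bytes=16 * 2**20):
    """Gaps large enough to hold a partition. The 1 MiB alignment gap before the first
    partition is normal and falls below the default threshold (threshold is an assumption)."""
    return [(s, n) for s, n in find_unallocated(partitions, total_sectors)
            if n * SECTOR_SIZE >= min_bytes]


if __name__ == "__main__":
    missing = unaccounted_sectors(SAMPLE_PARTITIONS, SAMPLE_TOTAL_SECTORS)
    print(f"unaccounted: {missing} sectors = {missing * SECTOR_SIZE / 2**30:.2f} GiB")
    for start, count in suspicious_gaps(SAMPLE_PARTITIONS, SAMPLE_TOTAL_SECTORS):
        print(f"gap at LBA {start}, {count} sectors ({count * SECTOR_SIZE / 2**30:.2f} GiB)"
              " -> inspect with a sector editor")
```

On Linux the two inputs come from fdisk -l (start and sector counts) and blockdev --getsz /dev/sda (total 512-byte sectors); a gap reported here is where to point a tool such as drivespy or dd to look at the raw sectors.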
refer
https://technet.microsoft.com/zh-tw/library/cc766465%28v=ws.10%29.aspx