{"id":724,"date":"2015-10-18T16:17:00","date_gmt":"2015-10-18T08:17:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=724"},"modified":"2023-11-04T16:28:44","modified_gmt":"2023-11-04T08:28:44","slug":"disk-partitions","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/724","title":{"rendered":"Disk Partitions"},"content":{"rendered":"\n

MBR(Master boot record)<\/strong>
first sector of hard disk
supporting 4 primary disk partitions
ps:1 sector is 512byte
ps:EFI(new BIOS) support GPT, it can support 128 partitions
ps:PBR is first sector of partition<\/p>\n\n\n\n

structure of MBR<\/strong>
512 bytes
format as below
[0-439] 440byte, bootstrap code
[440-443] ,4byte, disk signature(optinoal)\/disk serial number
[444-445] ,2byte, reserved, usually is 0x0000
[446-509],64byte, primary partitions table, 16byte partition *4
[510-511],2byte,MBR signature, usually is 0xAA55, \u7528\u4f5c\u7d50\u675f\u7b26\u865f
ps
in disk editor tool, it appear 55 AA<\/p>\n\n\n\n

structure of primary partitions table<\/strong>
16 bytes
format as below
[0] 1byte, status. 0x80=bootable,0x00=non-bootable
[1-3] 3byte, cylinder-head-sector address of the first sector in the partition
[4] 1byte, partition type, ex:07(ntfs)
[5] 3byte, cylinder-head-sector address of the last sector in the partition
[8] 4byte,LBA(logical block address) of the first sector in the partition
[12] 4 byte, length of the partition
ex:
disk edit tool shows “e3 17 8e 37” in length of the partition
reverse byte order: 37 8e 17 e3
378e17e3(16) to 10=932059107(sector)
sector*512byte: 477214262784(byte)=444GB<\/p>\n\n\n\n

ps:
backup MBR in UNIX\/linux<\/strong>
if disk is \/dev\/sda1, command as below:
dd if=\/dev\/sda1 of =mbr.backup bs=512 count=1
dd if=mbr.backup of=\/dev\/sda1 bs=512 count=1<\/p>\n\n\n\n

………………. <\/p>\n\n\n\n

Common tool<\/strong><\/p>\n\n\n\n

fdisk<\/strong>
a partition tool in linux
ex:
fdisk \/dev\/hda

diskcopy<\/strong>
a standard MS-DOS command
for copying the complete contents of adiskette to another diskette
refer
https:\/\/technet.microsoft.com\/en-us\/library\/bb490892.aspx<\/p>\n\n\n\n

drivespy<\/strong>
a disk-forensics DOS tool designed to emulate and extend the capabilities of DOS to meet forensic need
address fromat :< start sector>:< number>
ex:
starting sector is 1000 on the primary master drive(drive 0), and copy next 100 sectors
format is 0:1000:100

………………………………………………………………………………<\/p>\n\n\n\n

slack space<\/strong>
\u82e5\u6a94\u6848\u5c0f\u65bc\u6a94\u6848\u7cfb\u7d71\u7684\u6700\u5c0f\u55ae\u4f4d,\u5176\u9918\u7684\u7a7a\u9593\u7a31\u70baslack space
the data hidden in slack space that might still exist even though the original file has been overwritten by another file
refer
linux, http:\/\/realinfosec.com\/?p=470
windows, http:\/\/blog.opensecurityresearch.com\/2014\/07\/writing-slack-space-on-windows.html<\/p>\n\n\n\n

ps:
common slack space finding tool: evidor<\/p>\n\n\n\n

…<\/p>\n\n\n\n

hidden partitions<\/strong>
\u770b\u4e0d\u5230\u7684\u78c1\u5340
ex:
\u5b89\u88ddWindows 7\u7684\u6642\u5019\uff0c\u7cfb\u7d71\u70ba\u4e86\u589e\u52a0\u5b89\u5168\u6027\uff0c\u6703\u81ea\u52d5\u5207\u51fa100M\u7684\u96b1\u85cf\u78c1\u5340\u4f86\u7d66BitLocker\u505a\u8cc7\u6599\u4fdd\u8b77
ps:
\u5224\u65b7\u662f\u5426\u6709hidden partitions\u7684\u5e38\u898b\u65b9\u6cd5
1.\u7528\u4e00\u822c\u78c1\u789f\u5de5\u5177\u641c\u5c0b, ex: drivespy
2. \u52a0\u7e3d\u6240\u6709known partition\u548c\u5be6\u969b\u786c\u789f\u5927\u5c0f\u505a\u6bd4\u8f03
ps:
DiskPart\u6216\u5176\u4ed6\u5de5\u5177\u53ef\u4ee5\u5c07\u78c1\u5340\u96b1\u85cf
refer
https:\/\/technet.microsoft.com\/zh-tw\/library\/cc766465%28v=ws.10%29.aspx<\/p>\n","protected":false},"excerpt":{"rendered":"

MBR(Master boot record)first s …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[23],"tags":[],"class_list":["post-724","post","type-post","status-publish","format-standard","hentry","category-computerarchitecture"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=724"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/724\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}