MBR and GUID


Posted: Mon Jan 01, 2018 3:00 pm

Guys, could you please direct me to what books and documentation I could read to dive deeply into understanding GUID and MBR?

Thank you!  

mhibert
Member
 
 
  

Re: MBR and GUID

Posted: Tue Jan 02, 2018 4:51 am

- mhibert
Guys, could you please direct me to what books and documentation I could read to dive deeply into understanding GUID and MBR?

Thank you!

I guess by GUID you are referring to GPT style partitioning?

There is not much "depth".
The MBR is 512 bytes, of which:
1) the first 440 bytes are "code"
2) the following 4 bytes are the Disk Signature (present in any and all NT based systems), followed by two unused bytes
3) following at offset 446 is the partition table, 4 entries, each 16 bytes containing filesystem "pseudo" ID, CHS and LBA addresses of a partition.
4) last two bytes are "magic bytes" 55AA

The GPT is an evolution of the same approach, the full spec is inside the very large UEFI specifications, basically, it spans over several sectors:
1) the first 440 bytes are blank
2) the disk signature and following two unused bytes are kept the same for backwards compatibility
3) the partition table is kept the same, still for backwards compatibility, but it has a single entry, with a "protective" filesystem ID of EE, spanning the whole size of the device minus the first sector
4) the magic bytes are kept the same for backwards compatibility
5) the real fun starts on second sector, where the main GPT header table is, followed in a number of sectors by partition entries, each taking 128 bytes, composed of a GUID, LBA address and a checksum.
6) the whole stuff is replicated (in inverted order) at the end of the device
The layout is very clear in the image here:
en.wikipedia.org/wiki/...tion_Table

For some good data about MBR check:
www.win.tue.nl/~aeb/partitions/
then:
thestarman.pcministry....index.html
browse around, a number of pages will be useful, particularly:
thestarman.narod.ru/asm/mbr/GPT.htm

Then, for GPT, check first thing:
www.rodsbooks.com/gdisk/
again browse around, a number of pages will be useful

Then, go through:
www.digitalforensics.c...kkel09.pdf

Besides reading the above, I would suggest you experiment with a hex disk editor/viewer and with gdisk on some real device(s).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
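
The sector-0 layout described in the answer above, as an added example that is not part of the original post: a parser that reads the disk signature, the four partition entries and the 55AA magic bytes, flags a protective (type EE) entry, and then checks the GPT header in the second sector. The field order inside each 16-byte entry and the GPT header fields used here (the "EFI PART" signature, header size at offset 12, CRC32 at offset 16) are taken from the standard MBR and UEFI layouts rather than from the post; the function names are hypothetical and the two-sector image is constructed.

```python
import struct
import zlib

SECTOR = 512

def parse_mbr(sector0: bytes) -> dict:
    """Decode sector 0 using the offsets listed in the answer above."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 55AA magic bytes missing at offset 510")
    parts = []
    for i in range(4):  # 4 entries of 16 bytes starting at offset 446
        # status, CHS start (skipped), type ID, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"disk_signature": struct.unpack_from("<I", sector0, 440)[0],
            "partitions": parts,
            "protective": any(p["type"] == 0xEE for p in parts)}

def gpt_header_ok(sector1: bytes) -> bool:
    """Check the 'EFI PART' signature and the header's own CRC32."""
    if sector1[:8] != b"EFI PART":
        return False
    size, stored = struct.unpack_from("<II", sector1, 12)
    if not 92 <= size <= len(sector1):
        return False
    # The CRC is computed with its own field (offset 16, 4 bytes) zeroed.
    zeroed = sector1[:16] + b"\x00" * 4 + sector1[20:size]
    return zlib.crc32(zeroed) == stored

def build_sample() -> bytes:
    """Constructed two-sector image: protective MBR plus a minimal GPT header."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)              # constructed disk signature
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\x00\x02\x00",
                     0xEE, b"\xff\xff\xff", 1, 0xFFFF)        # single EE entry from LBA 1
    mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))
    return bytes(mbr + hdr)

if __name__ == "__main__":
    image = build_sample()
    print(parse_mbr(image[:SECTOR]))
    print("GPT header valid:", gpt_header_ok(image[SECTOR:2 * SECTOR]))
```

To try it on a real device, read the first two sectors from an image file and pass them in place of the constructed sample; a drive with 4096-byte logical sectors keeps its GPT header at byte offset 4096 rather than 512.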