3.2. Vol_Analysis

Transcript 3.2. Vol_Analysis

Volume Analysis – Intro
Chapter 4, Carrier
1. Volume structure
2. Volume analysis
3. Volume recovery
http://blogs.sans.org/computer-forensics/2010/07/28/windows-7-mbr-advanced-format-drivese512/?utm_source=rss&utm_medium=rss&utm_campaign=windows-7-mbr-advanced-formatdrives-e512st.txt
Nomenclature
Windows: partitions are referred to as “Volumes”
The rest of the world: partitions are referred to as partitions
  Volume is a physical drive
  VG – Volume Group is a logical grouping of partitions managed by the LVM
Volume Functions
A volume is a collection of addressable sectors that can be used for storage
  Assemble multiple storage volumes into one.
  Partition a storage volume into independent partitions
Partitions, Named Volumes – Windows Example (diagram)
Hard Disk Volume
  Partition 1 = C: Volume
  Partition 2 = D: Volume
  Partition 3 = E: Volume
Thanks to Priscilla
Source: B. Carrier
Partitions
A partition is a collection of consecutive sectors in a volume
A partition is also a volume
A partition's parent volume is the volume in which the partition is located
Partition Systems
Structure of partition system is OS dependent
Independent of the disk/interface
Most volumes have a partition table
  Each entry describes the location, size and type of partition
  Usually there is nothing that distinguishes the beginning or end of a partition
  If the volume is one partition, the partition table is often missing.
Generic Partition Table
Starting Sector  Ending Sector  File System Type
0                99             FAT
100              249            NTFS
300              599            NTFS
Volume Assembly
Some OS's force each device/disk to be a volume
  Windows and DOS
Some of the more robust OS's use volume assembly to make many/all disks look like one volume.
  Unix and derivations
Windows Mount Points (diagram)
C: = Volume 1, holding \Program Files\ and \Windows\
D: = Volume 2, holding \Torture Office\
E: = CD-ROM
Unix Mount Points (diagram)
/ = Volume 1, holding /etc/
/tmp/ and /usr/ = Volume 2
/mnt/cdrom/ = CD-ROM
Sector Addressing
LBA – Logical Block Address is a physical sector address beginning at 0, which is the first sector of the disk.
LVA – Logical Volume Address is the address of a sector relative to the start of its volume.
Distinguish between disk and partition:
  Logical disk volume address
  Logical partition volume address
Addressing Terminology (diagram)
Partition 1 starting address: 0
Partition 2 starting address: 864
Sector inside partition 1: physical address 100, logical disk volume address 100, logical partition volume address 100
Sector between the partitions: physical address 569, logical disk volume address 569, logical partition volume address N/A
Sector inside partition 2: physical address 964, logical disk volume address 964, logical partition volume address 100
Volume Analysis
Partition layout of the volume is important
  Consistency
  Corruption
  Unallocated space
  Evidence
  Recovery
Techniques
  Data in a partition is likely to be a file system.
  Data in sectors not in a partition is likely to be data left over from a previous life
  Using dd we can create a file for each partition
  Using dd we can also create files of consecutive unallocated sectors
Consistency Checks
Consecutive collections of sectors, utilizing the entire disk/device
Consecutive collections of sectors, not utilizing the entire disk/device
Overlapping collections of sectors
Missing partition tables or corrupted tables, intentional or accidental
DOS Partitions
MBR is the first 512-byte sector
  Boot code (bytes 0-445)
  Partition table (bytes 446-509)
  Signature (bytes 510-511, value = 0xAA55 read as a little-endian word, i.e. the bytes 0x55 0xAA)
Partition table has four entries
DOS Disk (diagram): Partition Table | Partition 1 | Partition 2
Extended Partitions (diagram): Partition Table | Partition 1 | Partition 2 | Extended Partition
First Extended Partition is always number 5.
Extended Partitions (diagram): the extended partition holds a partition and the next extended partition, which holds a partition and the next extended partition, and so on as a chain.
Master Boot Sector/Record
First sector of the device
Contains boot code
Contains the partition table
Last two bytes (510-511) are 0x55 0xAA
MBS Structure (byte offsets in hex)
000-1BD  Boot code – Master Boot Record, MBR
1BE-1CD  1st Partition Entry
1CE-1DD  2nd Partition Entry
1DE-1ED  3rd Partition Entry
1EE-1FD  4th Partition Entry
1FE-1FF  Signature value = 0x55 0xAA
Partition Table
Four 16-byte Entries
Each entry describes a partition
  Bootable flag (0x80 means bootable)
  Starting CHS address
  Partition type
  Ending CHS address
  Starting LBA address
  Size (number of sectors in partition)
Partition Entry Structure (byte offsets within the 16-byte entry, hex)
00-00  Bootable flag: 0x80 – bootable, 0x00 – not bootable
01-03  Starting CHS Address – (C, H, S)
04-04  Partition type – 0x83 = linux, 0x82 = swap
05-07  Ending CHS Address
08-0B  Starting LBA Address
0C-0F  Size in Sectors
Partition Types (type id in hex, name as printed by fdisk)
 0  Empty           1e  Hidden W95 FAT1 80  Old Minix       be  Solaris boot
 1  FAT12           24  NEC DOS         81  Minix / old Lin bf  Solaris
 2  XENIX root      39  Plan 9          82  Linux swap / So c1  DRDOS/sec (FAT-
 3  XENIX usr       3c  PartitionMagic  83  Linux           c4  DRDOS/sec (FAT-
 4  FAT16 <32M      40  Venix 80286     84  OS/2 hidden C:  c6  DRDOS/sec (FAT-
 5  Extended        41  PPC PReP Boot   85  Linux extended  c7  Syrinx
 6  FAT16           42  SFS             86  NTFS volume set da  Non-FS data
 7  HPFS/NTFS       4d  QNX4.x          87  NTFS volume set db  CP/M / CTOS / .
 8  AIX             4e  QNX4.x 2nd part 88  Linux plaintext de  Dell Utility
 9  AIX bootable    4f  QNX4.x 3rd part 8e  Linux LVM       df  BootIt
 a  OS/2 Boot Manag 50  OnTrack DM      93  Amoeba          e1  DOS access
 b  W95 FAT32       51  OnTrack DM6 Aux 94  Amoeba BBT      e3  DOS R/O
 c  W95 FAT32 (LBA) 52  CP/M            9f  BSD/OS          e4  SpeedStor
 e  W95 FAT16 (LBA) 53  OnTrack DM6 Aux a0  IBM Thinkpad hi eb  BeOS fs
 f  W95 Ext'd (LBA) 54  OnTrackDM6      a5  FreeBSD         ee  EFI GPT
10  OPUS            55  EZ-Drive        a6  OpenBSD         ef  EFI (FAT-12/16/
11  Hidden FAT12    56  Golden Bow      a7  NeXTSTEP        f0  Linux/PA-RISC b
12  Compaq diagnost 5c  Priam Edisk     a8  Darwin UFS      f1  SpeedStor
14  Hidden FAT16 <3 61  SpeedStor       a9  NetBSD          f4  SpeedStor
16  Hidden FAT16    63  GNU HURD or Sys ab  Darwin boot     f2  DOS secondary
17  Hidden HPFS/NTF 64  Novell Netware  b7  BSDI fs         fd  Linux raid auto
18  AST SmartSleep  65  Novell Netware  b8  BSDI swap       fe  LANstep
1b  Hidden W95 FAT3 70  DiskSecure Mult bb  Boot Wizard hid ff  BBT
1c  Hidden W95 FAT3 75  PC/IX
Decoding Partition Tables
Gotchas
  Decimal or Hex?
  Little Endian or Big Endian?
  Output to text? How do you get the text back to the “lab” for analysis?
  Output to file? Where will you put it?
  Don’t write to suspect’s HD!
The Whole MBR
>fdisk /dev/hda
>x
>d
Use Unix/Linux dd Utility to View Partition Table
dd if=/dev/hda bs=512 count=1 | xxd
Partition table starts at 446 decimal = 0x1be
0000000: eb48 9010 8ed0 bc00 b0b8 0000 8ed8 8ec0  .H..............
{skip}
00001b0: 0000 0000 0000 0000 786b 786b 0000 8001  ........xkxk....
00001c0: 0100 0cfe fffe 3f00 0000 82c8 7302 0000  ......?.....s...
00001d0: 8101 82fe bf40 c1c8 7302 40b0 0f00 0000  .....@..s.@.....
00001e0: 8141 83fe ff00 0179 8302 c018 2502 0000  .A.....y....%...
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
Partition Table Entries
Try Decoding It By Hand… (remember: Little Endian)
#  Flag  Type  Starting LBA Address  Size
1
2
3
4
Partition Table Entries
#  Flag  Type  Starting LBA Address  Size
1  0x80  0x0C  0x0000003F            0x0273C882
2  0x00  0x82  0x0273C8C1            0x000FB040
3  0x00  0x83  0x02837901            0x022518C0
4  0x00  0x00  0x00000000            0x00000000
Partition Table Entries (partition 1 annotated)
#  Flag  Type  Starting LBA Address  Size
1  0x80  0x0C  0x0000003F            0x0273C882
   Bootable  FAT  63 (decimal)       ~21 GB
2  0x00  0x82  0x0273C8C1            0x000FB040
3  0x00  0x83  0x02837901            0x022518C0
4  0x00  0x00  0x00000000            0x00000000
Partition Table in English
Partition 1
  Bootable (0x80 at byte 0)
  Type is FAT32 (0x0C at byte 4)
  It starts at LBA sector 0x3F (63 in decimal)
  Its size is 0x0273C882 sectors
  About 41 million sectors in decimal
  41M x 512 bytes = 20,992,000,000 = ~21 GB
Partition Table in English (cont.)
Partition 2
  Not bootable (0x00 at byte 0)
  Type is Linux Swap (0x82 at byte 4)
  It starts at sector 41,142,465 in decimal
  Its size is 0x000FB040 sectors
  About 1 million sectors in decimal
  1M x 512 bytes = 512,000,000 = ~0.5 GB
Partition Table in English (cont.)
Partition 3
  Not bootable (0x00 at byte 0)
  Type is Linux (0x83 at byte 4)
  It starts at sector 42,170,625 in decimal
  Its size is 0x022518C0 sectors
  About 36 million sectors in decimal
  36M x 512 bytes = 18,432,000,000 = ~18.5 GB
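The same decoding done by program instead of by hand, with the Consistency Checks and the dd carving from the Volume Analysis slides folded in; this is an added example, not code from the slides or from Carrier. The partition-table bytes are copied from the xxd dump on this page, the 446 boot-code bytes are zero-filled (only the table is decoded), and the disk size is taken from the fdisk geometry shown later on the page (255 heads, 63 sectors, 4865 cylinders).

```python
import struct
# Partition table bytes (offsets 0x1be-0x1fd) and signature copied from this page's xxd dump;
# the 446 bytes of boot code are zero-filled (constructed input, only the table is decoded).
MBR = bytes(446) + bytes.fromhex(
    "80010100 0cfefffe 3f000000 82c87302"   # entry 1: bootable, type 0x0c, LBA 63
    "00008101 82febf40 c1c87302 40b00f00"   # entry 2: Linux swap
    "00008141 83feff00 01798302 c0182502"   # entry 3: Linux
    "00000000 00000000 00000000 00000000"   # entry 4: empty
    "55aa")

def decode_chs(raw):
    """CHS bytes are head, sector (low 6 bits), cylinder (high 2 bits of byte 1 + byte 2)."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F   # (C, H, S)

def parse_mbr(sector):
    """Decode the four 16-byte entries of a 512-byte MBR; refuse anything without the signature."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bytes 510-511 are not 0x55 0xAA")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # '<' = little endian: the bytes 3f 00 00 00 mean LBA 63, not 0x3f000000
        flag, s_chs, ptype, e_chs, start, size = struct.unpack("<B3sB3sII", raw)
        entries.append({"num": i + 1, "bootable": flag == 0x80, "type": ptype,
                        "start_chs": decode_chs(s_chs), "end_chs": decode_chs(e_chs),
                        "start_lba": start, "size": size, "gb": size * 512 / 1e9})
    return entries

def check_layout(entries, disk_sectors):
    """The slides' consistency checks: overlapping entries, and sectors no partition claims."""
    ranges = sorted((e["start_lba"], e["start_lba"] + e["size"]) for e in entries if e["size"])
    overlaps, unallocated, cursor = [], [], 0
    for start, end in ranges:
        if start < cursor:
            overlaps.append((start, cursor))
        elif start > cursor:
            unallocated.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        unallocated.append((cursor, disk_sectors))
    return overlaps, unallocated

def dd_commands(entries, unallocated, image="disk.dd"):
    """dd invocations (bs=512, skip=start, count=length) to carve each partition and each gap."""
    cmds = [f"dd if={image} bs=512 skip={e['start_lba']} count={e['size']} of=part{e['num']}.dd"
            for e in entries if e["size"]]
    cmds += [f"dd if={image} bs=512 skip={a} count={b - a} of=unalloc_{a}.dd" for a, b in unallocated]
    return cmds
```

Run against a real image, the only unallocated range reported here is sectors 0-62 (the MBR and the track gap before partition 1), since the three partitions abut one another and end exactly at the last cylinder; any other gap or an overlap is a finding worth a closer look.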
Partition Types Info
http://www.win.tue.nl/~aeb/partitions/partition_types-1.html
Real Example
FAT 32 thumb drive, 0.5 GB, Windows MBR (hex dump figure; callouts mark the Boot flag, Type, C/H/S, Start LBA and Size in sectors)
A cautionary tale: Little Endian!
Use fdisk to View Table
root@ttyp0[knoppix]# fdisk /dev/hda
Command (m for help): p
Disk /dev/hda: 255 heads, 63 sectors, 4865 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 80   1   1    0 254  63 1022        63  41142402 0c
 2 00   0   1  513 254  63  576  41142465   1028160 82
 3 00   0   1  577 254  63  768  42170625  35985600 83
 4 00   0   0    0   0   0    0         0         0 00
Extracting Partition Table
fdisk – Linux and DOS, Windows
>fdisk /dev/hda
>p
Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start     End    Blocks   Id  System
/dev/hda1   *         1      13    104391   83  Linux
/dev/hda2            14    1925  15358140   83  Linux
/dev/hda3          1926    2052   1020127+  82  Linux swap
>x
>p
Disk /dev/hda: 255 heads, 63 sectors, 4864 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 80   1   1    0 254  63   12        63    208782 83
 2 00   0   1   13 254  63 1023    208845  30716280 83
 3 00 254  63 1023 254  63 1023  30925125   2040255 82
 4 00   0   0    0   0   0    0         0         0 00
Lab
Image the MBR of the RED USB drive in the lab
Show why it is an MBR
Decode the partition table