COEN 152/252
Computer Forensics
Apple Partitions
Apple Partition Map
Used by Mac OS 9, Mac OS X on PowerPC Macs, and iPod players. Apple has since switched to the GUID Partition Table (GPT)
to support disks bigger than 2 TB (APM block counts are 32-bit LongInts, so with 512-byte blocks the map cannot address more than 2 TB).
Apple Partition Map
Block 0: Driver Descriptor Record
TYPE Block0 = PACKED RECORD
   sbSig:       Integer;   {device signature, $4552 = 'ER'}
   sbBlkSize:   Integer;   {block size of the device}
   sbBlkCount:  LongInt;   {number of blocks on the device}
   sbDevType:   Integer;   {reserved}
   sbDevId:     Integer;   {reserved}
   sbData:      LongInt;   {reserved}
   sbDrvrCount: Integer;   {number of driver descriptor entries}
   ddBlock:     LongInt;   {first driver's starting block}
   ddSize:      Integer;   {size of the driver, in 512-byte blocks}
   ddType:      Integer;   {operating system type (MacOS = 1)}
   ddPad:       ARRAY [0..242] OF Integer; {additional drivers, if any}
END;
Integer is 16 bits and LongInt 32 bits, all stored big-endian; the record fills exactly one 512-byte block.
Apple Partition Map
The Driver Descriptor Record identifies the device drivers installed on a disk. The Start Manager reads the driver descriptor record during system start-up and uses that information to locate and load the appropriate device driver; when more than one driver is present, the Start Manager selects the appropriate one based on user input.
Apple Partition Map
The partition map describes all partitions on a block device and allows a single device to support multiple operating systems. All blocks, with the exception of block 0, belong to a partition (the map itself is a partition of type Apple_partition_map). The number of entries in the partition map is not limited; however, the map must start in block 1 and be contiguous, one entry per block.
Apple Partition Map
TYPE Partition = RECORD
   pmSig:         Integer;   {partition signature, $504D = 'PM'}
   pmSigPad:      Integer;   {reserved}
   pmMapBlkCnt:   LongInt;   {number of blocks in partition map}
   pmPyPartStart: LongInt;   {first physical block of partition}
   pmPartBlkCnt:  LongInt;   {number of blocks in partition}
   pmPartName:    PACKED ARRAY [0..31] OF Char; {partition name}
   pmParType:     PACKED ARRAY [0..31] OF Char; {partition type}
   pmLgDataStart: LongInt;   {first logical block of data area}
   pmDataCnt:     LongInt;   {number of blocks in data area}
   pmPartStatus:  LongInt;   {partition status information}
   pmLgBootStart: LongInt;   {first logical block of boot code}
   pmBootSize:    LongInt;   {size of boot code, in bytes}
   pmBootAddr:    LongInt;   {boot code load address}
   pmBootAddr2:   LongInt;   {reserved}
   pmBootEntry:   LongInt;   {boot code entry point}
   pmBootEntry2:  LongInt;   {reserved}
   pmBootCksum:   LongInt;   {boot code checksum}
   pmProcessor:   PACKED ARRAY [0..15] OF Char; {processor type}
   pmPad:         ARRAY [0..187] OF Integer; {reserved}
END;
Each entry occupies one block, and every entry repeats pmMapBlkCnt, so a reader learns from block 1 how many blocks the map spans. pmPartName and pmParType are NUL-padded ASCII strings; common types are Apple_partition_map, Apple_HFS and Apple_Free.
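The two records above can be read with a few lines of struct unpacking. The following is an added example and not code from the lecture slides: it parses block 0 and the partition map of a constructed 64-block image (built inside the block, not taken from a real disk), then applies the checks a forensic examiner would want before trusting a map: every entry agrees on pmMapBlkCnt, the map is itself a partition starting at block 1, and every block except block 0 belongs to exactly one partition. Field widths follow the Pascal records (Integer = 16 bits, LongInt = 32 bits, big-endian); the signature values 'ER' (0x4552) and 'PM' (0x504D) are the standard ones, and the function and variable names are my own.

```python
"""Added example (not from the slides): parse an Apple Partition Map image.
Block 0 holds the driver descriptor record, block 1 onward the partition map.
Integer = 16 bits, LongInt = 32 bits, all big-endian."""
import struct

BLOCK_SIZE = 512
DDR_SIGNATURE = 0x4552   # sbSig 'ER'
PM_SIGNATURE = 0x504D    # pmSig 'PM'
# Block0: sbSig sbBlkSize sbBlkCount sbDevType sbDevId sbData sbDrvrCount
#         ddBlock ddSize ddType; ddPad fills the remaining 486 bytes.
BLOCK0_FMT = ">HHIHHIHIHH"
# Partition: pmSig pmSigPad pmMapBlkCnt pmPyPartStart pmPartBlkCnt pmPartName
#            pmParType, ten LongInts pmLgDataStart..pmBootCksum, pmProcessor;
#            pmPad fills the remaining 376 bytes.
PARTITION_FMT = ">HHIII32s32s" + "I" * 10 + "16s"


def _cstr(raw):
    """NUL-padded byte string -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_block0(block):
    f = struct.unpack_from(BLOCK0_FMT, block, 0)
    if f[0] != DDR_SIGNATURE:
        raise ValueError("block 0 signature %#06x is not 'ER'" % f[0])
    return {"block_size": f[1], "block_count": f[2], "driver_count": f[6],
            "driver_block": f[7], "driver_size": f[8]}


def parse_partition_entry(block):
    f = struct.unpack_from(PARTITION_FMT, block, 0)
    if f[0] != PM_SIGNATURE:
        raise ValueError("partition entry signature %#06x is not 'PM'" % f[0])
    return {"map_blocks": f[2], "start": f[3], "blocks": f[4], "name": _cstr(f[5]),
            "type": _cstr(f[6]), "data_start": f[7], "data_blocks": f[8], "status": f[9]}


def check_layout(ddr, entries):
    """Consistency checks worth running before trusting a recovered map."""
    w = []
    if not entries:
        return ["no partition entries"]
    map_blocks = entries[0]["map_blocks"]
    for i, e in enumerate(entries):          # every entry repeats pmMapBlkCnt
        if e["map_blocks"] != map_blocks:
            w.append("entry %d: pmMapBlkCnt %d != %d" % (i, e["map_blocks"], map_blocks))
    if not any(e["type"] == "Apple_partition_map" and e["start"] == 1 for e in entries):
        w.append("no Apple_partition_map entry starting at block 1")
    total = ddr["block_count"]               # sbBlkCount is 0 on some real disks
    if total:
        owners = [0] * total                 # every block but 0 has exactly one owner
        for i, e in enumerate(entries):
            end = e["start"] + e["blocks"]
            if end > total:
                w.append("entry %d (%s) runs past the end of the device" % (i, e["name"]))
            for b in range(e["start"], min(end, total)):
                owners[b] += 1
        overlap = [b for b in range(1, total) if owners[b] > 1]
        orphans = [b for b in range(1, total) if owners[b] == 0]
        if overlap:
            w.append("%d blocks claimed by more than one partition (first: %d)"
                     % (len(overlap), overlap[0]))
        if orphans:
            w.append("%d blocks belong to no partition (first: %d)" % (len(orphans), orphans[0]))
    return w


def parse_apm(image):
    ddr = parse_block0(image[:BLOCK_SIZE])
    bs = ddr["block_size"] or BLOCK_SIZE
    first = parse_partition_entry(image[bs:2 * bs])   # the map starts in block 1
    entries = []
    for i in range(first["map_blocks"]):
        block = image[(1 + i) * bs:(2 + i) * bs]
        if len(block) < bs or struct.unpack_from(">H", block)[0] != PM_SIGNATURE:
            break                            # the map is contiguous: first non-'PM' block ends it
        entries.append(parse_partition_entry(block))
    return {"ddr": ddr, "entries": entries, "warnings": check_layout(ddr, entries)}


def _entry(map_blocks, start, blocks, name, ptype, status=0x37):
    raw = struct.pack(PARTITION_FMT, PM_SIGNATURE, 0, map_blocks, start, blocks,
                      name.encode(), ptype.encode(), 0, blocks, status,
                      0, 0, 0, 0, 0, 0, 0, b"")
    return raw.ljust(BLOCK_SIZE, b"\0")


def build_sample_image():
    """Constructed 64-block image (not a real disk): the map in blocks 1-3,
    an HFS volume in blocks 4-43, free space in blocks 44-63."""
    block0 = struct.pack(BLOCK0_FMT, DDR_SIGNATURE, BLOCK_SIZE, 64,
                         0, 0, 0, 0, 0, 0, 0).ljust(BLOCK_SIZE, b"\0")
    entries = [_entry(3, 1, 3, "Apple", "Apple_partition_map"),
               _entry(3, 4, 40, "Macintosh HD", "Apple_HFS"),
               _entry(3, 44, 20, "Extra", "Apple_Free")]
    return (block0 + b"".join(entries)).ljust(64 * BLOCK_SIZE, b"\0")
```

`parse_apm(build_sample_image())` returns the three entries with no warnings; overwriting pmPyPartStart of the HFS entry (bytes 8..11 of block 2) with 3 makes block 3 belong to two partitions and block 43 to none, and both show up in the warnings list. The parser stops at the first block in the map region that does not carry the 'PM' signature, which is how real tools cope with pmMapBlkCnt being larger than the number of entries actually written (63 is a common value).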
GUID Partition Table
Defined by a formal standard: Section 11.2.2, “GUID Partition Table (GPT) Format”, of the Extensible Firmware Interface Specification, carried forward in the Unified Extensible Firmware Interface Specification, version 2.0, published by the Unified EFI Forum.
GPT Overview
Block              Description
0                  Protective MBR
1                  Partition Table Header (primary)
2 thru 2+b-1       Partition Entry Array (primary)
2+b thru n-2-b     Partition Data
n-1-b thru n-2     Partition Entry Array (backup)
n-1                Partition Table Header (backup)
Here n is the number of blocks on the disk and b the number of blocks occupied by one copy of the partition entry array (with the usual 128 entries of 128 bytes and 512-byte blocks, b = 32). The backup copies at the end of the disk are what lets a GPT be recovered after block 0 and block 1 have been overwritten.
GPT Overview
Protective MBR: defines a single partition entry of type 0xEE that covers the entire disk (or as much of it as a 32-bit LBA can express). It is designed to prevent legacy, MBR-only programs from accidentally modifying a GPT disk, since to them the disk looks fully allocated.
GPT Overview
Partition Table Header: defines various aspects of a disk:
a GUID that uniquely identifies the disk, the starting block of the partition entry array, the number of entries and the size of each partition entry, the first and last usable blocks, and CRC32 checksums over the header itself and over the entry array.
GPT Overview
Partition Entry Array: each entry defines a partition, or is all zero when the entry is not used. Stored in a contiguous array on disk, with a second copy immediately before the backup header at the end of the disk.
GPT Overview
Partition Entry: contains a GUID that uniquely identifies the partition, a GUID for the partition type, the start block, the end block (inclusive), an attributes field, and the partition name (UTF-16).
(Notice: GPT is little-endian, unlike the big-endian Apple Partition Map.)
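The layout table and the header and entry descriptions above can be turned into a verifier. The following is an added example, not code from the lecture slides or from the UEFI specification: it builds a constructed 2048-block GPT image (synthetic, not a real disk), then parses the protective MBR, the primary header, the entry array and the backup copies, checking the CRC32s the header carries over itself and over the entry array, that the backup header sits in block n-1 and points back at block 1, and that no entry overlaps another or leaves the usable area. Field layouts follow the UEFI header and entry formats; the type GUIDs for the EFI System and Apple HFS+ partitions are the published ones, while the disk and partition GUIDs, partition names and function names are my own.

```python
"""Added example (not from the slides or the UEFI spec): parse and verify a GPT
image.  All fields are little-endian; GUIDs use the UEFI mixed-endian layout."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
PROTECTIVE_TYPE = 0xEE
# Header (92 bytes): Signature Revision HeaderSize HeaderCRC32 Reserved MyLBA AlternateLBA
#   FirstUsableLBA LastUsableLBA DiskGUID PartitionEntryLBA NumberOfEntries SizeOfEntry EntryArrayCRC32
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
# Entry (128 bytes): TypeGUID UniqueGUID StartingLBA EndingLBA Attributes Name (36 UTF-16LE units)
ENTRY_FMT = "<16s16sQQQ72s"
TYPE_NAMES = {"c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
              "48465300-0000-11aa-aa11-00306543ecac": "Apple HFS+"}

def parse_protective_mbr(sector):
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature missing")
    parts = [(sector[off + 4],) + struct.unpack_from("<II", sector, off + 8)
             for off in range(446, 510, 16) if sector[off + 4]]      # (type, start, sectors)
    ok = len(parts) == 1 and parts[0][0] == PROTECTIVE_TYPE and parts[0][1] == 1
    return {"partitions": parts, "protective": ok}

def parse_header(sector):
    f = struct.unpack_from(HEADER_FMT, sector, 0)
    if f[0] != GPT_SIGNATURE:
        raise ValueError("GPT header signature missing")
    zeroed = sector[:16] + b"\0\0\0\0" + sector[20:f[2]]   # CRC field is zero when hashed
    return {"my_lba": f[5], "alternate_lba": f[6], "first_usable": f[7], "last_usable": f[8],
            "disk_guid": str(uuid.UUID(bytes_le=f[9])), "entries_lba": f[10],
            "num_entries": f[11], "entry_size": f[12], "entries_crc": f[13],
            "header_crc_ok": zlib.crc32(zeroed) == f[3]}

def parse_entries(image, hdr):
    start = hdr["entries_lba"] * SECTOR
    raw = image[start:start + hdr["num_entries"] * hdr["entry_size"]]
    entries = []
    for i in range(hdr["num_entries"]):
        t, u, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, raw, i * hdr["entry_size"])
        if t != b"\0" * 16:                                # all-zero type GUID = unused slot
            t = str(uuid.UUID(bytes_le=t))
            entries.append({"index": i, "type_guid": t, "type_name": TYPE_NAMES.get(t, "unknown"),
                            "unique_guid": str(uuid.UUID(bytes_le=u)), "first_lba": first,
                            "last_lba": last, "attributes": attrs,
                            "name": name.decode("utf-16-le").rstrip("\0")})
    return entries, zlib.crc32(raw) == hdr["entries_crc"]

def parse_gpt(image):
    n = len(image) // SECTOR
    mbr = parse_protective_mbr(image[:SECTOR])
    hdr = parse_header(image[SECTOR:2 * SECTOR])
    entries, array_ok = parse_entries(image, hdr)
    w = []
    if not mbr["protective"]:
        w.append("MBR is not a single 0xEE protective entry")
    if not hdr["header_crc_ok"]:
        w.append("primary header CRC mismatch")
    if not array_ok:
        w.append("partition entry array CRC mismatch")
    try:                                                   # backup copies live in the last blocks
        bak = parse_header(image[(n - 1) * SECTOR:])
        bak_ok = parse_entries(image, bak)[1] and bak["header_crc_ok"]
        if not (bak_ok and bak["my_lba"] == n - 1 and bak["alternate_lba"] == 1
                and hdr["alternate_lba"] == n - 1 and bak["disk_guid"] == hdr["disk_guid"]):
            w.append("backup header or entry array inconsistent with the primary")
    except ValueError:
        w.append("backup GPT header missing")
    ordered = sorted(entries, key=lambda e: e["first_lba"])
    for e in ordered:
        if e["first_lba"] < hdr["first_usable"] or e["last_lba"] > hdr["last_usable"]:
            w.append("entry %d (%s) lies outside the usable area" % (e["index"], e["name"]))
    for a, b in zip(ordered, ordered[1:]):
        if b["first_lba"] <= a["last_lba"]:
            w.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return {"mbr": mbr, "header": hdr, "entries": entries, "warnings": w}

def build_sample_image(n=2048):
    """Constructed 1 MiB image (not a real disk; GUIDs are made up): 128 entries of
    128 bytes give b = 32 blocks per entry array, so data occupies LBA 2+b .. n-2-b."""
    b = 128 * 128 // SECTOR
    first_usable, last_usable = 2 + b, n - 2 - b
    disk_guid = uuid.UUID("0f1d2c3b-4a59-4687-9aa1-b2c3d4e5f607").bytes_le

    def entry(tguid, uguid, first, last, name):
        return struct.pack(ENTRY_FMT, uuid.UUID(tguid).bytes_le, uuid.UUID(uguid).bytes_le,
                           first, last, 0, name.encode("utf-16-le"))
    array = (entry("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "11111111-1111-4111-8111-111111111111",
                   first_usable, 1023, "EFI")
             + entry("48465300-0000-11aa-aa11-00306543ecac", "22222222-2222-4222-8222-222222222222",
                     1024, last_usable, "Macintosh HD")).ljust(128 * 128, b"\0")

    def header(my_lba, alt_lba, entries_lba):
        h = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0, my_lba, alt_lba,
                        first_usable, last_usable, disk_guid, entries_lba, 128, 128, zlib.crc32(array))
        return (h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]).ljust(SECTOR, b"\0")

    img = bytearray(n * SECTOR)                            # block 0: one 0xEE entry over LBA 1..n-1
    struct.pack_into("<8BII", img, 446, 0, 0, 2, 0, PROTECTIVE_TYPE, 0xFF, 0xFF, 0xFF, 1, n - 1)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:2 * SECTOR] = header(1, n - 1, 2)
    img[2 * SECTOR:2 * SECTOR + len(array)] = array
    img[(n - 1 - b) * SECTOR:(n - 1) * SECTOR] = array    # backup array just before backup header
    img[(n - 1) * SECTOR:] = header(n - 1, 1, n - 1 - b)
    return bytes(img)
```

`parse_gpt(build_sample_image())` reports two partitions and no warnings; flipping a single bit anywhere in the primary entry array produces "partition entry array CRC mismatch" while the backup copy still verifies. The CRCs matter forensically: a header whose CRC does not match its contents was edited by something that did not recompute it, and because the backup header and array live in the last blocks of the disk they usually survive a wipe of blocks 0 and 1.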