
Forensic Analysis of GPT Disks
1. Introduction

2. Features of GPT Disk

3. Layout of GPT Disk

4. Forensic Analysis of GPT Disk

5. Conclusion
Section 1

Introduction
Background
MBR
- Designed and developed in the 1980s
- Storage requirements were not so high
- Security was not under consideration
- The design was improved over time to accommodate storage requirements, but security aspects were never considered

GPT
- Addresses storage requirements
- Addresses security requirements
MBR

- Resides in sector 0
- 446 bytes of boot code
- 64 bytes of partition table (16 bytes for each of the four partition entries)
- 2 bytes signature value

Each 16-byte partition entry contains:

- 1 byte: bootable flag
- 3 bytes: CHS starting address
- 1 byte: file system (partition type)
- 3 bytes: CHS ending address
- 4 bytes: LBA starting address
- 4 bytes: LBA size of partition
MBR Limitations

Storage
- Cannot address disk space larger than 2 TB, because the LBA start and size fields are 32 bits wide:

2^32 sectors × 512 bytes = 2 TB

Security
- Cannot detect tampering with the partition table (there is no checksum)
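The sector 0 layout above and its two limitations, worked through as an added example (this code is not part of the original slides). It parses a constructed 512-byte MBR into the fields listed (boot code, four 16-byte entries, signature), flags a type 0xEE entry as the protective MBR that Section 3 describes, and shows that the 32-bit LBA fields give the 2 TB ceiling; the sample sectors and their values are constructed for illustration.

```python
import struct

SECTOR = 512
MAX_MBR_DISK = 2**32 * SECTOR      # 32-bit LBA fields: the 2 TB ceiling from the slide

def addressable_by_mbr(disk_bytes: int) -> bool:
    """True if every sector of the disk can be reached with 32-bit LBA start/size fields."""
    return disk_bytes <= MAX_MBR_DISK

def make_entry(bootable: bool, ptype: int, lba_start: int, lba_size: int) -> bytes:
    """Pack one 16-byte entry; the CHS fields are filled with 0xFF as LBA-only tools do."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba_start, lba_size)

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into 446 bytes boot code, four 16-byte entries and the 2-byte signature.
    Note what is absent: there is no checksum field, so nothing here can reveal tampering."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    boot_code, table, sig = sector[:446], sector[446:510], sector[510:512]
    entries = []
    for slot in range(4):
        flag, _chs_start, ptype, _chs_end, lba_start, lba_size = struct.unpack_from(
            "<B3sB3sII", table, 16 * slot)
        if ptype == 0x00:
            continue                                   # empty entry
        entries.append({"slot": slot, "bootable": flag == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": lba_size,
                        "end_byte": (lba_start + lba_size) * SECTOR})
    return {"boot_code_present": any(boot_code), "valid_signature": sig == b"\x55\xaa",
            "protective_gpt": any(e["type"] == 0xEE for e in entries), "entries": entries}

# Constructed sector 0 of a classic MBR disk: one bootable NTFS (type 0x07) partition
CLASSIC = bytes(446) + make_entry(True, 0x07, 2048, 1_000_000) + bytes(48) + b"\x55\xaa"
# Constructed protective MBR as found in sector 0 of a GPT disk: one type-0xEE entry spanning the disk
PROTECTIVE = bytes(446) + make_entry(False, 0xEE, 1, 0xFFFFFFFF) + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    for name, sector in (("classic", CLASSIC), ("protective", PROTECTIVE)):
        print(name, parse_mbr(sector))
    print("4 TB disk addressable by MBR:", addressable_by_mbr(4 * 1024**4))   # False
```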
Section 2

Features of GPT
GPT Features
- Storage capacity
- Redundancy
- Security
- Allows 128 primary partitions (Microsoft Windows)
- Does not allow hidden sectors


Storage Capacity

GPT addresses the storage requirements that MBR was unable to meet.

MBR storage capacity = 2^32 sectors × 512 bytes = 2 TB

GPT storage capacity = 2^64 sectors × 512 bytes = 8 ZB
Redundancy

There is a backup copy of the GPT header and partition table in the last sectors of the
disk. If the header or partition table gets damaged or corrupted, the OS can fetch the
information from the backup copy.
Security

GPT provides header and partition table integrity by means of CRC32 checksums.


Primary Partitions

In GPT all partitions are primary partitions.

There is no concept of extended partitions.

There can be as many partitions as the OS allows; Microsoft Windows allows 128 partitions.
Hidden Sectors

GPT does not allow hidden sectors. First partition starts right after the
partition table.
Section 3

Layout of GPT
Layout of GPT Header
Protective MBR
- To prevent older software tools and utilities from accidentally destroying GUID partitions, the Protective MBR was created.

- If a tool doesn't support or recognize GPT, it will at least think that the entire disk is in use by another (possibly unknown) partition.

- The protective MBR partition type is 0xEE and defines a 'placeholder' partition spanning the entire disk.
GPT header fields, in order:

- Signature value
- Size of GPT header in bytes
- CRC32 checksum of GPT header
- Reserved
- LBA of current GPT header
- LBA of the backup GPT header
- LBA of start of partition area
- LBA of end of partition area
- Disk GUID
- LBA of the start of the partition table
- Number of entries in partition table
- Size of each entry in partition table
- CRC32 checksum of partition table
- Reserved
Layout of Partition Table
The 64-bit attribute field is divided into three parts.

The lowest bit is set to 1 when the system cannot function without this partition. This is
used to determine if a user is allowed to delete a partition.

Bits 1 to 47 are undefined

Bits 48–63 can store any data that the specific partition type wants. Each partition
type can use these values as they like.
Section 4

Forensic Analysis of GPT Disk


Header & Partition Table Integrity

First GPT Header and Partition Table Integrity before Tampering

Backup GPT Header and Partition Table Integrity after Tampering


GPT Partition Table Tampering

Tampered First GPT Partition


Integrity Protection by OS

WinHex Detected Size Reduction

No Change detected by the OS


MBR Tampering

MBR Partition Table

Tampering with the Partition Table

Partition Size Reduced


Tampering with the Backup GPT Partition Table


Integrity Protection by OS

WinHex Detected no Change

OS Refused to Recognize Partitions
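The integrity checks behind the experiments above, as an added example (not code from the original slides): it builds a constructed GPT disk with primary and backup headers, verifies both CRC32 fields the way the OS does, then applies the same kind of tampering as the WinHex experiment (shrinking the first partition in the primary table) to show that the primary table check fails while the backup still verifies; it also flags content in unused partition entries, which a CRC alone would not explain. It assumes the standard UEFI header layout (the fields on the header slide plus a Revision field at offset 8, 92 bytes in total) and that zlib's CRC32 is the polynomial GPT uses; apart from the Microsoft basic data type GUID, all GUIDs and sizes are constructed.

```python
import struct
import uuid
import zlib

# Standard UEFI GPT header: the fields on the slide plus Revision at offset 8 (92 bytes total)
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")
ENTRY = struct.Struct("<16s16sQQQ72s")      # type GUID, unique GUID, first LBA, last LBA, attrs, name
BASIC_DATA = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")   # Microsoft basic data type GUID
DISK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")    # constructed, not a real disk
PART_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")    # constructed

def header_crc_ok(hdr: bytes) -> bool:
    """Recompute the header CRC32 over header_size bytes with the CRC field (offset 16) zeroed."""
    size, stored = struct.unpack_from("<II", hdr, 12)
    return zlib.crc32(hdr[:16] + bytes(4) + hdr[20:size]) == stored

def table_crc_ok(hdr: bytes, table: bytes) -> bool:
    """Recompute CRC32 over num_entries * entry_size bytes of the partition table."""
    num, esz, stored = struct.unpack_from("<III", hdr, 80)
    return zlib.crc32(table[:num * esz]) == stored

def unused_entries_nonzero(hdr: bytes, table: bytes) -> bool:
    """An entry whose type GUID is zero is unused and should be all zero; anything else is worth imaging."""
    num, esz = struct.unpack_from("<II", hdr, 80)
    slots = [table[i * esz:(i + 1) * esz] for i in range(num)]
    return any(any(s) for s in slots if not any(s[:16]))

def audit(hdr: bytes, table: bytes) -> dict:
    """The checks a forensic tool should run on each header/table pair, primary and backup alike."""
    return {"header_crc": header_crc_ok(hdr), "table_crc": table_crc_ok(hdr, table),
            "data_in_unused_entries": unused_entries_nonzero(hdr, table)}

def make_gpt(entries: list, disk_sectors: int):
    """Constructed disk: primary header at LBA 1 with its table at LBA 2; backup header at the last LBA."""
    table = b"".join(entries).ljust(128 * 128, b"\0")          # 128 entries of 128 bytes each
    def header(current, backup, table_lba):
        h = HDR.pack(b"EFI PART", 0x00010000, HDR.size, 0, 0, current, backup, 34, disk_sectors - 34,
                     DISK_GUID.bytes_le, table_lba, 128, 128, zlib.crc32(table))
        return h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]   # header CRC computed with field zeroed
    return header(1, disk_sectors - 1, 2), header(disk_sectors - 1, 1, disk_sectors - 33), table

# One basic-data partition on a constructed 1,000,000-sector disk
PRIMARY, BACKUP, TABLE = make_gpt(
    [ENTRY.pack(BASIC_DATA.bytes_le, PART_GUID.bytes_le, 34, 999_000, 0, "Data".encode("utf-16-le"))],
    1_000_000)
# Tampering as in the WinHex experiment: rewrite the first entry's ending LBA so the partition shrinks
TAMPERED = TABLE[:40] + struct.pack("<Q", 500_000) + TABLE[48:]
# audit(PRIMARY, TAMPERED) -> table_crc False, header_crc True; audit(BACKUP, TABLE) -> all intact
```

Running `audit` against both copies is what distinguishes "one table tampered, backup intact" (the OS keeps working) from "both tables damaged" (the OS refuses the partitions), which the experiments above observed only through WinHex.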


Data Hiding

GPT does not allow hidden sectors the way MBR does, but there are places on a GPT disk
where data can be hidden. GPT reserves 32 MB of space for the MS Reserved partition; data
can be hidden in these 32 MB because the OS does not mount this partition for the user. This
space is 128 MB on disks larger than 16 GB, which most disks are these days. Another place
where data can be hidden is the partition gap. The partition gap is 47 KB on disks smaller
than 16 GB and 1 MB on disks larger than 16 GB. The unused portions of sector 0, sector 1,
and any unused partition entries could also be used to hide data.
Data can also be hidden in the start sector, which is 17 KB. Free space from this 47 KB is
only available when there are fewer than 128 partitions.
Data Hiding

Partition Gap in GPT and MS Reserved Partition < 16 GB

Partition Gap in GPT and MS Reserved Partition > 16 GB


Conversion Between MBR and GPT

Conversion between GPT and MBR is possible. Windows does not allow conversion if
there is data in any of the partitions. Conversion can be performed after emptying the
partitions, which means that lossless conversion is not possible using Windows utilities.
Third-party software is available that can perform the conversion without losing
data, and AOMEI Partition Assistant is one such tool.

When MBR is converted to GPT, the MBR partition table is replaced with the GPT
protective MBR, and GPT headers and partition tables are created according to the GPT
partitioning scheme. If there are extended partitions in the MBR, all partitions will be
converted to primary partitions, as there is no concept of extended partitions in GPT.

When GPT is converted to MBR, the protective MBR is replaced with MBR's typical
sector zero containing boot code and the partition table. The GPT headers remain
intact, but the GPT partition tables are destroyed. If there are more than four partitions,
GPT to MBR conversion is not possible, because there cannot be more than
four primary partitions in MBR.
Comparison Between MBR & GPT
Number  Feature                                   MBR             GPT
01      Backup Partition Table                    No              Yes
02      Integrity Protection                      No              Yes
03      Number of Primary Partitions              4               128
04      Partition Gap                             No              Yes
05      Maximum Size                              2 TB            8 ZB
06      Unique Disk and Partition Identifier      No              Yes
07      Bootable on Legacy Systems                Yes             Enable UEFI to boot from GPT
08      Resistant against Partition Tampering     Not resistant   Resistant until one table is untampered
09      Hidden Sectors                            Allowed         Not allowed
10      MS Reserved Partition                     No              Yes
11      Minimum Size                              3 MB            128 MB
12      Physical Addressing                       Yes             No
Conclusion

- GPT was introduced to address the storage capacity and security issues of MBR.
GPT has many advantages over MBR, which have been discussed in detail. GPT is not yet
as common as it should be, because it is not as compatible as MBR when it comes to
booting from the partition. To boot from GPT partitions the system must support UEFI,
and Windows allows only a 64-bit OS to boot from GPT. GPT does not allow hidden
partitions, but it provides some space under the MS Reserved partition and the partition
gap where data can be hidden. The main features of GPT are its storage capacity and
integrity protection. Forensic software was designed for MBR disks; it does work with
GPT, but not intelligently. Forensic software needs upgrading so that it can also detect
violations of integrity and other changes made to GPT disks.
