Partition Boot Record

BACS 371
Computer Forensics
Files, Partitions & File Systems
Data Hierarchy
Computer
Hard Disk Drive
Partition
File
Physical File
Logical File
Cluster
Sector
Word
Byte
Bit
File

Collection of information written to a disk
Generally created in an application-specific format
Occupies a whole number of clusters (the last cluster is usually only partly used)
Each cluster's entry in the File Allocation Table points to the next cluster in the file
The FAT entry of the final cluster holds the End of File (EOF) marker
Files

Logical File Size: exact size of the contents of the file in bytes
Physical File Size: amount of space the file occupies on disk in bytes (always a whole number of clusters)
Disk Slack: unused space between the logical end of the file and the physical end of its last cluster
  This is different from RAM slack, which we will discuss next

[Figure: Physical File Size = Logical File Size + Disk Slack]
Disk & RAM Slack Example

File contents: "Hello world!" (12 bytes), written to the 1st sector of a cluster; the 2nd through 8th sectors of that cluster are never written.

Assumptions:
• Sector Size = 512 bytes
• Cluster Size = 4 KB = 8 sectors

RAM Slack: 512 bytes – 12 bytes = 500 bytes (the unused remainder of the 1st sector)
Disk Slack: 4096 bytes – 512 bytes = 3584 bytes (the 2nd through 8th sectors of the cluster)
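The slide's arithmetic, generalised to any file size, sector size and cluster size, as an added example that is not part of the original slides. It also covers the two edge cases the slide does not show: a file whose size is an exact multiple of the sector size has no RAM slack, and a zero-byte FAT file owns no cluster at all (its directory entry carries first cluster 0), so it has no slack of either kind.

```python
"""Added example (not from the slides): slack computation for a FAT-style volume."""


def slack(file_size: int, sector_size: int = 512, sectors_per_cluster: int = 8) -> dict:
    """Return clusters used, physical size, RAM slack and disk slack for a file.

    RAM slack  = bytes between the logical end of file and the end of the last
                 sector written (historically filled with RAM contents by DOS).
    Disk slack = bytes between the end of that last sector and the end of the
                 last allocated cluster (never written, old data survives there).
    Defaults are the slide's assumptions: 512-byte sectors, 8 sectors per cluster.
    """
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    cluster_size = sector_size * sectors_per_cluster
    if file_size == 0:
        # An empty FAT file has no cluster chain, so nothing is allocated.
        return {"clusters": 0, "physical_size": 0, "ram_slack": 0, "disk_slack": 0}
    clusters = -(-file_size // cluster_size)        # ceiling division
    sectors_written = -(-file_size // sector_size)  # sectors that actually received data
    physical_size = clusters * cluster_size
    ram_slack = sectors_written * sector_size - file_size   # 0 when the file fills its last sector
    disk_slack = physical_size - sectors_written * sector_size
    return {
        "clusters": clusters,
        "physical_size": physical_size,
        "ram_slack": ram_slack,
        "disk_slack": disk_slack,
    }


if __name__ == "__main__":
    # The slide's case: "Hello world!" is 12 bytes.
    print(slack(len(b"Hello world!")))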
Partitions

A partition is a logical volume within a physical volume (i.e., disk).
The Master Boot Record (MBR) of a disk defines the partitions found on the physical disk.
An MBR can define 4 primary partitions (max).
One of those four entries can instead describe an "extended partition", a container that holds no file system of its own.
The extended partition is subdivided into logical partitions by a chain of Extended Boot Records (EBRs), one per logical partition; logical partitions cannot themselves be subdivided further.
Master Boot Record (MBR)

Executable Code
• Machine language code
• Processor specific
• Decodes the partition table and loads the boot sector of the active partition
• 446 bytes long (offsets 0x000 – 0x1BD)

Partition Table
• 4 entries of 16 bytes each (64 bytes)
• First entry starts at offset 0x01BE

MBR "Signature"
• 0x55AA (the bytes 55 AA at offsets 0x1FE – 0x1FF)
Disk Partitions (primary ("physical") and extended)

[Figure: layout of a disk with two primary partitions and one extended partition]
Master Boot Record, whose four partition table entries point to:
  1. 1st Partition (primary), beginning with its own PBR
  2. 2nd Partition (primary), beginning with its own PBR
  3. 3rd Partition (Extended), which begins with an Extended MBR (EBR) and contains Logical Partition #1, Logical Partition #2 and Logical Partition #3, each beginning with its own PBR
  4. (unused entry)
Unallocated space follows the last partition.
PBR = Partition Boot Record
Partition Layout
http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch28/f28zs07_big.jpg

Extended Partition Layout
(same figure as above)

MBR with Extended Boot Record
[Figure: the MBR and an Extended Boot Record (EBR) side by side. Both use the same 512-byte layout: a 446-byte code area, the 64-byte partition table at 0x1BE and the 55 AA signature at 0x1FE. In an EBR the code area is normally unused (zeroed) and only the first two table entries are used: entry 1 describes the logical partition that follows the EBR, with a start address relative to the EBR itself; entry 2 points to the next EBR in the chain, with a start address relative to the start of the extended partition, or is all zeros at the end of the chain.]
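A parser for the two structures described above, as an added example that is not part of the original slides: it reads the four entries at 0x1BE of the MBR, checks the 55 AA signature, and walks the EBR chain of an extended partition, applying the two different base addresses (logical start relative to its EBR, next-EBR link relative to the extended partition). The disk image, partition types and LBA values are constructed inline to mirror the figure (two primaries, one extended partition holding three logical partitions) and are assumptions, not data from the slides. A loop guard is included because a crafted or corrupted EBR chain that links back to itself would otherwise hang a naive walker.

```python
"""Added example (not from the slides): MBR partition table and EBR chain parser."""
import struct

SECTOR = 512
SIGNATURE = b"\x55\xAA"
EXTENDED_TYPES = {0x05, 0x0F, 0x85}      # DOS extended, W95 extended (LBA), Linux extended


def parse_partition_table(sector: bytes) -> list[dict]:
    """Parse the four 16-byte entries at 0x1BE of an MBR or EBR sector."""
    if len(sector) < SECTOR or sector[0x1FE:0x200] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4); CHS bytes skipped
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": start, "lba_count": count})
    return entries


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def list_partitions(image: bytes) -> list[dict]:
    """Primary partitions from the MBR, then logical partitions found by walking the EBR chain."""
    found, seen_ebr = [], set()
    for n, e in enumerate(parse_partition_table(read_sector(image, 0)), start=1):
        if e["type"] == 0:
            continue                                  # empty slot
        kind = "extended" if e["type"] in EXTENDED_TYPES else "primary"
        found.append({"name": f"primary {n}", "kind": kind, **e})
        if kind != "extended":
            continue
        ext_base, ebr_lba, logical_no = e["lba_start"], e["lba_start"], 0
        while ebr_lba not in seen_ebr:                # a looped chain would otherwise spin forever
            seen_ebr.add(ebr_lba)
            first, link = parse_partition_table(read_sector(image, ebr_lba))[:2]
            if first["type"] != 0:
                logical_no += 1
                found.append({"name": f"logical {logical_no}", "kind": "logical",
                              "status": first["status"], "type": first["type"],
                              "lba_start": ebr_lba + first["lba_start"],   # relative to this EBR
                              "lba_count": first["lba_count"]})
            if link["type"] == 0:
                break                                 # end of chain
            ebr_lba = ext_base + link["lba_start"]    # relative to the extended partition's start
    return found


def _entry(ptype: int, lba_start: int, lba_count: int, bootable: bool = False) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, lba_count)


def _table_sector(entries: list[bytes]) -> bytes:
    sec = bytearray(SECTOR)                           # code area left zeroed, as in an EBR
    sec[0x1BE:0x1FE] = b"".join(entries).ljust(64, b"\x00")
    sec[0x1FE:0x200] = SIGNATURE
    return bytes(sec)


def build_sample_image() -> bytes:
    """Constructed 5000-sector image (assumed layout, not taken from the slides)."""
    img = bytearray(5000 * SECTOR)
    ext_base = 2000
    img[0:SECTOR] = _table_sector([
        _entry(0x0C, 63, 900, bootable=True),         # primary 1: FAT32 (LBA), active
        _entry(0x07, 1000, 900),                      # primary 2: NTFS
        _entry(0x05, ext_base, 3000),                 # primary 3: extended container
    ])
    # (EBR offset within the extended partition, logical start relative to the EBR,
    #  logical length, offset of the next EBR or None at the end of the chain)
    for rel, lstart, lcount, nxt in [(0, 63, 900, 1000), (1000, 63, 900, 2000), (2000, 63, 900, None)]:
        entries = [_entry(0x0B, lstart, lcount)]
        if nxt is not None:
            entries.append(_entry(0x05, nxt, 1000))
        lba = ext_base + rel
        img[lba * SECTOR:(lba + 1) * SECTOR] = _table_sector(entries)
    return bytes(img)


if __name__ == "__main__":
    for p in list_partitions(build_sample_image()):
        print(f'{p["name"]:10} {p["kind"]:8} type=0x{p["type"]:02X} start={p["lba_start"]} count={p["lba_count"]}')
```

Run against a real image, `read_sector` would be replaced by a seek-and-read on the image file; everything else stays the same, and every LBA printed is relative to the start of the drive, which is what a forensic tool needs in order to find each partition's PBR.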
FAT File System

File Systems
(See http://www.ntfs.com)

A method for storing and organizing computer files and the data they contain to make it easy to find and access them

File System Types
FAT (File Allocation Table)
  FAT12
  FAT16
  FAT32
  exFAT
NTFS (New Technology File System)

Functions
Manage "free space"
Allocate clusters to files
Track time (MAC – Modified, Accessed, Created)
A FAT file system is composed of four different sections.

The Boot Sector (aka Partition Boot Record or File System Boot Sector; it is the first of the volume's reserved sectors and carries the BIOS Parameter Block, BPB). This is always the first sector of the partition and includes some basic file system information (in particular, its geometry and type), pointers to the location of the other sections and the operating system's boot loader code.
The FAT Region. This normally contains two copies of the File Allocation Table for the sake of redundancy (the count is recorded in the BPB), although the extra copy is rarely used, even by disk repair utilities. These are maps of the partition, indicating how the clusters are allocated.
The Root Directory Region. This is a Directory Table that stores information about the files and directories in the root directory. With FAT32 it can be stored anywhere in the partition (the BPB records its first cluster); with earlier versions it is always located immediately after the FAT Region.
The Data Region. This is where the actual file and directory data is stored and takes up most of the partition. The size of files and subdirectories can be increased arbitrarily (as long as there are free clusters) by simply adding more links to the file's chain in the FAT. Note however, that each cluster can be taken only by one file, and so if a 1KB file resides in a 32KB cluster, 31KB are wasted.
FAT File System

[Figure: layout of a FAT partition, left to right]
Partition Boot Sector | FAT 1 | FAT 2 (Duplicate) | Root Directory | Other folders and all files
This is all contained within a partition.
Partition Boot Record
AKA File System Boot Sector

The first physical sector in a logical volume
  C 0, H 1, S 1 (cylinder 0, head 1, sector 1) for the first partition on a classically laid out disk, i.e. LBA 63 with 63 sectors per track; Windows Vista and later instead start the first partition at LBA 2048
Contains
  Code
  File System Specification Information
Partition Boot Record (PBR)

BIOS Parameter Block (BPB)

Executable Code
• Machine language code
• Processor specific
• Decodes the BPB
• Searches for and loads the OS

PBR "Signature"
• 0x55AA
Partition Boot Record (FAT32 File system)

Offset (decimal)   Field                                        Size
0 – 2              Jump Instruction                             3 bytes
3 – 10             OEM ID                                       8 bytes
11 – 89            BIOS Parameter Block (BPB)
                   (includes all of the fields below plus additional ones;
                   all offsets in this section are from the start of the sector, counting from 0)
  offset 11        Bytes Per Sector                             2 bytes
  offset 13        Sectors Per Cluster                          1 byte
  offset 21        Media Descriptor                             1 byte
  offset 24        Sectors Per Track                            2 bytes
  offset 26        Number of Heads                              2 bytes
  offset 28        Hidden Sectors                               4 bytes
  offset 32        Total Sectors                                4 bytes
90 – 509           Bootstrap Code                               420 bytes
510 – 511          Ends with 55 AA                              2 bytes

(On FAT12/FAT16 the BPB is shorter and ends at offset 61, so the bootstrap code occupies offsets 62 – 509, i.e. 448 bytes.)
NOTE: Offsets are from the start of the partition, not the start of the drive!
Decoding a Partition Boot Record (BIOS Parameter Block – BPB)

Jump Instruction
• Offset 0
• 3 bytes

OEM Name
• Offset 3
• 8 bytes
• Decode as ASCII
• "MSDOS5.0"

Bytes Per Sector
• Offset 11
• 2 bytes
• Decode as number (swap "endian": the field is stored little-endian)
• 0x0200 = 512

Sectors Per Cluster
• Offset 13
• 1 byte
• Decode as number
• 0x08 = 8
• 8 * 512 = 4096 bytes/cluster

Media Type
• Offset 21
• 1 byte
• Decode from table
• 0xF8 means hard disk

Sectors per Track
• Offset 24
• 2 bytes
• Decode as number (swap "endian")
• 0x003F = 63

Heads
• Offset 26
• 2 bytes
• Decode as number (swap "endian")
• 0x00FF = 255

Total Sectors
• Offset 32
• 4 bytes
• Decode as number (swap "endian")
• 0x000E37BA = 931,770
• 931,770 * 512 = 477,066,240 bytes

FAT Size (Sectors)
• Offset 36
• 4 bytes
• Decode as number (swap "endian")
• 0x0000038D = 909 sectors
• 465,408 bytes (* 512)
• 116,352 entries (/ 4, since each FAT32 entry is 4 bytes; entries 0 and 1 are reserved, so 116,350 data clusters can be addressed)
• 476,577,792 bytes addressable (* 4096), enough to cover the data region of the 477,066,240-byte volume once the reserved and FAT sectors are taken off the top

File System Type
• Offset 82
• 8 bytes
• Decode as ASCII
• "FAT32   "
• Informational only: the actual FAT type is determined from the number of data clusters, not from this string

[Figure: Partition Boot Sector Decoded]
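The decoding walked through above, as an added example that is not part of the original slides: it unpacks the little-endian BPB fields from a boot sector, applies the sanity checks a forensic tool should make before trusting the numbers, derives the values on the slide (cluster size, volume size, FAT size, FAT entries, bytes addressable) and locates the FAT and data regions in partition-relative sectors. The boot sector is constructed inline with the slide's own decoded values; the reserved sector count (32), number of FATs (2), hidden sectors (63), root cluster (2) and backup boot sector (6) are assumptions the slide does not state.

```python
"""Added example (not from the slides): FAT32 BIOS Parameter Block decoder."""
import struct

# Offsets 11..35: BytsPerSec SecPerClus RsvdSecCnt NumFATs RootEntCnt TotSec16 Media FATSz16
#                 SecPerTrk NumHeads HiddSec TotSec32 (all little-endian)
BPB_FMT = "<HBHBHHBHHHII"


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector carrying the values decoded on the slide (plus assumed fields)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                         # jump instruction (JMP short; NOP)
    bs[3:11] = b"MSDOS5.0"                            # OEM name
    struct.pack_into(BPB_FMT, bs, 11, 512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 63, 931770)
    struct.pack_into("<IHHIHH", bs, 36, 909, 0, 0, 2, 1, 6)   # FATSz32 ExtFlags FSVer RootClus FSInfo BkBootSec
    bs[82:90] = b"FAT32   "                           # file system type string
    bs[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(bs)


def decode_fat32_bpb(bs: bytes) -> dict:
    """Decode the BPB; every multi-byte field is little-endian (the slide's "swap endian")."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("no 55 AA signature: not a boot sector")
    f = {"oem_name": bs[3:11].decode("ascii", "replace")}
    (f["bytes_per_sector"], f["sectors_per_cluster"], f["reserved_sectors"], f["num_fats"],
     root_entries, tot_sec16, f["media"], fat_sz16, f["sectors_per_track"], f["heads"],
     f["hidden_sectors"], tot_sec32) = struct.unpack_from(BPB_FMT, bs, 11)
    f["total_sectors"] = tot_sec16 or tot_sec32       # the 16-bit field is 0 on FAT32
    f["fat_size_sectors"] = fat_sz16 or struct.unpack_from("<I", bs, 36)[0]
    f["root_cluster"] = struct.unpack_from("<I", bs, 44)[0]
    f["backup_boot_sector"] = struct.unpack_from("<H", bs, 50)[0]
    f["fs_type"] = bs[82:90].decode("ascii", "replace")

    # Sanity checks: a crafted or damaged BPB fails here instead of yielding nonsense sizes.
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {f['bytes_per_sector']}")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        raise ValueError(f"sectors per cluster must be a power of two: {spc}")
    if f["num_fats"] == 0 or f["reserved_sectors"] == 0:
        raise ValueError("reserved sector count and FAT count must be non-zero")

    # Derived values, as on the slide.
    f["cluster_size"] = f["bytes_per_sector"] * spc
    f["volume_bytes"] = f["total_sectors"] * f["bytes_per_sector"]
    f["fat_bytes"] = f["fat_size_sectors"] * f["bytes_per_sector"]
    f["fat_entries"] = f["fat_bytes"] // 4            # FAT32 entries are 4 bytes each
    f["bytes_addressable"] = f["fat_entries"] * f["cluster_size"]
    # Region layout, in sectors from the start of the partition (not the drive).
    f["fat_start_sector"] = f["reserved_sectors"]
    f["data_start_sector"] = f["reserved_sectors"] + f["num_fats"] * f["fat_size_sectors"]
    root_dir_sectors = (root_entries * 32 + f["bytes_per_sector"] - 1) // f["bytes_per_sector"]  # 0 on FAT32
    f["data_clusters"] = (f["total_sectors"] - f["data_start_sector"] - root_dir_sectors) // spc
    # The authoritative type test (Microsoft FAT specification): by data cluster count, not the string.
    f["fat_type"] = "FAT12" if f["data_clusters"] < 4085 else "FAT16" if f["data_clusters"] < 65525 else "FAT32"
    return f


def cluster_to_sector(f: dict, cluster: int) -> int:
    """Partition-relative first sector of a data cluster (data cluster numbering starts at 2)."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return f["data_start_sector"] + (cluster - 2) * f["sectors_per_cluster"]


if __name__ == "__main__":
    for k, v in decode_fat32_bpb(build_sample_boot_sector()).items():
        print(f"{k:20} {v}")
```

With the assumed 32 reserved sectors and two FATs, the data region begins at sector 1850 of the partition and holds 116,240 clusters, which is why a 116,352-entry FAT is what the formatter allocated: the FAT is rounded up to whole sectors and must cover every data cluster plus the two reserved entries.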
File Allocation Table

A partition is divided up into identically sized clusters, small blocks of contiguous space. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition; typically cluster sizes lie somewhere between 2KB and 32KB. Each file may occupy one or more of these clusters depending on its size; thus, a file is represented by a chain of these clusters (referred to as a singly linked list). However these chains are not necessarily stored adjacently on the disk's surface but are often instead fragmented throughout the Data Region.

The File Allocation Table (FAT) is a list of entries that map to each cluster on the partition. Each entry records one of five things:
  the address of the next cluster in a chain
  a special end of file (EOF) character that indicates the end of a chain
  a special character to mark a bad cluster
  a special character to mark a reserved cluster
  a zero to note that that cluster is unused
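The five entry kinds and the singly linked chain described above, as an added example that is not part of the original slides: the FAT32 marker values (end of chain 0x0FFFFFF8..0x0FFFFFFF, bad cluster 0x0FFFFFF7, only the low 28 bits significant) follow the FAT32 specification; the 12-entry table itself, including a looped chain and a chain that runs into a free cluster, is constructed inline as an assumed example of the corruption a walker must survive.

```python
"""Added example (not from the slides): FAT32 entry classification and cluster chain walk."""
import struct

MASK = 0x0FFFFFFF          # FAT32 uses only the low 28 bits of each 32-bit entry
BAD = 0x0FFFFFF7           # bad cluster marker
EOC_MIN = 0x0FFFFFF8       # 0x0FFFFFF8..0x0FFFFFFF: end of chain (EOF)


def classify(raw: int) -> str:
    """One of the five things a FAT entry can record."""
    v = raw & MASK
    if v == 0:
        return "free"
    if v == 1:
        return "reserved"
    if v == BAD:
        return "bad"
    if v >= EOC_MIN:
        return "eoc"
    return "next"


def walk_chain(fat: bytes, first_cluster: int) -> list[int]:
    """Return the ordered cluster numbers of a file, starting at its directory entry's first cluster."""
    n = len(fat) // 4
    chain, seen, cur = [], set(), first_cluster
    while True:
        if cur < 2 or cur >= n:
            raise ValueError(f"cluster {cur} outside the FAT (valid range 2..{n - 1})")
        if cur in seen:
            raise ValueError(f"loop: cluster {cur} already in chain {chain}")
        seen.add(cur)
        chain.append(cur)
        raw = struct.unpack_from("<I", fat, 4 * cur)[0]
        kind = classify(raw)
        if kind == "eoc":
            return chain
        if kind != "next":
            raise ValueError(f"chain from {first_cluster} runs into a {kind} entry at cluster {cur}")
        cur = raw & MASK


def free_clusters(fat: bytes) -> list[int]:
    """Clusters no file owns: the unallocated space a carver would examine."""
    n = len(fat) // 4
    return [c for c in range(2, n) if classify(struct.unpack_from("<I", fat, 4 * c)[0]) == "free"]


def build_sample_fat() -> bytes:
    """Constructed 12-entry FAT32 table (assumed layout, not taken from the slides)."""
    entries = [0x0FFFFFF8,     # entry 0: media byte 0xF8 padded with 1s (not a real cluster)
               0xFFFFFFFF,     # entry 1: reserved (its high bits double as dirty/error flags)
               0x0FFFFFFF,     # cluster 2: root directory, one cluster long
               4,              # cluster 3: start of a fragmented file ...
               7,              # cluster 4: ... skipping clusters 5 and 6 ...
               0,              # cluster 5: free
               0x0FFFFFF7,     # cluster 6: marked bad
               0x0FFFFFFF,     # cluster 7: ... end of that file's chain
               8,              # cluster 8: points to itself (corruption or a crafted loop)
               5,              # cluster 9: points to a free cluster (cross-link damage)
               0xF0000000 | 11,  # cluster 10: reserved high nibble set; must be masked off to get 11
               0x0FFFFFFF]     # cluster 11: end of chain
    return b"".join(struct.pack("<I", e) for e in entries)


if __name__ == "__main__":
    fat = build_sample_fat()
    print("file starting at cluster 3 occupies", walk_chain(fat, 3))
    print("free clusters:", free_clusters(fat))
```

On a real volume `fat` would be the FAT region read from the partition (reserved-sector count times bytes per sector from the start, FAT size in sectors long), and each cluster number returned would be turned into a sector address with the data-region start from the BPB.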
FAT Content

Database of
  File names
  Directory names
  Date and time stamps (MAC: Modified, Accessed, Created)
  Starting cluster number
  Attributes
    Archive
    Hidden
    System
    Read Only

Note: the names, time stamps, starting cluster and attributes above are kept in the directory tables of a FAT volume, not in the File Allocation Table itself; the File Allocation Table holds only the cluster-chain entries (next cluster, EOF, bad, reserved or free) for every cluster on the volume.
Located at the start of the partition, immediately after the reserved sectors (historically on the outermost tracks of the disk).
File Allocation Table (FAT)

Directory table

A directory table is a special type of file that represents a directory (nowadays commonly known as a folder). Each file or directory stored within it is represented by a 32-byte entry in the table. Each entry records the name, extension, attributes (archive, directory, hidden, read-only, system and volume), the date and time of creation, the address of the first cluster of the file/directory's data and finally the size of the file/directory.
Aside from the Root Directory Table in FAT12 and FAT16 file systems, which occupies the special Root Directory Region location, all Directory Tables are stored in the Data Region.

Legal characters for DOS file names include the following:
  Upper case letters A-Z
  Numbers 0-9
  Space (though trailing spaces are considered to be padding and not a part of the file name)
  !#$%&()-@^_`{}~'
  Values 128-255 (interpreted according to the current OEM code page)
Directory to FAT interaction
[Figure: a FAT32 Root Directory entry's starting cluster number indexes into the File Allocation Table, whose chain of entries locates the rest of the file]

32-bit Cluster Numbers
 Only
28 bits actually used
 Addresses 228 Clusters (~ 268,435,438)
 Drive sizes ~ 1TB (228 clusters * 4096 Bytes per cluster ~
1.1TB)
 WinXP limited to 32GB using FAT32
 Max file size in FAT32 is 232-1 bytes ~ 4GB
Advantages of FAT32 over FAT16

FAT32 offers smaller cluster sizes -> less wasted space
FAT32 systems can reallocate and change the size of the root directory (it is an ordinary cluster chain in the data region rather than a fixed-size region)
FAT32 drives contain a backup copy of the boot sector (normally at sector 6 of the partition) -> less prone to failure
Allow for long file names (VFAT long names also work on FAT12/FAT16 under Windows 95 and later; they are a feature of the directory entry format rather than of FAT32 itself)
Long File Names "Trick"

Phony entries are added to the Directory Tables, immediately ahead of the real (short-name) entry
Entries are marked with attribute 0x0F (read-only + hidden + system + volume label), a combination no real file can have, so older DOS versions simply ignore them
Each phony entry can contain up to 13 UTF-16 characters (26 bytes)

Long File Names Entries
[Figure: hex dump of a directory table; red entries are short file name entries, blue are for a long file name.] Read the long filename entries from the bottom to the top. Note that the first byte in each group of long filename entries is 01, 02, 03, 04, 05 and 06 (OR'ed with 0x40 to indicate the last segment). Long filename entries have 0F in the 12th byte (the attribute byte, offset 11). Directory entries have a 10 in this position (indicating a directory).
FAT Root Directory
[Figure: hex dump of a FAT root directory showing:
• the Volume ID directory entry;
• a single directory entry for a file with a "short" filename;
• multiple directory entries for a file with a "long" filename: 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the "short" file name.]
Attribute byte values seen in the figure:
• 0x08 = Volume Label
• 0x20 = Archive
• 0x0F = Long File Name
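A parser for the directory entries and long-file-name "trick" described in the two slides above, as an added example that is not part of the original slides. It walks 32-byte entries, treats attribute 0x0F as a long-name fragment, reassembles the fragments bottom-up by their sequence numbers (1..n, with 0x40 marking the last one written first on disk), verifies the checksum each fragment carries against the 8.3 name of the short entry that follows, and reports deleted entries (first byte 0xE5) with the surviving rest of the name. Field offsets follow the on-disk format; the directory contents (volume label, names, clusters, sizes, timestamp) are constructed inline for illustration.

```python
"""Added example (not from the slides): FAT directory table parser with VFAT long names."""
import struct
from datetime import datetime

ATTR_VOLUME, ATTR_DIR, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTR_LFN = 0x0F    # read-only|hidden|system|volume label: impossible for a real file, so DOS skips it


def sfn_checksum(name11: bytes) -> int:
    """Checksum of the 11-byte 8.3 name; every LFN entry stores it in byte 13."""
    s = 0
    for b in name11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def dos_datetime(date: int, time: int) -> datetime:
    """DOS packed date (years since 1980) and time (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_directory(data: bytes) -> list[dict]:
    out, pieces = [], {}                 # pieces: sequence number -> (checksum, 26 bytes of UTF-16LE)
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                 # 0x00 in the first byte: no entries beyond this point
            break
        attr = e[11]
        if attr == ATTR_LFN and e[0] != 0xE5:
            pieces[e[0] & 0x3F] = (e[13], e[1:11] + e[14:26] + e[28:32])   # 5 + 6 + 2 UTF-16 units
            continue
        if attr == ATTR_LFN:
            continue                     # deleted LFN fragment: text survives but its order is lost
        deleted = e[0] == 0xE5
        name11 = e[0:11]
        long_name = lfn_ok = None
        if pieces:
            lfn_ok = (all(c == sfn_checksum(name11) for c, _ in pieces.values())
                      and sorted(pieces) == list(range(1, len(pieces) + 1)))
            if lfn_ok:
                raw = b"".join(pieces[i][1] for i in sorted(pieces))
                long_name = raw.decode("utf-16le").split("\x00")[0]    # 0x0000 terminates, 0xFFFF pads
            pieces = {}                  # orphaned or mismatched fragments are dropped
        if attr & ATTR_VOLUME:
            short = name11.rstrip(b" ").decode("latin-1")
        else:
            base = name11[:8].rstrip(b" ").decode("latin-1")
            ext = name11[8:].rstrip(b" ").decode("latin-1")
            short = f"{base}.{ext}" if ext else base
        if deleted:
            short = "?" + short[1:]      # 0xE5 overwrote the first character; the rest is intact
        clus_hi, wtime, wdate, clus_lo, size = struct.unpack_from("<HHHHI", e, 20)
        out.append({"short_name": short, "long_name": long_name, "lfn_ok": lfn_ok, "attr": attr,
                    "deleted": deleted, "first_cluster": (clus_hi << 16) | clus_lo, "size": size,
                    "modified": dos_datetime(wdate, wtime)})
    return out


def _sfn_entry(name11: bytes, attr: int, cluster: int, size: int, when: datetime) -> bytes:
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, time, date, date,
                       cluster >> 16, time, date, cluster & 0xFFFF, size)


def _lfn_entries(long_name: str, name11: bytes) -> bytes:
    """13-character fragments, stored last fragment first so that sequence 1 sits next to the SFN."""
    units = long_name.encode("utf-16le") + b"\x00\x00"
    units += b"\xFF\xFF" * ((-len(units) // 2) % 13)         # pad to whole 13-unit fragments
    chunks = [units[i:i + 26] for i in range(0, len(units), 26)]
    cs = sfn_checksum(name11)
    ents = [bytes([seq | (0x40 if seq == len(chunks) else 0)]) + ch[:10] + bytes([ATTR_LFN, 0, cs])
            + ch[10:22] + b"\x00\x00" + ch[22:] for seq, ch in enumerate(chunks, start=1)]
    return b"".join(reversed(ents))


def build_sample_directory() -> bytes:
    """Constructed directory: volume label, short-name file, long-name file, deleted file, subdirectory."""
    t = datetime(2024, 3, 15, 10, 30, 0)
    d = _sfn_entry(b"FORENSICS  ", ATTR_VOLUME, 0, 0, t)
    d += _sfn_entry(b"README  TXT", ATTR_ARCHIVE, 3, 1234, t)
    d += _lfn_entries("My long file name.txt", b"MYLONG~1TXT")
    d += _sfn_entry(b"MYLONG~1TXT", ATTR_ARCHIVE, 9, 4096, t)
    d += _sfn_entry(b"\xE5ECRET  DOC", ATTR_ARCHIVE, 12, 777, t)   # deleted SECRET.DOC: first byte now 0xE5
    d += _sfn_entry(b"DOCS       ", ATTR_DIR, 20, 0, t)
    return d + bytes(32)                                          # terminator entry


if __name__ == "__main__":
    for e in parse_directory(build_sample_directory()):
        print(e)
```

Two details matter forensically: a deleted entry keeps its first cluster, size and timestamps, so the file's data can still be followed through the FAT until those clusters are reused; and the checksum tie between LFN fragments and their short entry lets a parser reject fragments that a different, since-deleted file left behind, which is why the checksum is verified rather than trusted.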
File System Comparisons
(Comparison tables from http://www.ntfs.com; the 2TB volume limits quoted assume MBR partitioning with 512-byte sectors, i.e. 2^32 sectors.)

Criteria             | NTFS5                                  | NTFS                                  | FAT32                                                          | FAT16
Operating System     | Windows 2000, Windows XP, Vista, Win 7 | Windows NT, Windows 2000, Windows XP  | Windows 98, Windows ME, Windows 2000, Windows XP, Vista, Win 7 | DOS, all versions of Microsoft Windows

Limitations
Max Volume Size      | 2TB                                    | 2TB                                   | 2TB                                                            | 2GB
Max Files on Volume  | Nearly Unlimited                       | Nearly Unlimited                      | Nearly Unlimited                                               | ~65000
Max File Size        | Limited only by volume size            | Limited only by volume size           | 4GB                                                            | 2GB
Max Clusters Number  | Nearly Unlimited                       | Nearly Unlimited                      | 268435456                                                      | 65535
Max File Name Length | Up to 255                              | Up to 255                             | Up to 255                                                      | Standard: 8.3; Extended: up to 255
File System Features

Criteria              | NTFS5                  | NTFS                   | FAT32                                   | FAT16
File Names            | 256 Char               | 256 Char               | 256 Char                                | 8.3 Names
Unicode File Names    | Unicode Character Set  | Unicode Character Set  | System Character Set                    | System Character Set
System Records Mirror | MFT Mirror File        | MFT Mirror File        | Second Copy of FAT                      | Second Copy of FAT
Boot Sector Location  | First and Last Sectors | First and Last Sectors | First Sector (backup copy at sector 6)  | First Sector
File Attributes       | Standard and Custom    | Standard and Custom    | Standard Set                            | Standard Set
Alternate Streams     | Yes                    | Yes                    | No                                      | No
Compression           | Yes                    | Yes                    | No                                      | No
Encryption            | Yes                    | No                     | No                                      | No
Object Permissions    | Yes                    | Yes                    | No                                      | No
Disk Quotas           | Yes                    | No                     | No                                      | No
Sparse Files          | Yes                    | No                     | No                                      | No
Reparse Points        | Yes                    | No                     | No                                      | No
Volume Mount Points   | Yes                    | No                     | No                                      | No
Overall Performance

Criteria           | NTFS5                                  | NTFS                                   | FAT32                                  | FAT16
Built-In Security  | Yes                                    | Yes                                    | No                                     | No
Recoverability     | Yes                                    | Yes                                    | No                                     | No
Performance        | Low on small volumes, high on large    | Low on small volumes, high on large    | High on small volumes, low on large    | Highest on small volumes, low on large
Disk Space Economy | Max                                    | Max                                    | Average                                | Minimal on large volumes
Fault Tolerance    | Max                                    | Max                                    | Minimal                                | Average