Monday, 21 June 2010

Partition Tables

Parsing a partition record is surprisingly easy. The first step is to read the master boot record (MBR) of an image, and specifically the bytes from 0x01BE onwards: this is the partition table itself. It holds up to four records, each indicating the starting point of either an individual partition or a further ('extended') partition table.

A typical partition table could be:
  • Address of partition 1
  • Address of partition 2
  • Address of partition 3
  • Address of next partition table
Although this demonstrates why the fourth partition onward is always described as being in an extended partition, it also shows why it is not possible to ascertain at this point whether the pointer is to a partition or to an extended partition table. This can only be worked out when reading the partition record itself; its structure, with the first byte numbered zero, is as follows:
  • Bytes 8 to 11 are the starting sector of the partition (or of the next partition table);
  • Bytes 12 to 15 are the size of the partition; and,
  • Where byte 4 equals 0x05 or 0x0F, the record describes an extended partition, i.e. it points to another partition table.
In the case of an extended partition, the partition table will then generally be laid out as:
  • Address of partition 4
  • Address of next partition table
  • Blank record (pointing to a partition of size zero)
  • Blank record (pointing to a partition of size zero)
It is through this list, going from one partition table to the next, that we can gather information regarding every single partition on a drive image. Note that although convention dictates that the final record of the table (the fourth in the MBR, the second in extended partitions) is the pointer to the next table, nothing specifies that this has to be the case; therefore, VeRa is written to handle any combination of partition records and extended partition pointers.

Once the partition records have all been collected, it is then possible to read the individual partitions and work out which filesystem, if any, is installed on each. This, again, is a simple process of deduction:
  • Read bytes 0x26 and 0x42 from the partition.
  • If byte 0x42 is 0x28 or 0x29, then the filesystem type is in the eight bytes starting at address 0x52.
  • If byte 0x26 is 0x28 or 0x29, then the filesystem type is in the eight bytes starting at address 0x36.
  • If byte 0x26 is 0x80, then the filesystem type is NTFS.
(Note that this is a very simplified version that doesn't go into the details of why these specific values are checked. Jonathan de Boyne Pollard goes into far more detail on the reasons why this works.)
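As an added example (constructed here, not VeRa's code), the Python below walks the chain of partition tables described above and then applies the filesystem deduction to each partition it finds. It selects extended pointers by record type rather than by position, as the post says VeRa does; the sample image, the `make_table`/`build_image` helpers and the loop and bounds guards are assumptions of this example, and the treatment of next-table pointers as relative to the outermost extended partition follows the DOS-style layout, which the post does not cover.

```python
import struct
SECTOR = 512

def parse_entries(sector):
    # Four 16-byte records at 0x1BE: byte 4 = type, bytes 8-11 = start, bytes 12-15 = size
    recs = [sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] for i in range(4)]
    return [(r[4],) + struct.unpack_from("<II", r, 8) for r in recs]

def walk_partitions(image):
    # Walk MBR -> extended tables, selecting by record type (byte 4) rather than by position.
    found, seen, todo = [], set(), [(0, None)]      # todo holds (table sector, extended base)
    while todo:
        table, ext_base = todo.pop(0)
        if table in seen or (table + 1) * SECTOR > len(image):
            continue                                 # cyclic chain or pointer past end of image
        seen.add(table)
        for ptype, start, size in parse_entries(image[table * SECTOR:(table + 1) * SECTOR]):
            if size and ptype in (0x05, 0x0F):       # record points at another table
                # DOS layout: next-table pointers are relative to the outermost extended partition; in the MBR they are absolute
                nxt = start if ext_base is None else ext_base + start
                todo.append((nxt, nxt if ext_base is None else ext_base))
            elif size:
                found.append((ptype, table + start, size))   # start is relative to this table's sector
    return found

def detect_fs(boot):
    # The post's deduction: FAT32 signature at 0x42 (name at 0x52), FAT12/16 at 0x26 (name at 0x36), NTFS 0x80 at 0x26
    for sig, name in ((0x42, 0x52), (0x26, 0x36)):
        if boot[sig] in (0x28, 0x29):
            return boot[name:name + 8].decode("ascii", "replace").strip()
    return "NTFS" if boot[0x26] == 0x80 else None

def make_table(entries):
    # Constructed helper: one 512-byte sector holding the given (type, start, size) records at 0x1BE
    sec = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into("<B3xII", sec, 0x1BE + 16 * i + 4, ptype, start, size)
    return sec

def build_image():
    # Constructed 16-sector image: FAT32 primary at 1; extended at 8 holding NTFS at 9 and, via a second table at 12, FAT16 at 13
    img = bytearray(SECTOR * 16)
    img[0:SECTOR] = make_table([(0x0B, 1, 4), (0x05, 8, 8)])
    img[SECTOR + 0x42] = 0x29; img[SECTOR + 0x52:SECTOR + 0x5A] = b"FAT32   "
    img[8 * SECTOR:9 * SECTOR] = make_table([(0x07, 1, 2), (0x05, 4, 4)])   # 1 -> 8+1, 4 -> 8+4
    img[9 * SECTOR + 0x26] = 0x80
    img[12 * SECTOR:13 * SECTOR] = make_table([(0x06, 1, 2)])              # 1 -> 12+1
    img[13 * SECTOR + 0x26] = 0x29; img[13 * SECTOR + 0x36:13 * SECTOR + 0x3E] = b"FAT16   "
    return bytes(img)
```

Running `walk_partitions(build_image())` yields the three partitions with absolute start sectors 1, 9 and 13, and `detect_fs` on each partition's first sector returns FAT32, NTFS and FAT16 respectively; a table whose pointer loops back on itself or points past the end of the image is skipped rather than followed forever.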
