MBR and GUID

Posted: Mon Jan 01, 2018 3:00 pm

Guys, could you please direct me to books and documentation I could read to dive deeply into understanding GUID and MBR?

Thank you!

mhibert
Newbie

    Re: MBR and GUID

    Posted: Tue Jan 02, 2018 4:51 am

    - mhibert
    Guys, could you please direct me to books and documentation I could read to dive deeply into understanding GUID and MBR?

    Thank you!

    I guess by GUID you are referring to GPT style partitioning?

    There is not much "depth".
    The MBR is 512 bytes, of which:
    1) the first 440 bytes are "code"
    2) the following 4 bytes are Disk Signature (present in any and all NT based systems), followed by two unused bytes
    3) following at offset 446 is the partition table, 4 entries, each 16 bytes containing filesystem "pseudo" ID, CHS and LBA addresses of a partition.
    4) last two bytes are "magic bytes" 55AA

    The GPT is an evolution of the same approach; the full specs are inside the very large UEFI specifications. Basically, it spans several sectors:
    1) the first 440 bytes are blank
    2) the disk signature and following two unused bytes are kept the same for backwards compatibility
    3) the partition table is kept the same, still for backwards compatibility, but it has a single entry, with a "protective" filesystem ID of EE, spanning the whole size of the device minus the first sector
    4) the magic bytes are kept the same for backwards compatibility
    5) the real fun starts on the second sector, where the main GPT header table is, followed in a number of sectors by partition entries, each taking 128 bytes, composed of a GUID, LBA address and a checksum.
    6) the whole stuff is replicated (in inverted order) at the end of the device
    The layout is very clear in the image here:
    en.wikipedia.org/wiki/...tion_Table

    For some good data about MBR check:
    www.win.tue.nl/~aeb/partitions/
    then:
    thestarman.pcministry....index.html
    browse around, a number of pages will be useful, particularly:
    thestarman.narod.ru/asm/mbr/GPT.htm

    Then, for GPT, check first thing:
    www.rodsbooks.com/gdisk/
    again browse around, a number of pages will be useful

    Then, go through:
    www.digitalforensics.c...kkel09.pdf

    Besides reading the above, I would suggest you experiment with a hex disk editor/viewer and with gdisk on some real device(s).

    jaclaz


    - In theory there is no difference between theory and practice, but in practice there is. - 

    jaclaz
    Senior Member
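
The MBR layout listed in the reply above, as an added Python example that is not part of the original thread: it decodes the disk signature, the four partition entries and the 55AA magic, and flags a protective MBR (a single EE entry starting at sector 1). The names `parse_mbr` and `build_sample` are hypothetical, both sample sectors are constructed, and the field order inside each 16-byte entry is the standard one, which the post does not spell out.

```python
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR sector using the offsets listed in the post."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("magic bytes 55AA not found at offset 510")
    (signature,) = struct.unpack_from("<I", sector, 440)  # Disk Signature
    entries = []
    for slot in range(4):  # partition table: 4 entries of 16 bytes at 446
        # status, CHS start, type ID, CHS end, LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * slot)
        if ptype != 0x00:  # type 00 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "code_blank": not any(sector[:440]),
        "disk_signature": signature,
        "entries": entries,
        # Protective MBR as described in the post: one EE entry from sector 1.
        "protective": (len(entries) == 1 and entries[0]["type"] == 0xEE
                       and entries[0]["lba_start"] == 1),
    }

def build_sample(ptype: int, lba: int, count: int, code: bytes = b"") -> bytes:
    """Hypothetical helper: build a constructed sector for the demo."""
    s = bytearray(SECTOR)
    s[:len(code)] = code
    struct.pack_into("<I", s, 440, 0x1234ABCD)  # constructed signature
    struct.pack_into("<B3sB3sII", s, 446, 0x00, b"\x00\x02\x00", ptype,
                     b"\xff\xff\xff", lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    classic = build_sample(0x07, 2048, 204800, code=b"\xfa\x33\xc0")
    gpt = build_sample(0xEE, 1, 0xFFFFFFFF)
    for name, sector in (("classic MBR", classic), ("GPT disk", gpt)):
        info = parse_mbr(sector)
        print(name, hex(info["disk_signature"]), info["protective"], info["entries"])
```

To try it on real data, read the first 512 bytes of a disk image and pass them to `parse_mbr`.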