
The Master Boot Record and Partitions

At Fig. 5.26 is shown a hexadecimal listing of part of the master boot record (MBR) from a typical hard disk. As we have seen, the MBR is held at cylinder 0, head 0, sector 1 on the hard disk and it is, like nearly all sectors on modern hard disks, 512 (or 200h) bytes long. In the listing we have shown two parts of the sector: the first part is from addresses 00h to 2fh and the second part is from addresses 160h to 1ffh, which is at the end of the sector.

As we outlined above, the POST/boot sequence causes this sector to be loaded into memory at address 0000:7C00 (07C00) onwards and it then causes a jump to the first address at offset 00h, executing what it finds there as code. In fact, for the example in Fig. 5.26, all the bytes up to 1bdh form the partition analysis program, which is here different from the standard FDISK version because an EZ-Drive DDO has been installed on this disk. We can infer that this is the case by looking at the text bytes that start at 19ch and read: "(C)1993-95 Micro House Int'l". The standard FDISK version of the partition analysis program extends only from 00h to d9h, with zeros from that point on to 1bdh. For an excellent exposition of how the standard partition analysis program works, see Landis (1997a).

Detailed examination of the analysis program shows that it simply searches the four entries in the partition table for an active partition. If an active partition is found, it continues to look at the remaining entries to make sure that there is only the one active entry, otherwise it displays the message "Invalid Partition Table". If there is only one active entry, it uses an INT 13h call to fetch the boot sector that is specified by the CHS start address of that entry, and it overwrites the memory area from 0000:7C00 (07C00) with this new sector (the standard FDISK version has first copied itself to 0000:0600 so that it is not overwritten while still running). It then jumps to the first address at offset 00h of the new sector, keeping a pointer to the active partition table entry.

The partition table always starts at offset address 1beh in the master boot record sector. There can only be four entries in the master boot record partition table and each entry is 16 bytes long. The first entry of our example master boot record is shown outlined in Fig. 5.26. The four entries take us to offset address 1fdh in the sector and the final two bytes [71] of the partition table, at 1feh and 1ffh, are always of value 55h and aah, as shown.

At Table 5.16 is shown the use of each of the bytes in the partition table entry. The first byte is the boot flag, which indicates whether or not the partition is active, the value being either 80h for active or 00h for not. It is useful to note that it is this boot flag value which is used to identify the device in the INT 13h call [72] to fetch the boot sector of the active partition. Because the active flag is always 80h, this is one of the reasons why, on some older systems, only the first hard disk, that is the device with the identifier 80h, could be used as the boot drive.

Offset  Size     Meaning                  Notes
00      1 byte   boot flag                80h = active (bootable); 00h = inactive (not bootable)
01-03   3 bytes  start of partition       CHS, packed as h7-h0 | c9 c8 s5-s0 | c7-c0
                 (CHS)                    max: c 1023, h 255, s 63
04      1 byte   partition type           0 = not used, 1 = DOS 12 bit FAT, 4 = DOS 16 bit FAT,
                                          5 = Extended DOS, 6 = DOS > 32 Mbyte, and many more
05-07   3 bytes  end of partition         CHS, packed as h7-h0 | c9 c8 s5-s0 | c7-c0
                 (CHS)                    max: c 1023, h 255, s 63
08-0b   4 bytes  LBA address of start     relative to start of disk (little endian)
                 sector
0c-0f   4 bytes  number of sectors in     little endian
                 the partition

Table 5.16 Partition table entry.

[71] Many systems will refuse to boot if these two bytes are not set to 55aah. This has been used by one imaging company in the past to set what they call a "Diblock" on a disk to prevent it from being further accessed, by replacing 55aah with 55cfh in the MBR.
[72] The value is loaded into the DL register.

The next three bytes starting from offset 01h hold the CHS start address of the partition, that is, where the boot sector is. All eight bits of the first byte, offset 01h, are used to represent the heads value, giving a maximum of 256 heads (0 to 255). The two most significant bits of the second byte, offset 02h, together with the 8 bits of the third byte, offset 03h, form the 10 bit value for cylinders, giving a maximum of 1024 cylinders (0 to 1023). Finally, the remaining 6 bits of the second byte, offset 02h, form the sectors value with a maximum of 63 sectors (1 to 63). First we may note that this is exactly the same format as that used for the ID field at Fig. 5.4 and also the same format as that used by the INT 13h registers, where offset 01h equates to the DH register, offset 02h equates to the CL register and offset 03h equates to the CH register. This is not really surprising; the designers of the partition table decided to hold these values in a form that would simplify loading into and out of the INT 13h registers.

Secondly, we may note that we have here come up against the 528 Mbyte barrier again. More importantly, we see that if the drive is larger than 528 Mbyte, then the CHS addresses that are held in the partition table must be translated addresses, that is, what we have earlier called L-CHS addresses rather than P-CHS addresses. Finally, we may note that the boot sector for the active partition cannot normally [73] reside beyond cylinder 1023, the largest value the 10-bit cylinder field can hold.

The next byte, at 04h, indicates the type of partition. Although only five types are shown in Table 5.16, there are in fact many more than this, with a possible maximum of 256. Because of the importance of these types to the forensic computing analyst in helping to identify the use to which the partition is being put, a detailed list of all those currently known [74] is given at Appendix 5.

At offset 05h, another three bytes are used to specify the CHS address of the last sector of the partition, in exactly the same format as that used for the start address. Naturally, the same comments apply about this having to be a translated CHS address if the disk size is greater than 528 Mbyte.

At offset 08h, four bytes are used to represent the start sector in LBA address form, that is, as a single number relative to the start of the disk, with the first sector on the disk being LBA 0. One word of caution might be appropriate here. In calculating this value it is essential to remember that it is held in little endian format. Finally, the last four bytes, commencing at offset 0ch, represent the number of sectors in the partition, again held in little endian format. On large modern disks it is these two LBA fields that are actually relied upon; once a partition lies beyond the reach of CHS addressing the CHS fields are commonly written with their maximum values and carry no usable information, so the analyst should cross-check them against the LBA fields rather than trust them on their own.

This analysis allows us now to determine the meaning of all the entries in the partition table at Fig. 5.26. At 1beh the value 80h identifies this entry as the entry for the active partition. The following three bytes, at 1bfh to 1c1h, describe the starting CHS address of this active partition as cylinder 0, head 1, sector 1, and these may be calculated as follows:

Address  Value  Interpretation                                                 Result
1bfh     01h    00000001 = heads = 1                                           H = 1
1c0h     01h    00 | 000001: top two bits 00 = cylinder bits c9 c8;            S = 1
                low six bits 000001 = sectors = 1
1c1h     00h    00000000 = cylinder bits c7-c0; with c9 c8 = 00, cylinders = 0  C = 0

[73] Some more modern boot loaders are able to overcome this limitation.
[74] An updated list can be found at http://www.win.tue.nl/~aeb/partitions/

At 1c2h we note that the partition type is 06h, which is a DOS partition greater than 32 Mbyte, sometimes known as BIGDOS. Then the three bytes at 1c3h to 1c5h describe the CHS address of the end of the partition as cylinder 255, head 63 and sector 63, in the following way:

Address  Value  Interpretation                                                   Result
1c3h     3fh    00111111 = heads = 63                                            H = 63
1c4h     3fh    00 | 111111: top two bits 00 = cylinder bits c9 c8;              S = 63
                low six bits 111111 = sectors = 63
1c5h     ffh    11111111 = cylinder bits c7-c0; with c9 c8 = 00, cylinders = 255  C = 255

Starting at 1c6h we have the four bytes of the LBA address as 3f 00 00 00. Recalling that this number is held in little endian format, we reorder these to be 00 00 00 3f and calculate the number as 3fh = LBA sector 63. This agrees with the CHS start address: with 63 sectors per track, cylinder 0, head 1, sector 1 is the 64th sector on the disk, that is, LBA 63. Similarly, at 1cah we have the four bytes of the partition size as c1 bf 0f 00 and again, reordering these gives us 00 0f bf c1, which is fbfc1h = 1,032,129 sectors. With a sector size of 512 bytes this results in a partition size of 1,032,129 × 512/(1024 × 1024) = 504 Mbyte.
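The decoding just worked through by hand, together with the 55aah signature check and the boot code's scan for exactly one active entry described earlier, is gathered below into a small parser. This is an added worked example, not code from the book or from any of the tools it cites. The sample sector is constructed to reproduce the two entries of Figs. 5.26 and 5.27 (so it goes one step beyond the text and decodes the EXTEND entry as well); the boot-code bytes are zero-filled rather than the EZ-Drive code, and the 64-head, 63-sector geometry passed to the consistency check is inferred from those two entries (BIGDOS ends at head 63, sector 63 and EXTEND begins at cylinder 256, head 0, sector 1), not stated in the text.

```python
"""Parse an MBR partition table laid out as in Table 5.16 and check it the
way the MBR boot code and a forensic analyst would.  Added example; the
sample sector is constructed to match Fig. 5.26 with the boot code zeroed."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # the partition table always starts at 1beh
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"       # bytes 1feh and 1ffh

# Type bytes named in Table 5.16; the full list is in Appendix 5.
PARTITION_TYPES = {
    0x00: "unused", 0x01: "DOS 12 bit FAT", 0x04: "DOS 16 bit FAT",
    0x05: "Extended DOS", 0x06: "DOS > 32 Mbyte (BIGDOS)",
}

# Constructed sample MBR: 446 zero bytes where the analysis program would be,
# the BIGDOS and EXTEND entries of Figs. 5.26/5.27, two empty entries, 55AAh.
ENTRY_BIGDOS = bytes.fromhex("80 01 01 00 06 3f 3f ff 3f 00 00 00 c1 bf 0f 00")
ENTRY_EXTEND = bytes.fromhex("00 00 41 00 05 3f bf 0a 00 c0 0f 00 40 6d 10 00")
SAMPLE_MBR = (b"\x00" * TABLE_OFFSET + ENTRY_BIGDOS + ENTRY_EXTEND
              + b"\x00" * (2 * ENTRY_SIZE) + SIGNATURE)


def decode_chs(field):
    """Unpack the 3-byte h7-h0 | c9 c8 s5-s0 | c7-c0 field to (cylinder, head, sector).

    The three bytes map directly onto the INT 13h registers DH, CL and CH."""
    head = field[0]
    sector = field[1] & 0x3F                          # low six bits of the CL byte
    cylinder = ((field[1] & 0xC0) << 2) | field[2]    # c9 c8 from CL, c7-c0 from CH
    return cylinder, head, sector


def parse_entry(raw):
    """Decode one 16-byte entry; both dwords are little endian ('<I')."""
    flag, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
    return {
        "boot_flag": flag,
        "active": flag == 0x80,
        "chs_start": decode_chs(chs_start),
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"type {ptype:02x}h"),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "num_sectors": count,
    }


def has_signature(sector):
    """True if bytes 1feh-1ffh hold 55AAh (a 'Diblock' of 55CFh fails this)."""
    return sector[0x1FE:0x200] == SIGNATURE


def parse_mbr(sector):
    """Return the four partition table entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is 512 bytes")
    if not has_signature(sector):
        raise ValueError("missing 55AAh signature at offset 1feh")
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    return [parse_entry(table[i:i + ENTRY_SIZE])
            for i in range(0, 4 * ENTRY_SIZE, ENTRY_SIZE)]


def find_active(entries):
    """Repeat the boot code's scan: exactly one entry may carry the 80h flag."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError("Invalid Partition Table")
    return active[0]


def chs_to_lba(chs, heads, sectors_per_track):
    """Standard CHS -> LBA formula for the (translated) geometry the table uses."""
    c, h, s = chs
    return (c * heads + h) * sectors_per_track + (s - 1)


def chs_consistent(entry, heads, sectors_per_track):
    """Analyst's cross-check: do the CHS fields agree with the LBA fields?"""
    start_ok = chs_to_lba(entry["chs_start"], heads, sectors_per_track) == entry["lba_start"]
    last = entry["lba_start"] + entry["num_sectors"] - 1
    end_ok = chs_to_lba(entry["chs_end"], heads, sectors_per_track) == last
    return start_ok and end_ok


def size_mbyte(entry):
    """Partition size in Mbyte as computed in the text (512-byte sectors)."""
    return round(entry["num_sectors"] * 512 / (1024 * 1024))


if __name__ == "__main__":
    for i, e in enumerate(parse_mbr(SAMPLE_MBR)):
        used = e["num_sectors"] > 0
        print(i, e["type_name"], "active" if e["active"] else "inactive",
              "start CHS", e["chs_start"], "end CHS", e["chs_end"],
              "LBA", e["lba_start"], "sectors", e["num_sectors"],
              "CHS ok" if used and chs_consistent(e, 64, 63) else "")
```

The consistency check is the part worth keeping in a forensic toolkit: a table whose CHS and LBA fields disagree under the geometry the disk was partitioned with is either corrupt, hand-edited, or written by a tool that only maintained the LBA fields, and each of those is something the analyst needs to know before trusting the partition boundaries.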

At Fig. 5.27 is shown the Norton Disk Editor (Symantec, 1999) "partition table view" of the same partition table. It is particularly important to note that Norton Disk Editor uses Side for Head and lists the table in Side Cylinder Sector order, and not in the CHS order that we (in common with most other writers) have been using throughout. Since Norton Disk Editor is an important tool, which we use quite frequently, this is a major potential source of confusion and should be well noted. It is now left as an exercise to the reader (see exercises at the end of the chapter) to confirm from Figs. 5.26 and 5.27 the details for the second (EXTEND) entry in the partition table.

Physical Sector: Cyl 0, Side 0, Sector 1

+------+----+--------------------+--------------------+----------+-----------+
|      |    | Starting Location  |  Ending Location   | Relative | Number of |
|System|Boot|Side Cylinder Sector|Side Cylinder Sector| Sectors  |  Sectors  |
+------+----+--------------------+--------------------+----------+-----------+
|BIGDOS| Yes|  1      0       1  | 63    255      63  |       63 |   1032129 |
|EXTEND| No |  0    256       1  | 63    522      63  |  1032192 |   1076544 |
|unused| No |  0      0       0  |  0      0       0  |        0 |         0 |
|unused| No |  0      0       0  |  0      0       0  |        0 |         0 |
+------+----+--------------------+--------------------+----------+-----------+

Fig. 5.27 Norton Disk Editor partition table view of the master boot record of Fig. 5.26.