Disk Partitions and Drive Lettering

Course list: http://www.c-jump.com/bcc/

Disk Partitions and Drive Lettering

Hard Drive Overview
Master Boot Record, the MBR
MBR Structure
DOS Partitions
MBR Partitions
MBR Format
MBR Example with Two Partitions
MBR and Partition Table Entries
Disk Layout Example
Boot Code
Extended Partitions
Six Partitions Example
Drive Letters
Assigning Drive Letters
Drive Letter Assignment Example
File Systems Recognized by DOS and Windows
Disk Operating System, DOS
Windows 9x/Me
UNIX
Linux
OS/2
Mac OS
Apple Partitioning System
Other Partition Types
GPT Partitions
GPT Partitions, cont.
GPT Partitions, cont.
What an Operating System Does
Partitions and Logical Drives Summary

1. Hard Drive Overview

Hard Drive =
- tracks 0, 1, 2, 3, ...
  - segments: sectors 1, 2, 3, ...
Cluster =
- smallest unit of storage on disk; contains 1 or more sectors
First Sector =
- Master Boot Record, the MBR.

2. Master Boot Record, the MBR

If hard drive is listed as the boot device, the BIOS looks for the MBR.
MBR maintains information about the physical hard drive structure:
- total number of sectors
- number of sectors per cluster
- etc.
MBR also contains
- Boot Program Code
- Partition Table

3. MBR Structure

Master Boot Record (MBR) is found on each physical disk on sector 1, contains:
1. Boot Code (Program)
2. Partition Table: can have up to 4 partitions (one extended)

Primary Partition(s) (up to 3)
- Active YES/NO
- Logical Drive (volume) C:
- Optional volumes D: and E:

Optional Extended Partition, aka Primary Extended Partition:
- Logical Drive D:
- Logical Drive E:...
- ...through Z: may be assigned.

Each Logical Drive (volume),
such as C:, contains^(*)
- OS Boot sector (program)
- FAT
- Root directory
- Files and Subdirectories
______________________
^(*) Logical drive is not part of the MBR.

4. DOS Partitions

Most commonly found partition type on Intel IA32 hardware (i.e., 16- and 32-bit i386/x86 architecture)
A lot of documentation but no standard reference...
- ...commonly called Master Boot Record (MBR) partition system
Intel IA64 hardware (i.e., 64-bit Itanium) uses Globally Unique Identifier (GUID) Partition Table (GPT) format

5. MBR Partitions

The MBR occupies the first 512 B sector
- Contents include boot code, partition table, and signature
Partition table can address up to four partitions
- Each table entry includes type of partition and location on the medium

6. MBR Format

^(*) See partition types document for list of PC partition codes.

7. MBR Example with Two Partitions

8. MBR and Partition Table Entries

9. Disk Layout Example

10. Boot Code

The boot code (located in bytes 0-445 of the MBR) processes the partition table and identifies which partition to boot from.
- First sector in active (bootable) partition is the boot sector, which has the next step of the boot information.
- Boot sector code is, therefore, operating system-specific.
Handling multiple operating systems
- Windows lets MBR execute and point to Windows bootable code, which lets users select OS
- Can also replace the MBR boot code to provide the user with a list of choices (e.g., LILO)

11. Extended Partitions

If more than four partitions are required, the fourth table entry points to a Primary Extended Partition (PEP)
- MBR points to three Primary File Systems plus the PEP
PEP points to a Secondary File System and a Secondary Extended Partition (SEP)
- SEP points to additional Secondary File System or Secondary File System/Extended Partition pair
Extended partitions essentially form a linked list to all of the needed file systems

12. Six Partitions Example

13. Drive Letters

Drive letters are unique to DOS and Windows
Drive letters will only be assigned to recognizable file systems
- Not all file systems are known to all OSes...
  - ...which provides a way to hide a partition on a disk...
Drives A: and B: are reserved for floppy disks
- Letters C: through Z: may be assigned.
Knowing this is particularly useful when configuring a DOS/Windows system. For example, a user workstation will probably have
- its own system hard drive,
  - another drive for user data, and
  - possibly more drives for data and backups.

14. Assigning Drive Letters

Letters are assigned in the following order:
1. First primary partition on the drive(s)
  - Preference given to the active partition, if there is one.
2. Logical drives in the Primary Extended Partition(s), if present, in the order of physical location on the drive.
3. Remaining primary partitions, in order found in MBR.
4. Peripheral devices, such as CD-ROM, DVD, and thumb drives.

15. Drive Letter Assignment Example

16. File Systems Recognized by DOS and Windows

17. Disk Operating System, DOS

The first OS used by IBM computers/compatibles
Where DOS can still be found:
- Specialized systems using older applications
- On troubleshooting floppy disks or CDs
- DOS is the OS of Windows 3.x:
  - Windows 3.x provided a graphical interface
  - Underlying OS functions were performed by DOS
- Windows 9x/Me uses DOS in the underlying OS
Windows XP/2000 run DOS emulation programs

18. Windows 9x/Me

Refers to Windows 95, Windows 98, Windows Me
Combine a DOS core with graphical user interface, GUI
Designed to bridge legacy and newer technologies
Backward-compatible with older systems
Cautionary note on minimum requirements -
- see Minimum and Recommended System Requirements for details.

19. UNIX

Comprises a class of operating systems
UNIX versions referred to as flavors or distributions
- FreeBSD
- NetBSD
- OpenBSD
- Sun Solaris
Chief uses:
- Controlling networks
- Supporting Internet-based applications

20. Linux

Variation on UNIX created by Linus Torvalds
OS kernel and source code are freely distributed
Popular distributions:
- SuSE www.novell.com/linux/suse
- RedHat www.redhat.com
- TurboLinux www.turbolinux.com
Used as both a server and a desktop
X Windows: GUI shells for UNIX and Linux

21. OS/2

Jointly developed by IBM and Microsoft
Chiefly used in certain types of networks
Part of OS/2 was incorporated into Windows NT
OS/2 is not covered in our course

22. Mac OS

First introduced in 1984 with Macintosh computers
Current version: Mac OS X (ten)
Mac OS X can work on Intel-based computers
Growing Markets: education, desktop publishing, graphics
Noteworthy features:
- Support for graphics and multimedia capabilities
- Use of the Finder program to provide the desktop
- Superior Plug and Play capabilities
- Excellent support for multitasking
Mac OS X desktop is intuitive and easy to use

23. Apple Partitioning System

Mac OS uses a single Partition Map in sector 0 to point to all partitions on drive
- Partition Map indicates its own size
Mac firmware processes the partition map, so that sector 0 does not contain boot code.

24. Other Partition Types

Different systems use even other partition types, including these common systems
- FreeBSD
- NetBSD
- OpenBSD
- Sun Solaris
- GPT: GUID Partition Table

25. GPT Partitions

Guid Partition Table (GPT)
The 64-bit Intel Itanium processors do not have a BIOS like 32-bit systems.
They have a Extensible Firmware Interface.
The EFI uses a partition system called the GUID partition Table that can support up to 128 Partitions and uses 64-bit LBA addresses.

26. GPT Partitions, cont.

A GPT disk has five major areas:
- First area is the Protective MBR:
  - starts in the first sector of the disk (sector-0)
  - contains one DOS partition
- Second part starts at sector-1 and contains the GPT header. The header defines the size and location of the partition table.
- Third section contains the partition table. Each entry contains a starting and ending address.
- Fourth section is the partition area:
  - it is the largest area
  - contains sectors allocated to the partitions (logical disk volumes.)

27. GPT Partitions, cont.

Fifth and final section of the disk contains a backup copy of the GPT header and partition table:
GPT partitions are not frequently encountered during investigations. Forensic analysis tools are catching up on fully supporting the GPTs.

28. What an Operating System Does

Four functions common to all operating systems:
1. Providing a user interface
2. Managing files
3. Managing applications
4. Managing hardware
All OSs have similar core components
Computer protection and security is based on core OS capabilities

29. Partitions and Logical Drives Summary

Hard drives are organized into partitions
Two types of partitions:
- Primary: can only have one logical drive; e.g., C:\
- Extended: can have one or more logical drives
Logical drive (sometimes called a volume):
- Formatted using a particular file system
- Has a root directory and subdirectories
Disk Management tools:
- create/view partitions
- format logical drives