GUID Partition Table (GPT) a Forensic Perspective

GUID Partition Table (GPT) A Forensic Perspective

Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014 GPT

Protective Partition Partition GPT Backup MBR Header Table Area

• Supports up to 128 partitions. • Five main areas: – Protective MBR • Starts in the first sector and contains one partition entry • Used for legacy purpose and not actual used – GPT Header • Defines the size and location of the partition table – Partition Table • Each entry contains starting and ending address, a type value, partition name, attribute flags and a GUID value.

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

• The protective MBR is mainly used by older computers that do not recognize GUID partitions. This way the system knows that the disk is in use and will not want to format. GPT

Protective Partition Partition GPT Backup MBR Header Table Area

– Partition Area • Sectors allocated for the partition information maintained by the partition table – Backup of GPT Header and Partition Table

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014 GPT Header

Byte Range Description Example 00 – 07 Signature EFI PART 12 – 15 Size of GPT Header (bytes) 0x5C = 92 24 – 31 LBA - Current GPT Header (sector) 0x01 = 01 32 – 39 LBA - Backup GPT Header (sector) 0x3FFFFF = 4,194,303 40 – 47 LBA – Start of Partition Area (sector) 0x22 = 34 48 – 55 LBA – End of Partition Area (sector) 0x3FFFDE = 4,194,270 56 – 71 Disk GUID 0x109B4B04D9E0174A 72 – 79 LBA – Start of Partition Table (sector) 0x02 = 2 80 – 83 Number of Entries in Partition Table 0x80 = 128 84 – 87 Size of Each Entry in Partition Table (bytes) 0x80 = 128

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014 GPT Partition Table

Byte Range Description Example 00 – 15 Partition Type GUID EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 16 – 31 Unique Partition GUID D8090C25EF71BE43A7F1B81DED6A1846 32 – 39 Starting LBA of Partition (sector) 0x010080 = 65,664 40 – 47 Ending LBA of Partition (sector) 0x3FF07F = 4,190,335 48 – 55 Partition Attributes N/A 56 – 127 Partition Name (Unicode) Basic data partition

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

• Partition GUIDs are defined by Intel and Microsoft. • The GUID referenced in this slide refers to a primary partition (basic disk). • For complete list of GUID partition types: http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_table_header_.28LBA_1.29 First Partition – Sector 65,664

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014