COEN 152/252 Computer Forensics Apple Partitions
Apple Partition Map
  Applies to Mac OS X, Mac OS 9, iPod players
  Switching to GUID Partition Table (GPT)
    To support disks bigger than 2TB
Apple Partition Map
Block 0: Driver Descriptor Record
  TYPE Block0 =
  PACKED RECORD
    sbSig:        Integer;  {device signature}
    sbBlkSize:    Integer;  {block size of the device}
    sbBlkCount:   LongInt;  {number of blocks on the device}
    sbDevType:    Integer;  {reserved}
    sbDevId:      Integer;  {reserved}
    sbData:       LongInt;  {reserved}
    sbDrvrCount:  Integer;  {number of driver descriptor entries}
    ddBlock:      LongInt;  {first driver's starting block}
    ddSize:       Integer;  {size of the driver, in 512-byte blocks}
    ddType:       Integer;  {operating system type (MacOS = 1)}
    ddPad:        ARRAY [0..242] OF Integer;  {additional drivers, if any}
  END;
Apple Partition Map
  Driver Descriptor Record identifies the device drivers installed on a disk
  Start manager reads the driver descriptor record during system start-up
    Uses info to locate and load the appropriate device driver
    Start manager selects the appropriate driver based on the user input
Apple Partition Map
  Partition map describes all partitions on a block device.
    Allows a single device to support multiple OS.
  All blocks (with the exception of block 0) belong to a partition
  Number of entries in a partition table is not limited.
    However, partition table needs to start in block 1 and be contiguous.
Apple Partition Map
  TYPE Partition =
  RECORD
    pmSig:          Integer;  {partition signature}
    pmSigPad:       Integer;  {reserved}
    pmMapBlkCnt:    LongInt;  {number of blocks in partition map}
    pmPyPartStart:  LongInt;  {first physical block of partition}
    pmPartBlkCnt:   LongInt;  {number of blocks in partition}
    pmPartName:     PACKED ARRAY [0..31] OF Char;  {partition name}
    pmParType:      PACKED ARRAY [0..31] OF Char;  {partition type}
    pmLgDataStart:  LongInt;  {first logical block of data area}
    pmDataCnt:      LongInt;  {number of blocks in data area}
    pmPartStatus:   LongInt;  {partition status information}
    pmLgBootStart:  LongInt;  {first logical block of boot code}
    pmBootSize:     LongInt;  {size of boot code, in bytes}
    pmBootAddr:     LongInt;  {boot code load address}
    pmBootAddr2:    LongInt;  {reserved}
    pmBootEntry:    LongInt;  {boot code entry point}
    pmBootEntry2:   LongInt;  {reserved}
    pmBootCksum:    LongInt;  {boot code checksum}
    pmProcessor:    PACKED ARRAY [0..15] OF Char;  {processor type}
    pmPad:          ARRAY [0..187] OF Integer;  {reserved}
  END;
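Added example (not part of the original slides): Python code that reads the Block 0 and Partition records above from a raw image and reports block ranges that no partition claims, which the rule "all blocks except block 0 belong to a partition" says should not exist. The signature values 0x4552 and 0x504D and the big-endian byte order are known properties of the format that the slides do not state; the function names and the sample image are constructed for illustration.

```python
import struct

# First 136 bytes of a map entry, big-endian: Integer = 2 bytes, LongInt = 4 bytes.
ENTRY = struct.Struct(">HHIII32s32s10I16s")
ER_SIG, PM_SIG = 0x4552, 0x504D  # "ER"/"PM": known APM signatures, not given on the page

def _text(raw):
    return raw.split(b"\0")[0].decode("ascii", "replace")

def parse_apm(image):
    """Return (block_size, block_count, entries) from a raw image with an Apple Partition Map."""
    sig, blk_size, blk_count = struct.unpack_from(">HHI", image, 0)  # sbSig, sbBlkSize, sbBlkCount
    if sig != ER_SIG:
        raise ValueError("block 0 is not a Driver Descriptor Record")
    entries, map_blocks, i = [], 1, 0
    while i < map_blocks:  # the map starts in block 1 and is contiguous
        f = ENTRY.unpack_from(image, (1 + i) * blk_size)
        if f[0] != PM_SIG:
            raise ValueError(f"map block {1 + i} has no partition signature")
        if i == 0:
            map_blocks = f[2]  # pmMapBlkCnt from the first entry
        entries.append({"name": _text(f[5]), "type": _text(f[6]),
                        "start": f[3], "count": f[4]})  # pmPyPartStart, pmPartBlkCnt
        i += 1
    return blk_size, blk_count, entries

def uncovered_blocks(blk_count, entries):
    """Block ranges after block 0 that no partition claims; a well-formed map leaves none."""
    gaps, cursor = [], 1
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["start"] + e["count"])
    if cursor < blk_count:
        gaps.append((cursor, blk_count - 1))
    return gaps

def _entry(map_cnt, start, count, name, ptype):
    """Pack one 512-byte map entry for the constructed sample image."""
    return ENTRY.pack(PM_SIG, 0, map_cnt, start, count, name, ptype, *([0] * 10), b"").ljust(512, b"\0")

# Constructed sample: 64 blocks of 512 bytes, two map entries, blocks 43-63 left unclaimed.
SAMPLE = (struct.pack(">HHI", ER_SIG, 512, 64).ljust(512, b"\0")
          + _entry(2, 1, 2, b"Apple", b"Apple_partition_map")
          + _entry(2, 3, 40, b"MacOS", b"Apple_HFS")).ljust(64 * 512, b"\0")

if __name__ == "__main__":
    size, total, parts = parse_apm(SAMPLE)
    for p in parts:
        print(p)
    print("uncovered:", uncovered_blocks(total, parts))
```

In an examination, a non-empty result from uncovered_blocks marks an area of the disk worth imaging and reviewing separately, since no file system in the map accounts for it.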
GUID Partition Table
  Defined by a formal standard:
    Section "GUID Partition Table (GPT) Format" of the "Unified Extensible Firmware Interface Specification", version 2.0
    Unified EFI Forum
GPT Overview
  Block                 Description
  0                     Protective MBR
  1                     Partition Table Header (primary)
  2 thru 2+b-1          Partition Entry Array (primary)
  2+b thru n-2-b        Partition Data
  n-2-b+1 thru n-2      Partition Entry Array (backup)
  n-1                   Partition Table Header
GPT Overview
  Protective MBR
    Defines a single partition entry of type 0xEE
    Covers entire area of disk
    Designed to prevent legacy programs from accidentally modifying a GPT disk
GPT Overview
  Partition Table Header
    Defines various aspects of a disk:
      GUID to uniquely identify disk
      starting block of partition entry array
      size of each partition entry
GPT Overview
  Partition Entry Array
    Each entry defines a partition, or is all zero when the entry is not used.
    Stored in a contiguous array on disk
GPT Overview
  Partition Entry
    Contains
      GUID to identify partition
      GUID for partition type
      start block
      end block
      partition name
    (Notice: GPT is little-endian)