BSD Partitions
COEN 152/252 Computer Forensics
- Some BSD systems use IA-32 hardware
  - Designed to coexist with MS partitions
  - Use the DOS partition table
  - BSD partitions reside within a volume created by a DOS partition
- Two DOS partitions
  - One NTFS
  - One volume containing 4 BSD partitions
- FreeBSD gives users access to all DOS partitions on the hard drive.
- Calls a DOS partition a slice.
- Calls a FreeBSD partition a partition.
- Central data structure:
  - Disk label, 276 bytes
    - Hardware specification of the disk
    - Partition table with eight or sixteen BSD partitions
- BSD partition table
  - Starting sector of BSD partition (relative to disk, not volume)
  - Size of BSD partition
  - Partition type
  - Size of UFS file system fragments
  - Number of UFS file system fragments per block
  - Number of cylinders per UFS cylinder group
- Partition types:
  - swap
  - UFS
  - FAT
  - unused
- FreeBSD partition with device names added
- FreeBSD assigns a special device file to each partition and slice.
  - ‘a’ partition typically root
  - ‘b’ partition typically swap
  - ‘c’ partition usually the entire slice
- FreeBSD allows access to all BSD partitions and all slices.
  - Investigation needs to cover the whole physical disk
- OpenBSD, NetBSD:
  - User only has access to partitions with entries in the BSD disk label structure
  - Unlike FreeBSD, the disk label can describe partitions outside of the BSD volume
  - Once OpenBSD / NetBSD loads:
    - DOS partitions are ignored
- Volume layout:
  - Sector 0: boot code executed when the boot code in the MBR finds the bootable BSD-type partition
  - Sector 1: disk label structure
  - Sector 2: continuation of boot code
- BSD disk label data structure (source: Brian Carrier, File System Forensic Analysis)
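The disk label fields listed above can be read straight from sector 1 of the BSD volume. The following parser is an added example, not part of the original slides: the byte offsets, signature value and type codes are taken from the standard BSD disklabel layout rather than from the slides, and the function names and sample values are hypothetical and constructed. It also flags partitions that start outside the slice, the OpenBSD/NetBSD case described earlier.

```python
import struct

MAGIC = 0x82564557  # disk label signature, stored at byte offsets 0 and 132
FSTYPES = {0: "unused", 1: "swap", 7: "UFS", 8: "FAT"}  # the types the slides list

def xor16(data):  # XOR of 16-bit words; 0 over a label with a valid checksum
    acc = 0
    for (word,) in struct.iter_unpack("<H", data):
        acc ^= word
    return acc

def parse_disklabel(sector, slice_start, slice_size):
    """Parse the disk label held in sector 1 of a BSD slice (IA-32, little-endian)."""
    magic1, = struct.unpack_from("<I", sector, 0)
    magic2, _cksum, nparts = struct.unpack_from("<IHH", sector, 132)
    end = 148 + 16 * nparts          # partition table starts at offset 148
    if magic1 != MAGIC or magic2 != MAGIC or end > len(sector):
        raise ValueError("not a BSD disk label")
    parts = []
    for i in range(nparts):
        size, start, fsize, fstype, frag, cpg = struct.unpack_from(
            "<IIIBBH", sector, 148 + 16 * i)
        if size == 0:                # empty table entry
            continue
        parts.append({
            "name": chr(ord("a") + i), "start": start, "size": size,
            "type": FSTYPES.get(fstype, f"other({fstype})"),
            "frag_size": fsize, "frags_per_block": frag, "cyl_per_group": cpg,
            # start is relative to the disk, so compare against the slice bounds
            "in_slice": slice_start <= start and start + size <= slice_start + slice_size,
        })
    return {"checksum_ok": xor16(sector[:end]) == 0, "partitions": parts}

def build_sample_label(entries, nparts=8):
    """Constructed input: a 512-byte sector with a label (not from a real disk)."""
    buf = bytearray(512)
    struct.pack_into("<I", buf, 0, MAGIC)
    struct.pack_into("<IHH", buf, 132, MAGIC, 0, nparts)
    for i, entry in enumerate(entries):
        struct.pack_into("<IIIBBH", buf, 148 + 16 * i, *entry)
    struct.pack_into("<H", buf, 136, xor16(bytes(buf[:148 + 16 * nparts])))
    return bytes(buf)

# (size, start, frag size, type, frags/block, cylinders/group); constructed values
SAMPLE = [(524288, 63, 2048, 7, 8, 16), (262144, 524351, 0, 1, 0, 0),
          (2000000, 63, 0, 0, 0, 0), (100000, 3000000, 0, 8, 0, 0)]

if __name__ == "__main__":
    print(parse_disklabel(build_sample_label(SAMPLE), 63, 2000000))
```

In the constructed sample the slice covers sectors 63 to 2000062, so the ‘d’ entry at sector 3000000 is reported with `in_slice` false and has to be examined on the physical disk image, not only on the slice.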