COEN 152/252 Computer Forensics: Apple Partitions

  • Slides: 14

Apple Partition Map

• Applies to Mac OS X, Mac OS 9 and iPod players
• Switching to the GUID Partition Table (GPT)
  - To support disks bigger than 2 TB

Apple Partition Map (figure only)

Apple Partition Map

• Block 0: Driver Descriptor Record

    TYPE Block0 = PACKED RECORD
        sbSig:        Integer;   {device signature}
        sbBlkSize:    Integer;   {block size of the device}
        sbBlkCount:   LongInt;   {number of blocks on the device}
        sbDevType:    Integer;   {reserved}
        sbDevId:      Integer;   {reserved}
        sbData:       LongInt;   {reserved}
        sbDrvrCount:  Integer;   {number of driver descriptor entries}
        ddBlock:      LongInt;   {first driver's starting block}
        ddSize:       Integer;   {size of the driver, in 512-byte blocks}
        ddType:       Integer;   {operating system type (MacOS = 1)}
        ddPad:        ARRAY [0..242] OF Integer;  {additional drivers, if any}
    END;

Apple Partition Map

• Driver Descriptor Record
  - Identifies the device drivers installed on a disk
  - The Start Manager reads the driver descriptor record during system start-up
    • Uses this information to locate and load the appropriate device driver
  - The Start Manager selects the appropriate driver based on user input

Apple Partition Map

• The partition map describes all partitions on a block device.
• Allows a single device to support multiple operating systems.
• All blocks (with the exception of block 0) belong to a partition.
• The number of entries in a partition map is not limited. However, the partition map must start in block 1 and be contiguous.

Apple Partition Map

    TYPE Partition = RECORD
        pmSig:          Integer;   {partition signature}
        pmSigPad:       Integer;   {reserved}
        pmMapBlkCnt:    LongInt;   {number of blocks in partition map}
        pmPyPartStart:  LongInt;   {first physical block of partition}
        pmPartBlkCnt:   LongInt;   {number of blocks in partition}
        pmPartName:     PACKED ARRAY [0..31] OF Char;  {partition name}
        pmParType:      PACKED ARRAY [0..31] OF Char;  {partition type}
        pmLgDataStart:  LongInt;   {first logical block of data area}
        pmDataCnt:      LongInt;   {number of blocks in data area}
        pmPartStatus:   LongInt;   {partition status information}
        pmLgBootStart:  LongInt;   {first logical block of boot code}
        pmBootSize:     LongInt;   {size of boot code, in bytes}
        pmBootAddr:     LongInt;   {boot code load address}
        pmBootAddr2:    LongInt;   {reserved}
        pmBootEntry:    LongInt;   {boot code entry point}
        pmBootEntry2:   LongInt;   {reserved}
        pmBootCksum:    LongInt;   {boot code checksum}
        pmProcessor:    PACKED ARRAY [0..15] OF Char;  {processor type}
        pmPad:          ARRAY [0..187] OF Integer;     {reserved}
    END;
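As an added example (not part of the slides), a small Python parser for the Block0 and Partition records above and for the rule that every block except block 0 must belong to a partition: it reads the big-endian map from a raw image and reports any block ranges no partition claims, which is where a forensic examiner would look for hidden data. The signature values 'ER' (0x4552) and 'PM' (0x504D) come from Inside Macintosh rather than from the slides; the 64-block sample image, its partition names and the 0x37 status value are constructed for the demonstration.

```python
import struct

# Apple Partition Map is big-endian: block 0 holds the Driver Descriptor Record
# ('ER'), blocks 1.. hold one 'PM' partition entry each, contiguous from block 1.
DDR = ">HHIHHIH"        # sbSig sbBlkSize sbBlkCount sbDevType sbDevId sbData sbDrvrCount
PM = ">HHIII32s32sIII"  # pmSig pmSigPad pmMapBlkCnt pmPyPartStart pmPartBlkCnt pmPartName pmParType pmLgDataStart pmDataCnt pmPartStatus
BLOCK = 512

def parse_apm(image: bytes) -> dict:
    """Return the block geometry and the partitions described by the map."""
    sig, bsz, bcnt = struct.unpack_from(DDR, image, 0)[:3]
    if sig != 0x4552:                                   # 'ER'
        raise ValueError("block 0 is not a Driver Descriptor Record")
    map_blocks = struct.unpack_from(PM, image, bsz)[2]  # pmMapBlkCnt of entry 1
    parts = []
    for i in range(map_blocks):                         # map is contiguous from block 1
        e = struct.unpack_from(PM, image, bsz * (1 + i))
        if e[0] != 0x504D:                              # 'PM'
            raise ValueError(f"map entry {i} has a bad signature")
        parts.append({"name": e[5].rstrip(b"\0").decode("mac_roman"),
                      "type": e[6].rstrip(b"\0").decode("mac_roman"),
                      "start": e[3], "count": e[4], "status": e[9]})
    return {"block_size": bsz, "block_count": bcnt, "partitions": parts}

def unallocated_ranges(info: dict) -> list:
    """Block ranges other than block 0 that no partition claims (possible hidden data)."""
    n = info["block_count"]
    owned = [b == 0 for b in range(n)]
    for p in info["partitions"]:
        for b in range(p["start"], min(p["start"] + p["count"], n)):
            owned[b] = True
    gaps, lo = [], None
    for b in range(n + 1):
        free = b < n and not owned[b]
        if free and lo is None:
            lo = b
        elif not free and lo is not None:
            gaps.append((lo, b - 1))
            lo = None
    return gaps

def build_sample_image() -> bytes:
    """Constructed 64-block image: map partition, an HFS volume and a 5-block hole at the end."""
    img = bytearray(BLOCK * 64)
    struct.pack_into(DDR, img, 0, 0x4552, BLOCK, 64, 0, 0, 0, 0)
    entries = [(1, 2, b"Apple", b"Apple_partition_map"), (3, 56, b"Macintosh HD", b"Apple_HFS")]
    for i, (start, count, name, ptype) in enumerate(entries):   # 0x37 status is a constructed value
        struct.pack_into(PM, img, BLOCK * (1 + i), 0x504D, 0, len(entries),
                         start, count, name, ptype, 0, count, 0x37)
    return bytes(img)
```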

GUID Partition Table

• Defined by a formal standard:
  - Section 11.2.2 of the "Extensible Firmware Interface Specification"
  - "GUID Partition Table (GPT) Format" of the "Unified Extensible Firmware Interface Specification, version 2.0"
    • Unified EFI Forum

GPT Overview

    Block               Description
    0                   Protective MBR
    1                   Partition Table Header (primary)
    2 thru 2+b-1        Partition Entry Array (primary)
    2+b thru n-2-b      Partition Data
    n-2-b+1 thru n-2    Partition Entry Array (backup)
    n-1                 Partition Table Header (backup)

(n = number of blocks on the disk, b = number of blocks occupied by the partition entry array)

GPT Overview

• Protective MBR
  - Defines a single partition entry of type 0xEE
  - Covers the entire area of the disk
  - Designed to prevent legacy programs from accidentally modifying a GPT disk

GPT Overview

• Partition Table Header
  - Defines various aspects of a disk:
    • GUID to uniquely identify the disk
    • Starting block of the partition entry array
    • Size of each partition entry

GPT Overview

• Partition Entry Array
  - Defines a partition, or is all zero when the entry is not used
  - Stored in a contiguous array on disk

GPT Overview

• Partition Entry
  - Contains a GUID to identify the partition
  - GUID for the partition type
  - Start block
  - End block
  - Partition name
  (Notice: GPT is little-endian)

GPT Overview (figure only)