Thursday, September 5, 2013

Determining Windows Volume Letters on GUID Partition Table (GPT) partitioned Devices

When reporting data to a customer, whether that be a corporate customer, a law enforcement officer, or an attorney, I try to keep my geekiness in check.  One way of doing so is by reporting the location of data in a way that the customer is familiar.  I figure that if my children and my parents understand how to get to a file if I provide a full path, anyone can do it.

One popular forensic tool arbitrarily names partitions in the order they are encountered on a device, beginning with the Volume Letter C.  Sometimes it is right; sometimes it is wrong.  Determining these drive letters has been the same throughout my career -- Review the keys beginning with DosDevices under the \MountedDevices key within the SYSTEM Registry file and take the first four (4) bytes of the value as the disk signature and the last eight (8) as the bytes to the beginning of the partition.

Several Microsoft Windows operating systems are now able to boot to disks which have been partitioned using the GUID Partition Table (GPT) scheme.  According to Microsoft's DevCenter article: Using GPT Drives, the x64-based operating systems Windows Server 2003 SP1, Server 2008, Windows Vista, and Windows 8 can boot to devices which use GPT while older operating systems such as x64-based Windows XP and x32-based Windows Server 203 SP1 could use GPT devices for storage.

With more operating systems supporting GPT, the laboratory naturally is starting to see more pieces of evidence partitioned in this way.  A colleague recently received a Windows 8 based system for analysis, went to verify drive letter assignments and was surprised to see Figure 1.

Figure 1. \MountedDevices\DosDevices\C: within the SYSTEM Registry File

A quick review of Sector 1 of the device located the header for the Unified Extensible Firmware Interface (UEFI) boot firmware, 0x 45 46 49 20 50 41 52 54, or EFI PART in ASCII.  This is expected since a Windows system can not boot from a GPT partitioned device without the UEFI.  The EFI header can be seen in Figure 2.

Figure 2. UEFI Header: Sector 1, Offset 0, Length 8 bytes


The specification related to UEFI and GPT can be obtained from the Unified EFI Forum.  Of particular interest is the fact that the Disk Signature in the Protected Master Boot Record (MBR) located at Sector 0 at offset 440 for four (4) bytes is still generated by the operating system and that the entire disk also gets a GUID which is available in Sector 1 at offset 56 for 16 bytes.  While neither disk identifier was used during the current examination, their presence likely has some value that I will explore at another time (Feel free to add your experience with these identifiers in the comments!).  I unfortunately did not get a screen shot showing the MBR and the Disk Signature it contained.  The EFI header is shown again in Figure 3, this time with several bytes highlighted with different color boxes.

Figure 3. UEFI Header Identifying Disk GUID and General Information Relate to Partition Entries

The GREEN text, 16 bytes starting at offset 56 of Sector 1, contains the disk GUID: 0x14 4E CA B9 C1 7F 0F 43 A5 61 3D FF FD F2 B6 26.

The RED text, eight (8) bytes starting at offset 72 of Sector 1, contains the starting Logical Block Address (LBA) of the array containing the partition entries: 2 (Little Endian).

The ORANGE text, four (4) bytes starting at offset 80 of Sector 1, contains the number of partition entries within the array: 128 (Little Endian).

The YELLOW text, four (4) bytes starting at offset 84 of Sector 1, contains the number of bytes that make up a partition entry within the array: 128 bytes (Little Endian).

A little math can show us how many sectors the partition entries take up:

        ((number of entries) * (bytes per entry)) / (bytes per sector), 128*128/512 = 32.  

Therefore, the partition entries take up Sectors 2 through 33.  So, remember that 16 byte GUID associated with our volume?  If all goes well, we should see it within these 32 sectors.  Now before getting flustered over the 16 byte GUID being somewhere within 32 sectors, I do not anticipate seeing GPT devices which use all 128 entries any time soon.  Note that unused entries will contain 0x00.  Figure 4 shows the last used entries of the partition array as note by the 0x00 at the bottom of the data.  It also shows, highlighted in blue, the GUID noted as being associated with the C volume in our example.

Figure 4. Excerpt of Partition Array

The eight (8) bytes, boxed in GREEN, which immediately follow the 16 byte GUID of interest shown in Figure 4 provide the starting sector of the partition.  Converting the data into Little Endian decimal indicates that the volume using drive letter C starts at sector 1615872.

A quick review of the starting sectors of the partitions identified the 3rd partition, shown in Figure 5, as being the one mounted with drive letter C.

Figure 5. Excerpt of Forensic Tool Report Listing Starting Sector of Volume 3

Granted there was enough data that I could make an educated guess that this was the C volume, but again I try to rein in that inner geek when talking to the customers.  So rather than geeking out over why I believe this to be the C volume, I can definitively state, this IS the C volume.

As time permits, and assuming I do not get sidetracked, I plan to script the process to automatically make these correlations.  I would also like to further explore the use of the Disk Signature and the Disk GUID.

No comments:

Post a Comment