Tuesday, October 18, 2011

Examining Partition Tables

Now I would not call partition tables sexy by any stretch of the imagination (however, the MBR can be involved in malware), but one of the things I learned is: the best way to learn something is to do it. This goes for pretty much anything. So anyways, I was watching a video on SecurityTube where the gentleman was delving into partition tables, and I decided to take a look at my own hard drive and see it all for myself.

First off, I downloaded a hex editor (my poor netbook is choking on programs now, it's almost time for a refresh). I used WinHex, because it's free and I got fed up with CNET giving me a bad download.

Anywhoo... I started small first: use a thumb drive! So I booted up WinHex, navigated to Tools > Open Disk and chose my little 2GB thumb drive.

So our partition table starts at byte 446 within our 512-byte MBR. In hex that is 0x01BE. No, I didn't just know that; I used the handy dandy calculator to figure it out (hex conversions can be covered elsewhere). Each partition entry is allotted 16 bytes, so I highlight the first 16 below:



Ok, let me give the breakdown along with my example:
  • Byte 0: Boot flag. 0x80 means bootable, while 0x00 means it's not. My drive is not bootable.
  • Bytes 1-3: Starting CHS (Cylinder Head Sector) address. We don't really use this anymore thanks to Logical Block Addressing, but it is still good to know. The first byte is the head, which in my case is 0x00 (so mine starts at 0). The second byte is actually split, with 6 bits reserved for the sector and the other 2 bits for the cylinder number. Mine is easy, with the second byte at 0x01, so the starting sector for my partition is 1. Finally, the third byte is the cylinder, which is also 0x01.
  • Byte 4: Partition type. This shows the partition format type. You can find an extensive list here. Looking up my value 0x0B reveals I have a FAT32 partition type.
  • Bytes 5-7: Ending CHS address. This is broken down the same way as the starting address. We still have an ending head of 0; however, our sectors and cylinders have changed a bit, and now we have to break our hex down into binary. I will not bore you with how to do that, but here are the results:
    • 0x41 : 10000010
    • 0xF:    11011111
Now remember we gotta save the first two bits of 0x41 for the cylinder. So that leaves the binary 10, which in decimal is 2. My ending sector is 2. My ending cylinder is 1011011111, which in decimal is 735.
I am not going to claim I did the CHS sector right; if I am wrong and someone can explain my error to me, I would be happy. Like I said, we have mostly switched to LBA since our drives have been getting bigger and bigger....
  • Bytes 8-11: Logical Block Address (ending) 
  • Bytes 12-15: Size in sectors (little endian). So our last 4 bytes are as follows: 80 F0 3A 00. What does little endian mean? Basically it means the littlest byte (in this case 00) heads to the front. Who was it that said "The first shall become last?"
Anyways, after doing that we have the new value: 00 3A F0 80. What is that in decimal? Handy calculator says it's 3862656. That's how many sectors we have, but for Pete's sake, what does that mean? Well! Do you remember how many bytes I said were in a sector? 512! So just multiply the two numbers together and....

1977679872 B
That is an awfully large number, and who really reads in bytes anyways? So you could use a handy dandy online bit calculator to figure it out, or if you know roughly how many bytes are in a GB (answer: roughly a billion) and move that decimal over, you get...

1.97 GB

That seems a bit more like it... and just to check:


Whoo hoo! It says on the drive itself 2GB, so we are pretty close! So even if the CHS is a bit FUBAR, you can use the last 4 bytes to determine the size (which seems much easier).

Another quick one:

  • This one is bootable, as the first byte is 0x80
  • Partition type is FAT32, LBA mapped (hex value 0x0C)
  • Size is 4 GB (thanks to the last 4 bytes)
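
To do the byte-by-byte breakdown above without a calculator (the CHS bit split, the little-endian size field, and the sector-to-GB conversion, for the thumb drive entry and the "quick one" alike), here is an added Python parser. It is not code from the post or from WinHex. It reads the four 16-byte entries starting at 0x1BE, treats the top two bits of the second CHS byte as bits 8-9 of the cylinder, reads bytes 8-11 as the LBA of the partition's first sector and bytes 12-15 as the size in sectors (both little-endian, as the MBR layout defines them), and reports size in both decimal GB (what the drive label uses) and binary GB (what Windows Explorer shows). The sample MBR is constructed: the first entry reuses the values the post reads off the 2GB thumb drive (not bootable, start CHS 00 01 01, type 0x0B, size bytes 80 F0 3A 00), while its ending CHS, its LBA start, and the whole second entry are made up.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # byte 446, where the four 16-byte entries begin
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"

# A few common type codes; 0x0B and 0x0C are the two the post looks up.
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def decode_chs(raw):
    """Decode a 3-byte CHS field: byte 0 = head, byte 1 = 6 sector bits plus
    the 2 high cylinder bits, byte 2 = the low 8 cylinder bits."""
    head = raw[0]
    sector = raw[1] & 0x3F                      # low 6 bits of byte 1
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]  # top 2 bits of byte 1 become bits 8-9
    return {"cylinder": cylinder, "head": head, "sector": sector}


def parse_entry(entry):
    """Parse one 16-byte partition table entry; multi-byte fields are little-endian ('<')."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("partition entry must be 16 bytes")
    boot, start_chs, ptype, end_chs, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    if boot not in (0x00, 0x80):
        raise ValueError(f"invalid boot indicator 0x{boot:02x}")
    return {
        "bootable": boot == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "start_chs": decode_chs(start_chs),
        "end_chs": decode_chs(end_chs),
        "lba_start": lba_start,        # bytes 8-11: LBA of the partition's first sector
        "sectors": sectors,            # bytes 12-15: size in sectors
        "size_bytes": sectors * SECTOR_SIZE,
    }


def parse_mbr(mbr):
    """Return the non-empty entries of a 512-byte MBR after checking the 0x55AA signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        parsed = parse_entry(mbr[off:off + ENTRY_SIZE])
        if parsed["type"] != 0x00:
            entries.append(parsed)
    return entries


def to_gb(nbytes, binary=False):
    """Bytes to GB: decimal (10^9, drive labels) or binary (2^30, Windows Explorer)."""
    return nbytes / (2 ** 30 if binary else 10 ** 9)


def build_sample_mbr():
    """Constructed sample MBR, not a dump of the post's drives. Entry 1 reuses the
    values the post reads off the 2GB thumb drive (boot 0x00, start CHS 00 01 01,
    type 0x0B, size bytes 80 F0 3A 00); its end CHS and LBA start are made up."""
    entry1 = bytes([0x00, 0x00, 0x01, 0x01, 0x0B, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 0x003AF080)
    # Entry 2 (all constructed): bootable FAT32 (LBA), 8,388,608 sectors = 4 GiB.
    entry2 = bytes([0x80, 0xFE, 0xFF, 0xFF, 0x0C, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 3862719, 8388608)
    table = entry1 + entry2 + bytes(ENTRY_SIZE * 2)   # entries 3 and 4 left empty
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    for n, p in enumerate(parse_mbr(build_sample_mbr()), 1):
        print(f"partition {n}: bootable={p['bootable']} type=0x{p['type']:02x} ({p['type_name']}) "
              f"start_lba={p['lba_start']} sectors={p['sectors']} "
              f"size={to_gb(p['size_bytes']):.2f} GB / {to_gb(p['size_bytes'], binary=True):.2f} GiB")
```

To run it against a real disk, replace `build_sample_mbr()` with the first 512 bytes read from the device (WinHex can export them, or on Linux `open('/dev/sdX', 'rb').read(512)` with the right privileges). Summing `size_bytes` over the entries is the quick way to compare the table against the capacity printed on the drive.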
How about an actual hard drive? Well, mine is 150 GB, so let's see what is going on:

Whoa, my poor netbook! I leave this to you guys as a 'challenge', sorry I am not rich enough to give prizes, but maybe your name will be posted on the blog! whoo-hoo!

Questions to be answered:
  1. How many partitions are there?
  2. For each partition, what is its type?
  3. For each partition, what is its size?
  4. Does this equal 150GB? (give or take)
  5. BONUS: Now to throw a 'monkey' in the mix. This is what I see when I look in Windows Explorer:

OS_Install is ~40GB, so adding the two drives does not equal 150G. What do you think a reason could be for this?

Email your answers to: icanhazblog[at]gmail[dot]com

Thanks!

2 comments:

Jonathan Rajewski said...

Submitted a result!

Girl, Unallocated said...

I normally wouldn't disagree with you on anything... but I DO think partition tables are sexy. :)