This article provides an overview of Apple Partition Map and GUID Partition Table, including their structures, purposes, and how they allow for the management of multiple partitions on Apple devices. It also discusses the benefits of switching to GUID Partition Table and highlights the importance of understanding and managing partitions for supporting larger disk sizes.
COEN 152/252 Computer Forensics Apple Partitions
Apple Partition Map
• Applies to Mac OS X, Mac OS 9
• iPod players
• Switching to GUID Partition Table (GPT)
  • To support disks bigger than 2 TB

Apple Partition Map
• Block 0: Driver Descriptor Record

    TYPE Block0 =
    PACKED RECORD
        sbSig:       Integer;  {device signature}
        sbBlkSize:   Integer;  {block size of the device}
        sbBlkCount:  LongInt;  {number of blocks on the device}
        sbDevType:   Integer;  {reserved}
        sbDevId:     Integer;  {reserved}
        sbData:      LongInt;  {reserved}
        sbDrvrCount: Integer;  {number of driver descriptor entries}
        ddBlock:     LongInt;  {first driver's starting block}
        ddSize:      Integer;  {size of the driver, in 512-byte blocks}
        ddType:      Integer;  {operating system type (MacOS = 1)}
        ddPad:       ARRAY [0..242] OF Integer;  {additional drivers, if any}
    END;

Apple Partition Map
• Driver Descriptor Record
  • identifies the device drivers installed on a disk
  • Start manager reads the driver descriptor record during system start-up
  • Uses info to locate and load the appropriate device driver
  • Start manager selects the appropriate driver based on the user input

Apple Partition Map
• Partition map describes all partitions on a block device.
• Allows a single device to support multiple OS.
• All blocks (with the exception of block 0) belong to a partition
• Number of entries in a partition table is not limited.
• However, partition table needs to start in block 1 and be contiguous.

Apple Partition Map

    TYPE Partition =
    RECORD
        pmSig:         Integer;  {partition signature}
        pmSigPad:      Integer;  {reserved}
        pmMapBlkCnt:   LongInt;  {number of blocks in partition map}
        pmPyPartStart: LongInt;  {first physical block of partition}
        pmPartBlkCnt:  LongInt;  {number of blocks in partition}
        pmPartName:    PACKED ARRAY [0..31] OF Char;  {partition name}
        pmParType:     PACKED ARRAY [0..31] OF Char;  {partition type}
        pmLgDataStart: LongInt;  {first logical block of data area}
        pmDataCnt:     LongInt;  {number of blocks in data area}
        pmPartStatus:  LongInt;  {partition status information}
        pmLgBootStart: LongInt;  {first logical block of boot code}
        pmBootSize:    LongInt;  {size of boot code, in bytes}
        pmBootAddr:    LongInt;  {boot code load address}
        pmBootAddr2:   LongInt;  {reserved}
        pmBootEntry:   LongInt;  {boot code entry point}
        pmBootEntry2:  LongInt;  {reserved}
        pmBootCksum:   LongInt;  {boot code checksum}
        pmProcessor:   PACKED ARRAY [0..15] OF Char;  {processor type}
        pmPad:         ARRAY [0..187] OF Integer;  {reserved}
    END;

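Added example (not part of the original slides): a minimal Python parser that walks the Driver Descriptor Record and the contiguous partition map using the field order of the two records above. The signature values 0x4552 ("ER") and 0x504D ("PM"), the assumption that map entries sit at multiples of sbBlkSize, and the sample image built by build_sample_image() are not from the slides; the sample data is constructed.

```python
import struct

# Offsets follow the Block0 and Partition records; APM fields are big-endian.
DDR_FMT = ">HHL"                  # sbSig, sbBlkSize, sbBlkCount
PM_FMT = ">HHLLL32s32sLLL"        # pmSig ... pmPartStatus (first 92 bytes)
DDR_SIG, PM_SIG = 0x4552, 0x504D  # ASCII "ER" and "PM"

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_apm(image: bytes):
    """Return (block_size, partitions) parsed from a raw APM disk image."""
    if len(image) < struct.calcsize(DDR_FMT):
        raise ValueError("image too short for block 0")
    sig, blk_size, _blk_count = struct.unpack_from(DDR_FMT, image, 0)
    if sig != DDR_SIG or blk_size == 0:
        raise ValueError("block 0 is not a valid Driver Descriptor Record")
    parts, index, map_blocks = [], 1, 1      # the map starts in block 1
    while index <= map_blocks:
        off = index * blk_size
        if off + struct.calcsize(PM_FMT) > len(image):
            raise ValueError("partition map runs past end of image")
        (psig, _pad, map_cnt, start, count, name, ptype,
         _lg_start, _data_cnt, status) = struct.unpack_from(PM_FMT, image, off)
        if psig != PM_SIG:
            raise ValueError(f"bad pmSig in map block {index}")
        if index == 1:
            map_blocks = map_cnt             # pmMapBlkCnt sizes the contiguous map
        parts.append({"name": _cstr(name), "type": _cstr(ptype),
                      "start": start, "blocks": count, "status": status})
        index += 1
    return blk_size, parts

def build_sample_image() -> bytes:
    """Constructed 3-block image: DDR plus a two-entry partition map."""
    def entry(name, ptype, start, count):
        rec = struct.pack(PM_FMT, PM_SIG, 0, 2, start, count,
                          name, ptype, 0, count, 0x33)
        return rec.ljust(512, b"\0")
    ddr = struct.pack(DDR_FMT, DDR_SIG, 512, 103).ljust(512, b"\0")
    return (ddr + entry(b"Apple", b"Apple_partition_map", 1, 2)
                + entry(b"MacHD", b"Apple_HFS", 3, 100))

if __name__ == "__main__":
    size, partitions = parse_apm(build_sample_image())
    for p in partitions:
        print(p["name"], p["type"], p["start"] * size, p["blocks"] * size)
```

The loop is bounded by the image length, so a corrupted or hostile pmMapBlkCnt raises an error instead of reading past the evidence file.
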
GUID Partition Table
• Defined by a formal standard:
  • Section 11.2.2 “Extensible Firmware Interface Specification”
  • “GUID Partition Table (GPT) Format” of the “Unified Extensible Firmware Interface Specification, version 2.0”
  • Unified EFI Forum

GPT Overview
• Protective MBR
  • Defines a single partition entry of type 0xEE
  • Covers entire area of disk
  • Designed to prevent legacy programs from accidentally modifying a GPT disk

GPT Overview
• Partition Table Header
  • Defines various aspects of a disk:
    • GUID to uniquely identify disk
    • starting block of partition entry array
    • size of each partition entry

GPT Overview
• Partition Entry Array
  • Defines a partition or is all zero when entry is not used.
  • Stored in a contiguous array on disk

GPT Overview
• Partition Entry
  • Contains GUID to identify partition
  • GUID for partition type
  • start block
  • end block
  • partition name
(Note: GPT is little-endian)