If you can see this check that

Main Page


GPT

User:
Password:

Objectives

In this lab you will manually verify information related to GPT(GUID Partition Table) disk. GPT is a partitioning scheme that is part of the Unified Extensible Firmware Interface specification. It is the next generation partitioning scheme desiged to succeed the Master Boot Record paritioning scheme method. It evolved to deal with several shortcomings of the MBR and offers additional advantages.

To reset all the check buttons from a previous attempt click here

Question 1: Script Creation

Press this button to setup the environment

Tests - not attempted
Create Scripts UNTESTED

Using the mmls command analyse /images/diskimg3.dd. Extract the sector offset information for the partitions shown

Metadata SlotStart Sector OffsetEnd Sector OffsetFile Sytem Type/name
004
006
007
Tests - not attempted
004 Start and End Sector UNTESTED
004 File System Type UNTESTED
006 Start and End Sector UNTESTED
006 File System Type UNTESTED
007 Start and End Sector UNTESTED
007 File System Type UNTESTED

Question 2: Protective MBR

Protective MBR is the same as a normal MBR but the 64-byte area contains a single 0xEE type Primary partition entry defined over the entire size of the disk. This structure is designed to enable older tools/OS's that cannot read GPT disks to recognize the disk as containing one parition of unknown type with no empty space. The system will then typically refuse to modify the disk unless the user explicitly requests the changes.

In this question we will be using the dd and xxd commands to analyse the first block (LBA 0) of diskimg3.dd. Inspect the partition table of the Protective MBR and using the information fill in the table below. For hex values, format this as 0xaa or 0xaaaaaaaa, depending on the length.

OffsetLengthDescriptionLittle Endian Value (Hex)Decimal Value
0x1C2 1 Byte Partition Type N/A
0x1C6 4 Bytes Starting Sector
0x1CA 4 Bytes Length Of The Partition
Tests - not attempted
0x1C2 Partition Type Little Endian Value UNTESTED
0x1C6 Starting Sector Little Endian Value UNTESTED
0x1C6 Starting Sector Decimal Value UNTESTED
0x1CA Length Of Partition Little Endian Value UNTESTED
0x1CA Length Of Partition Decimal Value UNTESTED

Question 3: GPT Partition Table Header

The majority of the information regarding the structure of the GPT disk is contained within the Partition Header.

The primary version of the Partition Header is found in Sector LBA 1 and the backup copy can be found in the last sector of the disk (Last LBA)

The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table.

The EFI stipulates a minimum of 16,384 bytes has to be reserved for the partition table array. This means that there are 128 partition entries reserved, each 128 bytes long.

In this question we will be using the dd and xxd commands to the open the second block of the (LBA 1) of diskimg3.dd in order to complete the table below.

OffsetLengthDescriptionDecimal Value
0x00 8 Bytes Signature - provide answer in ASCII
0x18 8 Bytes Current GPT Header (LBA)
0x20 8 Bytes Backup GPT Header (LBA)
0x28 8 Bytes First Usable LBA For Partitions
0x30 8 Bytes Last Usable LBA For Partitions
0x48 8 Bytes Starting LBA Of The Partition Table
0x50 4 Bytes Number Of Partition Entries In The Table
0x54 4 Bytes Size Of The Partition Entries In The Table (Usually 128 Bytes)
Tests - not attempted
0x00 Signature - ASCII UNTESTED
0x18 Current GPT Header UNTESTED
0x20 Back GPT Header UNTESTED
0x28 First Usable LBA For Partitions UNTESTED
0x30 Last Usable LBA For Partitions UNTESTED
0x48 Starting LBA Of The Partition Table UNTESTED
0x50 Number Of Partition Entries In The Table UNTESTED
0x54 Size Of The Partition Entries UNTESTED

Question 4: GPT Partition Table

After the GPT Partition Table Header, the Partition Entry Array describes partition using a 128 byte block per entry at a minimum.

The first 16 bytes designate the partition type globally unique identifier (GUID). The second 16 bytes contain a unique GUID for the partition. After this we can find the starting and ending 64-bit LBAs, partition attributes and names.

As is the nature and purpose of GUIDs, no central registry is needed to ensure the uniqueness of the GUID partition type designators. The location of the parition entries array is defined in the GPT header.

Decoding GUID entries

The GUID value is 16 bytes in length and is represented as 5 different hex numbers seperated by dashes (-). An example being:

C12A7328-F81F-11D2-BA4B-00A0C93EC93B

However this is stored on a disk in slightly strange manner. When written to disk the first three numbers are stored as little endian and the final two are stored as big endian. Based on the example from partition table (LBA 2 - diskimg3.dd, offset 0x0000, length 16 bytes), lets decode the GUID value for "Partition type GUID". The first three numbers have to be converted from little endian to big endian. And the last two numbers stay unchanged.

 
Little endian value is as follow: 
 
a2a0 d0eb e5b9 3344 87c0 68b6 b726 99c7 

	    little endian  big endian  
1st number  a2a0d0eb       ebd0a0a2  
2nd number  e5b9           b9e5  
3rd number  3344           4433  
4th number  87c0   	   87c0          - no change  
5th number  68b6b72699c7   68b6b72699c7  - no change 
The decoded GUID value is --> ebd0a0a2-b9e5-4433-87c0-68b6b72699c7. In the last section you have recorded the starting LBA of the partition table. Navigate to this sector and look at the content and provide information for each partition entry.

Partition 1

Offset (Hex)LengthDescriptionPartition 1
0x00 16 Bytes Partition Type GUID
0x10 16 Bytes Unique Partition GUID
0x20 8 Bytes First LBA Of Partition
0x28 8 Bytes Last LBA Of Partition
0x30 8 Bytes Attribute Flags (Partition Type)
0x38 72 Bytes Partition Name (UTF-16)
Tests - not attempted
Partition Type GUID UNTESTED
Unique Partition GUID UNTESTED
First LBA Of Partition UNTESTED
Last LBA Of Partition UNTESTED
Attribute Flags UNTESTED
Partition Name UNTESTED

Partition 2

Offset (Hex)LengthDescriptionPartition 1
0x00 16 Bytes Partition Type GUID
0x10 16 Bytes Unique Partition GUID
0x20 8 Bytes First LBA Of Partition
0x28 8 Bytes Last LBA Of Partition
0x30 8 Bytes Attribute Flags (Partition Type)
0x38 72 Bytes Partition Name (UTF-16)
Tests - not attempted
Partition Type GUID UNTESTED
Unique Partition GUID UNTESTED
First LBA Of Partition UNTESTED
Last LBA Of Partition UNTESTED
Attribute Flags UNTESTED
Partition Name UNTESTED

Partition 3

Offset (Hex)LengthDescriptionPartition 1
0x00 16 Bytes Partition Type GUID
0x10 16 Bytes Unique Partition GUID
0x20 8 Bytes First LBA Of Partition
0x28 8 Bytes Last LBA Of Partition
0x30 8 Bytes Attribute Flags (Partition Type)
0x38 72 Bytes Partition Name (UTF-16)
Tests - not attempted
Partition Type GUID UNTESTED
Unique Partition GUID UNTESTED
First LBA Of Partition UNTESTED
Last LBA Of Partition UNTESTED
Attribute Flags UNTESTED
Partition Name UNTESTED


Centos 7 intro: Paths | BasicShell | Search
Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 log Mail
Caine 10.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
Caine 13.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
CPD: Cygwin | Paths | Files and head/tail | Find and regex | Sort | Log Analysis
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Kali 2020-4: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7 | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2024 Edinburgh Napier University