
What's at 1st sector/MBR of hard disk(MBR Forensics)

The MBR holds a good deal of information about a hard disk or other storage device that is useful for forensics. In this article we analyze the 512 bytes of an MBR and interpret them field by field.


The first sector (sector 0) of a hard disk is the MBR (Master Boot Record). When you power on a machine with legacy (BIOS) firmware, the first code to run is the BIOS (Basic Input Output System). The BIOS loads the MBR sector into memory at address 0x7C00 and, if the sector ends with the 0x55AA signature, jumps to it. The MBR code parses and validates the partition table, picks the active partition and transfers control to the boot loader. The boot loader may sit in the sectors immediately after the MBR (the unallocated gap before the first partition) or in the first sector of a partition (the volume boot record, VBR). The boot loader does its own work and hands control to the kernel or init manager, but here we only care about what is stored in the MBR and what happens there. Note that UEFI firmware boots from an EFI System Partition on a GPT disk and never executes MBR code; on such disks sector 0 still contains a "protective" MBR with a single partition entry of type 0xEE.

Where is my MBR?

The MBR is the first sector of your hard disk. On Linux and macOS the whole disk is exposed as a device file under /dev/ (for example /dev/sda or /dev/disk0); on Windows it is the \\.\PhysicalDrive0 device object. A sector is usually 512 bytes; native 4 KiB sectors (4Kn) exist but are rare, and on such a disk the field offsets below are unchanged while LBA arithmetic must use 4096 bytes per sector.

Let's view the raw MBR data on Linux. /dev/sda is usually the first hard disk; inspect /dev/sdb, /dev/sdc and so on if you want the MBR of another disk such as a USB drive. Reading a block device directly requires root.

Raw MBR output through xxd

We used the xxd utility to produce a hex dump of /dev/sda; the first 512 bytes (offsets 0x000 through 0x1FF) are the MBR. Limit the dump to 512 bytes with the -l option, otherwise xxd keeps reading through the whole disk.

You can view the same data on Windows with the HxD hex editor (open the physical disk rather than a volume, so that sector 0 is the MBR and not a volume boot record). Below is a screenshot.

MBR of disk in HxD

How to interpret MBR data?

Let's try to understand what information these 512 bytes contain.

MBR structure

The layout is given below (hexadecimal byte offsets within the sector):

0x000-0x1B7 -> MBR code area (440 bytes)
0x1B8-0x1BB -> 32-bit disk signature (optional, 4 bytes)
0x1BC-0x1BD -> 0x0000, or 0x5A5A if the disk is marked copy-protected (2 bytes)
0x1BE-0x1FD -> Partition table, four 16-byte entries (64 bytes)
0x1FE-0x1FF -> MBR boot signature, bytes 0x55 0xAA (2 bytes)

In the classic MBR the code area runs all the way to 0x1BD (446 bytes); the disk signature and copy-protect word are a later convention introduced by Windows, so on an old or non-Windows disk those six bytes may simply be more boot code.

MBR code area - The code in the MBR is limited in size, so it does not do much. Its job is to parse the partition entries, check that they are valid, find the partition with the boot flag set, load that partition's boot sector and jump to it. The exact bytes depend on which boot loader or operating system wrote them: the Windows MBR begins with 33 C0 8E D0 BC 00 7C (xor ax,ax / mov ss,ax / mov sp,0x7C00), while GRUB's boot sector begins with an EB (short jmp) byte that skips over a data area; volume boot records for FAT and NTFS also start with a jmp.

There are alternative boot code implementations, some installed by boot managers, which operate in a variety of ways. Some MBR code loads additional boot manager code from the first track of the disk, which it assumes to be "free" space not allocated to any partition, and executes it. An MBR program may interact with the user to determine which partition on which drive should boot, and may transfer control to the MBR of a different drive. Other MBR code contains a list of disk locations (often corresponding to the contents of files in a filesystem) of the remainder of the boot manager code to load and execute. (The first approach relies on behavior that is not universal across all disk partitioning utilities, most notably those that read and write GPTs.)

Because this code runs before any operating system and a legacy BIOS performs no integrity check on it, the MBR code area is a classic bootkit target. For forensic work, hash the 440-byte code area and compare it against a known-good MBR from the same boot loader version; any difference in this region deserves a disassembly.

32-bit disk signature - A value written by the operating system to identify the disk (Windows calls it the NT disk signature; Linux tools such as blkid report it as PTUUID). It is not checked by the BIOS. Windows uses it, together with a partition's byte offset, to map drive letters to volumes in the registry (HKLM\SYSTEM\MountedDevices) and to reference boot volumes in the BCD store; two attached disks with the same signature are treated as a conflict, which is why a cloned disk may come up offline. For forensics it lets you tie a disk image to registry artefacts from the machine it was used in.

MBR signature - Every bootable MBR ends with the bytes 0x55 0xAA at offsets 0x1FE and 0x1FF (read as a little-endian 16-bit word this is 0xAA55). The BIOS refuses to execute a sector without it. The signature only says "this sector contains boot code"; volume boot records end with the same two bytes, so it does not by itself prove that you are looking at an MBR rather than a partition's boot sector.

Partition entries - The partition table consists of four 16-byte entries, located after the code area and immediately before the MBR signature.

Let's break down the 16 bytes of a partition entry into meaningful fields.

The multi-byte fields (LBA and sector count) are stored little-endian; the CHS fields use a packed 3-byte encoding described below. Offsets are relative to the start of the entry.

0x00 - Boot flag (0x80 - active/bootable | 0x00 - inactive | 0x01-0x7F - invalid)
0x01-0x03 - CHS address of the first sector of the partition
0x04 - Partition type
0x05-0x07 - CHS address of the last sector of the partition
0x08-0x0B - LBA of the first sector of the partition
0x0C-0x0F - Number of sectors in the partition

The boot flag is the first byte and is either 0x80 or 0x00 in a valid entry. At most one partition should be marked 0x80; the standard MBR code loads the volume boot record of that partition. Two active partitions, or a flag value outside 0x00 and 0x80, points to corruption or tampering.

CHS (cylinder-head-sector) is the old scheme for addressing physical blocks on a hard disk. The three bytes are packed as: byte 0 = head (0-255); byte 1 = sector number in bits 0-5 (1-63) with the two high bits of the cylinder in bits 6-7; byte 2 = the low 8 bits of the cylinder (0-1023). That caps CHS addressing at about 8 GB, so current software ignores these fields and writes the maximum value FE FF FF (cylinder 1023, head 254, sector 63) when the real location lies beyond the limit. They remain for backward compatibility only. For forensic work, trust the LBA fields and treat CHS values that disagree with them as a hint that the table was edited by hand.

Partition type/ID (also called the filesystem ID) describes what kind of partition the entry points to, for example 0x07 (NTFS or exFAT), 0x0B/0x0C (FAT32), 0x83 (Linux), 0x82 (Linux swap), 0x05/0x0F (extended) and 0xEE (GPT protective). The operating system does not verify it against the partition's contents, so an attacker or anti-forensic tool can hide a volume by changing the ID or zeroing the entry; the data is still on disk at the stated LBA.

LBA (logical block addressing) is the newer scheme, which numbers sectors linearly from 0. Convert an LBA to a byte offset by multiplying it by the sector size (512 here):

Starting Bytes = LBA * 512

The number of sectors gives the size of the partition:

size = No of Sectors * 512

End Bytes = Starting Bytes + size
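As an added example (not code from the original article or from its MBR forensics tool), here is a Python parser that ties the sections above together: it splits a 512-byte sector into the code area, disk signature, partition table and boot signature, decodes the packed CHS bytes and the little-endian LBA and sector-count fields, converts them to byte offsets with the formulas above, hashes the code area for comparison with a known-good MBR, and runs the consistency checks an analyst would want (boot signature present, valid boot flags, a single active partition, no overlapping partitions, protective-MBR detection). The sample MBR is constructed inline so the script runs without a disk; read_mbr() reads a real device and needs root. The partition type names are a small subset chosen for illustration, and the offsets of the disk signature fields assume a modern (Windows-style) MBR.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # bytes at 0x1FE/0x1FF; reads as 0xAA55 if taken as a little-endian word

# Small subset of partition type IDs, enough for illustration (assumption: not the full list).
PARTITION_TYPES = {0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
                   0x8E: "Linux LVM", 0xEE: "GPT protective"}

def decode_chs(raw: bytes) -> Tuple[int, int, int]:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]                                 # byte 0: head 0-255
    sector = raw[1] & 0x3F                        # byte 1 bits 0-5: sector 1-63
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]    # byte 1 bits 6-7 are cylinder bits 8-9, byte 2 is bits 0-7
    return cylinder, head, sector

@dataclass
class Partition:
    index: int
    boot_flag: int        # 0x80 active, 0x00 inactive, anything else invalid
    type_id: int
    start_chs: Tuple[int, int, int]
    end_chs: Tuple[int, int, int]
    start_lba: int
    sector_count: int

    def byte_range(self, sector_size: int = SECTOR_SIZE) -> Tuple[int, int]:
        """(first byte, one past the last byte) of the partition on disk: LBA * sector size."""
        start = self.start_lba * sector_size
        return start, start + self.sector_count * sector_size

@dataclass
class MBR:
    code: bytes            # 0x000-0x1B7, the 440-byte boot code area
    disk_signature: int    # 0x1B8-0x1BB
    copy_protect: int      # 0x1BC-0x1BD, normally 0x0000 (0x5A5A = copy protected)
    partitions: List[Partition]
    signature_ok: bool     # bytes 0x1FE-0x1FF == 55 AA

    def code_sha256(self) -> str:
        """Hash of the code area; compare with a known-good MBR to spot bootkit modifications."""
        return hashlib.sha256(self.code).hexdigest()

def parse_partition(index: int, raw: bytes) -> Partition:
    boot, s_chs, ptype, e_chs, lba, count = struct.unpack("<B3sB3sII", raw)  # little-endian LBA/count
    return Partition(index, boot, ptype, decode_chs(s_chs), decode_chs(e_chs), lba, count)

def parse_mbr(data: bytes) -> MBR:
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    disk_sig, copy_prot = struct.unpack_from("<IH", data, 0x1B8)
    parts = [parse_partition(i, data[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]) for i in range(4)]
    return MBR(data[:0x1B8], disk_sig, copy_prot, parts, data[0x1FE:0x200] == MBR_SIGNATURE)

def check_mbr(mbr: MBR) -> List[str]:
    """Consistency checks an analyst would run before trusting the partition table."""
    findings = []
    if not mbr.signature_ok:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in mbr.partitions if p.type_id != 0x00]
    for p in used:
        if p.boot_flag not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid boot flag 0x{p.boot_flag:02X}")
        if p.start_lba == 0:
            findings.append(f"partition {p.index}: starts at LBA 0 (overlaps the MBR)")
        if p.type_id == 0xEE:
            findings.append("protective MBR: the real partition table is GPT")
    if sum(p.boot_flag == 0x80 for p in used) > 1:
        findings.append("multiple active partitions")
    used.sort(key=lambda p: p.start_lba)
    for a, b in zip(used, used[1:]):
        if b.start_lba < a.start_lba + a.sector_count:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings

def read_mbr(device: str = "/dev/sda") -> MBR:
    # Needs root. On Windows open the physical drive object, e.g. \\.\PhysicalDrive0.
    with open(device, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))

def build_sample_mbr(p2_boot: int = 0x00, p2_start_lba: int = 1050624,
                     signature: bytes = MBR_SIGNATURE) -> bytes:
    """Constructed 512-byte sample (not from a real disk): 512 MiB NTFS at LBA 2048, then 1 GiB Linux."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(440, b"\x00")  # xor ax,ax / mov ss,ax / mov sp,7C00h
    header = struct.pack("<IH", 0xDEADBEEF, 0x0000)                # disk signature, copy-protect word
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1048576)
    p2 = struct.pack("<B3sB3sII", p2_boot, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", p2_start_lba, 2097152)
    return code + header + p1 + p2 + bytes(32) + signature

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{mbr.disk_signature:08X}  code sha256 {mbr.code_sha256()}")
    for p in (p for p in mbr.partitions if p.type_id):
        print(p, PARTITION_TYPES.get(p.type_id, "unknown"), "bytes", p.byte_range())
    print("findings:", check_mbr(mbr) or "none")
```

To analyze a real disk replace the sample with read_mbr("/dev/sdb") (or the relevant PhysicalDrive on Windows) and compare code_sha256() against the value from a clean installation of the same boot loader; the overlap and multiple-active checks are cheap ways to catch a hand-edited table before any volume is mounted.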

That is all the information the MBR carries for the operating system and disk-management tools. The scheme clearly allows only four partitions, which is why extended partitions exist: one of the four entries (type 0x05 or 0x0F) points to an extended boot record (EBR) that holds one logical partition and a link to the next EBR, forming a chain that must be followed to recover every volume. Modern operating systems use the GPT partitioning scheme instead, which moves the partition entries out of sector 0 and allows a large number of partitions; a GPT disk still carries a protective MBR in sector 0 so that MBR-only tools see the disk as fully allocated and do not overwrite it.

You can use our MBR forensics tool to analyze your MBR data: Download here
