Analyzing The Master Boot Record (MBR)

 



Typical storage media are organized using a defined partition scheme. Common partition schemes include DOS/MBR (the original PC partition scheme), GUID Partition Table (GPT), BSD, Sun (vtoc), and Apple Partition Map (APM). DOS-style partitions were the common choice for a long time, but GPT partitions have become increasingly popular and are widely used by recent operating systems, such as Windows Server 2003 with SP1 and later. From a digital forensics perspective, we want to identify the partition scheme, analyze the partition tables, and look for possible inter-partition gaps. The analysis of DOS and GPT partition tables is independent of the installed operating system. We will discuss DOS-style partitions here, with a focus on the artifacts that are specific to the Windows operating system.


The Master Boot Record (MBR)

A disk that is organized using DOS partitions has a Master Boot Record (MBR) located in the first 512-byte sector, Sector 0 (LBA 0) or Cylinder 0, Head 0, Sector 1 (using CHS addressing). The MBR sits at the very start of the hard disk and consists of one sector—absolute sector zero. This first sector includes the boot code, the disk signature, and the primary partition definitions known as the partition table, and it ends with a signature (a two-byte code represented in hexadecimal as 0x55AA). Additional sectors in the boot record are not typically accessible by the user without tools that have raw access to the drive, such as a hexadecimal editor. Earlier installations required the first partition to be created on a track boundary (sector 63), while newer implementations remove this requirement, and the first volume can be anywhere the MBR defines it (typically at sector 2048 or 4096). An MBR-formatted disk can contain up to four partitions in the boot record—all of which can be primary, and only one of which can be an extended partition. A primary partition can contain one and only one volume, and only one of these volumes can be bootable (an extended partition cannot be natively bootable).



After executing the POST (Power-On Self Test), the BIOS reads the sector at cylinder 0, head 0, sector 1 (the boot sector) via an INT 19h system call, which in turn calls INT 13h to access the disk drive. It loads the 512-byte sector at CHS address (0,0,1) into memory starting at physical address 0x7c00. This is usually 0x0000:0x7c00 (CS = 0, offset address 0x7c00). However, some BIOSes load to 0x07c0:0x0000 (CS = 0x07c0, offset address 0)—which resolves to the same physical address but can cause problems for boot code that assumes a particular segment. Once the sector has been written into memory, the BIOS branches to the first byte at offset 00h of the sector in memory, and the processor starts to execute the values it finds there as program code. The BIOS passes very little useful information directly to the MBR. In fact, the only important value is the one in DL—the "drive number." It needs to be passed to all later calls to BIOS function INT 13h, so the byte in DL should be saved carefully. The values in all the other registers, and in most of memory, are undefined. The BIOS will only boot an MBR from a device if that device is in the "boot sequence" stored in CMOS and if the MBR on the device is formatted correctly.




The first few bytes at the beginning of the sector will cause a jump to the start address of the partition analysis program. This is the master boot code. This program looks at the partition table, also contained within the sector that has just been loaded, and determines which (if any) is the current active (or bootable) partition on the hard disk. If an active partition is found, it continues to look at the remaining entries to make sure that there is only one active entry; otherwise, it displays the message “Invalid Partition Table.” If none of the entries is found active or bootable, an error message “Missing operating system” appears. If there is only one active entry, it uses an INT 13h call to fetch the boot sector that is specified by the CHS start address of that entry, and it overwrites the memory area from 0000:7C00 (07C00) with this new sector. It then jumps to the first address at offset 00h of the sector, keeping a pointer to the active partition table entry.


A hex dump of a master boot record, which will form the basis of understanding in this post, is shown in the figure below.



The Master Boot Code

A significant part of the MBR is the boot code. In a standard boot sector, the size of the bootstrap code area is 446 bytes, with the bytes ranging from 0x000 to 0x1BD, as shown in the figure above. A Master Boot Record (MBR) is loaded by the BIOS at physical address 0x7c00, with the DL register set to the "drive number" that the MBR was loaded from. The BIOS then jumps to the very beginning of the loaded MBR (0x7c00), because that part of the MBR contains the "bootstrap" executable code. The master boot code typically performs the following activities.


  • Relocates itself away from the 0x7c00 physical address (using a memory copy and usually a far jump).
  • Determines which partition (or hard disk) to boot from (either by scanning for the active partition or by presenting the user with a selection of installed operating systems to choose from).
  • Uses BIOS INT 13h commands to rewrite the MBR if the partition table entries were modified.
  • Uses BIOS INT 13h commands to load the Volume Boot Record (VBR, the "boot sector" of the bootloader) from the beginning of the selected partition to physical address 0x7c00.
  • Sets DS:SI to point to the selected partition table entry.
  • Jumps to 0x7c00 (with CS set to 0 and DL set to the "drive number").


If the master boot code cannot complete these functions, the system displays one of the following error messages, as the case may be.

  • Invalid partition table—The MBR partition table is corrupted, contains invalid entries, or has overlapping partitions.
  • Error loading operating system—The master boot code was able to locate the active partition, but could not load the partition's boot sector code. This can be caused by corruption of the active partition's Volume Boot Record (VBR), incorrect or unsupported disk geometry reported by the BIOS, or an incomplete OS installation.
  • Missing operating system—The master boot code ran but could not find a valid boot sector to hand over control. This can be caused by any of the following: No active partition is marked in the partition table; the active partition's boot sector is missing or corrupted; the disk has no bootable partitions.


Windows NT, 2000, XP, Vista, and later keep a list of all mounted disks, each identified by a unique disk signature, together with the assigned drive letter, in the following registry key.


HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices


By referring to these entries, the operating system is able to remember the drive letters assigned to each disk between boots. The disk signature (disk ID) 0x42AE745C seen in the above figure, also known as the NT Serial Number, is the four bytes that the operating system records at offset 0x1B8 in the master boot record. This value is written when Windows initializes a new disk; if it is missing (for example, on a raw disk), Windows generates one. Windows uses this disk signature to keep track of volumes and drive letter assignments. By matching the MBR disk signature with the values in the SYSTEM\MountedDevices registry key, you can trace which physical device corresponds to which drive letter in Windows. This is very useful in digital forensics for volume identification and drive mapping.
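As an added example (not code from the original post), the following Python decodes the 12-byte values that MountedDevices stores for volumes on basic MBR disks, a 4-byte disk signature followed by an 8-byte partition offset in bytes, and matches them against the MBR disk signature 0x42AE745C from the figure. The registry values, the 2048-sector start of the first partition, and the second disk's signature are constructed for the example.

```python
import struct

DOS_PREFIX = "\\DosDevices\\"

def decode_mounted_device(value):
    """Decode a MountedDevices value for a volume on a basic (MBR) disk: a 4-byte disk
    signature (the value written at MBR offset 0x1B8) followed by an 8-byte byte offset of
    the partition from the start of the disk, both little-endian. Other layouts return None."""
    if len(value) != 12:
        return None                      # GPT volumes and device-path values are longer
    signature, offset = struct.unpack("<IQ", value)
    return {"signature": signature, "offset_bytes": offset,
            "start_lba": offset // 512}  # assumes 512-byte sectors, as in the post

def map_drive_letters(mounted, mbr_signature, partitions):
    """Return {drive letter: partition label} for entries whose signature matches the MBR
    being examined; partitions maps a partition's start LBA to a label from its table entry."""
    letters = {}
    for name, data in mounted.items():
        d = decode_mounted_device(data)
        if d and d["signature"] == mbr_signature and name.startswith(DOS_PREFIX):
            letters[name[len(DOS_PREFIX):]] = partitions.get(d["start_lba"], "no matching entry")
    return letters

# Constructed registry values: the signature 0x42AE745C and the LBA 0x1D0D9045 are from the
# post; the 2048-sector start of partition 1 and the other disk's signature are assumptions.
MOUNTED = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x42AE745C, 2048 * 512),
    r"\DosDevices\E:": struct.pack("<IQ", 0x42AE745C, 0x1D0D9045 * 512),
    r"\DosDevices\F:": struct.pack("<IQ", 0x11223344, 2048 * 512),   # a different disk
}
PARTITIONS = {2048: "partition 1 (type 0x07, NTFS)", 0x1D0D9045: "partition 3 (type 0x0C, FAT32)"}
```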


While the partition table is the piece of the master boot record that you are going to be most interested in, the boot loader is a critical component of the master boot record. The boot code is operating system-specific, which means that every operating system has its own code to load the operating system. In the case of Linux, you may find several different boot loaders, each with its own boot code. The boot code has to locate the actual operating system to be loaded from disk and read it into memory, transferring control over to it, once the system is loaded.


The Partition Table

The partition table is a 64-byte data structure that carries details about the various types and locations of partitions on a hard drive. The standard layout of this table is independent of the operating system. The partition table always starts at the offset address 0x1BE in the master boot record sector. There can only be four entries in the master boot record partition table, and each entry is 16 bytes long. Each partition will have a Volume Boot Record (VBR) at sector zero of the partition. The system uses the VBR to boot the operating system in the active partition. It is an operating system-specific artifact and is created when the partition is formatted. It will also appear on unpartitioned devices, such as removable media, for example, a USB or floppy disk. The figure below shows the use of each of the bytes in the partition table entry.



The first byte is the boot flag, which indicates whether or not the partition is active, the value being either 0x80 for active/bootable or 0x00 for not bootable. It is useful to note that it is this boot flag value that is used to identify the device in the INT 13h call to fetch the boot sector of the active partition.


The next three bytes, starting from relative offset 01h, hold the CHS start address of the partition. All eight bits of the first byte, offset 01h, are used to represent the head value, giving a maximum of 256 heads (0 to 255). The two most significant bits of the second byte, relative offset 02h, together with the 8 bits of the third byte, relative offset 03h, form the 10-bit value for cylinders, giving a maximum of 1024 cylinders (0 to 1023). Finally, the remaining 6 bits of the second byte, relative offset 02h, form the sector value with a maximum of 63 sectors (1 to 63). Please refer to the above image for the decoding and calculation of these starting CHS values.


The next byte, at offset 04h, is the partition type; a DOS partition table entry allocates a single byte for it. No authoritative standards body defines DOS partition types, although a community effort maintains a list of known types (linked here). In the partition table seen in the above figure, the value for the partition under analysis, partition #3 (0x0C), indicates a FAT32 partition, and the values for the first two partitions (0x07 and 0x0C) indicate NTFS and FAT32 partitions, respectively. A value of 0x05 (CHS addressing), 0x0F (LBA addressing), or 0x85 (used by Linux systems) marks an extended partition (discussed below), in which case the extended boot records of that partition must also be examined. During a forensic examination, DOS or GPT partition types may indicate the contents, but beware: users can set any partition type they want and then create a completely different filesystem. Tools use the partition type as an indicator, but there is no guarantee it is correct. An incorrect and misleading partition type could be an attempt to hide or obfuscate information (similar to changing a file's extension to disguise its type).


At relative offset 05h, another three bytes are used to specify the CHS address of the last sector of the partition, in exactly the same format as that used for the start address. From the above figure, the CHS address of the last sector of the partition is decoded as (H = 0xFE = 254), (S = 0xFF = 255), and (C = 0xFF = 255). 


At relative offset 08h, four bytes represent the start sector in LBA form, that is, as a single number relative to the start of the disk, with the first sector on the disk being LBA 0. One word of caution is appropriate here. In calculating this value, it is essential to remember that it is held in little-endian format, which means that to obtain the real value of a multi-byte number you need to reverse the order of the raw bytes. Doing so here gives 0x1D0D9045, which translates to LBA sector 487,428,165.


Finally, the last four bytes, commencing at relative offset 0ch (relative offset 12d), represent the number of sectors in the partition, again, held in little-endian format. Reordering these bytes gives us 0x000E37BA, which translates to 931,770 sectors.  With a sector size of 512 bytes, this results in a partition size of (931770 * 512) = 477,066,240 bytes. Converting to megabytes, we obtain [477,066,240/(1024 * 1024)] = 454.97 MB.


Extended Partition

To overcome the limitation of having only four partitions on the disk, one of the entries in the master boot record partition table can instead be made an extended partition entry by means of the partition type values 0x05 or 0x0F. This primary extended partition, which takes up a primary partition slot, is essentially no more than a container for additional partitions called secondary or logical partitions. The first sector of the primary extended partition holds another partition table, with the rest of that sector usually set to zeros.


This primary extended partition does not hold filesystems directly. Instead, it contains a linked list of Extended Boot Records (EBR), each describing one logical partition. This continues until the final logical partition defines only itself. The logical partitions are the actual usable partitions inside the primary extended partition. The first EBR sits at the start of the primary extended partition and describes the first logical partition. If more logical partitions exist, the first EBR also points to the next EBR, forming a chain of EBRs.




This extended partition table starts at the same offset within the sector as the master boot record partition table, that is, at 0x1BE, and although it is four 16-byte partition entries in length and terminated as before by 0x55AA, it is only permitted to hold a maximum of two partition entries: the first describes the logical partition, and the second, if present, points to the next EBR in the chain.
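The following Python is added here as an example rather than taken from the post. It decodes the 16-byte partition entries per the layout described above (boot flag, packed CHS fields, little-endian LBA start and sector count, 0x55AA check) and then walks the EBR chain of an extended partition, stopping on a looping chain. The disk image is a constructed dictionary of LBA to sector holding only the sectors that get read; partition #3's values and the disk signature come from the post's figure, while the other entries, EXT, and the two EBRs are assumptions.

```python
import struct
SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}   # extended-container type values named in the post

def decode_chs(b):
    # head = byte 0; sector = low 6 bits of byte 1; cylinder = high 2 bits of byte 1 (bits 9-8) + byte 2
    return (((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F)       # (cylinder, head, sector)

def parse_table(sector):
    """Non-empty entries of a 512-byte MBR/EBR sector, plus the 4-byte disk signature at 0x1B8."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature")
    entries = []
    for i in range(4):
        e = sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        lba, count = struct.unpack("<II", e[8:16])                # little-endian DWORDs at 0x08, 0x0C
        if e[4]:                                                   # type 0x00 = unused slot
            entries.append(dict(slot=i, active=e[0] == 0x80, type=e[4],
                                chs_start=decode_chs(e[1:4]), chs_end=decode_chs(e[5:8]),
                                lba=lba, sectors=count, size_mb=count * SECTOR / 2**20))
    return entries, struct.unpack("<I", sector[0x1B8:0x1BC])[0]

def logical_partitions(read, ext_start):
    """Walk the EBR chain: in each EBR, entry 0 is the logical volume (LBA relative to that
    EBR) and entry 1, if present, links to the next EBR (LBA relative to ext_start)."""
    found, ebr, seen = [], ext_start, set()
    while ebr is not None and ebr not in seen:                     # None = end of chain; seen = loop guard
        seen.add(ebr)
        entries, _ = parse_table(read(ebr))
        found += [(ebr + e["lba"], e["sectors"], e["type"]) for e in entries if e["type"] not in EXTENDED]
        links = [e for e in entries if e["type"] in EXTENDED]
        ebr = ext_start + links[0]["lba"] if links else None
    return found

# Constructed sample image as a dict of LBA -> sector; only the sectors the parser reads exist
def entry(flag, ptype, lba, count, chs_start=b"\x01\x01\x00", chs_end=b"\xFE\xFF\xFF"):
    return bytes([flag]) + chs_start + bytes([ptype]) + chs_end + struct.pack("<II", lba, count)
def table_sector(entries, signature=0):
    s = bytearray(SECTOR)
    s[0x1B8:0x1BC], s[510:512] = struct.pack("<I", signature), b"\x55\xAA"
    s[0x1BE:0x1BE + 64] = b"".join(entries).ljust(64, b"\0")
    return bytes(s)

EXT = 1_000_000                                                    # hypothetical extended-partition start
SAMPLE = {0: table_sector([entry(0x80, 0x07, 2048, 204800), entry(0, 0x0C, 206848, 204800),
                           entry(0, 0x0C, 0x1D0D9045, 0x000E37BA), entry(0, 0x0F, EXT, 20000)], 0x42AE745C),
          EXT: table_sector([entry(0, 0x83, 2048, 7952), entry(0, 0x05, 10000, 10000)]),
          EXT + 10000: table_sector([entry(0, 0x0B, 2048, 7952)])}
def read_sector(lba):
    return SAMPLE.get(lba, bytes(SECTOR))                          # unreferenced sectors read as zeros
```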


Putting these partitioning concepts together, we obtain a layout of an MBR-partitioned disk as shown in the figure below.



It is possible, using specialist software, to mark a partition as “hidden” such that many operating systems will no longer access it. More generally, for many partition types the hidden variant is obtained by performing an OR operation on the partition type byte with the value 0x10. This is certainly the case for partition type bytes 0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E, 0x0F, and 0x83, which give the hidden equivalents 0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x1F, and 0x93. Data could also be hidden in the unused sectors at the beginning of each partition, between the partition table sector and the boot record sector. These are also very good places to look for hidden virus code.


Limitations of the DOS-Style (MBR) Partitioning Scheme

  • MBR uses 32-bit values to store the number of sectors. With 512-byte sectors, the maximum addressable disk size is (2^32 * 512 bytes) = 2 TB. Disks larger than 2 TB cannot be fully utilized under the MBR partitioning scheme.
  • MBR supports a maximum of four partitions, one of which can be designated as an extended partition that can contain multiple logical partitions. This adds complexity and inefficiency compared to modern schemes.
  • The partitioning information and bootloader code are stored in the first 512 bytes of the disk. If this sector becomes corrupted (for example, by malware, accidental overwrite, or disk errors), the entire disk can become unbootable and its partitions unreadable.
  • It is tied to the legacy BIOS boot process. It does not support UEFI natively, which is now the standard for modern systems.



