Livia Nguyen
CFR105
June 9, 2017
PARTITION ANALYSIS CONSIDERATION 2
Abstract
This document discusses analysis considerations for BSD, Sun Solaris, and GPT partition systems and what needs to be examined during an investigation. It compares the different types of system and how each of them works, describes some tools and commands that a forensic examiner can use to verify or determine certain information about the system, and gives some information on each of the systems and what the suspect can hide within
A BSD system contains many structures that need to be looked at closely to confirm that the correct information is being found during the analysis process. FreeBSD allows access to all BSD partitions and all slices, therefore the forensic examiner needs to cover the entire physical disk during the investigation. The examiner must know that each letter in the disk label identifies a different type of partition. The a partition is usually the root partition. The b partition is the system's swap space, and the c partition is the entire slice, located in the DOS partition. Finally, there is also the d partition, which can be anything, so it will take the examiner a little more time to figure out exactly what it is.
There are also NetBSD and OpenBSD, which give the user access to the entries in the BSD disk label structure, unlike FreeBSD, which gives the user full access. NetBSD and OpenBSD are a little more complicated than FreeBSD, as the structure can describe partitions located anywhere on the disk, not just within the DOS partition as in FreeBSD. In NetBSD and OpenBSD, the DOS partition is ignored once it has been located and the start of the partition loaded. In practice, it can be used to compare the DOS partition table with the BSD disk label to see whether there is any overlap, which would mean that something is there or missing. If the system has both Windows and OpenBSD on it, the user will be able to access a FAT partition from OpenBSD, and it can be found in both the DOS partition table and the BSD disk label. To access an NTFS DOS partition, the examiner needs an additional entry in the disk label. When the analysis is performed on NetBSD or OpenBSD, the examiner should focus on all the
The forensic examiner must take into consideration that the disk label partition table can be modified by the owner with a hex editor or by changing the entries of the partition table. It is important to understand exactly why the partition exists, what its function is, and what it might be used for before investigating that partition further. On a FreeBSD system, the forensic examiner is required to analyze each DOS partition and each BSD partition in the disk label in order to complete the analysis of the whole system. A BSD system can contain an encrypted boot pool that will automatically create a boot directory on the disk. During the investigation, the examiner must know whether there is any encryption on the BSD system, as that will determine how to move forward with the analysis.
The disk label structure has a type field for each of the BSD partitions on the system, but, unlike Microsoft Windows, the type is not enforced. A new device is created for every disk label entry on the BSD system, which allows the user to mount any partition type. The forensic examiner must know that, because of this, the type field cannot be relied on to identify the file system: the file system might be FAT while the entry shows an old UNIX format. The disk label structure is between 276 and 404 bytes long, and the rest of the 512-byte sector can be used to hide data, which is why it is important for forensic examiners to also check the sector for hidden evidence. During the examination, if the DOS partition table is corrupted and the system was not able to identify the BSD-type partition, a search for the signature value 0x82564557 can be performed as an alternative way to figure out what
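The checks described in the BSD section (both magic values, the 276-byte or 404-byte label length, partitions named a through h with their type field, overlapping entries, and non-zero bytes left in the rest of the 512-byte sector) can be scripted against a captured disk label sector. The following is an added example written for this page, not code from the paper or from any BSD project; it follows the FreeBSD disk label layout (148-byte header, 16-byte entries, little-endian), uses a subset of the FreeBSD p_fstype codes, and builds its own constructed sample label rather than reading a real disk.

```python
"""Parse a 512-byte BSD disk label sector the way an examiner would check it.

Layout follows the FreeBSD disk label: a 148-byte header followed by
16-byte partition entries (8 entries give the 276-byte label, 16 entries
the 404-byte one). Values are little-endian, as written by an IA32 system.
"""
import struct

BSD_MAGIC = 0x82564557   # d_magic (offset 0) and d_magic2 (offset 132)
SECTOR = 512
HDR_LEN = 148            # fixed header, up to the partition table
PART_LEN = 16            # one entry: size, offset, fsize, fstype, frag, cpg

# Subset of p_fstype values from FreeBSD sys/disklabel.h; 0 means unused.
FSTYPE = {0: "unused", 1: "swap", 7: "4.2BSD FFS", 8: "MS-DOS FAT",
          9: "4.4BSD LFS", 10: "other", 11: "HPFS", 12: "ISO9660",
          13: "boot", 14: "vinum", 17: "ext2fs", 18: "NTFS"}


def dkcksum(sector, npartitions):
    """XOR of every 16-bit word from byte 0 to the end of the partition table.
    d_checksum is chosen so a consistent label XORs to zero (kernel dkcksum())."""
    end = HDR_LEN + PART_LEN * npartitions
    acc = 0
    for word in struct.unpack_from("<%dH" % (end // 2), sector, 0):
        acc ^= word
    return acc


def parse_disklabel(sector):
    """Return the label's partitions plus the checks an examiner wants:
    both magic values, the checksum, and non-zero bytes in the slack after
    the label, which is where the text notes data can be hidden."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    magic, = struct.unpack_from("<I", sector, 0)
    magic2, = struct.unpack_from("<I", sector, 132)
    if magic != BSD_MAGIC or magic2 != BSD_MAGIC:
        raise ValueError("disk label magic mismatch: 0x%08x / 0x%08x" % (magic, magic2))
    npart, = struct.unpack_from("<H", sector, 138)
    if npart > (SECTOR - HDR_LEN) // PART_LEN:
        raise ValueError("d_npartitions=%d does not fit in one sector" % npart)
    parts = []
    for i in range(npart):
        size, offset, _fsize, fstype, _frag, _cpg = struct.unpack_from(
            "<IIIBBH", sector, HDR_LEN + PART_LEN * i)
        if size == 0:
            continue
        parts.append({"name": chr(ord("a") + i), "start": offset, "size": size,
                      "fstype": fstype,
                      "fstype_name": FSTYPE.get(fstype, "unknown(%d)" % fstype)})
    label_end = HDR_LEN + PART_LEN * npart
    slack = [label_end + i for i, b in enumerate(sector[label_end:SECTOR]) if b]
    return {"npartitions": npart, "label_bytes": label_end, "partitions": parts,
            "checksum_ok": dkcksum(sector, npart) == 0,
            "slack_nonzero_offsets": slack}


def overlapping(parts):
    """Pairs of entries whose sector ranges intersect. 'c' covers the whole
    slice by convention and is skipped; any other overlap needs a closer look."""
    ranges = [(p["name"], p["start"], p["start"] + p["size"])
              for p in parts if p["name"] != "c"]
    hits = []
    for i, (n1, s1, e1) in enumerate(ranges):
        for n2, s2, e2 in ranges[i + 1:]:
            if s1 < e2 and s2 < e1:
                hits.append((n1, n2))
    return hits


def build_sample_label():
    """Constructed label for a 4 GiB slice starting at sector 63 (sample data
    made up for this example, not taken from any real disk)."""
    sec = bytearray(SECTOR)
    struct.pack_into("<I", sec, 0, BSD_MAGIC)
    struct.pack_into("<I", sec, 132, BSD_MAGIC)
    struct.pack_into("<H", sec, 138, 8)           # eight entries, a through h
    struct.pack_into("<I", sec, 60, 8388608)      # d_secperunit
    entries = {0: (1048576, 63, 7),              # a: root, FFS
               1: (524288, 1048639, 1),          # b: swap
               2: (8388608, 63, 0),              # c: whole slice, type unused
               3: (6815744, 1572927, 8)}         # d: declared MS-DOS FAT
    for idx, (size, off, fstype) in entries.items():
        struct.pack_into("<IIIBBH", sec, HDR_LEN + PART_LEN * idx,
                         size, off, 2048, fstype, 8, 16)
    struct.pack_into("<H", sec, 136, dkcksum(bytes(sec), 8))   # d_checksum
    sec[300:311] = b"stash-note!"   # parked in the slack after the 276-byte label
    return bytes(sec)


if __name__ == "__main__":
    label = parse_disklabel(build_sample_label())
    for p in label["partitions"]:
        print("%s  start=%-8d size=%-8d %s" % (p["name"], p["start"], p["size"], p["fstype_name"]))
    print("checksum ok:", label["checksum_ok"], " overlaps:", overlapping(label["partitions"]))
    print("non-zero slack bytes after label:", len(label["slack_nonzero_offsets"]))
```

On a real image the sector would come from the second sector of the slice (`dd` or a forensic tool's partition export); the checksum and magic checks catch a corrupted or hand-edited label, and the slack scan reports where in the sector bytes remain beyond the label's declared length. Note that the declared fstype for `d` is taken at face value here, which is exactly why the text says the type field cannot be trusted without looking at the partition's actual contents.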
The Solaris operating system is primarily used on large servers and desktop systems. It uses two different partition schemes, depending on the size of the disk and the Solaris version in use. Solaris 9 supports file systems of 1 terabyte or larger. Solaris uses EFI partition tables with a 64-bit address field. The disk label does not have a specific file system type field for each of the partitions, unlike BSD and GPT. The analysis considerations for Solaris are similar to those for BSD and GPT. Solaris also has some unused values in the disk label, which could be where a suspect is hiding data. Always analyze the disk and look for unused space in the partition where data could be hidden. Even if the disk label structure states the location of a partition, it could be a false location. As with a BSD system, if the disk label cannot be determined due to corruption, a search for the signature value 0x600DDEE
The GPT system is Intel-based, using IA64, unlike the BSD system, which uses IA32. It uses the Extensible Firmware Interface (EFI), but it can also be used by non-Intel systems. GPT disks are rare, and most forensic examination tools do not support them. On a Windows system it will be hard to get anything done in the analysis. However, a forensic examiner can use a Linux-based OS to break the GPT disk up into its partitions, which will allow them to use the analysis tools for the different file systems. The Sleuth Kit, a set of command-line tools that allows the forensic examiner to analyze disk images and recover files, also supports GPT partitions. The examiner can use The Sleuth Kit to break up the GPT disk and examine each partition further. GPT disks also have a way to recover the original table, because a backup copy is always kept in case the table is corrupted. As with the other systems, unused portions of a sector can be used to hide data; in this case, hidden data can be found in sector 0 and sector 1 or in any unused entries within the partition table. All three systems can contain hidden data within their sectors, which shows that it is important to pay more attention to each of
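The GPT points above (the backup copy of the table, and the unused space in sector 1 and in empty partition entries where data can be hidden) translate into a short set of checks: verify the header CRC, compare the primary header at LBA 1 with the backup in the last LBA, scan the reserved tail of the header sector, and look for "unused" entries that are not actually all zero. The code below is an added example for this page, not from the paper or from The Sleuth Kit; it follows the UEFI GPT header and entry layout and builds a constructed 64-sector image with made-up GUIDs, including bytes parked in places the header CRC does not cover.

```python
"""Examiner checks for a GPT disk image: header CRC32, primary versus backup
header agreement, reserved bytes in the header sector, and 'unused' partition
entries that are not actually empty. Layout follows the UEFI GPT header
(92-byte header at LBA 1, 128-byte entries, backup header in the last LBA).
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
# sig, revision, header size, header CRC, reserved, this LBA, backup LBA,
# first usable, last usable, disk GUID, entry array LBA, entries, entry size, array CRC
HDR_FMT = "<8sIIII QQQQ 16s QIII"      # 92 bytes
ENTRY_FMT = "<16s16sQQQ72s"            # type GUID, unique GUID, first, last, attrs, name


def parse_gpt_header(image, lba):
    """Parse the header stored at `lba`, verify its CRC and that it names its
    own LBA, and count non-zero bytes in the reserved tail of the sector."""
    sec = image[lba * SECTOR:(lba + 1) * SECTOR]
    (sig, _rev, hdr_size, hdr_crc, _res, cur_lba, bak_lba, first_use, last_use,
     guid, arr_lba, n_entries, entry_size, arr_crc) = struct.unpack_from(HDR_FMT, sec, 0)
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA %d" % lba)
    zeroed = bytearray(sec[:hdr_size])
    zeroed[16:20] = b"\0\0\0\0"          # the CRC is computed with its own field zeroed
    arr = image[arr_lba * SECTOR:arr_lba * SECTOR + n_entries * entry_size]
    return {"lba": lba, "backup_lba": bak_lba, "self_lba_ok": cur_lba == lba,
            "header_crc_ok": zlib.crc32(bytes(zeroed)) == hdr_crc,
            "first_usable": first_use, "last_usable": last_use,
            "disk_guid": str(uuid.UUID(bytes_le=guid)),
            "entries_lba": arr_lba, "n_entries": n_entries, "entry_size": entry_size,
            "array_crc_ok": zlib.crc32(arr) == arr_crc,
            # bytes after the header up to the sector end are reserved and should be zero
            "reserved_nonzero": sum(1 for b in sec[hdr_size:] if b)}


def parse_entries(image, hdr):
    """Used entries, plus indexes of slots with a zero type GUID (unused by
    definition) that still hold non-zero bytes; a partitioning tool leaves them empty."""
    base = hdr["entries_lba"] * SECTOR
    used, suspicious = [], []
    for i in range(hdr["n_entries"]):
        raw = image[base + i * hdr["entry_size"]:base + (i + 1) * hdr["entry_size"]]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack_from(ENTRY_FMT, raw, 0)
        if type_guid == bytes(16):
            if any(raw):
                suspicious.append(i)
            continue
        used.append({"index": i, "type_guid": str(uuid.UUID(bytes_le=type_guid)),
                     "first_lba": first, "last_lba": last,
                     "name": name.decode("utf-16-le").rstrip("\0")})
    return used, suspicious


def compare_headers(primary, backup):
    """Fields on which the two headers disagree; an intact disk yields none,
    so any hit means one copy was altered or is stale."""
    diffs = [k for k in ("disk_guid", "first_usable", "last_usable", "n_entries", "entry_size")
             if primary[k] != backup[k]]
    if primary["backup_lba"] != backup["lba"] or backup["backup_lba"] != primary["lba"]:
        diffs.append("cross_reference")
    return diffs


def build_sample_disk(nsectors=64):
    """Constructed 64-sector GPT image (made up for this example): one
    basic-data partition, with bytes parked where the header CRC does not reach."""
    img = bytearray(nsectors * SECTOR)
    # protective MBR: a single type-0xEE entry spanning the disk, then the 55 AA signature
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, nsectors - 1)
    img[510:512] = b"\x55\xaa"
    n_entries, entry_size, last_usable = 8, 128, nsectors - 4   # 1024-byte array = 2 sectors
    arr = bytearray(n_entries * entry_size)
    struct.pack_into(ENTRY_FMT, arr, 0,
                     uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7").bytes_le,  # basic data
                     uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,  # made-up
                     4, last_usable, 0, "evidence".encode("utf-16-le").ljust(72, b"\0"))
    arr[5 * entry_size + 64:5 * entry_size + 75] = b"stash-note!"   # zero type GUID, non-empty slot
    arr_crc = zlib.crc32(bytes(arr))
    disk_guid = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le   # made-up

    def header(cur, bak, arr_lba):
        h = bytearray(SECTOR)
        struct.pack_into(HDR_FMT, h, 0, GPT_SIG, 0x00010000, 92, 0, 0, cur, bak, 4, last_usable,
                         disk_guid, arr_lba, n_entries, entry_size, arr_crc)
        struct.pack_into("<I", h, 16, zlib.crc32(bytes(h[:92])))
        return h

    img[SECTOR:2 * SECTOR] = header(1, nsectors - 1, 2)                      # primary header
    img[2 * SECTOR:4 * SECTOR] = arr                                         # primary array
    img[(nsectors - 3) * SECTOR:(nsectors - 1) * SECTOR] = arr               # backup array
    img[(nsectors - 1) * SECTOR:] = header(nsectors - 1, 1, nsectors - 3)    # backup header
    img[SECTOR + 200:SECTOR + 211] = b"stash-note!"   # header-sector slack, outside the CRC
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_disk()
    primary, backup = parse_gpt_header(disk, 1), parse_gpt_header(disk, 63)
    used, suspicious = parse_entries(disk, primary)
    print("header CRC ok:", primary["header_crc_ok"], " array CRC ok:", primary["array_crc_ok"])
    print("primary/backup disagreements:", compare_headers(primary, backup))
    print("reserved non-zero bytes in LBA 1:", primary["reserved_nonzero"])
    print("used entries:", [(e["index"], e["name"]) for e in used], " suspicious unused:", suspicious)
```

Both CRCs verify on the sample, which is the point: the header CRC covers only the 92-byte header, so bytes written into the rest of sector 1 never invalidate it, and an unused entry that has been filled in (with its array CRC recomputed) passes the integrity check too. Only the reserved-byte count and the unused-entry scan surface those two stashes, while the backup header comparison is what an examiner falls back on when the primary copy is corrupt or has been altered.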