Running head: PARTITION ANALYSIS CONSIDERATION 1

Assignment 5: Partition Analysis Consideration

Livia Nguyen

CFR105

Professor: Frank Griffits

June 9, 2017

Abstract

This document discusses analysis considerations for BSD, Sun Solaris, and GPT partition systems and what needs to be looked at during an investigation. It compares the three systems and how each of them works, and it describes tools and commands that the forensic examiner can use to verify or determine information about the system. It also describes where, within each system's partition structures and sectors, a suspect can hide data.



BSD, Solaris, and GPT Partition Analysis Consideration

The BSD system contains several structures that must be examined closely to be sure that the correct information is found during the analysis process. FreeBSD gives access to all DOS partitions (slices) and all BSD partitions, so the forensic examiner needs to cover the entire physical disk during the investigation. The examiner must also know that each letter in the disk label identifies a partition with a conventional role. The a partition is usually the root partition, the b partition is the swap space, and the c partition is the entire slice, that is, the DOS partition that holds the label. The d partition has no fixed role and can hold anything, so it takes the examiner a little more time to determine exactly what it is.

NetBSD and OpenBSD, by contrast, give the user access only to the entries in the BSD disk label structure, unlike FreeBSD, which gives access to the DOS partitions as well. NetBSD and OpenBSD are a little more complicated than FreeBSD because their disk label can describe partitions located anywhere on the disk, not just inside the DOS partition that holds the label. In NetBSD and OpenBSD the DOS partition table is ignored once it has been used to locate the disk label. In practice, the examiner should still compare the DOS partition table with the BSD disk label, because any overlap or mismatch between the two means that something is there or missing. If a system has both Windows and OpenBSD on it, the user can access the FAT partition from OpenBSD, and that partition appears in both the DOS partition table and the BSD disk label. To access an NTFS DOS partition from OpenBSD, an additional entry has to be added to the disk label. When analyzing NetBSD or OpenBSD, the examiner should therefore focus on all the partitions listed in the disk label.



The forensic examiner must take into consideration that the disk label partition table can be modified by the owner with a hex editor, or by changing the entries of the partition table with the system's own tools. It is important to understand exactly what a partition is, what its function is, and what it might be used for before investigating it further. On a FreeBSD system the examiner is required to analyze each DOS partition and each BSD partition in the disk label in order to analyze the whole system. A FreeBSD system can also have an encrypted root pool; in that case the installer automatically creates a separate, unencrypted boot pool that holds the boot directory. During the investigation the examiner must establish whether any encryption is in use on the BSD system, because that determines how to move forward with the analysis.

The disk label structure has a type field for each BSD partition on the system, but the type is not enforced the way it is on Microsoft Windows. The BSD kernel creates a device for every disk label entry, which allows the user to mount any partition regardless of the type recorded for it. The examiner therefore cannot rely on the type field to identify the file system: a partition might contain FAT while the label says it is an old UNIX format, so the contents of the partition must be checked directly. The disk label structure occupies between 276 and 404 bytes, and the rest of the 512-byte sector can be used to hide data, which is why the examiner should also check the remainder of that sector for hidden evidence. If the DOS partition table is corrupt and the BSD-type partition cannot be identified, a search for the signature value 0x82564557 can be performed as an alternative way to locate the disk labels on the disk.
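As an added example that is not part of this paper or of Carrier's text, the following Python script performs the checks described above on a small disk image: it searches every sector for the 0x82564557 signature, parses the disk label it finds (a 148-byte header followed by 16-byte partition entries, little-endian as written by an i386 system), verifies the label's XOR checksum so that a label edited by hand with a hex editor stands out, and reports any non-zero bytes in the sector beyond the end of the structure. The image is constructed inside the script (a zeroed DOS partition table and planted slack data); the field offsets and fstype names follow the BSD disklabel.h layout, and the sample values are assumptions made for the demonstration.

```python
import struct

SECTOR = 512
DISKMAGIC = 0x82564557     # d_magic / d_magic2 of a BSD disk label
LABEL_HDR = 148            # fixed header bytes before the partition array
PART_ENTRY = 16            # size of one partition entry
MAXPARTITIONS = 16         # entries a..p; the structure is 276 bytes for 8, 404 for 16

# p_fstype codes from <sys/disklabel.h>; the kernel does not enforce them
FSTYPES = {0: "unused", 1: "swap", 7: "4.2BSD (FFS)", 8: "MSDOS (FAT)",
           12: "ISO9660", 17: "ext2fs", 18: "NTFS"}


def label_checksum(data, nparts):
    """XOR of every 16-bit word from byte 0 to the end of the partition array,
    with the d_checksum word (bytes 136-137) taken as zero.  Mirrors dkcksum()."""
    end = LABEL_HDR + PART_ENTRY * nparts
    cksum = 0
    for i, word in enumerate(struct.unpack_from("<%dH" % (end // 2), data, 0)):
        if i != 136 // 2:
            cksum ^= word
    return cksum


def parse_disklabel(sector):
    """Parse one 512-byte sector holding an i386 (little-endian) BSD disk label."""
    magic, = struct.unpack_from("<I", sector, 0)
    magic2, stored_cksum, nparts = struct.unpack_from("<IHH", sector, 132)
    if magic != DISKMAGIC or magic2 != DISKMAGIC:
        raise ValueError("no BSD disk label magic in this sector")
    if not 0 < nparts <= MAXPARTITIONS:
        raise ValueError("implausible d_npartitions %d" % nparts)
    parts = []
    for i in range(nparts):
        size, off, _fsize, fstype, _frag, _cpg = struct.unpack_from(
            "<IIIBBH", sector, LABEL_HDR + PART_ENTRY * i)
        parts.append({"name": chr(ord("a") + i), "offset": off, "size": size,
                      "fstype": fstype, "fsname": FSTYPES.get(fstype, "type %d" % fstype)})
    struct_len = LABEL_HDR + PART_ENTRY * nparts
    slack = bytes(sector[struct_len:SECTOR])
    return {
        "npartitions": nparts,
        "partitions": parts,
        # a hand-edited label normally fails this unless the editor fixed the checksum
        "checksum_ok": label_checksum(sector, nparts) == stored_cksum,
        "struct_len": struct_len,
        # anything non-zero past the structure is not label data and deserves a look
        "slack_nonzero": any(slack),
        "slack": slack,
    }


def find_disklabels(image):
    """Signature search: LBAs of every sector carrying both magic values,
    for when the DOS partition table cannot be used to find the label."""
    magic = struct.pack("<I", DISKMAGIC)
    return [lba for lba in range(len(image) // SECTOR)
            if image[lba * SECTOR:lba * SECTOR + 4] == magic
            and image[lba * SECTOR + 132:lba * SECTOR + 136] == magic]


def build_sample_image():
    """Constructed 64-sector image (not real evidence): sector 0 is zeroed to
    stand in for a corrupted DOS partition table, sector 1 holds a label with
    eight entries (a = root FFS, b = swap, c = whole slice), and 12 bytes are
    planted in the sector slack beyond the 276-byte structure."""
    label = bytearray(SECTOR)
    struct.pack_into("<I", label, 0, DISKMAGIC)
    struct.pack_into("<I", label, 40, SECTOR)          # d_secsize
    struct.pack_into("<I", label, 60, 64)              # d_secperunit
    struct.pack_into("<I", label, 132, DISKMAGIC)
    struct.pack_into("<H", label, 138, 8)              # d_npartitions
    for i, (size, off, fstype) in enumerate([(16, 2, 7), (16, 18, 1), (64, 0, 0)]):
        struct.pack_into("<IIIBBH", label, LABEL_HDR + PART_ENTRY * i,
                         size, off, 1024, fstype, 8, 16)
    struct.pack_into("<H", label, 136, label_checksum(label, 8))
    label[300:312] = b"hidden notes"                   # planted slack data
    image = bytearray(SECTOR * 64)
    image[SECTOR:2 * SECTOR] = label
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for lba in find_disklabels(img):
        info = parse_disklabel(img[lba * SECTOR:(lba + 1) * SECTOR])
        print("label at LBA %d: checksum %s, %d slack bytes, non-zero slack: %s" % (
            lba, "ok" if info["checksum_ok"] else "BAD",
            SECTOR - info["struct_len"], info["slack_nonzero"]))
        for p in info["partitions"]:
            if p["size"]:
                print("  %s: offset %d size %d %s" % (
                    p["name"], p["offset"], p["size"], p["fsname"]))
```

The planted slack bytes do not disturb the checksum, because the checksum only covers the structure itself; that is exactly why the slack has to be inspected separately. Changing a partition offset in place, on the other hand, breaks the checksum unless the person editing the label also recomputed it.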

The Solaris operating system is used primarily on large servers, and also on desktop systems. It uses two different disk label structures, depending on the size of the disk and the Solaris version in use. Solaris 9 added support for file systems of 1 terabyte or larger; for such disks Solaris uses an EFI partition table with 64-bit address fields. Unlike the BSD disk label and GPT, the Solaris disk label does not carry a file system type field for each partition, so the type has to be determined from the partition contents. Otherwise the analysis considerations for Solaris are similar to those for BSD and GPT. The Solaris disk label also contains unused values, which could be where a suspect hides data. Always analyze the disk and look for unused space in the label and in the partitions, because it may hold hidden data. Even when the disk label states the location of a partition, that location could be false and should be verified against the disk. As with BSD, if the disk label cannot be located because of corruption, a search for the sanity value 0x600DDEEE can be performed to find it.
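Added example, not taken from the paper or from Carrier: a parser for the Solaris x86 disk label (VTOC) that applies the considerations above, namely a sanity-value search when the DOS partition entry is gone, a check of the reserved bytes and unused slots for planted data, and a plausibility check of the partition locations against the size of the enclosing DOS partition. It assumes the 16-slot x86 layout (sanity value at bytes 12-15, 12-byte partition entries from byte 72, reserved words at bytes 32-71, dkl_magic at bytes 508-509) and a constructed image; the 256-sector slice size passed to parse_vtoc is a hypothetical value.

```python
import struct

SECTOR = 512
V_SANITY = 0x600DDEEE          # v_sanity, bytes 12-15 of the x86 Solaris disk label
DKL_MAGIC = 0xDABE             # dkl_magic, bytes 508-509 of the same sector
PART_OFF, PART_LEN, NSLOTS = 72, 12, 16   # v_part[16]: tag u16, flag u16, start u32, size u32
RESERVED = (32, 72)            # v_reserved[10]: 40 bytes the kernel never reads

# p_tag values from <sys/vtoc.h>; a tag names a role, not a file system type
TAGS = {0: "unassigned", 1: "boot", 2: "root", 3: "swap", 4: "usr",
        5: "backup (whole slice)", 6: "stand", 7: "var", 8: "home"}


def parse_vtoc(sector, slice_sectors=None):
    """Parse the 512-byte x86 disk label found in sector 1 of the Solaris DOS
    partition.  slice_sectors, if given, is the size of that DOS partition, so
    entries claiming to extend past it can be flagged as false locations."""
    sanity, version = struct.unpack_from("<II", sector, 12)
    if sanity != V_SANITY:
        raise ValueError("v_sanity is 0x%08X, not 0x600DDEEE" % sanity)
    volume = bytes(sector[20:28]).rstrip(b"\0").decode("ascii", "replace")
    secsz, nparts = struct.unpack_from("<HH", sector, 28)
    magic, = struct.unpack_from("<H", sector, 508)
    parts = []
    for i in range(NSLOTS):
        tag, flag, start, size = struct.unpack_from("<HHII", sector, PART_OFF + PART_LEN * i)
        parts.append({"slot": i, "tag": tag, "tagname": TAGS.get(tag, "tag %d" % tag),
                      "flag": flag, "start": start, "size": size})
    findings = []
    if magic != DKL_MAGIC:
        findings.append("dkl_magic is 0x%04X, expected 0xDABE" % magic)
    if any(sector[RESERVED[0]:RESERVED[1]]):
        findings.append("non-zero bytes in v_reserved (bytes 32-71)")
    for p in parts:
        if p["size"] == 0 and (p["tag"] or p["flag"] or p["start"]):
            findings.append("slot %d has size 0 but non-zero tag/flag/start" % p["slot"])
        if slice_sectors is not None and p["size"] and p["start"] + p["size"] > slice_sectors:
            findings.append("slot %d (%s) ends beyond the Solaris DOS partition"
                            % (p["slot"], p["tagname"]))
    # overlapping slots; tag 5 (backup) legitimately spans the whole slice
    used = sorted((p for p in parts if p["size"] and p["tag"] != 5), key=lambda p: p["start"])
    for a, b in zip(used, used[1:]):
        if a["start"] + a["size"] > b["start"]:
            findings.append("slots %d and %d overlap" % (a["slot"], b["slot"]))
    return {"volume": volume, "version": version, "sector_size": secsz,
            "nparts": nparts, "partitions": parts, "findings": findings}


def find_vtocs(image):
    """Sanity-value search for labels whose DOS partition entry is gone."""
    sig = struct.pack("<I", V_SANITY)
    return [lba for lba in range(len(image) // SECTOR)
            if image[lba * SECTOR + 12:lba * SECTOR + 16] == sig]


def build_sample_image():
    """Constructed 8-sector excerpt of a Solaris DOS partition that is assumed
    to be 256 sectors long: sector 0 zeroed, the label in sector 1.  Slot 7
    claims to end past the slice and 8 bytes are planted in v_reserved."""
    label = bytearray(SECTOR)
    struct.pack_into("<II", label, 12, V_SANITY, 1)
    label[20:28] = b"evidence"
    struct.pack_into("<HH", label, 28, SECTOR, NSLOTS)
    slots = {0: (2, 0x00, 16, 200), 1: (3, 0x01, 216, 40),
             2: (5, 0x00, 0, 256), 7: (8, 0x00, 256, 64)}    # (tag, flag, start, size)
    for i, entry in slots.items():
        struct.pack_into("<HHII", label, PART_OFF + PART_LEN * i, *entry)
    label[40:48] = b"4ce5a1b2"                               # planted in v_reserved
    struct.pack_into("<H", label, 508, DKL_MAGIC)
    image = bytearray(SECTOR * 8)
    image[SECTOR:2 * SECTOR] = label
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for lba in find_vtocs(img):
        info = parse_vtoc(img[lba * SECTOR:(lba + 1) * SECTOR], slice_sectors=256)
        print("label at LBA %d, volume %r" % (lba, info["volume"]))
        for p in info["partitions"]:
            if p["size"]:
                print("  slot %2d %-22s start %5d size %5d" % (
                    p["slot"], p["tagname"], p["start"], p["size"]))
        for f in info["findings"]:
            print("  finding: " + f)
```

Partition starts in the x86 label are relative to the start of the Solaris DOS partition, so the bounds check needs that partition's size from the DOS table; when the DOS table is itself suspect, the same check can be run against the physical disk size instead.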

GPT was introduced with the Extensible Firmware Interface (EFI) on Intel IA64 systems, whereas the DOS partition table and the BSD labels it hosts come from IA32 systems; GPT is now also used on non-Intel systems. GPT disks used to be rare, and many forensic examination tools did not support them, so on a Windows system it could be hard to get anything done in the analysis. However, the examiner can use a Linux-based OS to break the GPT disk into its individual partitions, which allows the analysis tools for each file system to be used on them. The Sleuth Kit, a set of command-line tools that lets the examiner analyze disk images and recover files, also supports GPT partitions; its mmls tool lists the partition layout, and the examiner can use it to break up the GPT disk and examine each partition further. A GPT disk can also recover its original table because it always keeps a backup copy of the partition table, ready to use in case the primary table is corrupted. As with the other systems, unused portions of sectors can be used to hide data; in this case hidden data can be found in sector 0 (the protective MBR) and in sector 1 (the GPT header, which occupies only the first 92 bytes of the sector), or in any unused partition entries in the table. All three systems can hold hidden data within their sectors, which shows that it is important to pay close attention to every sector and every entry that has not been used.
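The following script is an added example, not part of the paper and not the Sleuth Kit's code, showing how the GPT points above can be checked directly on an image: it validates the protective MBR, parses and CRC-checks the primary header, falls back to the backup header at the last sector when the primary is unusable, lists the partition entries, and reports non-zero bytes beyond the 92-byte header in sector 1, non-zero bytes in unused entries, and any difference between the primary and backup partition arrays. The image is constructed inside the script with planted data in the primary copy only; the two type GUIDs are the real EFI System and Microsoft basic data values, while the disk and partition GUIDs are made up for the demonstration.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_LEN = 92                   # bytes covered by the header CRC; the rest of the sector is reserved
MBR_TYPE_GPT = 0xEE            # partition type of the protective MBR entry

ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")    # EFI System Partition
DATA_TYPE = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")   # Microsoft basic data
DISK_GUID, P1_GUID, P2_GUID = (uuid.UUID(int=n) for n in (0x1111, 0x2222, 0x3333))  # constructed


def parse_gpt_header(sector):
    """Parse one 512-byte sector as a GPT header and verify its CRC32."""
    if sector[:8] != GPT_SIG:
        raise ValueError("no EFI PART signature")
    _rev, hdr_size, hdr_crc = struct.unpack_from("<III", sector, 8)
    if not HDR_LEN <= hdr_size <= SECTOR:
        raise ValueError("implausible header size %d" % hdr_size)
    cur, backup, first_usable, last_usable = struct.unpack_from("<QQQQ", sector, 24)
    entries_lba, n_entries, entry_size, entries_crc = struct.unpack_from("<QIII", sector, 72)
    body = bytearray(sector[:hdr_size])
    body[16:20] = b"\0\0\0\0"                  # the CRC is computed with its own field zeroed
    return {"current_lba": cur, "backup_lba": backup, "first_usable": first_usable,
            "last_usable": last_usable, "header_size": hdr_size, "entries_lba": entries_lba,
            "n_entries": n_entries, "entry_size": entry_size, "entries_crc": entries_crc,
            "crc_ok": zlib.crc32(bytes(body)) == hdr_crc}


def _entries_bytes(image, hdr):
    start = hdr["entries_lba"] * SECTOR
    return bytes(image[start:start + hdr["n_entries"] * hdr["entry_size"]])


def parse_entries(image, hdr):
    """Return the in-use entries plus findings about the array (CRC, unused slots)."""
    raw, findings, parts = _entries_bytes(image, hdr), [], []
    if zlib.crc32(raw) != hdr["entries_crc"]:
        findings.append("partition array CRC mismatch")
    for i in range(hdr["n_entries"]):
        e = raw[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        if e[:16] == bytes(16):                # zero type GUID marks an unused entry
            if any(e):
                findings.append("unused entry %d contains non-zero bytes" % i)
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le", "replace").split("\0", 1)[0]
        parts.append({"index": i, "type": str(uuid.UUID(bytes_le=e[:16])),
                      "first_lba": first, "last_lba": last, "name": name})
    return parts, findings


def analyze_gpt(image):
    nsect, findings = len(image) // SECTOR, []
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xAA" or mbr[450] != MBR_TYPE_GPT:
        findings.append("sector 0 is not a protective MBR")
    if any(mbr[:446]):
        findings.append("non-zero bytes in the sector 0 boot code area")
    primary = backup = None
    try:
        primary = parse_gpt_header(image[SECTOR:2 * SECTOR])
    except ValueError as err:
        findings.append("primary header: %s" % err)
    try:
        backup = parse_gpt_header(image[(nsect - 1) * SECTOR:nsect * SECTOR])
    except ValueError as err:
        findings.append("backup header: %s" % err)
    hdr = primary if primary and primary["crc_ok"] else backup
    if hdr is None:
        raise ValueError("no usable GPT header")
    if hdr is backup:
        findings.append("primary header unusable; using backup at LBA %d" % (nsect - 1))
    lba = hdr["current_lba"]
    if any(image[lba * SECTOR + hdr["header_size"]:(lba + 1) * SECTOR]):
        findings.append("non-zero bytes after the %d-byte header in LBA %d" % (hdr["header_size"], lba))
    parts, more = parse_entries(image, hdr)
    findings += more
    if primary and backup and primary["crc_ok"] and backup["crc_ok"]:
        if _entries_bytes(image, primary) != _entries_bytes(image, backup):
            findings.append("primary and backup partition arrays differ")
    return {"header": hdr, "partitions": parts, "findings": findings}


def _entry(type_guid, part_guid, first, last, name):
    e = bytearray(128)
    e[0:16], e[16:32] = type_guid.bytes_le, part_guid.bytes_le
    struct.pack_into("<QQQ", e, 32, first, last, 0)
    enc = name.encode("utf-16-le")
    e[56:56 + len(enc)] = enc
    return bytes(e)


def _header(cur, backup, entries_lba, entries):
    h = bytearray(SECTOR)
    h[0:8] = GPT_SIG
    struct.pack_into("<III", h, 8, 0x00010000, HDR_LEN, 0)
    struct.pack_into("<QQQQ", h, 24, cur, backup, 34, 94)
    h[56:72] = DISK_GUID.bytes_le
    struct.pack_into("<QIII", h, 72, entries_lba, 128, 128, zlib.crc32(entries))
    struct.pack_into("<I", h, 16, zlib.crc32(bytes(h[:HDR_LEN])))
    return h


def build_sample_image():
    """Constructed 128-sector image: protective MBR, primary header at LBA 1,
    entries at LBA 2-33, backup entries at LBA 95-126, backup header at LBA 127.
    The primary copy carries planted data in unused entry 5 (array CRC recomputed,
    as a careful hider would) and in sector 1 beyond byte 92; the backup is clean."""
    clean = (_entry(ESP_TYPE, P1_GUID, 34, 49, "EFI System")
             + _entry(DATA_TYPE, P2_GUID, 50, 94, "Data") + bytes(128 * 126))
    planted = bytearray(clean)
    planted[5 * 128 + 48:5 * 128 + 53] = b"stash"
    img = bytearray(SECTOR * 128)
    img[450] = MBR_TYPE_GPT                      # protective entry: start LBA 1, 127 sectors
    struct.pack_into("<II", img, 454, 1, 127)
    img[510:512] = b"\x55\xAA"
    hdr = _header(1, 127, 2, bytes(planted))
    hdr[200:216] = b"not part of hdr!"           # in sector-1 slack; header CRC unaffected
    img[SECTOR:2 * SECTOR] = hdr
    img[2 * SECTOR:34 * SECTOR] = planted
    img[95 * SECTOR:127 * SECTOR] = clean
    img[127 * SECTOR:128 * SECTOR] = _header(127, 1, 95, clean)
    return bytes(img)


if __name__ == "__main__":
    result = analyze_gpt(build_sample_image())
    for p in result["partitions"]:
        print("entry %d %-12s LBA %d-%d type %s" % (p["index"], p["name"], p["first_lba"], p["last_lba"], p["type"]))
    for f in result["findings"]:
        print("finding: " + f)
```

Because the header CRC covers only its first 92 bytes and the array CRC can be recomputed by whoever planted the data, neither CRC alone reveals the hidden bytes; the slack scan and the comparison against the backup copy at the end of the disk are what expose them.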



References

Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.

Allocating Disk Space. (n.d.). Retrieved June 09, 2017, from https://www.freebsd.org/doc/handbook/bsdinstall-partitioning.html

Open Source Digital Forensics. (n.d.). Retrieved June 09, 2017, from https://www.sleuthkit.org/

GUID Partition Table (GPT). (n.d.). Retrieved June 07, 2017, from http://www.ntfs.com/guid-part-table.htm
