Session 05
Required resources:
HunterXP_100.raw(MD5: 3D74EB17210F40F03B5FC5C1937927D6) (available on Blackboard)Rajewski_GPT2_100.raw(MD5: 172C1D63EE78E293C66F1045C864E1FB) (available on Blackboard)- HxD (https://mh-nexus.de/en/hxd/) (Windows only)
Task 1: Decoding the MBR
Start HxD and under the menu Tools, open the disk image HunterXP_100.raw (Note: this file is only the first 100 sectors)
Asking HxD to open the file as a disk image will make it prompt you for the sector size, which in this case is the (usual) default of 512 bytes. HxD can therefore help a bit by adding sector markers on the right-hand side of the "Decoded text" view, which will make it easier for you to see where one sector starts, and the other ends.
Now use your notes and the slide deck from Session 05 to answer the following:
1. How many entries are in the partition table?
Click to reveal answer
2. Which partition, if any, is configured to boot on start-up?
Click to reveal answer
3. Explain how you determined your answer to 2
Click to reveal answer
4. What file system would you expect to find in Partition 1?
Click to reveal answer
5. Explain how you determined your answer to 4
Click to reveal answer
6. What is the offset in bytes to the start of Partition 1?
Click to reveal answer
7. Explain how you determined your answer to 6
Click to reveal answer
8. Use the Search menu to go to the offset you found in 6 and mind the number system to enter the offset
9. Write down the first EIGHT hex values you should see.
Click to reveal answer
10. Starting with the first byte at the offset you identified in 6, highlight 1 sector's worth of bytes (click-n-drag)
11. What TWO similarities do you see in the highlighted sector compared to the MBR?
Click to reveal answer
Task 2: Decoding the GPT
Start HxD and under the menu Tools, open the disk image Rajewski_GPT2_100.raw (again, only the first 100 sectors)
Now use your notes and slide deck from Session 05 to answer the following questions.
1. How many entries are in the partition table?
Click to reveal answer
2. Explain how you determined your answer to 1 above
Click to reveal answer
3. For each partition you identified in 1, complete the table below
| GUID (hex values as stored) | GUID (hex values in human-readable form) |
|---|---|
| A2A... | EBD... |
| ... | ... |
| ... | ... |
| ... | ... |
Click to reveal answer
A2A0D0EBE5B9334487C068B6B72699C7 | EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
A2A0D0EBE5B9334487C068B6B72699C7 | EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
A2A0D0EBE5B9334487C068B6B72699C7 | EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
Yes, all four have the same GUID but, for an investigator, it's important to note this down.
4. In the space below, add the partition information for the partitions you listed in Step 3
| Partition type | Size in MiB (Mebibytes) | Partition name |
|---|---|---|
| Basic... | ??? | Basic... |
Click to reveal answer
| Partition Type | Size in MiB (Mebibytes) | Partition Name |
|---|---|---|
| Basic Data Partition (Win) | 200 | Basic Data Partition |
| Basic Data Partition (Win) | 191 | FAT_VOLUME |
| Basic Data Partition (Win) | 191 | FAT2_VOLUME |
| Basic Data Partition (Win) | 191 | FAT3_VOLUME |
5. Show how you calculated the size of each partition listed above
Click to reveal answer
| First |
Last | Number of sectors (Last - First + 1) | Size (NumSectors * 512) | |
|---|---|---|---|---|
| 1 |
128 | 409727 | 409600 | 200 MiB |
| 2 | 509952 | 901119 | 391168 | 191 MiB |
| 3 |
901120 | 1292287 | 391168 |
191 MiB |
| 4 | 1294336 | 168503 | 391168 | 191 MiB |