September 16, 2024

What is an MBR partition?

The structure of a storage device is divided into what we call partitions. Today we mainly find two types of partitioning: GPT and MBR.

In this post, we will talk about the second one, the MBR partition.

MBR Partition: General

MBR (master boot record) partitioning consists of a code area stored in the first sector of the storage device or hard drive, which also contains the partition table. The partition table can hold up to 4 partitions, known as primary partitions. The MBR contains information about where each partition starts and ends and whether it is an active partition or not. In any case, there can be only one active partition. At the end of the MBR sector there is a magic number: 0x55AA. The partition table is made up of 16-byte records.

The magic number

The type of data stored within the sector is called a magic number. The term refers to a specific byte sequence used in the header of certain file types to identify the file format.

Magic numbers are widely used in file recovery, when searching for deleted files. One technique is to take a database of magic numbers and scan the entire disk for them. When the tool finds a sector or byte sequence that corresponds to a magic number, it infers that the data is a PDF, a JPG or some other type of file, depending on the match, until it finally finds the number for the type of file being searched for.

These magic numbers are usually specific hexadecimal values that indicate the type of file and allow programs to determine how to interpret and process it. For example, a JPEG file has the magic number "FF D8 FF", while a PDF file has the magic number "25 50 44 46".

Understanding MBR partition

The partitions

The first part of each MBR partition record holds information about the partition. It refers to a sector: the first record of the partition table stores a kind of pointer to the sector where the first byte of that partition is stored. The second, third and fourth records work the same way. Taking this into account, we can think of the records as pointers.

So we have:

The first byte indicates whether the partition is bootable or not:

00 → It is not a boot partition.
80 → It is a boot partition. If the boot partition does not correspond to this disk, the remaining bits will indicate which disk the boot partition is on.

The fourth byte indicates the system type:

Disk editor

A disk editor is a program that allows us to analyze the disk and view its partition table.

This tool is quite useful because it already has the patterns saved, so it recognizes by itself which sectors hold the MBR and which sectors contain the table information for each partition. In addition, it colors and divides them so that they are easier to understand.

Empty disk spaces

These tools do not give us forensic information as such. They simply help us understand how the information is structured.

However, when we have to work at a low level and do exhaustive research on malware detection and analysis, we may come across cases in which malware has modified the partition tables, because the layout leaves space between one partition and another in which data can be stored.

Unused sectors after the partition table and before the first partition. Space between partitions. Non-partitioned spaces.

All of these spaces can be used to accommodate malware.
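
An added example, not code from the original post: a Python parser that checks the 55 AA signature, reads the four 16-byte records, enforces the single-active-partition rule and lists the sector ranges that fall outside every partition. It goes beyond the post by reading the start-sector and sector-count fields (offsets 8 and 12 of each record in the standard MBR layout); `sample_mbr()` and the disk size of 409600 sectors are constructed for illustration.

```python
import struct

TABLE_OFFSET = 446        # partition table starts after the boot code area
ENTRY_SIZE = 16           # four 16-byte records
SIGNATURE = b"\x55\xaa"   # last two bytes of the 512-byte sector

def parse_mbr(sector):
    """Return the used partition entries of a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("bad length or missing 55 AA signature")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + slot * ENTRY_SIZE:][:ENTRY_SIZE]
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype or count:  # skip empty slots
            entries.append({"slot": slot, "status": status, "type": ptype,
                            "start": start, "sectors": count})
    return entries

def findings(entries, disk_sectors):
    """Return (anomaly notes, sector ranges that belong to no partition)."""
    notes = [f"slot {e['slot']}: unexpected status 0x{e['status']:02x}"
             for e in entries if e["status"] not in (0x00, 0x80)]
    if sum(e["status"] == 0x80 for e in entries) > 1:
        notes.append("more than one active partition")
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        elif e["start"] < cursor:
            notes.append(f"slot {e['slot']}: overlaps an earlier partition")
        cursor = max(cursor, e["start"] + e["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return notes, gaps

def sample_mbr():
    """Constructed sample sector (not from a real disk): two partitions."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)
    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x83, 208896, 198656)
    return bytes(TABLE_OFFSET) + table + bytes(32) + SIGNATURE

if __name__ == "__main__":
    notes, gaps = findings(parse_mbr(sample_mbr()), disk_sectors=409600)
    print("anomalies:", notes or "none")
    for first, last in gaps:
        print(f"outside any partition: sectors {first}-{last}")
```

To examine a disk image, read its first 512 bytes and pass them to `parse_mbr()`; the reported ranges are the areas worth inspecting in a disk editor for non-zero data.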

How to learn more?

We have already seen what an MBR partition is, how it works and some of its general characteristics. If you want to train to be a great professional and work in computer forensics or in any area of cybersecurity, we have the best intensive and comprehensive course for you. Access our Full Stack Cybersecurity Bootcamp and discover how you can become a specialist in just a few months with the guidance of expert teachers and our own theoretical and practical methodology. Request information now and transform your future!
