Homework1- f23
Homework 1: MBR and GPT Analysis
For this project, you will write a program that analyzes the Master Boot Record (MBR) and GUID Partition Table (GPT) of forensic images. Sample raw images and resources for you to use while programming are available here.
Download sample raw images and resources
We assume you use an x86-64 architecture-based computer for this project. Your program, which must be an executable called boot_info, must take as input the path to a raw image with option -f (files), like so:
./boot_info -f sample.raw
Before opening the raw image to perform any analyses, your program should first calculate MD5 and SHA-256 hash values for the image (the input .raw file). The hash values should be stored as MD5-[imagename.raw].txt and SHA-256-[imagename.raw].txt and should contain only the hash values (case-insensitive), not any other text. For example, if the name of the raw image is Sparky.raw then your authentication module needs to generate MD5-Sparky.raw.txt and SHA-256-Sparky.raw.txt before opening the raw image. Upper- or lower-case hex digits are both fine, since we will use a case-insensitive check when grading. You can check the correct hash values in the "hash_info" folder in the shared link.
Next, ensure that you open the image read-only and identify the partitioning scheme, whether it is MBR or GPT. Then locate and extract the partition tables from the MBR or GPT. For an MBR image, your program MUST print, for each partition, the partition type (its hex value and the corresponding type name), the start sector address (LBA), and the size of the partition, with the LBA and size in decimal, as follows:
(07) HPFS/NTFS/exFAT , 2056320, 208845
Note
For the partition types, you can download the common partition type table here.
Download the common partition type table: csv or json
This is the one instance where I will allow students to share information for homework solutions: If a more digitally ingestible version (e.g., JSON) of the partition types were to be distributed among the class, I would accept its use as not violating the academic integrity policy. However, the usual rules apply for citations, etc. As usual, please feel free to ask clarifying questions on Discord.
For each partition listed in the MBR, locate and read in the boot record of the partition (its first sector) and output the hexadecimal values of the first 16 bytes of the boot record followed by the ASCII values of those bytes (if a byte is not printable, print “.”), as follows:
Partition number: 1 |
Note
The above is only illustrative. The given hex values are not valid in a regular boot record.
For a GPT image, boot_info should in the same way take the raw image file and calculate the hash values. Also, find the hexadecimal values of the starting LBA and ending LBA addresses of each partition on the disk.
Invoking your program should therefore output data in the following format (these are not real values; your output will differ):
$./boot_info -f mbr_sample.raw
ASCII: . f r e e m a n . f r e e m a j
ASCII: . f r e e m a n . f r c ` m d k
ASCII: . f r e e m a n . f r b e g g l
ASCII: . f r e e m a n . f r e e m i b
Partition number: 2 |
//similarly, display all 5 values for all other partitions
//If a partition's GUID is all 0s (unused), you can skip it and check the next partition.
Note
It isn’t necessary for you to include partition entries if the partition type is 0x00 in MBR. For an explanation of this exclusion, please see the first entry in this table: https://en.wikipedia.org/wiki/Partition_type#List_of_partition_IDs
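As an added illustration, not part of the assignment text or a reference solution, the following Python sketch shows how the MBR pieces described above fit together on a constructed image: the image bytes are hashed first, the four 16-byte entries at offset 446 are decoded, 0x00 entries are skipped, a 0xEE entry is reported as a protective MBR (i.e. the disk is GPT), and the first 16 bytes of each partition's boot record are printed in the required hex/ASCII format. TYPE_NAMES (a tiny stand-in for the course's CSV/JSON table), build_sample_image and its sample boot sectors are assumptions made here.

```python
import hashlib
import struct

SECTOR = 512
# Hypothetical subset of the partition-type table; the full mapping comes from the course CSV/JSON.
TYPE_NAMES = {0x07: "HPFS/NTFS/exFAT", 0x83: "Linux", 0xEE: "GPT protective MBR"}

def hash_image(data):
    """Hash the whole image before any parsing; write these to MD5-<name>.txt and SHA-256-<name>.txt."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def parse_mbr(sector0):
    """Return (type, start LBA, size in sectors) for the non-0x00 entries of the 4-entry table at offset 446."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at offset 510: not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]  # partition type byte (offset 4 of the 16-byte entry)
        start_lba, size = struct.unpack_from("<II", entry, 8)  # little-endian 32-bit start LBA and size
        if ptype != 0x00:  # empty entry: skipped, as the note above allows
            parts.append((ptype, start_lba, size))
    return parts

def hex_ascii(first16):
    """Hex dump of a boot record's first 16 bytes, with '.' for non-printable ASCII."""
    hexpart = " ".join(f"{b:02x}" for b in first16)
    asc = " ".join(chr(b) if 32 <= b < 127 else "." for b in first16)
    return f"{hexpart} ASCII: {asc}"

def boot_info(image):
    """MBR-format output lines for an in-memory image; 0xEE means a protective MBR, i.e. the disk is GPT."""
    parts = parse_mbr(image[:SECTOR])
    if any(p[0] == 0xEE for p in parts):
        return ["GPT: protective MBR found, parse the GPT header at LBA 1 and its entry array"]
    lines = [f"({t:02X}) {TYPE_NAMES.get(t, 'unknown')} , {s}, {n}" for t, s, n in parts]
    for num, (_, start, _) in enumerate(parts, 1):
        boot = image[start * SECTOR:start * SECTOR + 16]  # first 16 bytes of the partition's boot record
        lines.append(f"Partition number: {num} | {hex_ascii(boot)}")
    return lines

def build_sample_image():
    """Constructed 13-sector image: NTFS at LBA 1 (8 sectors), ext4-style Linux at LBA 9 (4 sectors)."""
    img = bytearray(SECTOR * 13)
    for i, (ptype, start, size) in enumerate([(0x07, 1, 8), (0x83, 9, 4)]):
        # entry layout: status, CHS start (3), type, CHS end (3), start LBA (4), size (4)
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0x80 if i == 0 else 0x00, ptype, start, size)
    img[SECTOR:SECTOR + 16] = b"\xeb\x52\x90NTFS    \x00\x02\x08\x00\x00"  # jump, OEM ID, BPB start
    img[510:512] = b"\x55\xaa"  # ext4 reserves its first 1024 bytes, so partition 2 stays all zeros
    return bytes(img)
```

It works on the image as bytes, so a real run reads the .raw file in read-only ("rb") mode and passes its contents to hash_image and then boot_info; the GPT branch only reports the scheme and leaves the header and entry-array parsing to you.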
Implementation
Your program must work on Ubuntu 18.04 64-bit or later version with the default packages installed. You may find it helpful to set up a virtual machine to do your development. VirtualBox is a free and open-source VM system.
If you wish to use packages that are not installed on Ubuntu by default, please submit a file with your code named packages, containing a list of packages that you would like installed before make is called. Each line of packages must be a valid package name, one package per line. The submission system will automatically install every package that the file lists.
For example, if you were going to write your assignment in Haskell, you could install the GHC compiler with the following package file:
ghc
ghc-dynamic
In order to test your program, you can use the auto-grader in Gradescope. You can access Gradescope on Canvas (left menu).
Submission Instructions
You will need to submit your source code, along with a Makefile and README. The Makefile must create your executable, called boot_info, when the command make is run. Your README file must be plain text and should contain your name, ASU ID, and a description of how your program works.
How to use make and write Makefiles: du/~newhall/unixhelp/howto_makefiles.html
Example of Makefile for python:
.PHONY: all clean
all:
	cp your_code.py boot_info
	chmod +x boot_info
clean:
	rm boot_info
Submission
Gradescope