EFI or GUID Partition header as used on Macs and newer PCs
A standard boot sector partition table saves start sector and lengths as a 32 byte number. When using 512 byte sectors, this has a 2 TB capacity. RAID disks have been larger than this for a long time, but stand alone disks are becoming available with this capacity.
The replacement for the standard boot sector partition table is EFI partitions (Extensible Firmware Interface) , also known as GUID partitions. Rather than describing a partition with 16 bytes, there is a 128 byte record, and of most importance, numbers are 64 bit numbers, rather than 32 bit numbers. The maximum capacity can there be described as very very large.
To remain compatible, such a disk will start with a standard boot sector, and partition table, but the partition type will be set as 0xEE.
The standard started in 1998 by IBM, and the Unified EFI standard started about 2005. For main stream products it was first adopted by Apple when they started shipping Intel based Macintoshes in 2006. The other description for this means of specifying disks is with GUID partition table
Sector 1, Partition table header
00000000 45 46 49 20 50 41 52 54 - 00 00 01 00 5C 00 00 00 EFI PART \
00000010 57 EA 15 5F 00 00 00 00 - 01 00 00 00 00 00 00 00 W_
00000020 0F 31 51 5D 01 00 00 00 - 22 00 00 00 00 00 00 00 1Q] "
00000030 EE 30 51 5D 01 00 00 00 - AC 09 2F FA D1 04 93 4F 0Q] /“O
00000040 92 9F E4 60 39 9C 6B 70 - 02 00 00 00 00 00 00 00 ’`9kp
00000050 80 00 00 00 80 00 00 00 - 06 4F 4F 6F 00 00 00 00 € € OOo
This always starts with the text EFI PART followed by the version number (1) and length (0x5c). Offset 0x18 is the address of this sector (1) and at offset is the location of a backup copy. In this example it is at 0x15D51310F, or about 2.9TB
Offset 0x28 is the address of area used for partition data (0x22 in this example)
Offset 0x38, for 16 bytes is the Disk GUID, a signature string for this EFI
Offset 0x48 is the number of defined partitions on this disk
Sector 2 and onwards, partition entries
00000000 16 E3 C9 E3 5C 0B B8 4D - 81 7D F9 2D F0 02 15 AE \ M}-®
00000010 6E D9 3E F6 CE 0D B5 42 - A5 B8 8A 0B 10 6A 55 E3 n> B jU
00000020 22 00 00 00 00 00 00 00 - 21 00 04 00 00 00 00 00 " !
00000030 00 00 00 00 00 00 00 00 - 4D 00 69 00 63 00 72 00 M i c r
00000040 6F 00 73 00 6F 00 66 00 - 74 00 20 00 72 00 65 00 o s o f t r e
00000050 73 00 65 00 72 00 76 00 - 65 00 64 00 20 00 70 00 s e r v e d p
00000060 61 00 72 00 74 00 69 00 - 74 00 69 00 6F 00 6E 00 a r t i t i o n
00000070 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000080 A2 A0 D0 EB E5 B9 33 44 - 87 C0 68 B6 B7 26 99 C7 3Dh&™
00000090 0A CD 32 5D 7E A5 35 48 - 9F B3 D7 0A A5 1F 77 EF 2]~5H w
000000A0 00 08 04 00 00 00 00 00 - FF 2F 51 5D 01 00 00 00 /Q]
000000B0 00 00 00 00 00 00 00 00 - 42 00 61 00 73 00 69 00 B a s i
000000C0 63 00 20 00 64 00 61 00 - 74 00 61 00 20 00 70 00 c d a t a p
000000D0 61 00 72 00 74 00 69 00 - 74 00 69 00 6F 00 6E 00 a r t i t i o n
000000E0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000F0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Each partition entry is 0x80 (128) bytes long. Shown above are therefore two entries
Each entry started with a 16 byte string, or Globally Universal ID (GUID). Each string is unique, and about such strings have been defined for different type of disk partition. CnW detects the most common ones for PCs and Apple computers. However, this list will grow. The second 16 bytes is unique for each partition - this is in efect a disk partition unique serial number.
Offset 0x20 points to the start sector of the partition
Offset 0x28 points to the final sector of the partition, 0x40021 in the first example and 0x15D512fFF in the second example. The second example also shows a sector nunber that is greater than 32 bits, and would not be possible with a standard boot sector partition table.
The final part of the partition is a description string.
For users with forensic features, the details of each partition are stored in the log
|
