Finding the right information when you’re looking for it sometimes takes a while. I wanted to share with you some information that I quickly put together on the GPT partitioning scheme.
While doing some course development work for a graduate course titled “Operating System Analysis,” I wanted to locate a current resource on the GPT partitioning scheme. Of course we could all default back to File System Forensic Analysis by Brian Carrier (which everyone should have on their bookshelf), but I was hoping for a free resource that students could also reference.
I found a few resources, but the Unified Extensible Firmware Interface Specification paper does an excellent job describing the GPT data structure. In the above-referenced document you will find technical details as well as visuals to complement your learning. It also does somewhat of a comparison of MBR/GPT if you want to learn more on that. Most forensicators know about the MBR, but based on conversations with some colleagues, few have really examined GPT up close.
Here is a cheat sheet of sorts from the lecture slides I am building. These include references from the UEFI paper (above), Carrier’s book, and Bruce J. Nikkel’s paper, Forensic Analysis of GPT Disks and GUID Partition Tables, which was originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 6, No. 1-2 (doi:10.1016/j.diin.2009.07.001).
[Figure: Slide from Rajewski’s lecture on MBR/GPT as it relates to computer forensic investigations]