Partition analysis is an essential part of digital forensics because partitions define how storage media is divided, organized, and accessed. Understanding partitions helps investigators identify hidden areas, recover deleted data, reconstruct damaged structures, and analyze disk layouts accurately.
A partition is a logically separated section of a storage device. Each partition can contain its own file system, boot information, and data structures. Forensic partition analysis focuses on identifying these partitions, locating their boundaries, and understanding how they are used.
What Is a Partition?
A partition is a section of a hard drive or storage device created to organize and manage data.
A single physical disk can contain multiple partitions, each acting like an independent storage unit.
Examples:
- A laptop with C: and D: drives (two partitions)
- A mobile phone with system and user data partitions
- A USB drive with hidden boot partitions
Partitions help the system boot, store files, manage recovery areas, and separate system data from user data.
Partition Tables
Partition tables define how the disk is divided. They store information such as:
- Partition start and end points
- File system type
- Boot flags
- Partition size
- Partition order
The two most common partition schemes are MBR and GPT.
MBR (Master Boot Record)
MBR is the older and simpler partition scheme used in many older systems and small drives.
Features of MBR
- Supports up to 4 primary partitions
- Maximum disk size of 2 TB
- Stores the partition table in the first 512 bytes of the disk
- Contains bootloader code
Forensic Considerations
- Easily overwritten by malware
- Extended partitions can be used to hide data
- Vulnerable to boot sector infections
MBR layout:
- Bootloader (first 446 bytes)
- Partition table (64 bytes, four 16-byte entries)
- Boot signature (2 bytes, 0x55AA)
Investigators analyze the partition table entries to identify active, hidden, or corrupted partitions.
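The layout above can be checked directly with a small parser. The following is an added example, not code from the original article: it constructs a sample MBR (446 zeroed boot-code bytes, four 16-byte entries, the 0x55AA signature), decodes the entries, and then reports unallocated ranges and overlapping entries, which is the boundary check discussed later under partition artifacts. The sample disk geometry, the type-code subset and the helper names are assumptions made for the example.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
# A few partition type codes from the published MBR type list (not exhaustive)
PART_TYPES = {0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS/exFAT",
              0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def build_mbr(entries):
    """Construct a test MBR: 446 bytes of (zeroed) boot code, four 16-byte
    partition entries and the 2-byte 0x55AA signature.
    entries is a list of (status, type, lba_start, sector_count) tuples."""
    table = b""
    for status, ptype, start, count in (entries + [(0, 0, 0, 0) for _ in range(4)])[:4]:
        # CHS start/end fields are left zero; the LBA fields are what modern tools use
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    return b"\0" * 446 + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the four primary entries as dicts; raise if the sector is not an MBR."""
    if len(sector) < SECTOR or bytes(sector[510:512]) != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        entries.append({
            "index": i,
            "bootable": status == 0x80,          # 0x80 = active/bootable, 0x00 = inactive
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start": start,
            "end": start + count - 1 if count else 0,
            "sectors": count,
        })
    return entries


def find_gaps_and_overlaps(entries, total_sectors):
    """Return (gaps, overlaps). Gaps are sector ranges no entry claims: the
    unallocated areas an examiner carves for old or hidden partitions.
    Overlaps are entries that start inside an earlier entry's range, which a
    healthy table never has and which points to corruption or tampering."""
    used = sorted((e["start"], e["end"]) for e in entries if e["sectors"])
    gaps, overlaps = [], []
    cursor = 1  # sector 0 holds the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        elif start < cursor:
            overlaps.append((start, end))
        cursor = max(cursor, end + 1)
    if cursor <= total_sectors - 1:
        gaps.append((cursor, total_sectors - 1))
    return gaps, overlaps


# Constructed sample: a 409600-sector (200 MiB) disk with a bootable NTFS
# partition and a Linux partition, leaving a 2048-sector hole between them.
DISK_SECTORS = 409600
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 208896, 102400)])

if __name__ == "__main__":
    entries = parse_mbr(SAMPLE_MBR)
    for e in entries:
        if e["sectors"]:
            print(f"entry {e['index']}: {e['type_name']:<16} LBA {e['start']}-{e['end']}"
                  f" ({e['sectors']} sectors){' [bootable]' if e['bootable'] else ''}")
    gaps, overlaps = find_gaps_and_overlaps(entries, DISK_SECTORS)
    print("unallocated ranges:", gaps)
    print("overlapping entries:", overlaps)
```

The 2048-sector hole between the two partitions is the kind of gap worth carving: alignment padding before the first partition is normal, but an unexplained hole between partitions, or a trailing range that no entry claims, is where old or hidden data tends to sit. An entry that overlaps another is never produced by a well-behaved partitioning tool, so it is a direct sign of a corrupted or doctored table.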
GPT (GUID Partition Table)
GPT is the modern partition scheme used on all recent Windows, macOS, and Linux systems.
Features of GPT
- Supports up to 128 partitions (in typical implementations)
- Supports disks larger than 2 TB
- Stores multiple backup partition tables
- Uses globally unique identifiers (GUIDs)
GPT Structure
GPT contains:
- Protective MBR (prevents legacy tools from overwriting GPT)
- Primary GPT header
- Partition entry array
- Backup GPT header at the end of the disk
Forensic Considerations
- More resilient due to backup tables
- Easier to detect tampering
- Provides richer metadata
- Useful for recovering deleted or corrupted partitions
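The resilience and tamper-detection points above follow from two facts about the GPT header: it carries a CRC32 over itself and a CRC32 over the partition entry array, and a second copy of both lives at the end of the disk. The following added example (not code from the original article) builds a constructed GPT disk image with a protective MBR, verifies both CRCs in the primary and backup headers, and then shows what happens when one entry is zeroed in the primary array only: the array CRC no longer matches, and the backup still lists the partition. The sample disk size, partition layout and the two type GUIDs used are assumptions for the example; the GUIDs themselves are the well-known UEFI values.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header, little-endian
ENTRY_FMT = "<16s16sQQQ72s"          # one 128-byte partition entry
ENTRY_COUNT, ENTRY_SIZE = 128, 128   # 128 entries x 128 bytes = 32 sectors
# Well-known partition type GUIDs (from the UEFI specification)
ESP = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
MS_BASIC_DATA = "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"
TYPE_NAMES = {ESP: "EFI System Partition", MS_BASIC_DATA: "Microsoft basic data"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_entry(type_guid, first_lba, last_lba, name):
    """One partition entry; the unique GUID is derived from first_lba so the sample is deterministic."""
    return struct.pack(ENTRY_FMT, uuid.UUID(type_guid).bytes_le, uuid.UUID(int=first_lba).bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le").ljust(72, b"\0"))


def build_header(current, backup, entries_lba, blob, disk_guid, last_usable):
    """Pack a header whose CRC is computed over the 92 bytes with the CRC field zeroed."""
    fields = [GPT_SIGNATURE, 0x00010000, 92, 0, 0, current, backup, 34, last_usable,
              disk_guid.bytes_le, entries_lba, ENTRY_COUNT, ENTRY_SIZE, crc32(blob)]
    fields[3] = crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\0")


def build_image(total_sectors, entries):
    """Constructed GPT disk: protective MBR (LBA 0), primary header (LBA 1) and
    entry array (LBA 2-33), then the backup entry array and header at the very end."""
    img = bytearray(total_sectors * SECTOR)
    last = total_sectors - 1
    # Protective MBR: one type-0xEE entry spanning the disk so legacy tools see it as occupied
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0xEE, b"\0\0\0", 1, min(last, 0xFFFFFFFF))
    img[510:512] = b"\x55\xaa"
    blob = b"".join(entries).ljust(ENTRY_COUNT * ENTRY_SIZE, b"\0")
    disk_guid = uuid.UUID(int=0x1234)           # constructed disk GUID
    img[1 * SECTOR:2 * SECTOR] = build_header(1, last, 2, blob, disk_guid, last - 33)
    img[2 * SECTOR:34 * SECTOR] = blob
    img[(last - 32) * SECTOR:last * SECTOR] = blob
    img[last * SECTOR:(last + 1) * SECTOR] = build_header(last, 1, last - 32, blob, disk_guid, last - 33)
    return img


def verify_header(img, lba):
    """Parse the header at `lba`, verify signature, header CRC and entry-array CRC,
    and list the in-use partition entries it points to."""
    f = list(struct.unpack(HEADER_FMT, bytes(img[lba * SECTOR:lba * SECTOR + 92])))
    stored_crc, f[3] = f[3], 0
    entries_lba, n, size = f[10], f[11], f[12]
    blob = bytes(img[entries_lba * SECTOR:entries_lba * SECTOR + n * size])
    result = {
        "signature_ok": f[0] == GPT_SIGNATURE,
        "header_crc_ok": crc32(struct.pack(HEADER_FMT, *f)) == stored_crc,
        "array_crc_ok": crc32(blob) == f[13],
        "backup_lba": f[6],
        "partitions": [],
    }
    for i in range(n):
        t, _u, first, last, _attrs, name = struct.unpack(ENTRY_FMT, blob[i * size:(i + 1) * size])
        if t != b"\0" * 16:                     # all-zero type GUID marks an unused slot
            tg = str(uuid.UUID(bytes_le=t))
            result["partitions"].append({"type": TYPE_NAMES.get(tg, tg), "first": first,
                                         "last": last, "name": name.decode("utf-16-le").rstrip("\0")})
    return result


def has_protective_mbr(img):
    return bytes(img[510:512]) == b"\x55\xaa" and img[450] == 0xEE


# Constructed sample: 8192-sector disk with an ESP and a data partition
SAMPLE = build_image(8192, [build_entry(ESP, 34, 2081, "EFI"),
                            build_entry(MS_BASIC_DATA, 2082, 8000, "data")])

if __name__ == "__main__":
    primary, backup = verify_header(SAMPLE, 1), verify_header(SAMPLE, 8191)
    print("protective MBR:", has_protective_mbr(SAMPLE))
    print("primary:", {k: v for k, v in primary.items() if k != "partitions"})
    # Zero the second entry in the primary array only: the header CRC still
    # matches, the array CRC does not, and the backup still lists the partition.
    doctored = bytearray(SAMPLE)
    doctored[2 * SECTOR + 128:2 * SECTOR + 256] = b"\0" * 128
    print("doctored primary:", verify_header(doctored, 1)["array_crc_ok"],
          "backup entries:", [p["name"] for p in verify_header(doctored, 8191)["partitions"]])
```

A mismatched array CRC with an intact header CRC is the interesting combination: a tool that legitimately edits the table recomputes both, so a stale array CRC means the entries were changed by something that did not go through the normal partitioning path. Comparing the primary and backup partition lists is the quickest way to see what changed.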
Types of Partitions
1. Primary Partitions
Can be marked bootable; contain operating system or user data.
2. Extended Partitions (MBR only)
Allow more than four partitions by acting as a container for logical partitions.
3. Logical Partitions
Located inside extended partitions; treated like normal partitions by the OS.
4. System Partitions
Contain bootloader, recovery tools, or OS files.
Examples:
- EFI System Partition (ESP)
- Windows Recovery Environment
- Android system partition
5. Hidden Partitions
Used by vendors or attackers.
Examples:
- OEM recovery partitions
- Malware-created partitions
- Encrypted volumes (BitLocker, VeraCrypt)
Hidden partitions are common in forensic investigations and must be identified manually.
Partition Artifacts Useful in Forensics
Partition Boundaries
Investigators check the start and end sectors to find inconsistencies or hidden areas.
File System Signatures
Each file system has a unique signature (magic number).
For example:
- NTFS: "NTFS" string at a specific offset in the boot sector
- EXT4: 0xEF53
- FAT32: "FAT32" string
Signatures help detect deleted or overwritten partitions.
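A signature sweep is the practical form of this idea: walk the image sector by sector, test each known magic value at its fixed offset, and compare the hits against the partition table. The following added example (not code from the original article) does that over a constructed image holding NTFS, FAT32 and ext4 volumes, where the table entry for the ext4 volume has been removed. The signature offsets are the documented ones (NTFS OEM ID at byte 3, FAT32 type string at byte 82, ext superblock magic 0xEF53 at byte 56 of the superblock, which starts 1024 bytes into the volume); the image layout and helper names are assumptions for the example.

```python
SECTOR = 512
# (label, byte offset from the candidate partition start, expected bytes)
SIGNATURES = [
    ("NTFS", 3, b"NTFS    "),              # OEM ID in the NTFS boot sector
    ("FAT32", 82, b"FAT32   "),            # file system type string in the FAT32 boot sector
    ("EXT2/3/4", 1024 + 56, b"\x53\xef"),  # superblock magic 0xEF53 (little-endian), superblock at +1024
]


def sweep_signatures(img, sector=SECTOR):
    """Test every sector boundary of the image for each known signature and
    return (lba, label) hits. Sector-aligned scanning is enough here because
    partitions start on sector boundaries; carving tools use the same idea."""
    hits = []
    for lba in range(len(img) // sector):
        base = lba * sector
        for label, off, magic in SIGNATURES:
            if bytes(img[base + off:base + off + len(magic)]) == magic:
                hits.append((lba, label))
    return hits


def unlisted_partitions(hits, table):
    """Signature hits at sectors that no table entry names as a partition start.
    With an intact table this list is normally empty; a hit here is a candidate
    deleted, overwritten-table, or deliberately unlisted partition."""
    known_starts = {start for start, _end in table}
    return [(lba, label) for lba, label in hits if lba not in known_starts]


def make_boot_sector(kind):
    """Minimal constructed volume boot sector carrying only the fields checked above."""
    s = bytearray(SECTOR)
    if kind == "NTFS":
        s[3:11] = b"NTFS    "
    elif kind == "FAT32":
        s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_image():
    """Constructed 4096-sector image: NTFS at LBA 64, FAT32 at LBA 1024, ext4 at LBA 2048."""
    img = bytearray(4096 * SECTOR)
    img[64 * SECTOR:65 * SECTOR] = make_boot_sector("NTFS")
    img[1024 * SECTOR:1025 * SECTOR] = make_boot_sector("FAT32")
    img[2048 * SECTOR + 1080:2048 * SECTOR + 1082] = b"\x53\xef"   # ext4 superblock magic
    return img


# The (constructed) partition table still lists only the first two partitions:
# the ext4 entry has been removed, but its superblock is untouched.
SAMPLE_IMAGE = build_sample_image()
SAMPLE_TABLE = [(64, 1023), (1024, 2047)]

if __name__ == "__main__":
    hits = sweep_signatures(SAMPLE_IMAGE)
    print("signature hits:", hits)
    print("not in table:", unlisted_partitions(hits, SAMPLE_TABLE))
    print("table fully wiped:", unlisted_partitions(hits, []))
```

Passing an empty table models the "partition table deleted, data intact" case: every volume is still found at its original start sector, which is exactly why a wiped table is usually recoverable. A hit from a single two-byte magic such as 0xEF53 should be corroborated (for example by parsing the rest of the superblock) before being treated as a partition, since short values recur by chance in large images.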
Unallocated Space
Unallocated space may still contain remnants of deleted files or entire old partitions.
Slack Space
Unused space inside partially filled sectors may contain hidden data.
Hidden or Corrupted Partitions
Investigators use tools to locate partitions not shown by normal OS tools.
Common Tools for Partition Analysis
- fdisk
- parted
- TestDisk
- GParted
- FTK Imager
- Autopsy
- Sleuth Kit (mmls, fsstat)
These tools help list partitions, inspect metadata, recover lost partitions, and analyze structures.
What Investigators Look For
1. Missing or Deleted Partitions
Attackers sometimes delete partitions to hide traces. Forensic tools can often recover them.
2. Partial Overwrites
If only the partition table is deleted, the data is usually still recoverable.
3. Hidden Storage Areas
Attackers or malware may hide data in:
- Unallocated space
- Extended partition gaps
- Non-standard partition entries
4. Encrypted Partitions
Indicators include random-looking data or BitLocker metadata.
5. Partition Tampering
Mismatch between partition table entries and actual file system content suggests manipulation.
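Points 4 and 5 above can both be turned into concrete checks. The following added example (not code from the original article) covers two of them: an entropy measure plus the BitLocker OEM ID check as the "random-looking data or BitLocker metadata" indicator, and a cross-check of the partition table's sector count against the TotalSectors field that an NTFS volume records in its own boot sector, as one instance of the table-versus-content mismatch described in point 5. The 7.9 bits-per-byte threshold, the one-sector tolerance and the sample data are assumptions for the example; the "-FVE-FS-" OEM ID and the 0x28 offset of TotalSectors are documented values.

```python
import math
import random
import struct

SECTOR = 512
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at offset 3 of the first sector of a BitLocker-encrypted volume


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_region(first_sector, sample, threshold=7.9):
    """Label a partition from its first sector plus a sample of its contents.
    The 7.9 bits/byte threshold is a working assumption: well-mixed ciphertext
    (and compressed data, which looks the same to this test) sits close to 8."""
    if bytes(first_sector[3:11]) == BITLOCKER_OEM:
        return "bitlocker"
    ent = shannon_entropy(sample)
    if ent >= threshold:
        return "high-entropy (encrypted or compressed)"
    if ent == 0.0:
        return "zero-filled"
    return "structured"


def ntfs_declared_sectors(boot_sector):
    """TotalSectors from the NTFS boot sector BPB (8-byte little-endian at offset 0x28)."""
    return struct.unpack_from("<Q", boot_sector, 0x28)[0]


def table_vs_volume(table_sectors, boot_sector, tolerance=1):
    """Cross-check the partition table's sector count against what the volume
    itself records. NTFS commonly reports one sector fewer than the partition
    (the last sector holds the backup boot sector), so the default tolerance
    of one sector is an assumption; anything beyond it is flagged."""
    declared = ntfs_declared_sectors(boot_sector)
    return abs(table_sectors - declared) <= tolerance, declared


def make_ntfs_boot(total_sectors):
    """Constructed NTFS boot sector with only the OEM ID, TotalSectors and signature set."""
    s = bytearray(SECTOR)
    s[3:11] = b"NTFS    "
    struct.pack_into("<Q", s, 0x28, total_sectors)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def make_bitlocker_boot():
    """Constructed first sector of a BitLocker volume (OEM ID only)."""
    s = bytearray(SECTOR)
    s[3:11] = BITLOCKER_OEM
    return bytes(s)


# Constructed samples (seeded so the results are reproducible)
RNG = random.Random(2024)
RANDOM_SAMPLE = bytes(RNG.getrandbits(8) for _ in range(16384))      # stands in for ciphertext
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 400  # ordinary file data
ZERO_SAMPLE = bytes(16384)
NTFS_BOOT = make_ntfs_boot(204799)   # volume formatted inside a 204800-sector partition

if __name__ == "__main__":
    print(classify_region(make_bitlocker_boot(), RANDOM_SAMPLE))
    print(classify_region(bytes(SECTOR), RANDOM_SAMPLE), round(shannon_entropy(RANDOM_SAMPLE), 3))
    print(classify_region(bytes(SECTOR), TEXT_SAMPLE), round(shannon_entropy(TEXT_SAMPLE), 3))
    print(classify_region(bytes(SECTOR), ZERO_SAMPLE))
    print("table says 204800:", table_vs_volume(204800, NTFS_BOOT))
    print("table says 100000:", table_vs_volume(100000, NTFS_BOOT))   # entry shrunk to hide the tail
```

Entropy alone cannot separate encryption from compression, so a high-entropy region without a recognisable encrypted-volume header is a lead to follow up, not a conclusion. The size cross-check works the other way round: a volume that claims far more sectors than its table entry grants is a strong sign that the entry was edited after formatting, and the sectors beyond the entry's end are the first place to look.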
Summary
Partition analysis is a crucial step in digital forensics. By understanding partition schemes like MBR and GPT, identifying hidden or corrupted partitions, analyzing file system signatures, and examining unallocated space, investigators can recover lost data, uncover tampering, and gain insight into how a storage device was used. Accurate partition analysis is the foundation of deeper forensic investigations, including file system and data recovery work.