DF GPT homework
May 5, 2024
Homework 1: MBR and GPT Analysis

■ Due Date: March 13, 2024, 11:59 pm
■ Done By: Individuals
■ Submission: Individually on Gradescope (automatic grading)

For Homework 1, you will write a program that analyzes the Master Boot Record (MBR) and GUID Partition Table (GPT) of forensic disk images. Sample raw images and resources for you to use while programming are available here.

■ Download sample raw images and resources

We assume you use an x86-64 architecture-based computer for this project. Your program, which must be an executable called boot_info, must take as input the path to a raw image with option -f (files) and offset values with option -o (explained in point 5 below), like so:

    ./boot_info -f sample.raw -o 123 78 257

1. Before opening the raw image (sample.raw), your program should first calculate its MD5 and SHA-256 hash values. The hash values should be stored as MD5-[filename.raw].txt and SHA-256-[filename.raw].txt, and each file should contain only the hash value, not any other text. For example, if the name of the raw image file is Sparky.raw, then your authentication module needs to generate MD5-Sparky.raw.txt and SHA-256-Sparky.raw.txt before opening the raw image. It doesn't matter whether the hash value uses upper- or lower-case letters, since we will use a case-insensitive check when grading. You can check the correct hash values in the "hash_info" folder in the shared link.

2. Next, make sure to open the image in read-only mode to maintain its integrity, then identify the partitioning scheme, distinguishing between MBR and GPT.

3. Following that, proceed to locate and extract the partition tables from both MBR and GPT.

4. For MBR images, your program must output the partition information: the hexadecimal partition type value and the corresponding type name, the start sector address (in LBA), and the size of each partition in decimal. This information should be presented in the following format:

    (07) HPFS/NTFS/exFAT , 2056320, 208845

   Note: For the partition types, you can download the common partition types here.

   ■ Download the common partition type: csv or json

   This is the one instance where I will allow students to share information for homework solutions: if a more digitally ingestible version (e.g., JSON) of the partition types were to be distributed among the class, I would accept its use as not violating the academic integrity policy. However, the usual rules apply for citations, etc. As usual, please feel free to ask clarifying questions on Discord.

5. For each partition your program discovers listed in the MBR, a randomly generated offset value will be given as an argument when your program is called. Locate and read in the boot record of the partition (its first sector), and output the hexadecimal values of the 16 bytes starting at that offset in the boot record, followed by the ASCII values of those bytes (if a value is not printable, print "."), as follows:

    Partition number: 1
    16 bytes of boot record from offset X: 67 66 72 65 65 6D 61 6E 67 66 72 65 65 6D 61 6E
    ASCII: g f r e e m a n g f r e e m a n

   Note: The above is only illustrative. The given hex values are not valid in a regular boot record.

6. For GPT output, in the same way, boot_info should take a raw image and calculate the hash values. Also, locate the hexadecimal values of the starting LBA and ending LBA addresses of each partition on the disk. (The random offset values are irrelevant in this case.)

So, invoking your program will output data in the following format. (These are not the real values; your output must be different.)

    $./boot_info -f mbr_sample.raw -o 123 76 258
    (07), HPFS/NTFS/exFAT , 2056320, 20884534
    (07), HPFS/NTFS/exFAT , 2265165, 20884523
    (07), HPFS/NTFS/exFAT , 2474010, 20884513
    Partition number: 1
    16 bytes of boot record from offset 123: aa 66 72 65 65 6D 61 6E ea 66 72 65 65 6D 61 6a
    ASCII: . f r e e m a n . f r e e m a j
    Partition number: 2
    16 bytes of boot record from offset 076: bb 66 72 65 65 6D 61 6E be 66 72 63 60 6D 64 6b
    ASCII: . f r e e m a n . f r c ` m d k
    Partition number: 3
    16 bytes of boot record from offset 258: cc 66 72 65 65 6D 61 6E ec 66 72 62 65 67 67 6c
    ASCII: . f r e e m a n . f r b e g g l

    $./boot_info -f gpt_sample.raw -o 123 76 258
    Partition number: 1
    Partition Type GUID : 12345AF12345CA1109876554321AEDF9
    Starting LBA address in hex: 0x100
    ending LBA address in hex: 0x1234f
    starting LBA address in Decimal: 256
    ending LBA address in Decimal: 74575
    Partition name: EFI system partition
    Partition number: 2
    Partition Type GUID : 12345AF12345CA1109876554321AEDF9
    Starting LBA address in hex: 0x100
    ending LBA address in hex: 0x1234f
    starting LBA address in Decimal: 256
    ending LBA address in Decimal: 74575
    Partition name: EFI system partition
    // Similarly, display all 5 values for all other partitions
    // If a partition's GUID is all 0s (unused), you can skip it and check the next partition.

The above is only illustrative. The given values are not related to the image used in the assignment.

Note: It isn't necessary for you to include partition entries if the partition type is 0x00 in MBR. For an explanation of this exclusion, please see the first entry in this table: https://en.wikipedia.org/wiki/Partition_type
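An added example, not part of the original assignment or of any reference solution: one way to carry out the MBR side of steps 2 to 5 in Python on an image already read into memory. The sample image, the three-entry TYPE_NAMES table and all function names are constructed for illustration, and the output line follows the sample run shown in the assignment.

```python
import struct

SECTOR = 512
# Constructed three-entry subset of the partition-type table (example only).
TYPE_NAMES = {0x07: "HPFS/NTFS/exFAT", 0x83: "Linux", 0xEE: "GPT protective MBR"}

def parse_mbr(sector0):
    """Return (type, start_lba, sector_count) for each used MBR entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):                        # four 16-byte entries at offset 446
        raw = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = raw[4]
        start, count = struct.unpack_from("<II", raw, 8)   # little-endian uint32s
        if ptype != 0x00:                     # 0x00 marks an unused slot
            entries.append((ptype, start, count))
    return entries

def scheme(entries):
    """A 0xEE entry is the protective MBR that precedes a GPT."""
    return "GPT" if any(t == 0xEE for t, _, _ in entries) else "MBR"

def format_entry(entry):
    ptype, start, count = entry
    return f"({ptype:02X}), {TYPE_NAMES.get(ptype, 'Unknown')} , {start}, {count}"

def dump16(image, start_lba, offset):
    """Hex and ASCII view of 16 bytes at `offset` in a partition's first sector."""
    base = start_lba * SECTOR + offset
    chunk = image[base:base + 16]
    hexes = " ".join(f"{b:02X}" for b in chunk)
    text = " ".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return hexes, text

def make_sample_image():
    """Constructed 4-sector image: one type-0x07 partition starting at LBA 2."""
    img = bytearray(4 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2, 2)
    img[510:512] = b"\x55\xaa"
    img[2 * SECTOR + 3:2 * SECTOR + 11] = b"NTFS    "   # NTFS OEM ID field
    return bytes(img)

if __name__ == "__main__":
    img = make_sample_image()
    for n, e in enumerate(parse_mbr(img[:SECTOR]), 1):
        print(format_entry(e))
        print(f"Partition number: {n}", *dump16(img, e[1], 3), sep="\n")
```

A type 0xEE entry only signals a protective MBR; confirming the "EFI PART" signature at LBA 1 is the stronger check before treating the image as GPT.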
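An added example, not part of the original assignment: parsing the GPT header at LBA 1 and the partition entries it points to, as step 6 requires, in Python. The image is constructed, the function and key names are hypothetical, and reporting the type GUID as the raw on-disk bytes is an assumption, so the canonical mixed-endian form is returned alongside it.

```python
import struct
import uuid

SECTOR = 512

def parse_gpt(image):
    """Return one dict per used GPT partition entry in a raw image."""
    header = image[SECTOR:2 * SECTOR]                  # GPT header lives at LBA 1
    if header[:8] != b"EFI PART":
        raise ValueError("no GPT header signature at LBA 1")
    table_lba, = struct.unpack_from("<Q", header, 72)  # where the entry array starts
    count, entry_size = struct.unpack_from("<II", header, 80)
    parts = []
    for i in range(count):
        off = table_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        type_guid = entry[:16]
        if len(entry) < 128 or type_guid == bytes(16):  # truncated or unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\x00", 1)[0]
        parts.append({
            "slot": i + 1,                              # assumption: number by table slot
            "type_guid_raw": type_guid.hex().upper(),   # bytes exactly as stored on disk
            "type_guid": str(uuid.UUID(bytes_le=type_guid)).upper(),  # canonical form
            "start": first, "end": last, "name": name,
        })
    return parts

def make_sample_gpt():
    """Constructed image: header at LBA 1, two 128-byte slots at LBA 2, slot 1 unused."""
    img = bytearray(4 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<Q", img, SECTOR + 72, 2)
    struct.pack_into("<II", img, SECTOR + 80, 2, 128)
    esp = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B").bytes_le
    name = "EFI system partition".encode("utf-16-le")
    off = 2 * SECTOR + 128                              # second slot
    img[off:off + 16] = esp
    struct.pack_into("<QQ", img, off + 32, 0x100, 0x1234F)
    img[off + 56:off + 56 + len(name)] = name
    return bytes(img)

if __name__ == "__main__":
    for p in parse_gpt(make_sample_gpt()):
        print(p["slot"], p["type_guid_raw"], hex(p["start"]), hex(p["end"]), p["name"])
```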