Navigating the GPT Partition Entry Array for Forensic Analysis. Part 3.

Introduction

In our previous posts, we laid the groundwork for understanding the GUID Partition Table (GPT) by examining the Protective MBR and the GPT Header. Now, in Part 3, we turn our focus to the GPT Partition Entry Array. This crucial component of the GPT schema provides a detailed map of all partitions on the disk, each entry holding vital information about a specific partition. By understanding the structure and function of the GPT Partition Entry Array, you’ll gain a comprehensive view of how GPT manages partitions, enabling more effective analysis, troubleshooting, and data recovery.

GPT (GUID Partition Table) Partition Entry Array

The GUID Partition Table (GPT) Entry Array is a critical part of the GPT partitioning system, which is used to define and manage the partitions on a hard disk. Think of it as a detailed list that records the specifics of each partition on the disk, like a library’s catalog that lists the details of each book.

Key Components of the GPT Entry Array:

Partition GUID: Each partition has a unique identifier, known as the Partition GUID, which ensures that each partition can be uniquely identified, even across different systems.

Unique ID: This is another unique identifier specific to each partition, providing an additional layer of unique identification.

Starting LBA (Logical Block Addressing) of the Partition: This indicates the starting point of the partition on the disk. It tells the system where the partition begins.

Ending LBA of Partition: Like the starting LBA, this indicates where the partition ends on the disk.

Attribute Bits: These are flags that provide additional information about the partition, such as whether it is bootable or if it has any special attributes.

Name of Partition: Each partition can have a human-readable name, making it easier for us to identify the purpose or content of the partition. This name is terminated with a null character to mark the end of the string.

Let’s break down all of these in detail so that you fully understand each entry in the array.

When a disk is set up as a GPT disk, the first partition that will be created is the EFI System Partition (ESP). This is a hidden partition not readily available to users. This partition will be found at sector 2048 and is formatted as FAT32 for compatibility with all systems (Windows, Linux, macOS).

The screenshot above shows a standard Windows 10 install where the Microsoft Reserved Partition was created along with one Basic Data Partition that was specified by the user during install.

Below is an excerpt of GUIDs from a table found at the GUID Partition Table Wikipedia page:

Source: https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs

Of course, the GUID will not appear in its familiar GUID form when viewing the raw bytes within the hex viewer.

The GUIDs are converted just as we did in the previous blog post, but can also be easily seen when viewing it in HxD:

We can confirm the volume partition GUIDs with the command: mountvol.exe

Knowing the starting LBA and ending LBA, we can calculate how big the partition is. For example, the EFI partition:

Starting LBA: 2048

Ending LBA: 534527

Total length: 532479 sectors × 512 bytes/sector = 272,629,248 bytes, which is 260 MB.
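As an added example (my own code, not from the post), the following decodes a 128-byte partition entry in the on-disk layout described above: the two mixed-endian GUIDs, the starting and ending LBAs, the attribute bits, the null-terminated UTF-16LE name, and the partition size derived from the LBAs. The sample entry is constructed to match the EFI partition values from the post (type GUID from the UEFI specification); its unique GUID is a placeholder. One caveat worth keeping in mind: the ending LBA is inclusive, so the sector count is end - start + 1.

```python
import struct
import uuid

SECTOR = 512
# Partition type GUID of the EFI System Partition (from the UEFI specification).
ESP_TYPE_GUID = "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"

def parse_gpt_entry(entry: bytes) -> dict:
    """Decode one 128-byte GPT partition entry as laid out on disk."""
    if len(entry) < 128:
        raise ValueError("a GPT partition entry is 128 bytes")
    type_raw, uniq_raw, start, end, attrs = struct.unpack_from("<16s16sQQQ", entry)
    # Bytes 0-15: partition type GUID, 16-31: unique partition GUID. The first
    # three GUID fields are little-endian on disk, the last two big-endian, so
    # a hex view shows 28 73 2A C1 ... for C12A7328-...; bytes_le undoes that.
    type_guid = str(uuid.UUID(bytes_le=type_raw)).upper()
    unique_guid = str(uuid.UUID(bytes_le=uniq_raw)).upper()
    # Bytes 56-127: UTF-16LE name, null-terminated (36 code units max).
    name = entry[56:128].decode("utf-16-le").split("\x00", 1)[0]
    sectors = end - start + 1  # the ending LBA is inclusive
    return {
        "type_guid": type_guid,
        "unique_guid": unique_guid,
        "starting_lba": start,
        "ending_lba": end,
        "attributes": attrs,
        "platform_required": bool(attrs & 1),      # UEFI attribute bit 0
        "no_drive_letter": bool(attrs >> 63 & 1),  # Microsoft-specific bit 63
        "name": name,
        "sectors": sectors,
        "size_bytes": sectors * SECTOR,
        "is_used": type_raw != b"\x00" * 16,  # all-zero type GUID = unused slot
    }

def build_gpt_entry(type_guid, unique_guid, start, end, attrs, name) -> bytes:
    """Pack a 128-byte entry in on-disk layout (used here to build sample input)."""
    head = struct.pack("<16s16sQQQ", uuid.UUID(type_guid).bytes_le,
                       uuid.UUID(unique_guid).bytes_le, start, end, attrs)
    name_bytes = name.encode("utf-16-le")[:70] + b"\x00\x00"
    return head + name_bytes.ljust(72, b"\x00")

# Constructed sample: the EFI System Partition from the post (LBA 2048-534527).
# The unique GUID below is a made-up placeholder, not a value from the post.
SAMPLE_ENTRY = build_gpt_entry(ESP_TYPE_GUID, "12345678-1234-1234-1234-123456789ABC",
                               2048, 534527, 1 << 63, "EFI system partition")

if __name__ == "__main__":
    for key, value in parse_gpt_entry(SAMPLE_ENTRY).items():
        print(f"{key:>18}: {value}")
```

On a real image, feed the function the 128 bytes at byte offset 2 × 512 + index × 128 for entry number index.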

The Backup GPT Partition Entry Array

The Backup GPT Partition Entry Array is located at the end of the disk and before the Backup GPT Header, specifically 33 sectors before the end of the disk (LBA (n – 33), where n is the last sector of the disk). We can also show by calculation why it is 33 sectors before the end of the disk, or 32 sectors before the Backup GPT Header.

Each partition entry is 128 bytes and there are 128 total entries in the Entry Array. That means the Array is 16,384 bytes, or 32 sectors (16384/512).

The Backup GPT Header points to the location of the Backup GPT Partition Entry Array

Backup GPT Partition Entry Array Near End of Disk

Repairing a GPT Partition Entry Array

Repairing the GPT Partition Entry Array is as straightforward as copying the 16,384-byte backup found 33 sectors from the end of the disk and writing it to LBA 2 through 33. There is no need to alter or modify any hex values, as the two arrays are exact copies.

The backup GPT located near the end of the disk is the same as the primary. In fact, carving out the sectors for each and hashing them shows that they are an exact match. 
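As an added example (not code from the post), the following applies the arithmetic from the two sections above to a disk image: it locates the backup array 33 sectors before the end of the disk (32 sectors before the backup header in the last sector), hashes the primary and backup arrays to confirm they match, and restores the primary from the backup without altering a byte. The disk image is constructed in memory; on a real disk, read the partition entry LBA field of the backup GPT header rather than assuming the offset.

```python
import hashlib

SECTOR = 512
ENTRY_ARRAY_BYTES = 128 * 128                      # 128 entries x 128 bytes = 16,384 bytes
ENTRY_ARRAY_SECTORS = ENTRY_ARRAY_BYTES // SECTOR  # 16384 / 512 = 32 sectors
PRIMARY_ARRAY_LBA = 2                              # LBA 0: protective MBR, LBA 1: GPT header

def backup_array_lba(total_sectors: int) -> int:
    """Backup entry array: 33 sectors before the end of the disk, which is
    32 sectors before the backup GPT header in the disk's last sector."""
    return total_sectors - 33

def read_sectors(image: bytes, lba: int, count: int) -> bytes:
    return image[lba * SECTOR:(lba + count) * SECTOR]

def entry_array_hashes(image: bytes) -> tuple:
    """SHA-256 of the primary (LBA 2-33) and backup entry arrays; on an intact
    disk both digests are identical."""
    total = len(image) // SECTOR
    primary = read_sectors(image, PRIMARY_ARRAY_LBA, ENTRY_ARRAY_SECTORS)
    backup = read_sectors(image, backup_array_lba(total), ENTRY_ARRAY_SECTORS)
    return hashlib.sha256(primary).hexdigest(), hashlib.sha256(backup).hexdigest()

def restore_primary_from_backup(image: bytes) -> bytes:
    """Return a copy of the image with the backup array written over LBA 2-33.
    Nothing is altered in transit: the backup is an exact copy of the primary."""
    total = len(image) // SECTOR
    backup = read_sectors(image, backup_array_lba(total), ENTRY_ARRAY_SECTORS)
    out = bytearray(image)
    start = PRIMARY_ARRAY_LBA * SECTOR
    out[start:start + ENTRY_ARRAY_BYTES] = backup
    return bytes(out)

def make_sample_image(total_sectors: int = 4096) -> bytes:
    """Constructed disk image (not a real dump): the same 16,384-byte array is
    placed at LBA 2 and at the backup location; everything else is zero."""
    array = bytes(range(256)) * (ENTRY_ARRAY_BYTES // 256)
    img = bytearray(total_sectors * SECTOR)
    p = PRIMARY_ARRAY_LBA * SECTOR
    img[p:p + ENTRY_ARRAY_BYTES] = array
    b = backup_array_lba(total_sectors) * SECTOR
    img[b:b + ENTRY_ARRAY_BYTES] = array
    return bytes(img)

if __name__ == "__main__":
    img = make_sample_image()
    print("backup array at LBA", backup_array_lba(len(img) // SECTOR))
    print("primary/backup match:", len(set(entry_array_hashes(img))) == 1)
```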

Conclusion

In this third installment, we have thoroughly examined the GPT Partition Entry Array, a critical component of the GPT schema. By breaking down each field within the partition entries, from the GUIDs to the attribute bits and partition names, we have seen how GPT provides a robust framework for organizing and accessing disk data. This knowledge is essential for forensic investigations, data recovery, and system administration, equipping you with the skills to navigate and manipulate GPT-partitioned disks effectively. Stay tuned for our next post, where we will delve into practical applications and case studies, bringing theory into practice.
