WEBVTT

0:00:09.800000 --> 0:00:12.600000
Okay, we're going to talk about this partitioning here.

0:00:12.600000 --> 0:00:18.500000
There really are two types of partition schemas that we're going to worry

0:00:18.500000 --> 0:00:22.660000
about in this course, and we're only going to focus on one, and that's

0:00:22.660000 --> 0:00:24.540000
going to be master boot partition.

0:00:24.540000 --> 0:00:29.280000
For now, understand that there's master boot record and GUID partition

0:00:29.280000 --> 0:00:35.260000
table. For now, just understand that GUID partition table exists, and

0:00:35.260000 --> 0:00:41.900000
we're going to focus in on our master boot record or MBR partitions.

0:00:41.900000 --> 0:00:46.180000
So what you can see in this chart is an example of a partition table with

0:00:46.180000 --> 0:00:55.300000
four partitions, and it totals just shy of about 16 gigabytes of space.

0:00:55.300000 --> 0:01:00.600000
If you notice, the partition starts on sector 63, which is incredibly

0:01:00.600000 --> 0:01:04.020000
common, and then you can see how we have start in, start in, start to

0:01:04.020000 --> 0:01:08.500000
end on that. And this is kind of transitioned in a human-readable format.

0:01:08.500000 --> 0:01:12.280000
Keep it in mind that if you were to use a partition editor that you would

0:01:12.280000 --> 0:01:16.720000
be seeing this represented in hexadecimal format.

0:01:16.720000 --> 0:01:19.040000
So what is the master boot record?

0:01:19.040000 --> 0:01:23.800000
The master boot record is going to be where the BIOS is going to hit to

0:01:23.800000 --> 0:01:25.800000
try and look for some bootable partitions.

0:01:25.800000 --> 0:01:30.220000
Okay. What it does is it allocates the first sector of a hard drive, and

0:01:30.220000 --> 0:01:34.080000
it holds three very important pieces of information.

0:01:34.080000 --> 0:01:41.200000
It's going to house the boot code, the partition table, and a signature.

0:01:41.200000 --> 0:01:45.820000
Your boot code is going to start right at offset zero, which is which

0:01:45.820000 --> 0:01:48.440000
is sector is the very first part of sector one.

0:01:48.440000 --> 0:01:52.800000
And if you look at it, you can kind of see some basic types of information

0:01:52.800000 --> 0:01:55.400000
in the text ASCII interpretation.

0:01:55.400000 --> 0:01:59.520000
So you can kind of get a feel that I don't really understand what's going

0:01:59.520000 --> 0:02:02.800000
on, but I see some text that make me feel like it's a boot up.

0:02:02.800000 --> 0:02:10.860000
And then what you're going to see starting at about offset 446 is that

0:02:10.860000 --> 0:02:13.020000
you're going to see the partition table.

0:02:13.020000 --> 0:02:19.460000
The partition table for master boot record consists of four 16 byte entries

0:02:19.460000 --> 0:02:21.960000
that describe the various different partitions.

0:02:21.960000 --> 0:02:30.300000
And then at offset 510, you're going to see a two byte sequence called

0:02:30.300000 --> 0:02:34.840000
5, 5, 8, and that's the signature or the magic number that signifies the

0:02:34.840000 --> 0:02:41.780000
end of the sector and the end of the partition tables.

0:02:41.780000 --> 0:02:46.140000
The boot code is going to begin after about 446.

0:02:46.140000 --> 0:02:48.500000
And that's going to be in the MBR sector.

0:02:48.500000 --> 0:02:53.260000
Modern operating systems today would require boot code that is so large

0:02:53.260000 --> 0:02:56.420000
that it won't sit in this 446 byte limit.

0:02:56.420000 --> 0:03:00.900000
So what we're going to do with that is we're going to take the MBR and

0:03:00.900000 --> 0:03:07.400000
we're going to create what's called a VBR or volume boot record.

0:03:07.400000 --> 0:03:09.180000
And this is kind of how it's represented.

0:03:09.180000 --> 0:03:12.660000
We see the master boot record in a very small code area.

0:03:12.660000 --> 0:03:16.320000
After the master boot record is going to be VBR and then you're going

0:03:16.320000 --> 0:03:18.560000
to see that full first partition.

0:03:18.560000 --> 0:03:20.820000
And if you have a second partition, you're going to see the repeat, the

0:03:20.820000 --> 0:03:22.720000
VBR and the partition 2.

0:03:22.720000 --> 0:03:27.120000
And why? It's mainly because of the differences between the MBR and the

0:03:27.120000 --> 0:03:32.140000
VBR. VBRs exist at the beginning of each volume and then MBRs exist at

0:03:32.140000 --> 0:03:34.180000
the beginning of the disk.

0:03:34.180000 --> 0:03:38.820000
Also keep in mind that the VBR is operating system specific while the

0:03:38.820000 --> 0:03:43.920000
MBR is not really concerned about what type of operating system is going

0:03:43.920000 --> 0:03:45.100000
to be on the disks.

0:03:45.100000 --> 0:03:50.540000
It is really a set of pointer records that point to where the boot code

0:03:50.540000 --> 0:03:55.860000
is. Why? Because VBR essentially got bigger and bigger as disk got bigger.

0:03:55.860000 --> 0:04:00.760000
Single sector MBR just could hold all the data necessary to boot up an

0:04:00.760000 --> 0:04:01.900000
operating system.

0:04:01.900000 --> 0:04:06.300000
And so that's why we just point to that VBR and then from there the VBR

0:04:06.300000 --> 0:04:08.820000
takes care of booting.

0:04:08.820000 --> 0:04:13.780000
So for example, on that, if you were going to boot a partition containing

0:04:13.780000 --> 0:04:18.900000
a Linux operating system, the MBR, the master boot record code would point

0:04:18.900000 --> 0:04:25.120000
to the VBR and then that VBR would more than likely contain something

0:04:25.120000 --> 0:04:30.660000
called GRUB and it would use that to boot the Linux boot code.

0:04:30.660000 --> 0:04:36.840000
If we kind of look at here, here is how the MBR sector is laid out.

0:04:36.840000 --> 0:04:41.540000
If you see, we start at offset 446 and we end at 461.

0:04:41.540000 --> 0:04:46.760000
That's going to contain 16 bytes of that descriptive boot code and then

0:04:46.760000 --> 0:04:51.720000
we have that for three more entries and three more partitions.

0:04:51.720000 --> 0:04:56.980000
And keep in mind that the entries are always 16 bytes apiece and that

0:04:56.980000 --> 0:05:02.820000
means that master boot record can only hold four entries.

0:05:02.820000 --> 0:05:09.360000
If we look at this table here, we can kind of see how the offsets are

0:05:09.360000 --> 0:05:10.420000
and how we describe it.

0:05:10.420000 --> 0:05:16.420000
We're going to look at whether or not it's an active boot device and that's

0:05:16.420000 --> 0:05:20.840000
going to be that's going to be described by the hexadecimal 80.

0:05:20.840000 --> 0:05:23.860000
That's that 0x80 you see.

0:05:23.860000 --> 0:05:25.320000
That's not decimal 80.

0:05:25.320000 --> 0:05:27.040000
That's hexadecimal 80.

0:05:27.040000 --> 0:05:32.820000
So if the if the first byte of the partition has the hexadecimal 80 marker,

0:05:32.820000 --> 0:05:35.760000
that means that that is the active boot partition.

0:05:35.760000 --> 0:05:39.580000
The next set of three bytes is going to give you your cylinder head sector

0:05:39.580000 --> 0:05:43.200000
value as to where that partition begins.

0:05:43.200000 --> 0:05:47.020000
And then we look at a partition descriptor in the next byte and that's

0:05:47.020000 --> 0:05:51.960000
going to be what type of operating system or file system, particularly

0:05:51.960000 --> 0:05:56.080000
what type of file system is going to be expected there.

0:05:56.080000 --> 0:05:59.880000
And then we're going to see the ending cylinder head sector value and

0:05:59.880000 --> 0:06:04.980000
then a beginning of maybe a LBA sector, if it's a modern drive, and then

0:06:04.980000 --> 0:06:08.940000
we can see the partition size in the remaining bytes.

0:06:08.940000 --> 0:06:10.000000
Now let's think about this.

0:06:10.000000 --> 0:06:11.900000
Let's do a little bit of arithmetic here.

0:06:11.900000 --> 0:06:15.700000
What we're looking at for these maximum partition sizes are two to the

0:06:15.700000 --> 0:06:19.560000
hundred two to the 32nd maximum partition size and sectors.

0:06:19.560000 --> 0:06:25.700000
That is equal to about two quadrillion bytes or two terabytes.

0:06:25.700000 --> 0:06:31.260000
So two terabytes is going to be the maximum size supported in a master

0:06:31.260000 --> 0:06:33.560000
boot record partition table.

0:06:33.560000 --> 0:06:37.320000
So I know we mentioned both master boot record and GPT.

0:06:37.320000 --> 0:06:41.880000
We haven't discussed about GPT, but here is what you need to know about

0:06:41.880000 --> 0:06:45.080000
acquiring these with tools.

0:06:45.080000 --> 0:06:48.980000
Our acquisition tools aren't really going to care.

0:06:48.980000 --> 0:06:51.840000
They don't care whether it's master boot record or GPT.

0:06:51.840000 --> 0:06:56.680000
This knowledge is really just to prepare you for any unexpected challenges

0:06:56.680000 --> 0:07:00.820000
such as corrupt partition tables and the like.