
18093906 7COSC003W: CW1

Table of Contents

Introduction……………………………………………………………………………….1
General Advantages and Disadvantages of GPT and MBR……………………………....1
Critical Comparison Between MBR and GPT……………………………………………2
Partitions Creation and How they are Accommodated…………………………...2
Partitions Order Management…………………………………………………….6
Partition Size Information…..………………………...………………………….10
Sector Size Information……..……………………………………………………13
File System Information…..……………………………………………………...13
Volume Name Information…..………………………………………………...…16
Endian Representation…..…………….……………………………….…………17
Windows 10/11 Boot Process Security…………………………………………………...18
Conclusion………………………………………………………………………………..19
Reference List………………………………………………………………………….....20

1- Introduction
Data exists in one of two states: at rest or in transit. Data is in transit when it
travels through wired or wireless communication channels from a source to a
destination, and vice versa. These sources and destinations are where data resides,
that is, where it is at rest. But what is required to hold at-rest data? A storage
location. Devices that store data have hard disks, but data cannot be stored on a
blank disk.
For a disk to be able to store data, it must first be formatted with a certain drive letter,
cluster size, storage size, and file system. The disk can then act as a container, or a
Partition. Is one partition enough to store and process data? The answer is yes. But
partitioning a disk (i.e., logically creating more than one partition) brings greater
benefits. Taking Windows as an example, one benefit is better organization of data,
such as using a partition (other than the C: drive that holds the operating system) to
store application installation packages and a third one to store personal data. This way,
data can be easily organized and backed up, and, if a problem requires Windows to be
reinstalled, this can be done within the system partition without affecting other data.
Partitions are not organized or managed at random; each disk operates according to a
partition table, or partitioning scheme. A partitioning scheme is data stored at the
beginning of a storage device that determines the layout and organization of the
partitions on the device. There are two schemes, MBR (Master Boot Record) and GPT
(GUID Partition Table).
This document explains the advantages and disadvantages of both MBR and GPT and
critically compares their technical similarities and differences.

2- General Advantages and Disadvantages of GPT and MBR


The below table demonstrates the advantages and disadvantages of GPT when
compared to MBR according to certain criteria:

Criterion: Compatibility
MBR: While MBR is globally supported on systems that rely on BIOS (Basic Input/Output System), the DOS/MBR partition tables and BIOS have design limitations that do not fit the requirements of modern computer systems [1].
GPT: GPT is designed to overcome the limitations of MBR and is compatible with modern UEFI (Unified Extensible Firmware Interface) systems, but might not be supported by older systems.

Criterion: Size
MBR: MBR can allocate up to 0xFFFFFFFF sectors for a single partition, which means each partition can only hold a maximum of 2 Terabytes of data.
GPT: GPT allocates up to 0xFFFFFFFFFFFFFFFF sectors per partition, which is equal to 8 Zettabytes.

Criterion: Partitions
MBR: MBR's architecture allows the creation of up to 4 partitions only.
GPT: Disks working on GPT can have up to 128 partitions.

Criterion: Labeling
MBR: MBR provides a unique code for each partition to determine its type; for example, 0x83 indicates that a certain partition is formatted with a Linux native file system. However, these codes are limited and are unable to identify the role of each partition.
GPT: GPT provides a 16-byte Partition Type GUID (partitions can have the same ID if they are, for example, Windows Basic Data Partitions), and a 16-byte Unique Partition GUID (to distinguish one partition from another). This provides flexibility and clearly defines the purpose of each partition.

Criterion: Backup and Integrity
MBR: MBR's partition information is stored in the first sector of an MBR disk. This sector has no backup, hence any damage to this sector affects the whole disk, such as losing the information about the bootable partition. It also does not have any error checking mechanism.
GPT: GPT creates a backup of the partition table information and stores it at the end of the disk, making it possible to retrieve this information in the event of losing the primary partition table. It also uses a CRC32 checksum (Cyclic Redundancy Check) for error detection to verify data integrity [2].

3- Critical Comparison Between MBR and GPT


3.1 Partitions Creation and How they are Accommodated
The comparison will be based on the following scenario: two USB sticks will be
used. The first one will use MBR to create two partitions:
- Partition one will be formatted with the NTFS file system, 8k cluster size, volume
label Mohammed (according to the author's first name), and a capacity of
906 MB (according to the last three digits of the author's student ID:
18093906).
- Partition two will be formatted with the exFAT file system, 64k cluster size,
volume label Almalallah (according to the author's first name), and a
capacity of 906 MB (according to the last three digits of the author's student
ID: 18093906).
The same steps will be applied to the second USB stick, but using GPT as
its partition table.


For creating the partitions, the CLI (Command Line Interface) utility DISKPART
will be used.
3.1.1 MBR USB Stick

Figure 1: Using DISKPART to Create MBR Partitions


Figure 2: Confirming Partitions Creation Using Disk Management


3.1.2 GPT USB Stick

Figure 3: Using DISKPART to Create GPT Partitions


Figure 4: Confirming Partitions Creation Using Disk Management

3.2 Partitions Order Management


3.2.1 MBR
The architecture of the MBR consists of a 512-byte initial sector at the beginning
of the disk that contains the boot information and partitions’ information, then
followed by the four partitions:

Figure 5: MBR Layout [1]


The MBR's initial sector contains 445 bytes of boot code, then the four partition
entries of 16 bytes each, followed by a 2-byte MBR signature.

Figure 6: MBR’s Initial Sector [1]

The order in which the partitions are managed in MBR is determined by their
order of creation and their physical location on the disk. In the example shown
earlier, the first created partition which was Mohammed (A:) is the first one to be
stored physically in the disk and should be the active partition if it is required for
it to be bootable.
3.2.2 GPT
For GPT, the architecture is made up of a 512-byte protective MBR that prevents
data loss when GPT is used with older systems, a 512-byte GPT header that holds
general information about the disk, and a partition entry array of 128 entries of
128 bytes each, which hold information about each partition such as its size and
its partition type GUID.


Figure 7: GPT Layout [1]

Figure 8: GPT Header [1] Figure 9: GPT Single Entry [1]


As shown in figure 8, offsets 0x28 to 0x30 hold the first usable LBA
(Logical Block Addressing), the sector where the first actual partition can start
and store data. To illustrate, the GPT header of the second USB stick will
be examined as an example using the dd command in Linux. The first 512
bytes (the protective MBR) are skipped to show only the GPT header.
Highlighted in yellow is the first usable LBA:

Figure 10: Using dd and xxd to Extract the GPT Header

The bytes 22 00 00 00 00 00 00 00 are stored in little endian. Converted
to big endian, the value is 0x22. Now, converting this to decimal:
Decimal value = 16^0×2 + 16^1×2 = 2 + 32 = 34
This means that the first usable LBA starts at sector 34 on the disk. To
determine the exact offset, 34 must be multiplied by the sector size (512
bytes):
Offset of the first usable LBA = 34×512 = 17,408
Analyzing the USB stick to show the first LBA of the first partition
entry, which is stored at offset 0x28 of the 128-byte partition entry, shows
that the first LBA is stored as an 8-byte little-endian value: 00 08 00 00
00 00 00 00. Converted to big endian: 0x800.
First partition's LBA = 16^0×0 + 16^1×0 + 16^2×8 = 0 + 0 + 2048 = 2,048


The first partition starts at sector 2,048, which is offset 1,048,576
(2,048×512). This shows that the first actual partition starts at offset
1,048,576, not 17,408.
GPT's partition order shows more flexibility: it does not necessarily store the
partitions according to their order of creation, and the first partition created is
not necessarily the first one stored physically on the disk.

Figure 11: Using dd and xxd to Extract the 1st Partition Entry

3.3 Partitions Size Information


3.3.1 MBR
MBR stores the information related to partition size in sector 0, which
is the initial sector that holds the general information about the disk. Each
partition is represented by 16 bytes starting from byte 446. Following the
example used in this document, the first (MBR) USB stick is examined; it
has two partitions of the same size, so only the first partition will be
inspected. Using dd and xxd, the first partition's 16-byte entry will be
extracted to check bytes 12-15, which store the partition's size
information.


Figure 12: Using dd and xxd to Calculate the Size of the 1st MBR Partition

Bytes highlighted in yellow in figure 11 are bytes 12-15, which hold the information
about the partition size. These bytes are stored in little endian. The following steps
will be taken to calculate the size:
- Converting little endian to big endian: 00 50 1C 00 becomes 00 1C 50 00
- Converting hex to decimal: 16^0×0 + 16^1×0 + 16^2×0 + 16^3×5 + 16^4×C +
16^5×1 + 16^6×0 + 16^7×0 = 20,480 + 786,432 + 1,048,576 = 1,855,488
- The partition contains 1,855,488 sectors. This must be multiplied
by the single sector size (512 bytes) to determine the size in bytes
- Partition size in bytes = 1,855,488×512 = 950,009,856 bytes
- To get the exact value in Megabytes, the value in bytes should be divided
by 2^20 (since computers only understand the binary system, and 2^20 is the
closest power of two to 10^6, which represents 1 Megabyte)
- The final actual size in Megabytes is 950,009,856 / 2^20 = 906 MB
Here, the process has resulted in the actual partition size, which is the
same as what was allocated to the partition during creation in 3.1.1.
3.3.2 GPT
When it comes to GPT, partition size information is stored in the partition entry
table that consists of 128 entries with 128 bytes for each single partition. Each
entry identifies the starting and ending LBA of the partition (i.e., the first and last
sector the partition uses to store data). Using these values, the total number of
sectors can be calculated to determine the partition size.


Since both partitions were created with the same size in the second GPT USB
stick, the first partition will be taken as an example to examine the first and last
LBA and calculate the partition size.
According to GPT’s architecture shown in figure 9, starting LBA is located
between offset 0x20 and 0x28, and ending LBA is located between 0x28 and
0x30.

Figure 13: Using dd and xxd to Calculate the Size of the 1st GPT Partition

Highlighted in yellow, the starting LBA is 00 08 00 00 00 00 00 00 and the ending
LBA is FF 57 1C 00 00 00 00 00. To calculate the partition size, the following
steps should be taken:
- Both values are stored in little endian, so first they must be converted to big
endian: starting LBA 0x800, and ending LBA 0x1C57FF
- Now, both values must be converted to decimal.
- Starting LBA in decimal: 16^0×0 + 16^1×0 + 16^2×8 = 2,048
- Ending LBA in decimal: 16^0×F + 16^1×F + 16^2×7 + 16^3×5 + 16^4×C +
16^5×1 = 15 + 240 + 1,792 + 20,480 + 786,432 + 1,048,576 = 1,857,535
- The first partition stores data from sector 2,048 to sector 1,857,535
(both included)
- To determine the total number of sectors, the starting LBA must be
subtracted from the ending LBA
- Total number of sectors = 1,857,535 – 2,048 + 1 = 1,855,488
- A 1 is added to the formula because both sector 2,048 and sector 1,857,535 are
part of the partition and both store data
- To calculate the partition size in bytes, the total number of sectors must
be multiplied by the size of a single sector (512 bytes)
- Partition size in bytes = 1,855,488×512 = 950,009,856
- To get the exact value in Megabytes, the value in bytes should be divided
by 2^20 (since computers only understand the binary system, and 2^20 is the
closest power of two to 10^6, which represents 1 Megabyte)
- The final actual size in Megabytes is 950,009,856 / 2^20 = 906 MB
Here, the process has resulted in the actual partition size, which is the
same as what was allocated to the partition during creation in 3.1.2.
3.4 Sector Size Information
Through analyzing both partitioning schemes and following their structure, it was
found that neither MBR nor GPT stores sector or cluster size information.
This is handled at a lower level that is not concerned with the partition schemes
themselves.
3.5 File System Information
In the example, for both MBR and GPT, the first partition has been
formatted with NTFS and the second partition has been formatted with exFAT.
Both disks will be examined to determine how each partition scheme
identifies the partition types.
3.5.1 MBR
For MBR, partition type information is stored in sector 0 as part of the 16-byte
entry of each partition, laid out as in the table below.

Figure 14: The 16-Byte MBR Partition

Byte 4 of each entry represents the file system installed on the partition. To
verify that the MBR sector holds the same file system information as was
set when the partitions were created in 3.1, dd and xxd will be used to extract
each partition's 16-byte entry.


Figure 15: Using dd and xxd to Extract Partitions Information

Byte 4 for each partition is 0x07. This value is used for both NTFS and exFAT
[3], which proves that the first partition is formatted with NTFS file system and
the second one is formatted with exFAT.
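The sector 0 decoding walked through in 3.3.1 (sector count at bytes 12-15) and 3.5.1 (type byte 4, status byte 0) as a small parser, added here as an example rather than code from the coursework; the sample sector is constructed to match the document's two type 0x07 partitions of 0x001C5000 sectors, and the starting LBAs are assumed values.

```python
import struct

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446        # the four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"   # last two bytes of sector 0


def parse_mbr(sector0: bytes) -> list:
    """Parse the four 16-byte partition entries stored in MBR sector 0.

    Raises ValueError when the input is not a 512-byte sector or the 0x55AA
    signature is missing, so damaged or non-MBR data is rejected instead of
    being decoded into nonsense.
    """
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("MBR signature 0x55AA not found")
    entries = []
    for index in range(4):
        offset = MBR_TABLE_OFFSET + 16 * index
        # byte 0: status (0x80 = active/bootable), byte 4: partition type,
        # bytes 8-11: starting LBA, bytes 12-15: sector count; the CHS fields
        # in between are skipped. All multi-byte values are little endian.
        status, ptype, start_lba, sectors = struct.unpack(
            "<B3xB3xII", sector0[offset:offset + 16])
        if ptype == 0x00:
            continue  # unused slot
        size_bytes = sectors * SECTOR_SIZE
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,               # 0x07 covers both NTFS and exFAT
            "start_lba": start_lba,
            "sectors": sectors,
            "size_bytes": size_bytes,
            "size_mib": size_bytes / 2 ** 20,
        })
    return entries


def _entry(status: int, ptype: int, start_lba: int, sectors: int) -> bytes:
    """Build one 16-byte entry; CHS fields are zeroed since only LBA is used."""
    return struct.pack("<B3xB3xII", status, ptype, start_lba, sectors)


# Constructed sector 0 mirroring the document's MBR USB stick: two type 0x07
# partitions of 0x001C5000 sectors each. The starting LBAs are assumed values.
SAMPLE_MBR = (
    bytes(MBR_TABLE_OFFSET)
    + _entry(0x80, 0x07, 2048, 0x001C5000)
    + _entry(0x00, 0x07, 2048 + 0x001C5000, 0x001C5000)
    + bytes(32)          # two empty entries
    + MBR_SIGNATURE
)

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        print(f"entry {e['index']}: type 0x{e['type']:02X} active={e['bootable']} "
              f"start LBA {e['start_lba']} sectors {e['sectors']} "
              f"size {e['size_bytes']} bytes = {e['size_mib']:.0f} MiB")
```

Running it against a real sector 0 (for example the output of dd with count=1) reproduces the 906 MB figure from 3.3.1.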
3.5.2 GPT
After analyzing the GPT USB stick, it was found that GPT stores file system
information in the first sector of each partition (the sector at the starting LBA
of the partition). This information starts from byte 3, and each byte represents a
character in ASCII.
The starting LBA of each partition is stored in the 128-byte partition entry
of GPT. It was already calculated in 3.3.2 that the starting LBA of partition 1 is
0x800, which is 2,048 (the first sector the partition uses to store data). To determine
the exact offset, this value must be multiplied by the single sector size (512
bytes), which gives offset 1,048,576 for the first partition. Using dd and xxd, the
first sector of the partition will be examined to verify the file system installed on
the partition.

Figure 16: Using dd and xxd to Extract the 1st Sector

Here it shows that bytes 3 to 6 represent the ASCII codes of the file system’s
name installed on the partition which is NTFS.
Regarding the second partition, its 128-byte partition entry will be examined to
determine the starting LBA of the partition, then dd will be used to extract the
first sector of the partition to verify the file system installed. The partition entry
of the second partition starts at byte 1,152 (512 protective MBR + 512 GPT
header + 128 first partition entry).

Figure 17: Using dd and xxd to Extract the 2nd Partition Entry

The highlighted bytes represent the starting LBA of the partition: 00 58 1C 00
00 00 00 00. First, this value must be converted to decimal to get the exact
sector where this partition starts storing data, then multiplied by the single
sector size to get the exact offset:
- The bytes are stored in little endian; in big endian the value is 0x1C5800
- Starting LBA in decimal = 16^0×0 + 16^1×0 + 16^2×8 + 16^3×5 + 16^4×C +
16^5×1 = 2,048 + 20,480 + 786,432 + 1,048,576 = 1,857,536
- The second partition starts at sector 1,857,536
- Offset = starting sector × single sector size = 1,857,536×512 =
951,058,432
After getting the offset, dd will be used to extract the first sector of the
partition:

Figure 18: Using dd and xxd to Extract the 1st Sector of the 2nd Partition

Here it shows that ASCII representation of exFAT is stored from byte 3 to byte
7, and this verifies the file system installed on the partition in 3.1.2 which is
exFAT.


3.6 Volume Name Information


For both MBR and GPT, the volume name is not stored in the MBR's initial sector,
nor in the GPT header or partition entry. Volume name information is
related to the partitions themselves; it is stored within the storage sectors of
NTFS and exFAT.
To elaborate, and since the partitions have the same characteristics for
MBR and GPT, the GPT partitions will be taken as an example.
It was already determined that partition 1 starts at sector 2,048, which is offset
1,048,576 after multiplying it by the sector size (512 bytes). Using dd, the
partition itself has been examined to determine where it stores the volume name.
The result was that the NTFS partition stores the volume name information 22
sectors after the first sector. The following dd command was used to reach
exactly this sector:
sudo dd if=/dev/sdb bs=512 skip=2048 count=23

Figure 19: Using dd and xxd to Extract Volume Name

For the second exFAT partition, it was already determined in 3.5.2 that the
partition starts at offset 951,058,432. Therefore, the examination of the partition
started from this offset, and it was found that volume name information is stored
at offset 951,320,576 which is the Root Directory that holds the volume label
entry [4].


Figure 20: Using dd and xxd to Extract Volume Name

3.7 Endian Representation


3.7.1 MBR
MBR is designed to store data solely in little endian format. That is, the LSB
(Least Significant Byte) is the one stored first physically on the disk. This
includes the initial sector of MBR, the partition entries and everything within the
MBR disk. For any examination of the hex bytes of MBR, they must first be
converted into big endian.
3.7.2 GPT
GPT uses little endian as well, since it is the most common method of storing data in
computer systems. However, in certain places GPT uses mixed endian, namely
for GUIDs such as the disk GUID in the GPT header and the partition
type GUIDs.
Windows basic data partitions are assigned the following GUID:
EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 [5]. To better understand how
GPT stores this value, the 16-byte GUID will be extracted from the GPT USB
stick for partition 1 to see how mixed endian is used by GPT.

Figure 21: Using dd and xxd to Extract Partition 1 Type GUID

Partition type GUIDs are stored in the first 16 bytes of the partition entry. GPT
stores the abovementioned value in this format: A2A0D0EB-E5B9-3344-87C0-
68B6B72699C7. This means that the first 3 dash-separated fields, EBD0A0A2-B9E5-
4433, are stored in little endian, while the next 2 are stored in big endian: 87C0-
68B6B72699C7.
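A parser for the GPT structures examined in 3.2.2, 3.3.2, 3.5.2 and 3.7.2: the first usable LBA from the header, an entry's starting and ending LBA with the inclusive sector count, the file system name at byte 3 of a partition's first sector, and the mixed-endian type GUID. This is an added example, not code from the coursework; the header, entry and boot sector bytes are constructed to match the document's values, while the unique partition GUID and partition name are assumed placeholders.

```python
import struct
import uuid

SECTOR_SIZE = 512
ENTRY_SIZE = 128
GPT_SIGNATURE = b"EFI PART"
# Windows Basic Data partition type GUID in canonical text form (from the document)
BASIC_DATA_GUID = "EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"


def first_usable_lba(header: bytes) -> int:
    """Read the first usable LBA at header offset 0x28 (8 bytes, little endian)."""
    if len(header) < 0x30 or header[0:8] != GPT_SIGNATURE:
        raise ValueError("not a GPT header")
    return struct.unpack_from("<Q", header, 0x28)[0]


def entry_offset(index: int) -> int:
    """Byte offset of partition entry `index`: protective MBR + header + earlier entries."""
    return 2 * SECTOR_SIZE + ENTRY_SIZE * index


def guid_text(raw16: bytes) -> str:
    """Canonical text of the 16 on-disk GUID bytes. The first three fields are
    stored little endian and the last two big endian, which is the mixed layout
    that uuid.UUID(bytes_le=...) expects."""
    return str(uuid.UUID(bytes_le=raw16)).upper()


def parse_gpt_entry(entry: bytes) -> dict:
    """Parse one 128-byte partition entry into its GUIDs, LBAs and size."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a GPT partition entry is 128 bytes")
    start_lba, end_lba = struct.unpack_from("<QQ", entry, 0x20)   # offsets 0x20 and 0x28
    if end_lba < start_lba:
        raise ValueError("ending LBA precedes starting LBA")
    sectors = end_lba - start_lba + 1          # both LBAs belong to the partition
    size_bytes = sectors * SECTOR_SIZE
    return {
        "type_guid": guid_text(entry[0:16]),
        "unique_guid": guid_text(entry[16:32]),
        "start_lba": start_lba,
        "end_lba": end_lba,
        "start_offset": start_lba * SECTOR_SIZE,
        "sectors": sectors,
        "size_bytes": size_bytes,
        "size_mib": size_bytes / 2 ** 20,
        "name": entry[0x38:ENTRY_SIZE].decode("utf-16-le").rstrip("\x00"),
    }


def filesystem_name(first_sector: bytes) -> str:
    """NTFS and exFAT boot sectors carry the file system name in ASCII from byte 3."""
    return first_sector[3:11].decode("ascii", errors="replace").strip()


def build_entry(type_guid: str, unique_guid: str, start: int, end: int, name: str) -> bytes:
    """Assemble a 128-byte entry (attributes zeroed) in its on-disk layout."""
    name_utf16 = name.encode("utf-16-le").ljust(72, b"\x00")
    return (uuid.UUID(type_guid).bytes_le + uuid.UUID(unique_guid).bytes_le
            + struct.pack("<QQQ", start, end, 0) + name_utf16)


# Constructed samples mirroring the document's GPT USB stick: first usable LBA 34,
# partition 1 from LBA 0x800 to 0x1C57FF. The unique GUID, partition name and
# boot sector bytes are assumed placeholders.
SAMPLE_HEADER = (GPT_SIGNATURE + bytes(0x28 - 8) + struct.pack("<Q", 34)
                 + bytes(SECTOR_SIZE - 0x30))
SAMPLE_ENTRY = build_entry(BASIC_DATA_GUID, "00000000-0000-0000-0000-000000000001",
                           0x800, 0x1C57FF, "Basic data partition")
SAMPLE_NTFS_SECTOR = b"\xEB\x52\x90" + b"NTFS    " + bytes(SECTOR_SIZE - 11)
```

SAMPLE_ENTRY[0:16] is the on-disk byte order A2A0D0EB-E5B9-3344-87C0-68B6B72699C7 shown in figure 21, and guid_text() turns it back into the canonical form.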

4- Windows 10/11 Boot Process Security


Before a computer is ready for use and users can start working with its GUI (Graphical
User Interface), a certain process must complete. During this process, the computer goes
through a number of steps in which the hardware is checked and verified, boot devices
are detected, and the operating system is loaded. This process is called the Boot
Process, and the component that plays an essential role in it is the Firmware: the
part that initializes the hardware and starts the operating system. The firmware can be
either BIOS or UEFI.
BIOS is a piece of code located on the motherboard that works in 16-bit mode and
uses the MBR partitioning scheme. BIOS is older than UEFI and has many
limitations [6].
UEFI, on the other hand, was created to overcome the limitations of legacy BIOS:
it works in 32-bit or 64-bit mode, introduces the GPT partitioning scheme, and
provides more security [6].
The boot process can introduce security weaknesses to the computer and the data stored
on it, affecting all three CIA tenets (Confidentiality, Integrity, and Availability).
Legacy BIOS with the traditional MBR does not provide security features, unlike
UEFI with GPT, which introduced key security features to the boot process in
Windows, such as:
- Enhancing Availability by keeping a backup of the partition table
information and GPT header, which is used in case of any damage to the
primary ones, hence ensuring the availability of the boot information.
- Ensuring Integrity by using the CRC32 error detection mechanism that
checks for modifications and corruption. Using this mechanism, any
corruption that may lead to the initiation of an unauthorized bootloader can be
detected [2].
- If a computer is left unattended, someone can use external media, such as a
bootable USB stick, change the boot order to boot from this USB and
introduce malware to the computer or access the file system, which breaches
the Confidentiality of the data. UEFI came up with a powerful feature that
ensures only trusted software from the OEM (Original Equipment
Manufacturer) can be used to boot the computer. This feature is called Secure
Boot; through it, the computer comes pre-equipped with signature and
key databases that UEFI uses to check the validity of each piece of boot
software [7].
- As a complementary step to Secure Boot, there is a feature that ensures a
secure and untampered boot process by recording and hashing each
step of the process, hence creating a chain of trust that is stored in a hardware
chip called the TPM (Trusted Platform Module). This feature is called Measured
Boot [8].
All these features make the whole boot process secure, resulting in a more secure
Windows environment.
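A simplified model of the Measured Boot hash chain described above, added as an example and not taken from the document or from Microsoft's implementation: each boot stage is folded into a PCR-style register using the TPM extend rule (new = SHA-256(old || digest of the event)), and a verifier replays the event log against a known-good value. The stage names and images are constructed stand-ins, and the event encoding is an assumption of this example.

```python
import hashlib

PCR_BYTES = hashlib.sha256().digest_size
PCR_RESET = bytes(PCR_BYTES)      # a PCR holds all zeros after platform reset


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(event)).

    A PCR can only be extended, never written directly, so the value after
    boot depends on every stage measured and on the order of measurement.
    """
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_chain(stages: list) -> bytes:
    """Replay a list of (stage name, image bytes) events into one PCR value.
    The name and image are joined with a NUL separator (assumed encoding)."""
    pcr = PCR_RESET
    for name, image in stages:
        pcr = extend(pcr, name.encode() + b"\x00" + image)
    return pcr


def attest(stages: list, golden_pcr: bytes) -> bool:
    """Verifier side: recompute the PCR from the event log and compare it with
    the known-good value recorded when the machine was provisioned."""
    return measure_chain(stages) == golden_pcr


# Constructed stand-ins for the images a real firmware would hash; each is a
# byte string here instead of a file on the EFI System Partition.
TRUSTED_BOOT = [
    ("uefi-firmware", b"firmware image v1"),
    ("bootmgfw.efi", b"windows boot manager"),
    ("winload.efi", b"windows os loader"),
]
GOLDEN_PCR = measure_chain(TRUSTED_BOOT)

# Same stages, but the boot manager image differs by a single byte.
TAMPERED_BOOT = [
    ("uefi-firmware", b"firmware image v1"),
    ("bootmgfw.efi", b"windows boot manager!"),
    ("winload.efi", b"windows os loader"),
]

if __name__ == "__main__":
    print("trusted chain attests:  ", attest(TRUSTED_BOOT, GOLDEN_PCR))
    print("tampered chain attests: ", attest(TAMPERED_BOOT, GOLDEN_PCR))
    print("reordered chain attests:", attest(TRUSTED_BOOT[::-1], GOLDEN_PCR))
```

A modified stage, a reordered chain, or a missing stage all produce a different final value, which is what lets the verifier detect tampering without trusting the boot stages themselves.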

5- Conclusion
In conclusion, this document has shown that the GPT partitioning scheme has far
more advantages than the traditional MBR. GPT fits modern computer systems
better and meets the need for a storage scheme with greater capacity and a
larger number of partitions. GPT also uses the CRC32 error detection
mechanism, ensures redundancy, and identifies the purpose and role of each
partition using multiple identifiers and attributes.
The technical differences and similarities between the two partitioning schemes were
also discussed:
- MBR works with the legacy BIOS, while GPT was introduced with UEFI
- MBR can only have 4 partitions of up to 2 Terabytes each, while GPT can have
128 partitions of 9 Zettabytes each
- MBR stores partitions according to their order of creation, with the first
partition being the bootable one. GPT offers more flexibility as it does not
necessarily follow the order of creation
- MBR stores partition size information in sector 0 as the total number of
sectors each partition has, while in GPT the size is determined from the
partition entry table by subtracting the starting LBA from the ending LBA
of each partition
- Neither MBR nor GPT stores volume label information
- Neither MBR nor GPT stores sector size information
- MBR stores the file system information within the partition entries in MBR's
sector 0, while GPT stores this information in ASCII in the first sector of each
partition
- MBR uses little endian, unlike GPT, which uses mixed endian
- The boot process has been made far more secure with the introduction of UEFI
and GPT
Today's modern computer systems require knowledge of these two
partitioning schemes and of which one should be used to meet certain requirements.
This way, more informed decisions can be made to cope with increasing
storage and security requirements.


Reference List
[1] B. Nikkel, "Forensic analysis of GPT disks and GUID partition tables," Digital
Investigation, vol. 6, no. 1-2, pp. 39-47, 2009. doi:
https://doi.org/10.1016/j.diin.2009.07.001

[2] Unified Extensible Firmware Interface (UEFI) Specification, 2022. [Online]. Available:
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf

[3] A. Brouwer, "List of partition identifiers for PCs," Eindhoven University of Technology.
Accessed: Nov. 4, 2023. [Online]. Available:
https://www.win.tue.nl/~aeb/partitions/partition_types-1.html

[4] "exFAT Filesystem," ELM. Accessed: Nov. 4, 2023. [Online]. Available:
http://elm-chan.org/docs/exfat_e.html#dir_struct

[5] Microsoft, "PARTITION_INFORMATION_GPT structure (winioctl.h)." Accessed: Nov. 5, 2023.
[Online]. Available:
https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt

[6] "UEFI vs. BIOS: How Do They Differ?," phoenixNAP. Accessed: Nov. 5, 2023. [Online].
Available: https://phoenixnap.com/kb/uefi-vs-bios

[7] Microsoft, "Secure boot." Accessed: Nov. 5, 2023. [Online]. Available:
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

[8] Microsoft, "TPM fundamentals." Accessed: Nov. 5, 2023. [Online]. Available:
https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals
