File Systems: MBR and Volume Boot Record (Basic)

On a standard hard drive (with a sector size of 512 bytes), the first sector, Sector 0, is known as the Master Boot Record (MBR).

The MBR contains four entries describing the location and type of the logical partitions (e.g. NTFS, FAT) on that physical hard drive, one of which is “active”, and a small piece of code called the primary bootloader. The bootloader is 446 bytes long and the information describing the partitions is 64 bytes long (total 510 bytes). The final two bytes of the first sector, sometimes known as the “magic number”, are the hex value 55AA.

The MBR tells the computer the location and nature of the first active partition, which is commonly at Sector 63. A detailed description of the MBR, including its offsets, is available here.

The first sector in a partition – which the MBR points to – is known as the volume boot sector, boot block, volume boot record or by some companies as the “BPB”, and contains information about the partition, including:

  • Block size
  • Size of the partition (size in blocks)
  • The volume serial number
  • The type of partition (e.g. NTFS, FAT, etc.)
  • Where the MFT is (if it is an NTFS partition)
  • Where the MFT Mirror is (if it is an NTFS partition)
  • Location of the NTLDR or NTLoader (discussed later), normally straight after, at sector 64.

The last sector of the partition is a mirror of the volume boot sector, and can be used for data recovery purposes.

As Sector 1 to Sector 62 are not used, they are often blank; however, manufacturers like HP and Dell sometimes write information about the machine in there, e.g. serial numbers, model, etc. These could, in theory, be relevant forensic artifacts.
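The MBR layout and the unused gap described above can be checked with a short parser; this is an added example, not part of the original post. It assumes the standard 16-byte entry layout (status byte, CHS start, type byte, CHS end, start LBA, sector count), which the post does not spell out, and runs against a constructed sample sector rather than a real disk image.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table follows the 446-byte bootloader
ENTRY_SIZE = 16             # 4 entries x 16 bytes = 64 bytes
SIGNATURE = b"\x55\xaa"     # final two bytes of the sector
# Small subset of well-known partition type IDs.
TYPES = {0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


def parse_mbr(sector: bytes) -> list[dict]:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55AA signature; not a valid MBR")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + slot * ENTRY_SIZE:][:ENTRY_SIZE]
        # status, CHS start (3), type, CHS end (3), start LBA, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:                      # type 0x00 marks an unused slot
            continue
        if status not in (0x00, 0x80):      # anything else suggests corruption
            raise ValueError(f"slot {slot}: invalid status byte {status:#04x}")
        entries.append({"slot": slot, "active": status == 0x80,
                        "type": TYPES.get(ptype, f"unknown ({ptype:#04x})"),
                        "start_lba": start, "sectors": count})
    return entries


def gap_sectors(entries: list[dict]) -> range:
    """Sectors between the MBR and the first partition (Sector 1 onward)."""
    first = min((e["start_lba"] for e in entries), default=1)
    return range(1, first)


def build_sample_mbr() -> bytes:
    """Constructed test sector: one active NTFS partition starting at Sector 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    table = entry + bytes(ENTRY_SIZE * 3)
    return bytes(TABLE_OFFSET) + table + SIGNATURE


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    gap = gap_sectors(parts)
    print(f"unallocated gap: sectors {gap.start}-{gap.stop - 1}")
```

On a real image, the sectors returned by `gap_sectors` are the ones to examine for manufacturer data or other content that sits outside any partition.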

A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis.

