Attached is the MBR, Master Boot Record, taken from a 500 GB drive, formatted in NTFS, with a single partition, running Windows XP
The first 440 bytes, from offset 0 to offset 439, contain the Maser Bootstrap Loader Code. In this case starting 33 C0 BE.
At offset 440, for 4 a length of 4 bytes, is the Windows Disk signature. In this example it is 2AD42AD4. This is unique for a drive, and can be considered to be a forensic artifacts.
At offset 446, for a length of 1, is a value which states if the partition (whose location is given shortly) is active or not, in this case the value is set to “80” which means it is active.
At offset 450, for a length of 1, a the partition type indicator. i.e it tells the computer if it should expect an NTFS partition or FAT32, or the like. Each partition type has its own unique number, in this case it is 07
At offset 454, for a length of 1, is a byte which states the number of sectors preceding the start of the partition 1, i.e the location of the first partition. In this example (and most “standard” drives) the value is 3F, which is 63 in decimal. This means that the partition starts at sector 63 (as the first sector is 0).
At offset 458, for a length of 4, is the size of the first partition, in sectors. In this example it is 80CE373A. This needs to be converted, (hex value is in little endian and needs to be converted to big endian). Giving the hex value of 3A37CE80, this gives the decimal value of 976735872. This is the size in sectors of the first partition, as each partition is 512, the total size of the partition is 512*976735872 = 500,088,766,464 bytes, or 465 GB