File Systems: MBR (NTFS)

Attached is the MBR (Master Boot Record) taken from a 500 GB drive, formatted in NTFS, with a single partition, running Windows XP.

The first 440 bytes, from offset 0 to offset 439, contain the Master Bootstrap Loader Code. In this case it starts 33 C0 BE.

At offset 440, for a length of 4 bytes, is the Windows Disk signature. In this example it is 2AD42AD4. This is unique for a drive, and can be considered to be a forensic artifact.

At offset 446, for a length of 1, is a value which states whether the partition (whose location is given shortly) is active or not. In this case the value is set to 80, which means it is active.

At offset 450, for a length of 1, is the partition type indicator, i.e. it tells the computer whether it should expect an NTFS partition, FAT32, or the like. Each partition type has its own unique number; in this case it is 07.

At offset 454, for a length of 1, is a byte which states the number of sectors preceding the start of partition 1, i.e. the location of the first partition. In this example (and on most “standard” drives) the value is 3F, which is 63 in decimal. This means that the partition starts at sector 63 (as the first sector is 0).

At offset 458, for a length of 4, is the size of the first partition, in sectors. In this example it is 80CE373A. The hex value is stored in little endian and needs to be converted to big endian, giving the hex value 3A37CE80, which is 976735872 in decimal. This is the size in sectors of the first partition. As each sector is 512 bytes, the total size of the partition is 512*976735872 = 500,088,766,464 bytes, or 465 GB.

Example of MBR with colour coding
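The field walk-through above can be checked programmatically. The following is an added example, not part of the original post: it decodes the first partition entry from a sector built out of the values quoted above. The function names are hypothetical, the sample sector is constructed, the value at offset 454 is read as a four-byte little-endian field (the 3F quoted above being its first byte), and the 55 AA check at offset 510 is standard MBR layout that the post does not cover.

```python
import struct

SECTOR_SIZE = 512  # bytes per sector, as used in the size calculation above


def build_sample_mbr() -> bytes:
    """Constructed sector 0 holding only the values quoted in the article."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = bytes.fromhex("33C0BE")        # start of the bootstrap code
    mbr[440:444] = bytes.fromhex("2AD42AD4")  # disk signature, on-disk byte order
    mbr[446] = 0x80                           # active flag
    mbr[450] = 0x07                           # partition type
    mbr[454:458] = bytes.fromhex("3F000000")  # sectors preceding partition 1
    mbr[458:462] = bytes.fromhex("80CE373A")  # partition size in sectors
    mbr[510:512] = bytes.fromhex("55AA")      # boot signature (assumption, see lead-in)
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Decode the first partition entry at the offsets the article lists."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55 AA boot signature; not a valid MBR")
    # "<II" reads two little-endian unsigned 32-bit values, which performs
    # the little-endian to big-endian conversion done by hand in the article.
    start_sector, size_sectors = struct.unpack_from("<II", sector, 454)
    return {
        "disk_signature": sector[440:444].hex().upper(),  # bytes as shown in a hex view
        "active": sector[446] == 0x80,
        "partition_type": sector[450],
        "start_sector": start_sector,
        "size_sectors": size_sectors,
        "size_bytes": size_sectors * SECTOR_SIZE,
    }


if __name__ == "__main__":
    for field, value in parse_mbr(build_sample_mbr()).items():
        print(f"{field:15} {value}")
```

To run it against a real image, pass the first 512 bytes of the image file to `parse_mbr` instead of the constructed sample.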
