Forensics: What is the MBR?

The MBR is the Master Boot Record.  This is a very important peice of code the exists on the first sector (Sector 0) of most standard  hard drives, and certainly all Windows based computers and is 1 sector (512 bytes) long. The last two bytes of the MBR are  55AA (in hex) this is sometimes known as the “magic number”

The MBR tells the computer how to boot, what type of partitions are on the hard drive, how big they are  and were to find them. The code  within the MBR, which tells it how to boot,  is called the “bootloader”. The bootloader is 446 bytes long.

Within the MBR, at offset 440 for 4 bytes, is the Windows Disk Signature.  This value is unique for the disk, and can be a useful forensic artefact. It is this value that is stored in the resigtry, under “Mounted Devices”, and can be used to match a hard drive to a computer, even if the data has been deleted/wiped.

Like most forensic artifacts the MBR consits of a series of offsets, these are described in this article, including a working example of an MBR.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: