Forensics: What is $Boot?

What is $Boot?

The $Boot file is also known as the Volume Boot Record, Volume Boot Sector, or Partition Boot Sector. It stores a variety of important information, including:

  • Size of the partition
  • Location of the MFT for the partition
  • Location of the MFT mirror for the partition

$Boot is the first file in a volume, and for the first partition on a drive this will normally reside at sector 63. The exact location of the $Boot file is described in the MBR (Master Boot Record), which is on sector 0 (zero) of a hard drive.
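The fields listed above live in the BIOS parameter block at the start of $Boot. The following added example (not part of the original post) decodes them from a constructed 512-byte NTFS boot sector for a hypothetical volume that starts at sector 63, and works out where the $MFT and $MFTMirr sit both within the volume and on the physical disk; the sample values and the volume serial are made up.

```python
import struct

# Constructed sample: a 512-byte NTFS boot sector for a hypothetical volume at
# disk sector 63 (hidden sectors), 512-byte sectors, 8 sectors per cluster,
# 2,097,151 sectors, $MFT at cluster 0xC0000 and $MFTMirr at cluster 2.
SAMPLE_BOOT = bytearray(512)
SAMPLE_BOOT[0:3] = b"\xEB\x52\x90"                              # jump instruction
SAMPLE_BOOT[3:11] = b"NTFS    "                                 # OEM ID
struct.pack_into("<HBH", SAMPLE_BOOT, 0x0B, 512, 8, 0)          # bytes/sector, sectors/cluster, reserved
SAMPLE_BOOT[0x15] = 0xF8                                        # media descriptor (fixed disk)
struct.pack_into("<HHI", SAMPLE_BOOT, 0x18, 63, 255, 63)        # sectors/track, heads, hidden sectors
struct.pack_into("<QQQ", SAMPLE_BOOT, 0x28, 2097151, 0xC0000, 2)  # total sectors, $MFT, $MFTMirr clusters
SAMPLE_BOOT[0x40] = 0xF6                                        # clusters per file record (-10 -> 2**10 bytes)
SAMPLE_BOOT[0x44] = 0x01                                        # clusters per index buffer
struct.pack_into("<Q", SAMPLE_BOOT, 0x48, 0x1234567890ABCDEF)   # volume serial number (made up)
SAMPLE_BOOT[0x1FE:0x200] = b"\x55\xAA"                          # boot sector signature


def parse_ntfs_boot(sector: bytes) -> dict:
    """Decode the NTFS BIOS parameter block from a 512-byte $Boot sector."""
    if len(sector) < 512 or bytes(sector[0x1FE:0x200]) != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if bytes(sector[3:11]) != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    (hidden_sectors,) = struct.unpack_from("<I", sector, 0x1C)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    (rec,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative byte here means the record size is 2**abs(value) bytes;
    # a positive one is a count of clusters.
    record_size = 2 ** (-rec) if rec < 0 else rec * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_size_bytes": total_sectors * bytes_per_sector,
        "mft_offset": mft_cluster * cluster_size,        # byte offset inside the volume
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        # physical disk sector of the $MFT, counted from sector 0 (the MBR)
        "mft_disk_sector": hidden_sectors + mft_cluster * sectors_per_cluster,
        "file_record_size": record_size,
    }


if __name__ == "__main__":
    for name, value in parse_ntfs_boot(bytes(SAMPLE_BOOT)).items():
        print(f"{name:20} {value}")
```

To read a real $Boot, replace the constructed sample with the first 512 bytes of the volume image (or of the sector the MBR points to).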

A video showing a manual investigation of the $Boot, using EnCase, is featured below:
