...
Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 440 | Boot code used to launch the operating system | |
440 | 4 | Drive signature (hexadecimal string) | |
444 | 2 | | 00 00 |
446 | 64 | Master partition table | |
510 | 2 | Marker denoting the end of the MBR | 55 AA |

The partition table consists of four 16-byte entries that define the size, type, and location of logical volumes on the device. Each entry contains:

Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 1 | Boot indicator - Indicates whether the volume is the active partition (i.e., bootable). 00 for "do not use for booting" and 80 for "active partition." | 00 or 80 |
1 |

Examine the MBR

Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.
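
The same layout can be read directly from the first sector of a disk image. The Python sketch below is an added example, not code from the original page or from FTK Imager. The entry fields past the boot indicator (type at byte 4, starting LBA at bytes 8-11, sector count at bytes 12-15) follow the standard MBR layout rather than this page's truncated table, and the function names, sample values, and 512-byte sector size are assumptions.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR using the byte offsets from the tables above."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("end-of-MBR marker 55 AA not found")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i : 446 + 16 * (i + 1)]
        if entry == bytes(16):
            continue  # all-zero entry: unused slot
        # Byte 0: boot indicator; bytes 1-3 and 5-7: CHS addresses (skipped);
        # byte 4: type; bytes 8-11: first sector (LBA); bytes 12-15: sector count.
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({
            "slot": i,
            "active": boot == 0x80,
            # Any value other than 00 or 80 is worth noting during examination.
            "boot_indicator_valid": boot in (0x00, 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    # Drive signature is shown in on-disk byte order.
    return {"drive_signature": sector[440:444].hex(), "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed sample: one active type-0x07 partition, LBA 2048, 100 MiB."""
    sector = bytearray(SECTOR_SIZE)
    sector[440:444] = bytes.fromhex("a1b2c3d4")  # constructed signature
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print("Drive signature:", mbr["drive_signature"])
    for part in mbr["partitions"]:
        print(part)
```

To examine a real image, pass the first 512 bytes read from a read-only copy of the image file to `parse_mbr`.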
...