...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
| Table of Contents |
|---|
Definition
...
Master boot record (MBR) is a boot sector typically found in the first sector of a partitioned storage device. It is one of two disk structures used by Windows operating systems (the other structure is known as a GUID partition table or GPT).
...
| Byte offset | Number of bytes | Description | Value |
|---|---|---|---|
| 0 | 1 | Boot indicator - Indicates whether the volume is the active partition (i.e., bootable). 00 for "do not use for booting" and 80 for "active partition." | 00 or 80 |
| Starting CHS address (3 bytes) | |||
| 1 | 1 | Starting head | |
| 2 | 6 bits | Starting sector - uses bits 0-5. Bits six and seven are used by the starting cylinder field | |
| 2 | 10 bits | Starting cylinder - uses 1 byte in addition to the upper two bits from the starting sector field to make up the cylinder value. The starting cylinder is a 10-bit number, with a maximum value of 1023 | |
| 4 | Partition type (system ID) - defines the volume. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey. | ||
| Ending CHS address (3 bytes) | |||
| 5 | 1 | Ending head | |
| 6 | 6 bits | Ending sector -uses bits 0-5. Bits six and seven are used by the ending cylinder field. | |
| 6 | 10 bits | Ending cylinder - uses 1 byte in addition to the upper two bits from the ending sector field to make up the cylinder value. The ending cylinder is a 10-bit number, with a maximum value of 1023 | |
| 8 | 4 | Relative sectors (LBA offset to the partition) - The offset from the beginning of the disk to the beginning of the logical volume. Used to locate partitions larger than 8.4 GB. | |
| 12 | 4 | Total sectors (length of the partition) - Total number of sectors in the logical volume | |
Partition type codes
...
The partition type (i.e., system ID) field identifies the file system used to format the volume. Windows NT uses this field to determine what file system device drivers to load during startup. It also identifies the extended partition, if there is one defined. The following table explains the values that can appear in the system ID field:
| Value | File system | Addressing | Description |
|---|---|---|---|
| 00 | None | No file system or partition defined | |
| 01 | DOS / FAT12 | CHS | Primary partition or logical drive Fewer than 32,680 sectors in the volume (less than 16 MB) |
| 04 | DOS 3.0+ / FAT 16 | CHS | Primary partition or logical drive 32,680–65,535 sectors (between 16 and 33 MB) |
| 05 | Microsoft extended | CHS | |
| 06 | FAT 16 | CHS | |
| 07 | NTFS / HPFS | New technology file system (NTFS) or logical drive | |
| 0B | FAT32 | CHS | FAT32 partition or logical drive |
| 0C | FAT32 | LBA | |
| 0E | FAT16 | LBA | 32 MB to 2 GB |
| 0F | Microsoft extended | LBA |
Examine the MBR
...
Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.
...