Definition
Master boot record (MBR) is a boot sector typically found in the first sector of a partitioned storage device. It is one of two disk structures used by Windows operating systems (the other structure is known as a GUID partition table or GPT).
Introduction
MBRs are found in the first 512-byte sector of a disk. The MBR contains information on how the logical partitions (and their file systems) are organized on a storage device. It also contains executable code that launches the operating system (known as boot code), and a master partition table.
The following table describes the components of the MBR (offsets are shown from the start of the MBR):
Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 440 | Boot code used to launch the operating system | |
440 | 4 | Drive signature (hexadecimal string) | |
444 | 2 | 00 00 | |
446 | 64 | Master partition table (four 16-byte entries to describe partitions). | |
510 | 2 | Marker to notate the end of the MBR | 55 AA |
Partition tables
The MBR partition table is comprised of four 16-byte entries that define the size, type, and location of logical volumes on the disk. Partition tables identify the type and location of partitions on a disk and conform to a standard layout regardless of the operating system. Each 16-byte entry in the MBR partition table includes the following information:
- Boot indicator
- Starting CHS address
- Partition type ID
- Endinging CHS address
- Starting LBA address
- Number of sectors in the partition
The following table further describes the fields in each 16-byte entry in the partition table (offsets are shown from the start of the partition entry, not the start of the MBR):
Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 1 | Boot indicator - Indicates whether the volume is the active partition (i.e., bootable). 00 for "do not use for booting" and 80 for "active partition." | 00 or 80 |
Starting CHS address (3 bytes) | |||
1 | 1 | Starting head | |
2 | 6 bits | Starting sector - uses bits 0-5. Bits six and seven are used by the starting cylinder field | |
2 | 10 bits | Starting cylinder - uses 1 byte in addition to the upper two bits from the starting sector field to make up the cylinder value. The starting cylinder is a 10-bit number, with a maximum value of 1023 | |
4 | Partition type (file system ID) | ||
Ending CHS address (3 bytes) | |||
5 | 1 | Ending head | |
6 | 6 bits | Ending sector -uses bits 0-5. Bits six and seven are used by the ending cylinder field. | |
6 | 10 bits | Ending cylinder - uses 1 byte in addition to the upper two bits from the ending sector field to make up the cylinder value. The ending cylinder is a 10-bit number, with a maximum value of 1023 | |
8 | 4 | Relative sectors (LBA offset to the partition) - The offset from the beginning of the disk to the beginning of the logical volume. Used to locate partitions larger than 8.4 GB. | |
12 | 4 | Total sectors (length of the partition) - Total number of sectors in the logical volume |
Examine the MBR
Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.
Related terms
GUID partition table (GPT)
References
Carrier, Brian. File system forensic analysis. Boston: Pearson Education (2005): 81-101.
Howell, David. Master boot record and partition tables. https://github.com/davidhowell-tx/PS-WindowsForensics/wiki/Master-Boot-Record-and-Partition-Tables.
Microsoft. Master boot record. https://technet.microsoft.com./en-us/library/cc976786.aspx.
NTFS.com. Hard drive partition. partition table. http://www.ntfs.com/partition-table.htm.