Definition
Master boot record (MBR) is a boot sector typically found in the first sector of a partitioned storage device. It is one of two disk structures used by Windows operating systems (the other structure is known as a GUID partition table or GPT).
Introduction
MBRs are found in the first 512-byte sector of a disk. The MBR contains information on how the logical partitions (and their file systems) are organized on a storage device. It also contains executable code that launches the operating system (known as boot code), and a master partition table.
The following table describes the components of the MBR
| Byte offset | Number of bytes | Description | Value |
|---|---|---|---|
| 0 | 440 | Boot code used to launch the operating system | |
| 440 | 4 | Drive signature (hexadecimal string) | |
| 444 | 2 | 00 00 | |
| 446 | 64 | Master partition table | |
| 510 | 2 | Marker to notate the end of the MBR | 55 AA |
Examine the MBR
Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.
Related terms
GUID partition table (GPT)
References
Carrier, Brian. File system forensic analysis. Boston: Pearson Education (2005): 81-101.