Definition
The master boot record (MBR) is a boot sector typically found in the first sector of a partitioned storage device. It is one of two disk structures used by Windows operating systems (the other structure is known as a GUID partition table or GPT).
Introduction
MBRs are found in the first 512-byte sector of a disk. The MBR contains information on how the logical partitions (and their file systems) are organized on a storage device. It also contains executable code that launches the operating system (known as boot code), and a master partition table.
The following table describes the components of the MBR:
Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 440 | Boot code used to launch the operating system | |
440 | 4 | Drive signature (hexadecimal string) | |
444 | 2 | 00 00 | |
446 | 64 | Master partition table | |
510 | 2 | Marker denoting the end of the MBR | 55 AA |
The partition table consists of four 16-byte entries that define the size, type, and location of logical volumes on the device. Each entry contains:
Byte offset | Number of bytes | Description | Value |
---|---|---|---|
0 | 1 | Boot indicator - Indicates whether the volume is the active partition (i.e., bootable). 00 for "do not use for booting" and 80 for "active partition." | 00 or 80 |
1 |
Examine the MBR
Forensic tools like FTK Imager allow archivists to examine the MBR. The MBR is displayed in the Viewer Pane when the highest level of the evidence item is selected in the Evidence Tree.
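The same fields can be checked in a script. The Python sketch below is an added example, not part of the original entry or of FTK Imager; it parses only the fields listed in the tables above, and the function names, the single-active-entry check, and the sample sector are assumptions constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
END_MARKER = b"\x55\xaa"  # value at byte offset 510 in the table above

def parse_mbr(sector: bytes) -> dict:
    """Split a first sector into the MBR fields tabulated above and sanity-check them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    # 440 boot code + 4 drive signature + 2 bytes at 444 + 64 table + 2 marker
    boot_code, signature, _pad, table, marker = struct.unpack("440s4s2s64s2s", sector)
    findings = []
    if marker != END_MARKER:
        findings.append(f"end marker is {marker.hex()}, expected 55aa")
    entries = []
    for i in range(4):  # four 16-byte partition entries
        entry = table[i * 16:(i + 1) * 16]
        flag = entry[0]  # boot indicator at entry offset 0
        if flag not in (0x00, 0x80):
            findings.append(f"entry {i}: boot indicator {flag:02x} is neither 00 nor 80")
        entries.append({"index": i, "boot_indicator": flag,
                        "active": flag == 0x80, "all_zero": not any(entry)})
    active = [e["index"] for e in entries if e["active"]]
    if len(active) > 1:
        # Assumption: only one entry should be the active partition.
        findings.append(f"entries {active} are all marked active")
    return {"drive_signature": signature.hex(),  # bytes as stored on disk
            "boot_code_all_zero": not any(boot_code),
            "marker_ok": marker == END_MARKER,
            "entries": entries, "active": active, "findings": findings}

def build_sample_sector() -> bytes:
    """Constructed sample: empty boot code, one active entry, valid marker."""
    entry0 = b"\x80" + bytes(15)          # active flag, remaining fields zeroed
    table = entry0 + bytes(48)            # entries 1-3 unused
    return bytes(440) + bytes.fromhex("11223344") + bytes(2) + table + END_MARKER

if __name__ == "__main__":
    report = parse_mbr(build_sample_sector())
    print(report["drive_signature"], report["active"], report["findings"])
```

To use it on evidence, pass the first 512 bytes of a disk image opened read-only in binary mode.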
Related terms
GUID partition table (GPT)