Master Boot Record (MBR) A Forensic Perspective Villanova - - PowerPoint PPT Presentation

Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014

Master Boot Record (MBR) 


A Forensic Perspective

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

• Occupies the first 512-byte sector

– Boot Code

• Assembly Language

– Disk Signature – Partition Table

• Four Possible Entries (Primary / Extended)

– Each entry had the following » Starting LBA address » Number of sectors in partition » Type of partition » Flags – Signature Value

Master Boot Record

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

MBR Partition Table

Byte Range Description 000-439 Boot Code 440-443 Disk Signature 446-461 Partition Entry #1 462-477 Partition Entry #2 478-493 Partition Entry #3 494-509 Partition Entry #4 510-511 Signature Value (0xAA55)

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

000-439 Boot Code

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

440-443 Disk Signature

• Byte 440-443= 0x8bde8afa

– Who Cares?

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014

446-461 MBR Partition Entry

Partition Types = www.datarecovery.com/hexcodes.asp

Byte Range Description Example 00-00 Bootable Flag (0x80 = Active) 0x80 = Active & Bootable 01-03 Starting CHS Address 04-04 Partition Type 0x07 = NTFS 05-07 Ending CHS Address 08-11 Starting LBA Address 0x0800 = 2,048 (Sector) 12-15 Size in Sectors 0x077FF000 = 125,825,024 Sectors