Appendix E: NTFS Boot Sector Layout

| Location (hex) | # of bytes | Identifier | Notes |
|---|---|---|---|
| 00 | 3 | Jumpcode | Contains the jumpshort instruction (1 byte), the offset of the bootstrap code (1 byte), and a NOP. |
| 03 | 8 | OEM name | The name of the OS that formatted the partition. Can be used to determine legacy OS presence. |
| 0B | 2 | # of bytes per sector | The total number of bytes each sector holds. |
| 0D | 1 | # of sectors per cluster | The total number of sectors each cluster holds. |
| 0E | 2 | # of reserved sectors | The number of sectors reserved for the boot record. |
| 10 | 3 | Always 0 | Legacy FAT area not used by NTFS. |
| 13 | 2 | N/A | Not currently used. |
| 15 | 1 | Media type | Always F8 for a hard drive. |
| 16 | 2 | Always 0 | Legacy FAT area not used by NTFS. |
| 18 | 2 | # of sectors per track | Total number of sectors in each track. |
| 1A | 2 | # of heads | Total number of drive heads. |
| 1C | 4 | # of hidden sectors | The number of sectors in the MBR until the boot record begins. |
| 20 | 4 | N/A | Not used. |
| 24 | 4 | N/A | Not used. |
| 28 | 8 | Total sectors | Total number of sectors. |
| 30 | 8 | Logical cluster number for the file $MFT | Starting cluster of the $MFT file. |
| 38 | 8 | Logical cluster number for the file $MFTMirr | Starting cluster of the $MFTMirr file. |
| 40 | 4 | # of clusters per file record segment | Number of clusters in each file record segment. |
| 44 | 4 | # of clusters per index block | Number of clusters in each index block. |
| 48 | 8 | Volume serial number | A unique number assigned to a partition at format time. Both Quick and Full formats reassign a serial number. |
| 50 | 4 | Checksum | Not used. |
| 54 | 426 | Executable bootstrap | Starts the first file to boot the system itself. |
| 01 FE | 2 | Executable signature | Added as 55 AA when formatted. Otherwise, the operating system will not be registered by the BIOS as present. |
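The layout above can be applied directly to the first 512 bytes of a partition image. The following Python sketch is an added example, not code from the book: it slices out a subset of the fields at the offsets listed, flags deviations from the fixed values the table gives (55 AA, F8, zeroed legacy FAT areas), and computes where $MFT starts. The function and field names are hypothetical, integers are assumed to be stored little-endian, and the sample sector is constructed.

```python
import struct

# name -> (offset, size), copied from the table above (subset of fields).
FIELDS = {
    "oem_name": (0x03, 8), "bytes_per_sector": (0x0B, 2),
    "sectors_per_cluster": (0x0D, 1), "reserved_sectors": (0x0E, 2),
    "legacy_fat_a": (0x10, 3), "media_type": (0x15, 1),
    "legacy_fat_b": (0x16, 2), "hidden_sectors": (0x1C, 4),
    "total_sectors": (0x28, 8), "mft_lcn": (0x30, 8),
    "mftmirr_lcn": (0x38, 8), "volume_serial": (0x48, 8),
    "signature": (0x1FE, 2),
}
RAW_FIELDS = {"oem_name", "signature"}  # kept as bytes, not integers

def parse_boot_sector(sector: bytes) -> dict:
    """Slice each field out of the sector; integers are little-endian."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    out = {}
    for name, (off, size) in FIELDS.items():
        chunk = sector[off:off + size]
        out[name] = chunk if name in RAW_FIELDS else int.from_bytes(chunk, "little")
    return out

def anomalies(f: dict) -> list:
    """List deviations from the fixed values the table documents."""
    problems = []
    if f["signature"] != b"\x55\xaa":
        problems.append("signature is not 55 AA")
    if f["media_type"] != 0xF8:
        problems.append("media type is not F8")
    if f["legacy_fat_a"] or f["legacy_fat_b"]:
        problems.append("legacy FAT area is non-zero")
    return problems

def mft_byte_offset(f: dict) -> int:
    """Byte offset of $MFT from the start of the volume."""
    return f["mft_lcn"] * f["sectors_per_cluster"] * f["bytes_per_sector"]

def build_sample() -> bytes:
    """Constructed sector for illustration; values are not from a real disk."""
    s = bytearray(512)
    s[0x03:0x0B] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
    s[0x15] = 0xF8                                 # media type
    struct.pack_into("<I", s, 0x1C, 63)            # hidden sectors
    struct.pack_into("<QQQ", s, 0x28, 41943039, 786432, 2)  # total, $MFT, $MFTMirr
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)
```

To use it on an image, pass the first 512 bytes of the partition (not of the whole disk) to `parse_boot_sector`.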



Windows Forensics. The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
EAN: 2147483647
Year: 2006
Pages: 71
Authors: Chad Steel
