Presentation is loading. Please wait.

Presentation is loading. Please wait.

Master Boot Record (MBR)

Published byThomasina Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "Master Boot Record (MBR)"— Presentation transcript:

1 Master Boot Record (MBR)
Executable Code Machine Language Code Processor Specific Decodes Partition Table 446 bytes long Partition Table 4 Entries First Entry Starts at offset 0x01BE MBR “Signature” 0x55AA 2008 Richard T. Turley

2 Decoding a Partition Table Entry
Entry #3 starting at offset 0x01DE Starting Sector Offset 2 6 bits (use 6 LSB) Decode as bits 0xC1 = 1100|0001 6 LSB = = Sector #1 Starting Cylinder Offset 3 10 bits (use remaining 2 bits from sector as upper 2 bits) Decode as bits 0xFF = 1111|1111 10 bits = 11|1111|1111 = 0x3FF = Cylinder # 1023 Bootable? Offset 0 Value 0x80 means bootable Starting Head Offset 1 1 Byte 0x00 = 0 Starting Head File System Type Offset 4 Decode as table entry 0x0C = Win 95 Fat-32 LBA Number of Sectors Offset 12 4 Bytes Decode as Number (swap) 0x000E37BA = 931,770 # of sectors in this partition 477,066,240 bytes (*512) Ending Head 5 Relative Sectors Offset 8 4 Bytes Decode as Number (swap) 0x1D0D9045 = 487,428,165 # of sectors from start of drive to start of this partition Ending Sector 6 Ending Cylinder 7 2008 Richard T. Turley

3 Partition Boot Record (PBR)
BIOS Parameter Block Executable Code Machine Language Code Processor Specific Decodes BPB Searches for OS PBR “Signature” 0x55AA 2008 Richard T. Turley

4 Decoding a Partition Boot Record (BIOS Parameter Block – BPB)
Jump Instruction Offset 0x00 3 bytes OEM Name Offset 0x03 8 bytes Decode as ASCII “MSDOS5.0” Bytes Per Sector Offset 0x0B 2 bytes Decode as Number (Swap “endian”) 0x0200 = 512 Sectors Per Cluster Offset 0x0D 1 byte Decode as Number 0x08 = 8 8 * 512 = 4096 bytes/cluster Media Type Offset 0x15 1 byte Decode from Table 0xF8 means HD Heads Offset 0x1A 2 bytes Decode as Number (Swap “endian”) 0x00FF = 255 Sectors per Track Offset 0x18 2 bytes Decode as Number (Swap “endian”) 0x003F = 63 Total Sectors Offset 0x20 4 bytes Decode as Number (Swap “endian”) 0x000E37BA = 931,770 477,066,240 Bytes FAT Size (Sectors) Offset 0x24 4 bytes Decode as Number (Swap “endian”) 0x D = 909 465,408 Bytes (*512) 58,176 Entries (/4) 238,288,896 bytes addressed (*4096) File System Type Offset 0x52 8 bytes Decode as ASCII “FAT32 ” 2008 Richard T. Turley

5 FAT Root Directory Volume ID Directory Entry
Single Directory Entry for a file with a “short” filename. Multiple Directory Entries for a file with a “long” filename. There are 4 entries to contain the long file name, and 1 entry to contain the complete set of file information including the “short” file name. Designates Attribute Bits 0x08 = Volume Label 0x20 = Archive 0x0F = Long File Name 2008 Richard T. Turley

6 Decoding a Root Directory Entry (1)
Create Time (Coarse) Offset 0x0E 2 bytes Decode as Number (swap) 0x6E4D = 01101|110010|01101 1st 5 bits: 13 hour Next 6 bits: 50 min Last 5 bits: 13 => 26 seconds 13:50: fine above 13:50:27.02 DOS File Name Offset 0x00 8 bytes Decoded as ASCII “LONGY “ DOS File Extension Offset 0x08 3 bytes Decoded as ASCII “TXT “ Create Time (Fine) Offset 0x0D 1 byte Decode as Number 0x66 = 102 102 * 10 ms = 1.02 sec. Create Date Offset 0x10 2 bytes Decode as Number (swap) 0x3562 = |1011|00010 1st 7 bits: = year Next 4 bits: 11 month = November Last 5 bits: 2 day November 2, 2006 Last Access Date Offset 0x12 2 bytes See Create Date File Size Offset 0x1C 4 bytes Decode as Number (swap) 0x = 14,658 bytes Occupies 4 clusters (/4096) Has 4* = 1726 bytes of slack First Cluster Offset 0x14 (High Bytes) Offset 0x1A (Low Bytes) 4 bytes Decode as Number (swap) 0x = 3 start cluster 2008 Richard T. Turley

7 Decoding a Root Directory Entry (2)
Bit Meaning Read Only 1 Hidden 2 System 3 Volume Label 4 Subdirectory 5 Archive 6 Device 7 Unused Attributes Offset 0x0B 1 byte Decode as bits – 0th bit on right, 7th bit on left 0x0F means Long Filename entry 0x20 = 0010| Archive Last Modified Time Offset 0x16 2 bytes Decode as Number (swap) 0x6E1A = 01101|110000|11010 1st 5 bits: 13 hour Next 6 bits: 48 min Last 5 bits: 26 => 52 seconds 13:48:52 Last Modified Date Offset 0x18 2 bytes Decode as Number (swap) 0x3562 = |1011|00010 1st 7 bits: = year Next 4 bits: 11 month = November Last 5 bits: 2 day November 2, 2006 2008 Richard T. Turley

8 This file occupies 4 clusters or 4 * 4096 = 16,384 bytes on the drive.
Cluster 3 Entry First Cluster of File as identified in directory entry Offset 0x08 4 bytes Decoded as Number (swap) 0x = 4 next cluster FAT Table (FAT) Cluster 4 Entry Offset 0x08 4 bytes Decoded as Number (swap) 0x = 5 next cluster Cluster 5 Entry Offset 0x08 4 bytes Decoded as Number (swap) 0x = 6 next cluster Cluster 6 Entry Offset 0x08 4 bytes Decoded as Number (swap) 0x0FFFFFFF = EOF This file occupies 4 clusters or 4 * 4096 = 16,384 bytes on the drive. It is not always the case that a file will occupy sequential clusters. 2008 Richard T. Turley

Download ppt "Master Boot Record (MBR)"

Similar presentations

Chapter 12: File System Implementation

Chapter 12: File System Implementation
Chapter 4 : File Systems What is a file system?

Chapter 4 : File Systems What is a file system?
BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.

BSD Partitions COEN 152/252 Computer Forensics. BSD Partitions Some BSD systems use IA32 hardware  Designed to co-exists with MS partitions.  Use DOS.
Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.

Computer System Basics 2 Hard Drive Storage & File Partitions Computer Forensics BACS 371.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Computer Forensics NTFS File System.

Computer Forensics NTFS File System.
In this assignment you are going to read floppy disk. You can run ‘mdir’ Unix function to see what output your program should give. FAT-12 MS-DOS file.

In this assignment you are going to read floppy disk. You can run ‘mdir’ Unix function to see what output your program should give. FAT-12 MS-DOS file.
The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.

The FAT File System CSC 414. Objectives  Understand the structure and components of the FAT (12/16/32) File Systems  Understand what happens when a.
Digital Forensics Module 11 CS 996. 4/26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.

Digital Forensics Module 11 CS /26/2004Module 112 Outline of Module #11 Overview of Windows file systems Overview of ProDiscover Overview of UNIX.
11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.

11/13/01CS-550 Presentation - Overview of Microsoft disk operating system. 1 An Overview of Microsoft Disk Operating System.
Managing Your Hard Disk and Operating System 23,26 March 2004 2:30pm - 4:00pm.

Managing Your Hard Disk and Operating System 23,26 March :30pm - 4:00pm.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –

Wince File systems. File system on embedded File system choice on embedded is important –File system size can be an issue –Different media are used –
Metadata Files Excellent reference:

Metadata Files Excellent reference:
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
BACS 371 Computer Forensics

BACS 371 Computer Forensics
1 Partitioning a Hard Drive ©Richard Goldman Revised January 8, 2001 Revised December 9, 2002.

1 Partitioning a Hard Drive ©Richard Goldman Revised January 8, 2001 Revised December 9, 2002.
Tel : 69589584 同济大学软件学院 UEFI 与固件程序设计.

Tel : 同济大学软件学院 UEFI 与固件程序设计.
FAT Structure. File Allocation Table (FAT) File Systems Used with all flavors of Windows Supported by all Windows and UNIX varieties Used in flash cards.

FAT Structure. File Allocation Table (FAT) File Systems Used with all flavors of Windows Supported by all Windows and UNIX varieties Used in flash cards.
Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Mastering Windows Network Forensics and Investigation Chapter 7: Windows File Systems.

Similar presentations

Ads by Google