A) Partition Boot Sector
When a hard disk is formatted, a Master Boot Record (MBR) is created. The MBR contains executable code called the “master boot code”, which the system BIOS loads into memory. This code scans the partition table, which is also stored in the MBR, to find the active partition. Once it finds the active (bootable) partition, it loads that partition's boot sector into memory. Figure 4 illustrates the boot sector layout on an NTFS volume.
Byte Offset | Field Length | Field Name |
0x00 | 3 bytes | Jump Instruction |
0x03 | 8 bytes | OEM ID |
0x0B | 25 bytes | BPB |
0x24 | 48 bytes | BPB Extended |
0x54 | 42 bytes | Bootstrap code |
0x01FE | 2 bytes | End of sector marker |
BPB & Extended BPB Components
Byte offset | Field Length | Field Name |
0x0B | 2 bytes | Bytes Per Sector |
0x0D | 1 byte | Sectors Per Cluster |
0x0E | 2 bytes | Reserved Cluster |
0x10 | 3 bytes | Must be 0 |
0x13 | 2 bytes | Must be 0 |
0x15 | 1 byte | Media Descriptor |
0x16 | 2 bytes | Must be 0 |
0x18 | 2 bytes | Not used by NTFS |
0x1A | 2 bytes | Not used by NTFS |
0x1C | 4 bytes | Not used by NTFS |
0x20 | 4 bytes | Must be 0 |
0x24 | 4 bytes | Not used by NTFS |
0x28 | 8 bytes | Total sectors |
0x30 | 8 bytes | Logical cluster number for the file $MFT |
0x38 | 8 bytes | Logical cluster number for the file $MFTMirr |
0x40 | 1 byte | Clusters per MFT record |
0x41 | 3 bytes | Not used by NTFS |
0x44 | 1 byte | Clusters per Index buffer |
0x45 | 3 bytes | Not used by NTFS |
0x48 | 8 bytes | Volume serial number |
0x50 | 4 bytes | Not used by NTFS |
Figure 4 Boot sector section on NTFS
On an NTFS volume, the first 16 sectors are allocated for the boot sector and bootstrap code. When the boot sector is loaded into memory, the Master Boot Record (MBR) transfers CPU execution to the boot sector, which executes the CPU instruction stored as the ‘Jump Instruction’ in the boot sector. Next comes the OEM ID, which identifies the name and version number of the operating system on the NTFS volume. Following the OEM ID is the BPB, which holds information about:
- Bytes per Sector (size of sector in the hard disk)
- Sectors per Cluster (number of sectors in a cluster)
- Media Descriptor (info about type of media being used)
The data fields after the BPB form the extended BPB, which provides information such as:
- Total sectors (total number of sectors in the hard disk)
- Logical Cluster number for the $MFT file (identifies the MFT location in the volume)
- Logical Cluster number for the $MFTMirr file (identifies the MFT mirror location in the volume)
- Clusters per MFT record (the size of each record for each file or folder that is created on the NTFS volume)
- Volume serial number
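
As an added example (not part of the original post), the Python code below decodes the BPB and extended BPB fields at the offsets listed in the tables above from a raw 512-byte boot sector, as an examiner would when locating $MFT in a disk image. The sample sector and all function names are constructed for illustration; the `NTFS    ` OEM ID value, the `55 AA` marker bytes and the signed reading of the clusters-per-MFT-record byte are standard NTFS behaviour that the post does not spell out.

```python
import struct

SECTOR_SIZE = 512

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot sector fields at the offsets given in Figure 4."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[0x1FE:0x200] != b"\x55\xaa":            # end of sector marker
        raise ValueError("end of sector marker 55 AA not found")
    oem_id = sector[0x03:0x0B]
    if oem_id != b"NTFS    ":                          # 8-byte OEM ID
        raise ValueError(f"OEM ID {oem_id!r} is not NTFS")
    # BPB: all multi-byte fields are little-endian.
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    media_descriptor = sector[0x15]
    # Extended BPB: total sectors, $MFT LCN, $MFTMirr LCN at 0x28/0x30/0x38.
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (clusters_per_record,) = struct.unpack_from("<b", sector, 0x40)  # signed
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value n means the record is 2**|n| bytes, not n clusters.
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "media_descriptor": media_descriptor,
        "total_sectors": total_sectors,
        "mft_byte_offset": mft_lcn * cluster_size,      # where $MFT starts
        "mftmirr_byte_offset": mirr_lcn * cluster_size,
        "mft_record_size": record_size,
        "volume_serial": f"{serial:016X}",
    }

def build_sample_sector() -> bytes:
    """Constructed sample sector; the values are illustrative only."""
    s = bytearray(SECTOR_SIZE)
    s[0x00:0x03] = b"\xeb\x52\x90"                     # jump instruction
    s[0x03:0x0B] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    s[0x15] = 0xF8
    struct.pack_into("<QQQ", s, 0x28, 2097151, 786432, 2)
    struct.pack_into("<b", s, 0x40, -10)               # 2**10 = 1024 bytes
    struct.pack_into("<Q", s, 0x48, 0x1234ABCD5678EF00)
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, value in parse_ntfs_boot_sector(build_sample_sector()).items():
        print(f"{name}: {value}")
```

On a real image, pass the first 512 bytes of the NTFS partition instead of the constructed sector.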