$Boot

Overview

Evidence: $Boot
Description: Dump Raw Contents of $Boot File
Category: DiskFilesystem
Platform: windows
Short Name: ntfsboot
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The $Boot file (MFT entry 7) holds the NTFS volume's boot sector and the bootstrap code that follows it. It occupies the first sectors of the volume and is normally 8192 bytes (16 sectors). The boot sector carries the BIOS Parameter Block with the parameters needed to interpret the volume: bytes per sector, sectors per cluster (and so the cluster size), the total sector count, the cluster numbers of $MFT and $MFTMirr, the file record and index record sizes, and the volume serial number. Without a valid boot sector the volume cannot be mounted; NTFS keeps a backup copy of the boot sector in the last sector of the volume for recovery.

Data Collected

This collector dumps the raw $Boot file and records the following metadata about it; the collector itself does not parse the file's contents.

$Boot Data

Field        Description          Example
Type         File type            Boot
Name         File name            $Boot
SourcePath   Original path        C:\$Boot
FilePath     Path in evidence     NTFSFiles/$Boot
FileSize     File size in bytes   8192

Collection Method

This collector uses a kernel driver to read $Boot directly from the raw NTFS volume on each fixed drive. NTFS metafiles such as $Boot are not exposed through the normal file API, so raw volume access is required to copy them.

Forensic Value

The boot sector describes the NTFS volume's configuration (sector and cluster size, volume size, $MFT and $MFTMirr locations, record sizes) and is needed to interpret any other raw NTFS artifact from the same volume. Comparing these fields against the partition table and against the backup boot sector stored in the last sector of the volume can reveal tampering or corruption. Hashing the bootstrap code and comparing it with a known-good copy, or across systems running the same OS build, can expose bootkits and other boot sector malware that patch the loader. On a healthy volume the OEM ID "NTFS    " and the trailing 0x55AA boot signature should both be present.
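The following parser and integrity checks are an added example for working with a collected $Boot dump; they are not part of this collector or the product described here. It decodes the fields named in the Background section from the first 512 bytes of $Boot and applies the sanity and tampering checks described above. The boot sector it operates on is constructed in `build_sample_boot_sector` for demonstration, as is the "patched" variant that stands in for a bootkit-modified loader; the baseline hash an analyst would compare against in practice comes from a known-good system, a reference image, or the backup boot sector.

```python
"""Parse the NTFS boot sector (first 512 bytes of $Boot) and run basic
integrity checks.  Added example; offsets follow the NTFS BIOS Parameter
Block layout.  The sample sector below is constructed, not a real dump."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP = slice(0x54, 0x1FE)        # bootstrap code: 426 bytes before the 0x55AA signature


def build_sample_boot_sector(bootstrap: bytes = b"\x90" * 426) -> bytes:
    """Construct a plausible boot sector for a 100 GiB volume with 4 KiB clusters
    (constructed values, not copied from any real system)."""
    buf = bytearray(SECTOR)
    buf[0:3] = b"\xEB\x52\x90"                           # JMP short + NOP
    buf[3:11] = b"NTFS    "                              # OEM ID
    struct.pack_into("<HBH", buf, 0x0B, 512, 8, 0)       # bytes/sector, sectors/cluster, reserved
    buf[0x15] = 0xF8                                     # media descriptor: fixed disk
    struct.pack_into("<HHI", buf, 0x18, 63, 255, 2048)   # sectors/track, heads, hidden sectors
    struct.pack_into("<I", buf, 0x24, 0x80008000)        # unused, conventional value
    # total sectors (Windows stores count-1; the last sector holds the backup
    # boot sector), $MFT start cluster, $MFTMirr start cluster
    struct.pack_into("<QQQ", buf, 0x28, 209715199, 786432, 2)
    buf[0x40] = 0xF6                                     # file record size: 2^10 = 1024 bytes
    buf[0x44] = 0x01                                     # index record size: 1 cluster
    struct.pack_into("<Q", buf, 0x48, 0x1234567890ABCDEF)  # volume serial (constructed)
    buf[BOOTSTRAP] = bootstrap
    buf[0x1FE:0x200] = b"\x55\xAA"
    return bytes(buf)


def _signed_size(raw: int, cluster_size: int) -> int:
    """A negative byte encodes 2^|n| bytes; a positive byte counts clusters."""
    return 2 ** (-raw) if raw < 0 else raw * cluster_size


def parse_boot_sector(sector: bytes) -> dict:
    if len(sector) < SECTOR:
        raise ValueError("boot sector must be at least 512 bytes")
    bps, spc_raw = struct.unpack_from("<HB", sector, 0x0B)
    # Values above 0x80 encode large clusters as 2^(256 - value) sectors.
    spc = 1 << (256 - spc_raw) if spc_raw > 0x80 else spc_raw
    cluster_size = bps * spc
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    frs_raw = struct.unpack_from("<b", sector, 0x40)[0]
    idx_raw = struct.unpack_from("<b", sector, 0x44)[0]
    return {
        "oem_id": sector[3:11],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": cluster_size,
        "media_descriptor": sector[0x15],
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_cluster": mftmirr_cluster,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "file_record_size": _signed_size(frs_raw, cluster_size),
        "index_record_size": _signed_size(idx_raw, cluster_size),
        "volume_serial": struct.unpack_from("<Q", sector, 0x48)[0],
        "bootstrap_sha256": hashlib.sha256(sector[BOOTSTRAP]).hexdigest(),
        "signature": sector[0x1FE:0x200],
    }


def check_boot_sector(sector: bytes, baseline_bootstrap_sha256: str = "") -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_boot_sector(sector)
    findings = []
    if info["oem_id"] != b"NTFS    ":
        findings.append("OEM ID is %r, expected b'NTFS    '" % info["oem_id"])
    if info["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if sector[0] != 0xEB:
        findings.append("first byte is not a short JMP (0xEB)")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("unusual bytes per sector: %d" % info["bytes_per_sector"])
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors per cluster %d is not a power of two" % spc)
    else:
        total_clusters = info["total_sectors"] // spc
        for name in ("mft_cluster", "mftmirr_cluster"):
            if info[name] >= total_clusters:
                findings.append("%s %d lies beyond the volume (%d clusters)"
                                % (name, info[name], total_clusters))
    if baseline_bootstrap_sha256 and info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline (possible bootkit or patched loader)")
    return findings


def demo() -> dict:
    """Clean sector versus one whose bootstrap code has been patched (constructed)."""
    clean = build_sample_boot_sector()
    baseline = parse_boot_sector(clean)["bootstrap_sha256"]
    patched = bytearray(clean)
    patched[0x54:0x58] = b"\xE9\x00\x01\x00"   # JMP rel16 into attacker code, stand-in for a bootkit hook
    return {"clean": check_boot_sector(clean, baseline),
            "patched": check_boot_sector(bytes(patched), baseline)}


if __name__ == "__main__":
    for k, v in parse_boot_sector(build_sample_boot_sector()).items():
        print("%-20s %s" % (k, v))
    print(demo())
```

To use it on a collected file, replace `build_sample_boot_sector()` with `open("NTFSFiles/$Boot", "rb").read(512)`; the remaining 7680 bytes of the dump hold further loader code and are covered by hashing the whole file rather than the single sector. The sector-count and cluster-range checks catch corrupted or hand-edited parameters, while the hash comparison is what surfaces a bootkit, since a patched loader leaves the BPB intact and the volume mounts normally.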
