Evidence: $Boot
Description: Dump Raw Contents of $Boot File
Category: DiskFilesystem
Platform: windows
Short Name: ntfsboot
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The $Boot file contains the boot sector and bootstrap code for the NTFS volume. It includes critical volume parameters such as cluster size, MFT location, volume size, and other fundamental file system metadata. This file is essential for mounting and accessing NTFS volumes.
Data Collected
This collector gathers structured data about the $Boot file.
$Boot Data

Field      | Description        | Example
Type       | File type          | Boot
Name       | File name          | $Boot
SourcePath | Original path      | C:\$Boot
FilePath   | Path in evidence   | NTFSFiles/$Boot
FileSize   | File size in bytes | 8192
Collection Method
This collector uses a kernel driver with raw NTFS access to read $Boot from each fixed NTFS drive.
Forensic Value
The boot sector provides essential information about NTFS volume configuration and can reveal volume tampering or corruption. Forensic analysis of the boot sector can identify disk geometry, partition parameters, and potential bootkits or other boot sector malware.