# $Boot

## Overview

**Evidence:** $Boot\
**Description:** Dump Raw Contents of $Boot File\
**Category:** DiskFilesystem\
**Platform:** windows\
**Short Name:** ntfsboot\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The $Boot file contains the boot sector and bootstrap code for the NTFS volume. It includes critical volume parameters such as cluster size, MFT location, volume size, and other fundamental file system metadata. This file is essential for mounting and accessing NTFS volumes.

## Data Collected

This collector gathers structured data about $Boot.

### $Boot Data

| Field        | Description        | Example         |
| ------------ | ------------------ | --------------- |
| `Type`       | File type          | Boot            |
| `Name`       | File name          | $Boot           |
| `SourcePath` | Original path      | C:\$Boot        |
| `FilePath`   | Path in evidence   | NTFSFiles/$Boot |
| `FileSize`   | File size in bytes | 8192            |

## Collection Method

This collector uses a kernel driver with raw NTFS access to read $Boot from each fixed NTFS drive.

## Forensic Value

The boot sector provides essential information about NTFS volume configuration and can reveal volume tampering or corruption. Forensic analysis of the boot sector can identify disk geometry, partition parameters, and potential bootkits or other boot sector malware.
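As an added example (not part of this page or the collector), the parser below reads a raw $Boot dump and derives the volume parameters described in the Background section (cluster size, MFT location, volume size), then applies the consistency checks an analyst would run when looking for the corruption or tampering mentioned above. The sample sector is constructed inline, not taken from a real disk.

```python
import struct

# NTFS boot sector layout: BIOS parameter block at 0x00..0x53 (84 bytes), then
# 426 bytes of bootstrap code, then the 0x55 0xAA signature at offset 0x1FE.
BPB_FMT = "<3s8sHBH3xHBHHHIIIQQQb3xb3xQI"
BPB_SIZE = struct.calcsize(BPB_FMT)  # 84


def parse_ntfs_boot(sector):
    """Parse a raw $Boot dump; return volume parameters plus a list of anomalies."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    (_jmp, oem, bps, spc, reserved, _u1, media, _z, _spt, _heads, _hidden,
     _u2, _u3, total_sectors, mft_lcn, mftmirr_lcn, rec_raw, _idx_raw, serial,
     _chk) = struct.unpack(BPB_FMT, sector[:BPB_SIZE])
    cluster_size = bps * spc
    # A negative clusters-per-record value means 2**abs(value) bytes (e.g. -10 -> 1024).
    record_size = 2 ** (-rec_raw) if rec_raw < 0 else rec_raw * cluster_size
    anomalies = []  # any hit means corruption or tampering worth a closer look
    if oem != b"NTFS    ":
        anomalies.append("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xAA":
        anomalies.append("missing 0x55AA boot signature")
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        anomalies.append(f"implausible geometry: {bps} bytes/sector, {spc} sectors/cluster")
    if reserved != 0 or media != 0xF8:
        anomalies.append("reserved sectors or media descriptor differ from NTFS defaults")
    if mft_lcn * spc >= total_sectors or mftmirr_lcn * spc >= total_sectors:
        anomalies.append("$MFT or $MFTMirr lies outside the volume")
    return {
        "oem_id": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "cluster_size": cluster_size, "volume_size": total_sectors * bps,
        "mft_offset": mft_lcn * cluster_size, "mftmirr_offset": mftmirr_lcn * cluster_size,
        "file_record_size": record_size, "volume_serial": serial, "anomalies": anomalies,
    }


def sample_boot_sector(oem=b"NTFS    ", signature=b"\x55\xAA"):
    """Constructed 512-byte boot sector (not from a real disk): 4 KiB clusters, 10 GiB volume."""
    bpb = struct.pack(BPB_FMT, b"\xEB\x52\x90", oem, 512, 8, 0, 0, 0xF8, 0, 63, 255, 2048,
                      0, 0x80008000, 20_971_520, 0xC0000, 2, -10, 1, 0x1234567890ABCDEF, 0)
    return bpb + b"\x00" * 426 + signature


if __name__ == "__main__":
    for key, value in parse_ntfs_boot(sample_boot_sector()).items():
        print(f"{key:>20}: {value}")
```

To analyse a collected file, pass `open("NTFSFiles/$Boot", "rb").read()` to `parse_ntfs_boot` in place of the constructed sample.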
