$Boot
Overview
Evidence: $Boot
Description: Dump Raw Contents of $Boot File
Category: NTFS
Platform: Windows
Short Name: ntfsboot
Is Parsed: No - Raw boot sector
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The $Boot file contains the NTFS boot sector (also called the Volume Boot Record or VBR). It includes the BIOS Parameter Block (BPB) with file system parameters and the bootstrap code that loads the operating system.
The boot sector can be analyzed for bootkit detection and to understand NTFS volume structure.
Data Collected
Type (file type): Boot
Name (file name): $Boot
SourcePath (original path): C:\$Boot
FilePath (path in evidence): NTFSFiles/$Boot
FileSize (file size in bytes): 8192
Collection Method
This collector uses a kernel driver to read the raw $Boot file from each fixed NTFS drive.
Usage
Boot sector analysis helps verify file system integrity and detect boot-level threats. Investigators use this data to detect NTFS bootkits, analyze file system parameters, verify volume structure, and validate NTFS configuration.
Known Limitations
Only available on NTFS volumes
Requires driver access
Small file (typically 8KB)
Requires NTFS knowledge to interpret
Notes
The $Boot file contains critical NTFS parameters including cluster size, MFT location, and volume serial number. Anomalies in the boot sector can indicate bootkit infection.
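As an added example, not part of this page or the collector's own code, the following Python parser reads the BIOS Parameter Block fields named above (cluster size, $MFT location, volume serial number) from the first 512-byte sector of an 8192-byte $Boot dump, hashes the bootstrap code region so it can be compared against a baseline taken from a known-good system, and flags the structural anomalies an analyst would check first. Field offsets follow the documented NTFS boot sector layout; the sample image, its serial number, volume size and bootstrap bytes are constructed and not from any real volume.

```python
import hashlib
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "


def parse_ntfs_boot_sector(data: bytes) -> dict:
    """Parse the BPB of an NTFS boot sector.

    `data` is the raw $Boot dump (8192 bytes in the collector's output); only
    the first sector holds the BPB, the rest is continuation of the bootstrap
    code. Offsets follow the documented NTFS boot sector layout.
    """
    if len(data) < SECTOR:
        raise ValueError("boot sector must be at least 512 bytes")
    s = data[:SECTOR]
    bps = struct.unpack_from("<H", s, 0x0B)[0]   # bytes per sector
    spc = s[0x0D]                                # sectors per cluster
    cluster = bps * spc
    rec = struct.unpack_from("<b", s, 0x40)[0]   # clusters per MFT record (signed)
    # A negative value encodes the record size as 2**(-value) bytes
    record_size = (1 << -rec) if rec < 0 else rec * cluster
    mft_lcn = struct.unpack_from("<Q", s, 0x30)[0]
    return {
        "oem_id": s[3:11],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": cluster,
        "media_descriptor": s[0x15],
        "total_sectors": struct.unpack_from("<Q", s, 0x28)[0],
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster,
        "mftmirr_lcn": struct.unpack_from("<Q", s, 0x38)[0],
        "file_record_size": record_size,
        "volume_serial": struct.unpack_from("<Q", s, 0x48)[0],
        "end_marker": struct.unpack_from(">H", s, 0x1FE)[0],
        # Hash of the bootstrap code region; compare with a known-good baseline
        "bootstrap_sha256": hashlib.sha256(s[0x54:0x1FE]).hexdigest(),
    }


def check_boot_sector(f: dict) -> list:
    """Return structural anomalies worth a closer look (empty list = clean)."""
    issues = []
    if f["oem_id"] != NTFS_OEM_ID:
        issues.append("OEM ID is not 'NTFS    '")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        issues.append(f"unusual bytes per sector: {f['bytes_per_sector']}")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append(f"sectors per cluster is not a power of two: {spc}")
    if f["end_marker"] != 0x55AA:
        issues.append("end-of-sector marker 0x55AA missing")
    total_clusters = f["total_sectors"] // spc if spc else 0
    if f["mft_lcn"] >= total_clusters:
        issues.append("MFT cluster number lies outside the volume")
    return issues


def build_sample_boot() -> bytes:
    """Constructed 8192-byte $Boot image; all values are illustrative."""
    b = bytearray(8192)
    b[0x00:0x03] = b"\xEB\x52\x90"                 # jump to bootstrap code
    b[0x03:0x0B] = NTFS_OEM_ID
    struct.pack_into("<H", b, 0x0B, 512)           # bytes per sector
    b[0x0D] = 8                                    # sectors per cluster (4 KiB)
    b[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<H", b, 0x18, 63)            # sectors per track
    struct.pack_into("<H", b, 0x1A, 255)           # number of heads
    struct.pack_into("<I", b, 0x1C, 2048)          # hidden sectors
    struct.pack_into("<I", b, 0x24, 0x80008000)    # unused, usual value
    struct.pack_into("<Q", b, 0x28, 20_971_519)    # total sectors (~10 GiB)
    struct.pack_into("<Q", b, 0x30, 786_432)       # $MFT cluster number
    struct.pack_into("<Q", b, 0x38, 2)             # $MFTMirr cluster number
    b[0x40] = 0xF6                                 # -10 -> 1024-byte records
    b[0x44] = 0x01                                 # clusters per index buffer
    struct.pack_into("<Q", b, 0x48, 0x1234567890ABCDEF)  # constructed serial
    b[0x54:0x58] = b"\xFA\x33\xC0\x8E"             # placeholder bootstrap bytes
    b[0x1FE:0x200] = b"\x55\xAA"                   # end-of-sector marker
    return bytes(b)


def build_modified_sample() -> bytes:
    """Constructed copy whose bootstrap bytes and end marker differ from the
    baseline, used only to exercise the checks above."""
    b = bytearray(build_sample_boot())
    b[0x54:0x58] = b"\x90\x90\x90\x90"
    b[0x1FE:0x200] = b"\x00\x00"
    return bytes(b)


SAMPLE_BOOT = build_sample_boot()
MODIFIED_BOOT = build_modified_sample()

if __name__ == "__main__":
    for label, img in (("baseline", SAMPLE_BOOT), ("modified", MODIFIED_BOOT)):
        fields = parse_ntfs_boot_sector(img)
        print(label, {k: v for k, v in fields.items() if k != "oem_id"})
        print("  issues:", check_boot_sector(fields) or "none")
```

On a real collection, pass the bytes of NTFSFiles/$Boot to parse_ntfs_boot_sector and compare bootstrap_sha256 with the value recorded from a known-good host running the same Windows build; a hash change with otherwise sane BPB values is the case the structural checks alone will not catch.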