Master Boot Record (MBR)
Overview
Evidence: MBR
Description: Collect Master Boot Record
Category: Disk
Platform: Windows
Short Name: mbr
Is Parsed: No - Raw 512-byte boot sector
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Master Boot Record is the first 512 bytes of a disk and contains the partition table and the boot code. The MBR is critical for system boot, which is why bootkits and other low-level malware target it.
MBR analysis can detect bootkit infections, partition table manipulation, and other disk tampering.
Data Collected
Field        Description                  Example
Type         Boot record type             MBR
StartOffset  Starting offset in file      0
EndOffset    Ending offset in file        512
FilePath     Path to saved boot record    Disk/MBR.bin
Collection Method
This collector:
Uses a driver IOCTL to read the first 512 bytes of the physical disk
Saves the raw MBR to a binary file
Records the start and end offsets of the captured data
Usage
MBR analysis is critical for detecting bootkits and disk-level threats. Investigators use this data to detect bootkit infections, analyze partition table modifications, identify malicious boot code, verify boot sector integrity, and detect disk manipulation.
Known Limitations
Only captures the MBR (GPT partition tables are not collected)
Requires driver access to physical disk
Single snapshot in time
Notes
The MBR contains both the boot code (first 446 bytes) and the partition table together with the 0x55AA boot signature (last 66 bytes). Anomalous boot code can indicate a bootkit infection. Tools like bootsect or specialized MBR analyzers can examine the structure.
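As an added example (not the collector's own code), the following script parses the raw 512-byte MBR.bin described above: it verifies the 0x55AA signature, hashes the 446-byte boot code so it can be compared with a known-good baseline, decodes the four partition entries, and flags a protective MBR (type 0xEE), which indicates a GPT disk whose real layout this collector does not capture. The sample MBR bytes and the baseline-comparison helper are constructed for the example.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446        # bytes 0..445: boot code
PARTITION_TABLE_OFF = 446  # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510        # bytes 510..511: boot signature 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Parse a raw 512-byte MBR into a signature check, boot-code hash and partition list."""
    if len(mbr) != 512:
        raise ValueError(f"expected 512 bytes, got {len(mbr)}")
    result = {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        # Hash only the boot code: this is the part a bootkit modifies, and the
        # hash can be compared against a baseline taken from a known-clean host.
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
        "protective_mbr": False,
    }
    for i in range(4):
        entry = mbr[PARTITION_TABLE_OFF + 16 * i:PARTITION_TABLE_OFF + 16 * (i + 1)]
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused entry
        if ptype == 0xEE:
            result["protective_mbr"] = True  # GPT disk: the real partition table is not in the MBR
        result["partitions"].append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
        })
    return result


def compare_boot_code(parsed: dict, baseline_sha256: str) -> bool:
    """True when the captured boot code matches a known-good baseline hash (constructed helper)."""
    return parsed["boot_code_sha256"] == baseline_sha256


# Constructed sample: placeholder boot code, one bootable type-0x07 partition, valid signature.
SAMPLE_MBR = (
    b"\xEB\x63\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
    + struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    + b"\x00" * 48
    + b"\x55\xAA"
)

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))  # replace SAMPLE_MBR with open("Disk/MBR.bin", "rb").read()
```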