MBR

Overview

Evidence: MBR
Description: Collect Master Boot Record
Category: DiskFilesystem
Platform: windows
Short Name: mbr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The Master Boot Record is the first 512 bytes of a disk (sector 0). It holds the boot code (bytes 0-445, which on Windows also carries the 4-byte disk signature at offset 0x1B8), the four 16-byte partition table entries (bytes 446-509) and the 0x55AA boot signature (bytes 510-511). On GPT disks this sector contains a protective MBR with a single partition entry of type 0xEE. Because legacy BIOS firmware executes the MBR code before any operating system component loads, bootkits and other low-level malware overwrite it to gain control early in the boot sequence, below the reach of most endpoint controls.

MBR analysis can detect bootkit infections, partition manipulation, and disk tampering.

Data Collected

This collector gathers the raw MBR and records where it was read from.

MBR Data

Field        Description                                  Example
Type         Boot record type                             MBR
StartOffset  Starting byte offset of the captured record  0
EndOffset    Ending byte offset of the captured record    512
FilePath     Path to the saved boot record                Disk/MBR.bin

Collection Method

This collector:

  • Uses a driver IOCTL to read the first 512 bytes of the physical disk, bypassing the filesystem

  • Saves the raw bytes, unmodified, to a binary file (Disk/MBR.bin)

  • Records the start and end offsets of the captured range

Forensic Value

MBR analysis is critical for detecting bootkits and disk-level threats. Because the record is collected as a raw binary and not parsed, analysis is done offline against the saved file: confirm the 0x55AA signature is present, compare the boot code against a known-good image or hash for the same boot loader version, and check that the partition table entries are consistent with the volumes the operating system reports. Investigators use this data to detect bootkit infections, analyze partition table modifications, identify malicious boot code, verify boot sector integrity, and detect disk manipulation.
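The layout described in the Background section and the offline checks listed above, as an added example for working with the saved Disk/MBR.bin file. This is illustration code, not part of the collector or the product; the sample image it builds is constructed inline, and the helper names (parse_mbr, find_anomalies, build_sample_mbr, analyse_file) are assumptions, not collector APIs.

```python
"""Parse and sanity-check a raw 512-byte MBR image such as Disk/MBR.bin.
Added example; not the collector's own code."""
import hashlib
import struct

MBR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8     # 4-byte Windows disk signature, inside the boot-code area
PARTITION_TABLE_OFFSET = 0x1BE    # 446: four 16-byte entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 0x1FE     # 510: must hold 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one classic MBR partition entry: status, CHS start (skipped),
    type, CHS end (skipped), LBA start and sector count (little-endian)."""
    status, type_id, start_lba, sector_count = struct.unpack("<B3xB3xII", entry)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": type_id,
        "start_lba": start_lba,
        "sector_count": sector_count,
        "in_use": type_id != 0x00,
    }


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte sector into boot code digest, disk signature,
    boot-signature check and the four partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(data[start:start + PARTITION_ENTRY_SIZE]))
    return {
        # Hash only the code bytes before the disk signature, so the same boot
        # loader yields the same digest on every machine (baseline comparison).
        "boot_code_sha256": hashlib.sha256(data[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIGNATURE_OFFSET)[0],
        "signature_valid": data[BOOT_SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "partitions": entries,
    }


def find_anomalies(parsed: dict) -> list:
    """Structural checks an analyst runs before looking at the boot code itself."""
    problems = []
    if not parsed["signature_valid"]:
        problems.append("missing 0x55AA boot signature")
    used = [p for p in parsed["partitions"] if p["in_use"]]
    if sum(p["bootable"] for p in used) > 1:
        problems.append("more than one partition flagged bootable")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02x}")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sector_count"]) for p in used)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"partitions overlap: [{s1},{e1}) and [{s2},{e2})")
    return problems


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sample image (not a real capture): a boot partition at LBA 2048
    and a data partition right after it. The tampered variant drops the boot
    signature and moves the second partition so that it overlaps the first."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"                     # typical jump into the boot code
    struct.pack_into("<I", mbr, DISK_SIGNATURE_OFFSET, 0xDEADBEEF)
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
    if tampered:
        entries[1] = (0x00, 0x07, 100000, 1000000)
    for i, (status, type_id, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE,
                         status, type_id, start, count)
    if not tampered:
        mbr[BOOT_SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(mbr)


def analyse_file(path: str) -> dict:
    """Parse a collected Disk/MBR.bin and attach the anomaly list."""
    with open(path, "rb") as f:
        parsed = parse_mbr(f.read(MBR_SIZE))
    parsed["anomalies"] = find_anomalies(parsed)
    return parsed


if __name__ == "__main__":
    for label, image in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(tampered=True))):
        parsed = parse_mbr(image)
        print(label, parsed["boot_code_sha256"][:16], find_anomalies(parsed))
```

The boot-code digest is what you compare against a baseline taken from a known-clean machine running the same Windows release; a digest mismatch with an intact partition table and signature is the pattern a code-overwriting bootkit leaves, while the partition checks catch table edits that hide or redirect volumes. Call analyse_file("Disk/MBR.bin") on a collected file to run the same checks on real evidence.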
