Disk Drive Structures
This exercise will allow you to examine master boot records (MBRs) and boot sectors (B/Ss) in some detail. The process will include finding the location of the MBR and B/S with a hex editor, exporting the MBR and B/S to a file, and examining those structures with a parser that will tell you byte-by-byte what everything means.
Note that all of the Perl programs here use the -h switch to display the help file and use the -t switch to display the parsing template (i.e., the layout of the subject file).
This exercise is written for Windows file systems. The steps could be replicated on Mac or Linux systems, but the steps as shown are Windows-specific.
Two programs will be needed for this exercise, one for parsing the MBR and the other for parsing the B/S. They should be located in the Resources folder of this exercise.
> mbrparser_v2.1
> bsparser_v3.1
In this exercise, you will:
1. Examine, locate, and export MBR(s) and B/S(s) using a hex editor and parser.
Step 1. In this section, we will open the MBR and boot sector on a hard drive.

Step 2. Start WinHex on your computer. Go to the Tools, Open Disk... pull-down menu. In the Edit Disk dialogue box, select your system's hard drive under the Physical Media block; it should be labeled HD0. Click the OK button.

Step 3. There are a number of items of interest that you should note before continuing. First, you should see the line that says Partition 2 (C:) in the upper pane. That is a clue as to what you will see later on; namely, a single NTFS partition.

Step 4. In order to examine Sector 0 of this disk more closely, we need to export it to its own file. To do that, we will select the entire sector as a single block and then copy the block into a file. Recall that a sector is 512 bytes long, numbered 0-511 (0x000-0x1FF). Click anywhere in the area of the sector's contents, then select the Edit, Copy Sector, Into New File pull-down menu to save the file to the exercise's Resources folder.

Step 5. The following display should appear, confirming that the entire sector has been copied into the file of your choice. You won't need this window again, so it can be closed.

Step 6. Open a DOS Command Prompt and navigate to the mbrparser program. Obtain the MBR parser program help file by entering the following command (adjust as necessary for your system): perl mbrparser.pl -h

Step 7. Display the contents of the disk drive's MBR file that you just exported, using the -i switch.

Step 8. Pay particular attention to the Partition Tables. In this example, note that there are two partitions. How many partitions did you find on your hard drive? What is the make and model of your computer? What is the operating system? Partition #1 is the active partition, meaning that it is the bootable partition. Which partition on your drive is active? Partition #1 employs the NTFS file system. What file system(s) is/are associated with your disk's partitions? Partition #1 -- the active partition -- starts at logical block address #2,048 and occupies 1,024,000 sectors. What is/are the starting address(es) and size(s) of the partition(s) on your drive?

Step 9. In the example here, we see that Partition #1 starts at sector 2,048 (your starting sector might be different). Go back to WinHex and go to logical sector 2,048 on the hard drive by using the Navigation, Go To Sector pull-down menu.

Step 10. Click anywhere in the area of the sector's contents, then export this sector into a file using the Edit, Copy Sector, Into New File pull-down menu and save the file in the exercise's Resources folder.

Step 11. The following display should appear, confirming that the entire sector has been copied into the file of your choice. You won't need this window again, so it can be closed.

Step 12. Now navigate to the bsparser program and view the Boot Sector parser program help file by entering the following command (adjust as necessary for your system): perl bsparser.pl -h

Step 13. Display the contents of the partition's boot sector file that you just exported. Note that you will need to indicate the type of file system, using one of the following program switches: -f (for FAT12 or FAT16), -f32 (for FAT32), or -n (for NTFS). If you don't know the file system, just try each switch in turn and see which results make sense. In this particular example, NTFS makes the most sense based upon the information that was in the partition table. (Note that I also used the -s switch here to suppress display of the boot code, but also try this without the -s switch.) For each partition on your hard drive:
> What is the partition's file system?
> What is the sector size (in bytes)?
> What is the cluster size (in bytes)?
> If NTFS, what is the size of an MFT entry (in bytes)?
> If FAT, what is the volume label? How many FATs are there and how large are they (in bytes)?
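As an added example (not the exercise's own mbrparser program), the following Python parser reads the partition table that Step 8 has you inspect: the four 16-byte entries at offset 0x1BE of the exported 512-byte sector. It is run against a constructed MBR whose first entry mirrors the exercise's example (active, NTFS, LBA 2,048, 1,024,000 sectors); the second entry and the boot-code bytes are made up.

```python
import struct

PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16 (<32 MB)", 0x05: "extended", 0x06: "FAT16",
                   0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
                   0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of a classic MBR partition table.

    Layout: 446 bytes of boot code, four 16-byte entries at 0x1BE, 0x55AA at 0x1FE.
    Entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian.
    """
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR (or corrupted)")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        entries.append({
            "index": i + 1,
            "active": status == 0x80,                       # 0x80 = bootable, 0x00 = inactive
            "status_ok": status in (0x00, 0x80),            # any other value is suspect
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": count,
            "size_bytes": count * 512,
        })
    return entries

def _entry(status, ptype, lba_start, sectors) -> bytes:
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sample MBR (not captured from a real drive). Entry 1 mirrors the exercise's
# worked example: active, NTFS, starting at LBA 2,048 and 1,024,000 sectors long.
SAMPLE_MBR = (b"\x00" * 446
              + _entry(0x80, 0x07, 2048, 1_024_000)
              + _entry(0x00, 0x07, 1_026_048, 8_000_000)   # second NTFS volume, made up
              + _entry(0, 0, 0, 0) * 2
              + b"\x55\xAA")

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE_MBR):
        flag = "*" if e["active"] else " "
        print(f"{flag} #{e['index']} {e['type']:<18} start={e['lba_start']:>10,} "
              f"sectors={e['sectors']:>12,} ({e['size_bytes'] / 2**20:,.0f} MiB)")
```

To run it on your own export, replace SAMPLE_MBR with the bytes read from the file you saved in Step 4.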
Step 1. Here are a few more things to try to gain some additional familiarity with MBRs and boot sectors.

Step 2. If you haven't done this already, run bsparser against your partition's boot sector file with each of the FAT, FAT32, and NTFS switches. You should observe that the results make sense for only one of the file system types; i.e., there is really no confusing which output is correct.

Step 3. Locate the set of sample MBR and Boot Sector files in the MBR_BS. Take a look at the results using the appropriate parser program. NOTE that Volume Boot Record (VBR) is a synonym for Boot Sector! Note any comments and observations on the Discussion board.
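An added Python example (not the exercise's bsparser) covering the boot sector fields asked about in Step 13 of the first part and the "try each switch" check in Step 2 above: it reads the BIOS Parameter Block, decides which of FAT12/16, FAT32 or NTFS the layout is consistent with, and extracts sector size, cluster size, MFT record size and the FAT label and FAT size. The sample NTFS boot sector is constructed here, not taken from a real drive.

```python
import struct

def _bpb(bs: bytes) -> dict:
    """BIOS Parameter Block fields at 0x0B, shared by FAT and NTFS boot sectors."""
    bps, spc, reserved, nfats, root, _tot16, _media, spf16 = struct.unpack_from("<HBHBHHBH", bs, 0x0B)
    return {"oem_id": bs[3:11].decode("ascii", "replace"), "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "cluster_bytes": bps * spc, "reserved_sectors": reserved,
            "num_fats": nfats, "root_entries": root, "sectors_per_fat16": spf16}

def guess_filesystem(bs: bytes):
    """Automates 'try -f, -f32 and -n in turn': only one layout gives sane field values."""
    if len(bs) != 512 or bs[0x1FE:0x200] != b"\x55\xAA":
        return None
    i = _bpb(bs)
    if i["bytes_per_sector"] not in (512, 1024, 2048, 4096) or i["sectors_per_cluster"] == 0:
        return None
    if i["oem_id"] == "NTFS    " and i["num_fats"] == 0:   # NTFS leaves the FAT-only fields zero
        return "NTFS"
    if i["num_fats"] in (1, 2) and i["sectors_per_fat16"] == 0 and i["root_entries"] == 0:
        return "FAT32"                                     # FAT32 keeps these in 32-bit fields instead
    if i["num_fats"] in (1, 2) and i["sectors_per_fat16"] > 0:
        return "FAT12/16"
    return None

def parse_ntfs(bs: bytes) -> dict:
    info = _bpb(bs)
    total, mft_cluster, mirror_cluster, cpmft = struct.unpack_from("<QQQb", bs, 0x28)
    # Clusters-per-MFT-record is signed: a negative n means the record is 2**(-n) bytes.
    info.update(total_sectors=total, mft_cluster=mft_cluster, mft_mirror_cluster=mirror_cluster,
                mft_record_bytes=(1 << -cpmft) if cpmft < 0 else cpmft * info["cluster_bytes"])
    return info

def parse_fat(bs: bytes, fat32: bool) -> dict:
    info = _bpb(bs)
    if fat32:   # FAT32 has a larger BPB, so the volume label and type string sit further in
        spf, label, fstype = struct.unpack_from("<I", bs, 0x24)[0], bs[0x47:0x52], bs[0x52:0x5A]
    else:
        spf, label, fstype = info["sectors_per_fat16"], bs[0x2B:0x36], bs[0x36:0x3E]
    info.update(volume_label=label.decode("ascii", "replace").strip(), fat_bytes=spf * info["bytes_per_sector"],
                fs_type_string=fstype.decode("ascii", "replace").strip())
    return info

def sample_ntfs_boot_sector() -> bytes:
    """Constructed NTFS boot sector (not from the page): 512 B/sector, 8 sectors/cluster, 1 KiB MFT records."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x52\x90", b"NTFS    "
    struct.pack_into("<HBHBHHBH", bs, 0x0B, 512, 8, 0, 0, 0, 0, 0xF8, 0)
    struct.pack_into("<QQQb", bs, 0x28, 1_023_999, 786_432, 2, -10)   # 0x40 = -10 -> 1024-byte MFT record
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)
```

Feed the bytes of the file exported in Step 10 to guess_filesystem() first, then to parse_ntfs() or parse_fat() as indicated.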