Disk Drive Structures

This exercise will allow you to examine master boot records (MBRs) and boot sectors (B/Ss) in some detail. The process will include finding the location of the MBR and B/S with a hex editor, exporting the MBR and B/S to a file, and examining those structures with a parser that will tell you byte-by-byte what everything means.

Note that all of the Perl programs here use the -h switch to display the help file and use the -t switch to display the parsing template (i.e., the layout of the subject file).

This exercise is written for Windows file systems. The steps could be replicated on Mac or Linux systems, but the steps as shown are Windows-specific.

Two programs will be needed for this exercise, one for parsing the MBR and the other for parsing the B/S. They should be located in the Resources folder of this exercise.

- mbrparser_v2.1

- bsparser_v3.1

In this exercise, you will:

1. Examine, locate, and export MBR(s) and B/S(s) using a hex editor and parser.

Step / Action

Step 1. In this section, we will open up the MBR and boot sector on a hard drive.

Step 2. Start WinHex on your computer. Go to the Tools, Open Disk... pull-down menu. In the Edit Disk dialog box, select your system's hard drive under the Physical Media block; it should be labeled HD0. Click the OK button.

Step 3. There are a number of items of interest that you should note before continuing.

First, you should see the line that says Partition 2 (C:) in the upper pane. That is a clue as to what you will see later on; namely, a single NTFS partition.

Second, the Offset column gives the byte offset, measured from the beginning of the file or disk, of the first byte on each line of the display. The first byte of the first line is at offset 0x0000; the first byte of the second line is at 0x0010; and so on. Note that you can toggle the offset display between hex (base 16) and decimal (base 10) by left-clicking anywhere in the Offset column. Note further that the display here is 16 bytes wide, numbered 0-15 (0x0-0xF). Thus, the first line of the display holds bytes 0-15 (0x00-0x0F), the second line holds bytes 16-31 (0x10-0x1F), etc.

Finally, note the label Sector 0 of ... in the lower-left portion of the screen. This tells you what physical sector you are currently looking at. Since this is Sector 0, you know that you are looking at a Master Boot Record or Boot Sector. Since this is a bootable hard drive, MBR is the best guess.

Step 4. In order to examine Sector 0 of this disk more closely, we need to export it to its own file. To do that, we will select the entire sector as a single block and then copy the block into a file. Recall that a sector is 512 bytes long, numbered 0-511 (0x000-0x1FF). Click anywhere in the area of the sector's contents, then select the Edit, Copy Sector, Into New File pull-down menu to save the file to the exercise's Resources folder.

Step 5. The following display should appear, confirming that the entire sector has been copied into the file of your choice. You won't need this window again, so it can be closed.

Step 6. Open a DOS Command Prompt and navigate to the mbrparser program. Obtain the MBR parser program's help file by entering the following command (adjust as necessary for your system):

perl mbrparser.pl -h

Step 7. Display the contents of the disk drive's MBR file that you just exported, using the -i switch.

Step 8. Pay particular attention to the Partition Tables.

In this example, note that there are two partitions. How many partitions did you find on your hard drive? What is the make and model of your computer? What is the operating system?

Partition #1 is the active partition, meaning that it is the bootable partition. Which partition on your drive is active?

Partition #1 employs the NTFS file system. What file system(s) is/are associated with your disk's partitions?

Partition #1, the active partition, starts at logical block address 2,048 and occupies 1,024,000 sectors. What is/are the starting address(es) and size(s) of the partition(s) on your drive?
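The partition table you have just been asked about can also be decoded by hand. The following Python is an added example for this handout; it is not the mbrparser program's code. It decodes the four 16-byte partition entries at offset 0x1BE of a 512-byte MBR (active flag, type byte, little-endian starting LBA and sector count), checks the 0x55AA signature, and renders rows of 16 bytes with hex or decimal offsets the way the hex editor's pane does. The sample MBR is constructed inline so the script runs without a disk: partition 1 reuses the handout's numbers (NTFS, active, LBA 2,048, 1,024,000 sectors); the second partition's values are made up. The load_mbr helper reads a sector file exported with Copy Sector, Into New File.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE        # 446: four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 0x1FE-0x1FF of a valid MBR

# Only the type codes this example needs; the real list is much longer.
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x06: "FAT16",
                   0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)"}


def hex_rows(data, start=0, decimal_offsets=False):
    """Render data 16 bytes per row, like the hex editor pane: the offset of
    the row's first byte, then the bytes. start is the offset of data[0]."""
    rows = []
    for i in range(0, len(data), 16):
        off = start + i
        label = "%10d" % off if decimal_offsets else "%08X" % off
        rows.append(label + "  " + data[i:i + 16].hex(" "))
    return rows


def parse_partition_table(mbr):
    """Decode the four primary partition entries of a 512-byte MBR.

    Each 16-byte entry: status (0x80 = active/bootable), 3-byte CHS start,
    type, 3-byte CHS end, 32-bit LE starting LBA, 32-bit LE sector count.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature at offset 0x1FE")
    entries = []
    for i in range(4):
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "num_sectors": num_sectors,
            "byte_offset": lba_start * SECTOR_SIZE,  # where Go To Sector lands
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return entries


def active_partition(entries):
    """The entry flagged bootable, or None; more than one is malformed."""
    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        raise ValueError("more than one partition is flagged active")
    return active[0] if active else None


def _entry(active, ptype, lba_start, num_sectors):
    return struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, num_sectors)


# Constructed sample: boot code area zeroed, two NTFS partitions, two empty
# slots, signature. Partition 1 matches the handout (2048 / 1,024,000);
# partition 2's numbers are made up.
SAMPLE_MBR = (bytes(PARTITION_TABLE_OFFSET)
              + _entry(True, 0x07, 2048, 1_024_000)
              + _entry(False, 0x07, 1_026_048, 208_000_000)
              + bytes(32)
              + BOOT_SIGNATURE)


def load_mbr(path):
    """Read a sector exported from the hex editor (Copy Sector, Into New File)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    for row in hex_rows(SAMPLE_MBR[0x1B0:0x200], start=0x1B0):
        print(row)
    for e in parse_partition_table(SAMPLE_MBR):
        if e["type"]:
            print("Partition #%d %s type 0x%02X %s: LBA %d, %d sectors (%d bytes)"
                  % (e["index"], "active" if e["active"] else "inactive",
                     e["type"], e["type_name"], e["lba_start"],
                     e["num_sectors"], e["size_bytes"]))
```

To run it against your own drive, replace SAMPLE_MBR with load_mbr("path-to-exported-sector") and compare the output with what mbrparser prints. The byte_offset field is the starting LBA multiplied by 512, which is where Go To Sector places you in the next step.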

Step 9. In the example here, we see that Partition #1 starts at sector 2,048 (your starting sector might be different). Go back to WinHex and go to logical sector 2,048 on the hard drive by using the Navigation, Go To Sector pull-down menu.

Step 10. Click anywhere in the area of the sector's contents, then export this sector into a file using the Edit, Copy Sector, Into New File pull-down menu and save the file in the exercise's Resources folder.

Step 11. The following display should appear, confirming that the entire sector has been copied into the file of your choice. You won't need this window again, so it can be closed.

Step 12. Now navigate to the bsparser program and view the Boot Sector parser program's help file by entering the following command (adjust as necessary for your system):

perl bsparser.pl -h

Step 13. Display the contents of the partition's boot sector file that you just exported. Note that you will need to indicate the type of file system, using one of the following program switches: -f (for FAT12 or FAT16), -f32 (for FAT32), or -n (for NTFS). If you don't know the file system, just try each switch in turn and see which results make sense. In this particular example, NTFS makes the most sense based on the information that was in the partition table. (Note that I also used the -s switch here to suppress display of the boot code, but also try this without the -s switch.)

For each partition on your hard drive:

- What is the partition's file system?

- What is the sector size (in bytes)?

- What is the cluster size (in bytes)?

- If NTFS, what is the size of an MFT entry (in bytes)?

- If FAT, what is the volume label? How many FATs are there and how large are they (in bytes)?

Step / Action

Step 1. Here are a few more things to try to gain some additional familiarity with MBRs and boot sectors.

Step 2. If you haven't done this already, run bsparser against your partition's boot sector file and use the FAT, FAT32, and NTFS switches. You should observe that the results make sense for only one of the file system types; i.e., there's really no confusing which output is correct.

Step 3. Locate the set of sample MBR and Boot Sector files in the MBR_BS. Take a look at the results using the appropriate parser program. NOTE that Volume Boot Record (VBR) is a synonym for Boot Sector! Note any comments and observations on the Discussion board.