Windows Forensics: The Field Guide for Corporate Computer Investigations
| LOCATION | # OF BYTES | IDENTIFIER | NOTES |
|---|---|---|---|
| 00 | 3 | Jumpcode | Contains the jump short instruction (1 byte), the offset of the bootstrap code (1 byte), and a NOP. |
| 03 | 8 | OEM name | The name of the OS that formatted the partition. Can be used to determine legacy OS presence. |
| 0B | 2 | # of bytes per sector | The total number of bytes each sector holds. |
| 0D | 1 | # of sectors per cluster | The total number of sectors each cluster holds. |
| 0E | 2 | # of reserved sectors | The number of sectors reserved for the boot record. |
| 10 | 3 | Always 0 | Legacy FAT area not used by NTFS. |
| 13 | 2 | N/A | Not currently used. |
| 15 | 1 | Media type | Always F8 for a hard drive. |
| 16 | 2 | Always 0 | Legacy FAT area not used by NTFS. |
| 18 | 2 | # of sectors per track | Total number of sectors in each track. |
| 1A | 2 | # of heads | Total number of drive heads. |
| 1C | 4 | # of hidden sectors | The number of sectors in the MBR until the boot record begins. |
| 20 | 4 | N/A | Not used. |
| 24 | 4 | N/A | Not used. |
| 28 | 8 | Total sectors | Total number of sectors. |
| 30 | 8 | Logical cluster number for the file $MFT | Starting cluster of the $MFT file. |
| 38 | 8 | Logical cluster number for the file $MFTMirr | Starting cluster of the $MFTMirr file. |
| 40 | 4 | # of clusters per file record segment | Number of clusters in each file record segment. |
| 44 | 4 | # of clusters per index block | Number of clusters in each index block. |
| 48 | 8 | Volume serial number | A unique number assigned to a partition at format time. Both Quick and Full formats reassign a serial number. |
| 50 | 4 | Checksum | Not used. |
| 54 | 426 | Executable bootstrap | Starts the first file to boot the system itself. |
| 01 FE | 2 | Executable signature | Added as 55 AA when formatted. Otherwise, the operating system will not be registered by the BIOS as present. |
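The table's offsets applied to a raw sector, as an added example that is not from the book: a Python parser that decodes the geometry, `$MFT` location and volume serial number, and flags values that differ from what the table says a formatted record holds. The names `parse_ntfs_boot_sector` and `build_sample_sector` are hypothetical, the sample sector is constructed, and multi-byte fields are read as little-endian.

```python
import struct

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the fields listed in the table from one 512-byte boot sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    bps, spc, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    findings = []  # deviations from the values the table describes
    if sector[0x1FE:0x200] != b"\x55\xAA":
        findings.append("signature at 1FE is not 55 AA")
    if sector[0x15] != 0xF8:
        findings.append("media type is not F8")
    if any(sector[0x10:0x13]) or any(sector[0x16:0x18]):
        findings.append("legacy FAT fields are not zero")
    cluster_size = bps * spc
    return {
        "oem_name": sector[0x03:0x0B].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mirr_lcn,
        # Byte offset of $MFT from the start of the volume: LCN x cluster size
        "mft_byte_offset": mft_lcn * cluster_size,
        "volume_serial": serial,
        "findings": findings,
    }

def build_sample_sector() -> bytes:
    """Constructed sample boot sector (not taken from a real disk image)."""
    s = bytearray(512)
    s[0x00:0x03] = b"\xEB\x52\x90"                  # jump short, offset, NOP
    s[0x03:0x0B] = b"NTFS    "                      # OEM name, padded to 8 bytes
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)    # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                  # media type: hard drive
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)
    struct.pack_into("<QQQ", s, 0x28, 1024000, 786432, 2)
    struct.pack_into("<Q", s, 0x48, 0x1234ABCD5678EF90)
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_sector()).items():
        print(f"{key}: {value}")
```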