$Boot
Overview
Evidence: $Boot
Description: Dump Raw Contents of $Boot File
Category: DiskFilesystem
Platform: windows
Short Name: ntfsboot
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The $Boot file contains the boot sector and bootstrap code for the NTFS volume. It includes critical volume parameters such as cluster size, MFT location, volume size, and other fundamental file system metadata. This file is essential for mounting and accessing NTFS volumes.
Data Collected
This collector gathers structured data about $Boot.
$Boot Data
| Field | Description | Example |
|---|---|---|
| Type | File type | Boot |
| Name | File name | $Boot |
| SourcePath | Original path | C:$Boot |
| FilePath | Path in evidence | NTFSFiles/$Boot |
| FileSize | File size in bytes | 8192 |
Collection Method
This collector uses a kernel driver with raw NTFS access to read $Boot from each fixed NTFS drive.
Forensic Value
The boot sector provides essential information about NTFS volume configuration and can reveal volume tampering or corruption. Forensic analysis of the boot sector can identify disk geometry, partition parameters, and potential bootkits or other boot sector malware.