MBR
Overview
Evidence: MBR
Description: Collect Master Boot Record
Category: DiskFilesystem
Platform: windows
Short Name: mbr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Master Boot Record occupies the first sector of a disk (512 bytes on a disk with 512-byte sectors). Bytes 0-445 hold the bootstrap code the BIOS loads and executes, bytes 446-509 hold the four 16-byte partition table entries, and bytes 510-511 hold the 0x55AA boot signature. Because the firmware runs this code before the operating system and any security software, the MBR is a target for bootkits and other low-level malware.
MBR analysis can detect bootkit infections, partition table manipulation, and other disk tampering. On UEFI systems with GPT disks the MBR is only a protective stub (a single partition entry of type 0xEE), so boot-path tampering there is looked for in the GPT header and the EFI system partition instead.
Data Collected
This collector saves the raw MBR sector as a file and records the following structured fields describing it.
MBR Data
| Field | Description | Example |
|---|---|---|
| Type | Boot record type | MBR |
| StartOffset | Starting byte offset of the record on the disk | 0 |
| EndOffset | Ending byte offset of the record (exclusive; 0 to 512 covers the whole sector) | 512 |
| FilePath | Path of the saved raw boot record within the collection output | Disk/MBR.bin |
Collection Method
This collector:
- Uses a driver IOCTL to read the first 512 bytes of the physical disk
- Saves the raw MBR to a binary file
- Records the start and end offsets of the saved record
Forensic Value
MBR analysis is critical for detecting bootkits and other disk-level threats. Investigators compare the saved sector against a known-good baseline to identify modified boot code, check the partition table for added, hidden or overlapping entries, verify the 0x55AA signature and other structural invariants of the sector, and thereby detect bootkit infections and disk manipulation.
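The following Python is an added example illustrating both the collection step and the checks listed above; it is not the collector's own code. It reads the first sector from a path, saves it to a `Disk/MBR.bin`-style file together with the fields documented in the MBR Data table, and then parses the partition table and compares the boot code against a baseline hash. The device path is an assumption: on Windows an administrator can pass `\\.\PhysicalDrive0`, which this code opens with an ordinary file read rather than the collector's driver IOCTL; any raw disk image works for offline analysis. The two MBR images (`CLEAN` and `TAMPERED`) are constructed test data, not real disks.

```python
"""Collect and analyze a Master Boot Record (added example, not the collector's own code)."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries, bytes 446..509
SIGNATURE = b"\x55\xAA"        # boot signature at bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def collect_mbr(device_path, out_path="Disk/MBR.bin"):
    """Read the first sector of device_path, save it, and return the documented fields.

    Assumption: on Windows, device_path is r"\\.\PhysicalDrive0" opened as an
    administrator (a plain file read, not the collector's driver IOCTL).
    """
    with open(device_path, "rb") as dev:
        raw = dev.read(SECTOR)
    if len(raw) != SECTOR:
        raise ValueError(f"short read: got {len(raw)} bytes, expected {SECTOR}")
    os.makedirs(os.path.dirname(out_path) or ".", exist_ok=True)
    with open(out_path, "wb") as out:
        out.write(raw)
    return {"Type": "MBR", "StartOffset": 0, "EndOffset": SECTOR,
            "FilePath": out_path, "Raw": raw}


def parse_partitions(raw):
    """Decode the four partition table entries; all-zero (empty) entries are dropped."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, raw, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue
        parts.append({"index": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def analyze_mbr(raw, known_bootcode_sha256=None):
    """Run the integrity checks an investigator applies to a saved MBR."""
    findings = []
    if raw[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(raw)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']}: starts at LBA 0, overlapping the MBR itself")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition is flagged bootable")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    digest = hashlib.sha256(raw[:BOOT_CODE_LEN]).hexdigest()
    if known_bootcode_sha256 and digest != known_bootcode_sha256:
        findings.append("boot code hash differs from baseline")
    return {"bootcode_sha256": digest, "partitions": parts,
            "gpt_protective": any(p["type"] == 0xEE for p in parts),  # GPT disk: MBR is a stub
            "findings": findings}


def build_sample_mbr(entries, bootcode=b"\xEB\x3C\x90"):
    """Construct a synthetic MBR (constructed test data, not a real disk)."""
    raw = bytearray(SECTOR)
    raw[:len(bootcode)] = bootcode
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, raw, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    raw[510:512] = SIGNATURE
    return bytes(raw)


# Constructed samples: a clean two-partition disk, and the same disk after a bootkit
# replaced the boot code and added a hidden type-0x17 entry overlapping partition 0.
CLEAN = build_sample_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000)])
TAMPERED = build_sample_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000),
                             (0x00, 0x17, 100000, 4096)], bootcode=b"\xFA\x31\xC0")


def demo():
    """Write TAMPERED as a disk image, collect its MBR, and compare against CLEAN's baseline."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")
    with open(image, "wb") as f:
        f.write(TAMPERED + b"\0" * SECTOR)
    record = collect_mbr(image, os.path.join(workdir, "Disk", "MBR.bin"))
    baseline = analyze_mbr(CLEAN)["bootcode_sha256"]
    record["Analysis"] = analyze_mbr(record["Raw"], known_bootcode_sha256=baseline)
    return record


if __name__ == "__main__":
    result = demo()
    print(result["FilePath"], result["StartOffset"], result["EndOffset"])
    for finding in result["Analysis"]["findings"]:
        print("FINDING:", finding)
```

Run stand-alone, the script reports two findings for the tampered image: the boot code hash no longer matches the baseline taken from the clean sector, and partition entries 0 and 2 overlap. A hash mismatch alone is only meaningful against a baseline from the same disk or the same known-good boot loader, since legitimate boot code differs between Windows versions and third-party boot managers; the structural checks (signature, status bytes, LBA 0 start, multiple bootable flags, overlapping ranges) need no baseline. When `gpt_protective` is true the disk is GPT and the interesting boot artefacts live in the GPT header and EFI system partition, not in this sector.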