Wednesday, March 14, 2012

MBR ~ Master Boot Record

Computer Forensic mostly dealing with a storage device like Flashdisk, Harddisk, CD, DVD, RAM, etc. There are two type of storage, volatile and non volatile. Dealing with volatile storage device like RAM is more difficult because when the Computer is turned off, the data inside will disappear and some evidence maybe would lost too. Dealing with non volatile memory like Flashdisk or Harddisk isn't easy too. False method will make an evidence found on the memory won't be valid anymore.

In the Harddisk, there is something called MBR or Master Boot Record. MBR contain a series of code which make the harddisk can boot the system. IBM is the one who make it well known by the world. Usually, MBR located in the first sector of the Harddisk. Some of MBR task are :
1. Record the partition table on the system, which contains the details of the partition of a storage device on the system. 
2. Bootstrapping an operating system. 
3. Identify individual storage media.

Partition table that exist in the MBR describe where the partition are put in the Harddisk. This scheme only availabe in the Intel x86 system and integrated in the BIOS of the system. This type of partitioning scheme make the partition divided into three types :
- Primary Partition 
- Extended Partition
- Logical Partition

When a PC is booted, MBR run these task :
- Find an active partition that can be booted in the partition table.
- Find the first sector of the active harddisk to get a boot sector from that partition. 
- Copy the boot sector from the active partition to the memory.
- Give further control to the executable code that can be executed in the boot sector.

"the quieter you become, the more you are able to hear.."


Post a Comment