All I have is a dump of a MBR (sector 0). It contains the normal string 'Invalid partition table....'

The sector has been written to the disk and I would like to know when.

I do not currently have access to the rest of the disk.

Does anyone know if the date is ever embedded within the general code area?

I know that only bytes 0x1be to 0x1ff are actually defined, the rest are often standard

thestarman.pcministry..../W7MBR.htm

The link above gives lots of info but does not mention a date, so I fear the answer to my question is no.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

I found multiple sites on Google that describe the code in the MBR, even go so far as decode it (or provide someone with the ability to do so)...yet I don't see where there's a date listed.  

Not in the mbr, but whenever you get access to the rest of the disk, there may be traces from the OS having redetected a "new" disk (or in this case the same one but with a possibly different disk signature). Or not if the signature was the same.
_________________
Joakim Schicht

github.com/jschicht 

For some useful info about what IS in the MBR, check Google, and try Jamie's code:
gleeda.blogspot.com/20...arser.html  

The ONLY data in a MBR (beside the partition table entries) that varies between two "same OS" installs is the Disk Signature. (4 bytes at offset 440)
The Disk Signature is "randomly generated" when the disk is "initialized" (i.e. first time it is accessed by disk manager and/or during initial partitioning and/or silently if by any chance the disk signature is set to 00000000) as soon as the disk is connected to a NT system) and bears NO info of any kind about date/time.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

Maybe some explanantion to my not so brilliant post would be necessary. I was assuming that only the mbr was rewritten, and that the disk signature may or may not have changed during that operation. If the disk signature was changed, then it should be possible to make some assumptions as to when it occurred. For instance through the registry, by mapping the disk guid from MountedDevices to MountPoints2 and retrieving the last write timestamp. Should at least reflect the boottime of the next boot after the signature was changed. But of course pointless if the signature was kept during the rewrite. Just a shame no timestamps exists in the mbr itself.

Assumtion: Windows system (which I drew because of the reference back to disassembly of a Windows 7 based mbr).
_________________
Joakim Schicht

github.com/jschicht 

I may have something for you on this tomorrow...while it doesn't fit with the MBR that you're referring to, I may have something more along the lines of the MountedDevices/MountPoints2 key references.