Notifications

Clear all

MBR vs NTFS Volume Boot RECORD

General (Technical, Procedural, Software, Hardware etc.)

Last Post by amontes 18 years ago

10 Posts

5 Users

0 Reactions

2,597 Views

RSS

lpcforensic

(@lpcforensic)

Active Member

Joined: 18 years ago

Posts: 8

Topic starter 27/12/2007 11:10 pm

HI all,

a little Question.

I have a PC with 3 Partitions
1 PRIMARY
1 Extended

on the Extended partition i have 2 Logical Volume.

All is in NTFS.

Question

For every PARTITION (PRIMARY or LOGICAL VOLUME) the "TOTAL SECTOR" FIELD in the MBR and in the Volume Boot Record are different.

For 1 Sector.

For Example
MBR 0x02711637
VBR 0x02711636

WinHex and other tool says MBR is the Winner.
But why in the VBR i lose 1 SECTOR?

The field in VBR is at 0x28

For investigate, this two link can help

MBR http//tenyear.net/books/FileSystemForensicAnalysis/ch05lev1sec1.html

VBR http//www.ntfs.com/boot-sector-damaged.htm

But not help for answer to my question.

Quote

omagico

(@omagico)

Trusted Member

Joined: 20 years ago

Posts: 39

28/12/2007 5:20 am

Just a thought here so flame if necessary.

The MBR uses inclusive counting and the VBR uses exclusive. (probably not just a thoughtI. I'll have to play with this one.

ReplyQuote

amontes

(@amontes)

Active Member

Joined: 20 years ago

Posts: 6

28/12/2007 8:43 am

HI,
The difference lies with the inclusion or exclusion of the very last sector of the volume. The NTFS file system uses one sector (512 bytes) to store the backup volume boot record.

The NTFS volume boot record does not include this one sector in its total sector count.

Hope this helps,

Art Montes
Senior Instructor
Guidance Software, Inc.

HI all,

a little Question.

I have a PC with 3 Partitions
1 PRIMARY
1 Extended

on the Extended partition i have 2 Logical Volume.

All is in NTFS.

Question

For every PARTITION (PRIMARY or LOGICAL VOLUME) the "TOTAL SECTOR" FIELD in the MBR and in the Volume Boot Record are different.

For 1 Sector.

For Example
MBR 0x02711637
VBR 0x02711636

WinHex and other tool says MBR is the Winner.
But why in the VBR i lose 1 SECTOR?

The field in VBR is at 0x28

For investigate, this two link can help

MBR http//tenyear.net/books/FileSystemForensicAnalysis/ch05lev1sec1.html

VBR http//www.ntfs.com/boot-sector-damaged.htm

But not help for answer to my question.

ReplyQuote

balzanto

(@balzanto)

Trusted Member

Joined: 18 years ago

Posts: 57

29/12/2007 12:00 pm

Hmmmmm. I think I just heard this last week. Great class Art. Hope to see you soon.

Tony

HI,
The difference lies with the inclusion or exclusion of the very last sector of the volume. The NTFS file system uses one sector (512 bytes) to store the backup volume boot record.

The NTFS volume boot record does not include this one sector in its total sector count.

Hope this helps,

Art Montes
Senior Instructor
Guidance Software, Inc.

HI all,

a little Question.

I have a PC with 3 Partitions
1 PRIMARY
1 Extended

on the Extended partition i have 2 Logical Volume.

All is in NTFS.

Question

For every PARTITION (PRIMARY or LOGICAL VOLUME) the "TOTAL SECTOR" FIELD in the MBR and in the Volume Boot Record are different.

For 1 Sector.

For Example
MBR 0x02711637
VBR 0x02711636

WinHex and other tool says MBR is the Winner.
But why in the VBR i lose 1 SECTOR?

The field in VBR is at 0x28

For investigate, this two link can help

MBR http//tenyear.net/books/FileSystemForensicAnalysis/ch05lev1sec1.html

VBR http//www.ntfs.com/boot-sector-damaged.htm

But not help for answer to my question.

ReplyQuote

amontes

(@amontes)

Active Member

Joined: 20 years ago

Posts: 6

29/12/2007 11:13 pm

Thanks Tony, Glad you enjoyed it. Hope to see you soon. Art

ReplyQuote

lpcforensic

(@lpcforensic)

Active Member

Joined: 18 years ago

Posts: 8

Topic starter 30/12/2007 5:49 am

hi,

thanks to all for the help.

amontes thanks for your reply and i trust you but where can i find some documentation (if there is some document) about it?

ReplyQuote

cfprof

(@cfprof)

Trusted Member

Joined: 20 years ago

Posts: 80

30/12/2007 7:43 pm

I'm still a bit confused by the original post.

The MBR should report on partition sizes only, not on volume sizes. On the first partition, with only one volume, the two should be "close" (differing by the amount of reserved space, etc.). But, on the extended partition with multiple volumes, the sizes reported by the VBRs should generally be quite different from the number reported by the MBR.

There seems to be disagreement about whether the backup VBR is or isn't in the logical volume. Is it in the last cluster or in a sector that is not given a cluster number? If the latter, I guess it is in "Volume Slack".

ReplyQuote

amontes

(@amontes)

Active Member

Joined: 20 years ago

Posts: 6

31/12/2007 12:18 pm

Hi all,
Better than documentation is to validate what others say. Proof of this is to check both the MBR Partition, Extended Partition and VBR entries and view what they are reporting.

Within the MBR PS0 and Extended Partition table(s), at sector offset 446 for 64 bytes are the four 16 byte partition table entries.

Within each 16 byte partition entry, the total number of sectors for each partiton can be found record offset 12 for a total of four bytes (read little endian). This will give you the total number of sectors for each partition.

Within the VBR's for each volume, the total number of sectors for the volume can be found at sector offset 40 for 8 bytes (little endian).

For example
I have a VBR that shows 4999616 total sectors. 4999616 + 63 (reserved sectors, assuming xp and below) would place me at PS 4999679. But going to PS 4999679 would be incorrect because the storage media starts at PS0. So taking this into account (-1 PS), the correct ending PS would be 4999678. And in PS 4999679, the backup VBR would appear.

If what I am doing is correct, then the backup VBR is not counted in the VBR's total sector count.

Someone please check me, nobody's perfect.

Art

ReplyQuote

lpcforensic

(@lpcforensic)

Active Member

Joined: 18 years ago

Posts: 8