In this Article we will be Discussing the very basic of Volume Structure. If you are on this Article directly and don’t have much knowledge about MBR, I will recommend you going through the Article:

Understanding Master Boot Record (MBR)

https://knowitlikepro.com/understanding-master-boot-record-mbr/

Understanding Extended Boot Record (EBR)

https://knowitlikepro.com/understanding-extended-boot-record-ebr/

Introduction

The Above image which looks like MBR is known as MBS ( Master Boot Sector) or just Boot Sector. The boot sector (referred to as a Volume Boot Record on Vista and later operating systems), located at sector 1 of each volume, is a critical disk structure for starting your computer.

It contains executable code and data required by the code, including information that the file system uses to access the volume.

The boot sector is created when you format a volume.

The boot sector on the active partition loads into memory and starts Ntldr (Bootmgr on Vista and later operating systems), which in turn loads the operating system.

The Windows boot sector consists of the following elements:

• An x86-based CPU jump instruction.
• The original equipment manufacturer
• identification (OEM ID).
• The BIOS parameter block (BPB), a data structure.
• The extended BPB.
• The executable boot code (or bootstrap code) that starts the operating system.

For this example, we will be using NTFS as other Filesystems are old and probably not required.

Let’s start with How we can find NTFS on the Disk using Hex Editor.

For this experiment you can use any Hex Editor tool, for reference I will be using: HxD: https://mh-nexus.de/en/hxd/

Now start there are two ways to Find the Location of Boot Sector

Find the address of Boot sector from Partition Table:

You can find the location of the First Sector using the Relative Sector in the Partition table. In the image below you can see that under relative sectors we have the below Information:

Please note: Numbers larger than one byte are stored in a little endian format,

So Now Once we convert the Hexadecimal to Little Endian and then to Decimal we can get the below information:

Now If you will search for these addresses in the Hex Editor you can find Boot Sector.

Initiating a Search for NTFS:

Sometimes in some scenarios generally associated with recovery of the Volume, You might not be able to see the Starting Sector in the MBS. Now to find the correct information and location of Boot Sector on the Disk, you will have to initiate a search to a very specific region in the Disk.

For example, if you will just search NTFS you might find 1000s entries where some file name or data in the file has a Term NTFS. So to find the exact location of MBS you need to search NTFS as a Specific Offset.

If you will see the Hex Decoding of your MBS you will see the Work NTFS written at a very specific location.

Now to Narrow your search, you will have to search for NTFS as Offset 3 as it is the point in MBS from where the term NTFS starts. For example:

In some tools, you might be able to find the way to search using Offset and in some, you might not. For those applications, you will have to search with the string NTFS and then look for the String which is getting started at Offset 3 as it will be your Boot Sector.

BIOS parameter block (BPB)

The BPB describes the physical parameters of the volume: the extended BPB begins immediately after the BPB.

Due to different types of fields and the amount of data they contain, the length of the BPB is different for FAT16, FAT32, and NTFS boot sectors.

The information in the BPB and the extended BPB is used by disk device drivers to read and configure volumes. The area following the extended BPB typically contains executable boot code, which performs the actions necessary to continue the startup process.

We will now dissect MBS in the image below:

BPB and Extended BPB Fields on NTFS Volumes

Once you have got an Idea of MBS, it will be very easy for you to recover your NTFS Volume incase if they have got Corrupted and showing as Raw or Wiped