Using the HDHacker utility I imaged a laptop’s MBR. The file was just 512 bytes, and this is how it appeared in a hex editor:

[Image: mbr-hexcode]

The first 446 bytes are the boot code, which is copied to physical memory and executed by the BIOS after the Power On Self-Test (POST). In turn, this code loads the boot partition and executes another bootloader such as GRUB or LILO. Within the bootloader, the parameters for the next stage of the boot process (partition, kernel image, etc.) are determined.
Somewhere within the first 446 bytes of the MBR that was imaged, we also find the ‘#SafeBoot’ string – this is usually an indicator that a full disk encryption system was used. A list of strings associated with the different encryption products is available in the Guidance Software blog post.

After the boot code, at offsets 0x01B8 to 0x01BE, there is a disk signature.

[Image: mbr-disk-signature]

Marking the end of the MBR is the ‘0x55AA’ signature.

The Partition Table
The following 64 bytes contain the partition table:

[Image: mbr-partition-table]

Each entry in the partition table tells the operating system the filesystem type and the partition size. This is most likely the information a partition editor reads and writes.

Since only four partitions can be mapped within the MBR, we shouldn’t expect to be able to have more than four primary partitions on a given disk. We can, however, map an ‘extended partition’ that might contain several logical partitions.

Can we decode the following partition table entry?

80 20 21 00 07 FE FF FF 00 08 00 00 00 D8 42 25

The first step is to look at how the bits are actually grouped, and determine what each group represents. According to the Microsoft TechNet page, the bits are grouped as follows:

[1000 0000] [0010 0001] [0000 00] [0000000111] [1111 1110] [1111 1111] [111111] [1100000000] [00001000000000000000000000000000] [1101 1000 0100 0010 0010 0101]

[Boot Indicator] [Starting Head] [Starting Sector] [System ID] [Ending Head] [Ending Sector]

The Boot Indicator value, more specifically the first bit, marks this as an active partition – this will either be 0x00 for inactive or 0x80 for active.
With a bit of hex-binary-decimal arithmetic, it should be possible to calculate the approximate size of the partition from the final 32 bits in the table entry. Converted to hexadecimal the value in our table is 0xD84225, and in decimal that is 14,172,709.
For an older disk a sector is 512 bytes, so that multiplied by 14,172,709 gives us just over 7GB, which seems a little too small. More recent hard disks have sectors of 4096 bytes, so the partition size in that case would be just under 60GB. Since that is the only partition in the table, we can say it’s likely the MBR was on a 60GB hard drive.
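As an added example (not code from the original post), here is a parser for the MBR layout described above, run against a constructed 512-byte image that carries the quoted partition entry, a ‘#SafeBoot’ marker in the boot code and a made-up disk signature. It reads the two 32-bit fields as little-endian, which is how they are stored on disk, so the sector count it returns (0x2542D800) differs from the hand conversion above; the 0x55AA and ‘#SafeBoot’ checks follow the indicators the post describes.

```python
import struct

# Constructed sample: a 512-byte MBR with the post's partition entry in slot 1,
# a '#SafeBoot' marker in the boot-code area and a made-up disk signature.
ENTRY = bytes.fromhex("80 20 21 00 07 FE FF FF 00 08 00 00 00 D8 42 25")
_buf = bytearray(512)
_buf[0x100:0x109] = b"#SafeBoot"                  # FDE indicator string
_buf[0x1B8:0x1BC] = bytes.fromhex("AABBCCDD")     # constructed disk signature
_buf[0x1BE:0x1CE] = ENTRY                         # first of four 16-byte entries
_buf[0x1FE:0x200] = b"\x55\xAA"                   # end-of-MBR signature
SAMPLE_MBR = bytes(_buf)


def decode_chs(head, sector_byte, cyl_low):
    """Unpack a packed CHS triple: bits 0-5 of the sector byte are the sector,
    bits 6-7 are the two high bits of the 10-bit cylinder number."""
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_low
    return {"cylinder": cylinder, "head": head, "sector": sector_byte & 0x3F}


def parse_partition_entry(entry, sector_size=512):
    """Decode one 16-byte partition entry. The LBA start and sector count are
    little-endian 32-bit integers, so the bytes are read low-order first."""
    (boot, sh, ss, sc, sys_id, eh, es, ec,
     lba_start, sectors) = struct.unpack("<8BII", entry)
    if boot not in (0x00, 0x80):
        raise ValueError(f"invalid boot indicator 0x{boot:02X}")
    return {
        "active": boot == 0x80,
        "system_id": sys_id,
        "start_chs": decode_chs(sh, ss, sc),
        "end_chs": decode_chs(eh, es, ec),
        "lba_start": lba_start,
        "sectors": sectors,
        "size_bytes": sectors * sector_size,
    }


def parse_mbr(mbr, sector_size=512):
    """Validate the 0x55AA signature, then pull the disk signature, the four
    partition entries (empty slots dropped) and the '#SafeBoot' indicator."""
    if len(mbr) != 512 or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR ending in 0x55AA")
    entries = [parse_partition_entry(mbr[0x1BE + 16 * i:0x1CE + 16 * i], sector_size)
               for i in range(4)]
    return {
        "safeboot_marker": b"#SafeBoot" in mbr[:446],
        "disk_signature": struct.unpack("<I", mbr[0x1B8:0x1BC])[0],
        "partitions": [e for e in entries if e["system_id"] != 0],
    }
```

Calling `parse_mbr(SAMPLE_MBR)` on the constructed image reports one active type-0x07 partition starting at LBA 2048 with 625,137,664 sectors, which at 512 bytes per sector is about 320 GB.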
