Master Boot Record – Decoding BPB

In my class we are discussing the FAT partition table and the BIOS Parameter Block (BPB). For our introduction to it we had to manually process the BPB/MBR and determine a few things, such as the number of bytes per sector, how many sectors per cluster, and whether the FAT is FAT12, FAT16, or FAT32.

While not a difficult thing to do using forensics tools, there may be instances where portions of the FAT may be corrupted and a manual decode would be necessary. For our purposes, we were given the data structure which provided the bytes, length, and what it represents. However, in practice counting each byte group and trying to keep track of your position can be quite bothersome. To alleviate this problem I turned the position in bytes into its hex offset (0x0D for example). I did this because the hex editor we are using is gHex for Linux and it displays the offset of the byte(s) you’ve selected. I wanted to share this with you, and hope it helps.

The following table information was obtained from “File System Forensic Analysis, Brian Carrier, Addison-Wesley” chapter 10. My contribution to this data is the hex offset, the rest belongs to the author.

| Byte Range | Hex Offset | Description | Essential (Y/N) |
|---|---|---|---|
| 0 - 2 | 0x00 - 0x02 | Assembly instruction to jump to boot code. | No (unless it is a bootable file system) |
| 3 - 10 | 0x03 - 0x0A | OEM Name in ASCII. | No |
| 11 - 12 | 0x0B - 0x0C | Bytes per sector. Allowed values include 512, 1024, 2048, and 4096. | Yes |
| 13 | 0x0D | Sectors per cluster (data unit). Allowed values are powers of 2, but the cluster size must be 32KB or smaller. | Yes |
| 14 - 15 | 0x0E - 0x0F | Size in sectors of the reserved area. | Yes |
| 16 | 0x10 | Number of FATs. Typically two for redundancy, but according to Microsoft it can be one for some small storage devices. | Yes |
| 17 - 18 | 0x11 - 0x12 | Maximum number of files in the root directory for FAT12 and FAT16. This is 0 for FAT32 and typically 512 for FAT16. | Yes |
| 19 - 20 | 0x13 - 0x14 | 16-bit value of number of sectors in file system. If the number of sectors is larger than can be represented in this 2-byte value, a 4-byte value exists later in the data structure and this should be 0. | Yes |
| 21 | 0x15 | Media type. According to the Microsoft documentation, 0xf8 should be used for fixed disks and 0xf0 for removable. | No |
| 22 - 23 | 0x16 - 0x17 | 16-bit size in sectors of each FAT for FAT12 and FAT16. For FAT32, this field is 0. | Yes |
| 24 - 25 | 0x18 - 0x19 | Sectors per track of storage device. | No |
| 26 - 27 | 0x1A - 0x1B | Number of heads in storage device. | No |
| 28 - 31 | 0x1C - 0x1F | Number of sectors before the start of partition. [1] | No |
| 32 - 35 | 0x20 - 0x23 | 32-bit value of number of sectors in file system. Either this value or the 16-bit value above must be 0. | Yes |

Book author’s note:
[1] My testing has shown that for file systems in an extended partition, Windows sets this value based on the beginning of the extended partition, not the beginning of the disk.
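
The same decode can be scripted to cross-check a manual pass over a damaged boot sector. The following Python is an added example, not from the book or the original post: it reads the fields at the hex offsets in the table above, flags essential values that break the table's rules, and classifies the FAT type. The function names, the constructed sample bytes, the 32-byte directory entry size and the 4085-cluster FAT12/FAT16 threshold (from Microsoft's FAT specification) are assumptions not found in the table.

```python
import struct
# Layout from the table above: fields at 0x0B-0x23, little-endian.
BPB_FORMAT = "<HBHBHHBHHHII"   # H = 2 bytes, B = 1 byte, I = 4 bytes
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors_16", "media_type",
              "fat_size_16", "sectors_per_track", "num_heads",
              "sectors_before_partition", "total_sectors_32")

def parse_bpb(sector: bytes) -> dict:
    """Decode offsets 0x03-0x23 of a FAT boot sector into named fields."""
    if len(sector) < 0x24:
        raise ValueError("need at least 36 bytes of the boot sector")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))
    bpb["oem_name"] = sector[0x03:0x0B].decode("ascii", errors="replace")
    return bpb

def check_bpb(bpb: dict) -> list:
    """List essential fields that break the table's rules (empty if none)."""
    problems = []
    bps, spc = bpb["bytes_per_sector"], bpb["sectors_per_cluster"]
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {bps} is not an allowed value")
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of 2")
    elif bps * spc > 32 * 1024:
        problems.append("cluster size is larger than 32KB")
    if bool(bpb["total_sectors_16"]) == bool(bpb["total_sectors_32"]):
        problems.append("exactly one total-sector field must be non-zero")
    return problems

def fat_type(bpb: dict) -> str:
    """FAT32 by its zeroed fields; FAT12 vs FAT16 by cluster count."""
    if check_bpb(bpb):
        raise ValueError("BPB fields are inconsistent; decode by hand")
    if bpb["fat_size_16"] == 0 and bpb["root_entries"] == 0:
        return "FAT32"
    bps = bpb["bytes_per_sector"]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps  # 32-byte entries
    total = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    data = (total - bpb["reserved_sectors"] - root_sectors
            - bpb["num_fats"] * bpb["fat_size_16"])
    # 4085-cluster threshold is from Microsoft's FAT specification, not the table.
    return "FAT12" if data // bpb["sectors_per_cluster"] < 4085 else "FAT16"

# Constructed sample: the first 36 bytes of a 1.44MB floppy-style boot sector.
SAMPLE = b"\xeb\x3c\x90" + b"MSDOS5.0" + struct.pack(
    BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
if __name__ == "__main__":
    print(parse_bpb(SAMPLE), fat_type(parse_bpb(SAMPLE)))
```

When `check_bpb` reports problems, `fat_type` refuses to guess, which is the point at which the manual decode with the hex offsets takes over.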
