We're on Course 3, Module 4. In this module, we're going to be talking about the master boot record. The master boot record, partition schema, or otherwise known as MBR, is limited to four entries in the partition table. Now, each of these entries is 16 bytes in length. Four bytes for the partition size, and that leaves us with a maximum value of FF, FF, FF, FF, which will limits us to two terabytes in size. Disks larger than two terabytes must be formatted, with another partition schema are known as GUID partition table, which we will talk about in the next block. The master boot record is located at physical sector 0, the very start of the drive. Each sector is 512 bytes, and it's going to end with 55, AA, hexadecimal. The master boot record is 512 bytes long, one sector, and it's going to end with the hexadecimal representation of 55, AA. Now, what's in the master boot record? Well, you have the beginning, you're going to have the boot code. We're going to have our disk signature. We're going to have our partition table. That's going to tell us where each of the partitions, is located out on the drive. How big the petitions are, it's going to give us the size of the partitions, and the type of the partitions. Are they FAT32, NTFS? What type of petition they are. This is what the master boot record is going to look like on disk. In the beige up here, you can see we have our boot code. Down here we have our disk signature in green. Then each of these, the pink represents one partition. Then we have our second partition represented in blue, orange, and green. We see a maximum of four entries. We see each of these entries is 16 bytes long. It gives us the information. The first byte here tells us if it's bootable or not. This partition represented with hexadecimal 80 would be bootable, 00 would not be bootable. The next three bytes are legacy cylinder head sector addressing, which we don't really use anymore. The next byte would be the partition type entry. In this case, 0c, and we'll get to talking about partition types, and what these entries mean exactly. Then our next three bytes, is again legacy cylinder head sector addressing. Then our next four bytes, are going to tell us the location of the first partition, where it starts on disk. Then the last four bytes of the entry, give us the size of the partition, in sectors. It can only have four entries. Only one of these entries can be bootable. Only one of these entries can be what we call an extended logical partition, and we'll talk more about throughout this path. The extended logical partition cannot be bootable. Out of those four, the extended logical cannot be bootable. Only one of them can be bootable, at any one time. Here, again, is what is contained. We have our bootstrap code. At offset 1B8 we have our Windows disk signature. We have our partition indicator, whether it's active bootable or not bootable. That's going to be one byte in length. Like we saw it before, it'll either be a hexadecimal 80, or a hexadecimal 00. 80 means it is bootable, 00 means it is not. We have our legacy cylinder head sector addressing. Then at offset 1C2, we have our partition type indicator. This will tell you if it's a GUID partition table, or if it's an extended partition, NTFS, or FAT. That is one byte in length. Then our next three bytes will be, again, legacy cylinder head sector addressing. That's three bytes. The next four bytes will tell us the first sector in the partition. That is four bytes long, and that is located right here. Then this will be the size of the partition in sectors, right here, these four bytes. If we wanted to get the size in bytes, we would multiply the number of sectors times 512 to give us the total number of bytes. We have our active bootable and we have our cylinder-head-sector partition type right here. This 0C. Again, like a C cylinder-head-sector address which you don't need to worry about. The first sector, where the petition starts, the location, and the size of the partition in sectors. These are some common partition types. If you saw hexadecimal 04 that would represent a FAT 16. This would be 05 would be DOS extended partition. NTFS is usually represented as 07. FAT 32, you can see a 0B or 0C, and 0F would be in extended partition, 083 would represent a Linux partition. The extended logical partition. Since we can only have four entries to give us the ability to have more than four partitions on a single drive, we have what's called the extended logical partition. You can see that's right here, outlined in green. In an extended logical partition, you'll have a partition table at the beginning of the extended logical partition, and at the end before the second one, you have another partition table indicating where the start of the next extended logical partition is. Physical sector 0 of the extended logical partition. You have a partition table that will point to the next partition. It'll point the first entry. It will always have two entries and only two entries. The first entry is going to point to itself. The second entry in that partition table is going to point to the next logical partition. When you go there, you're going to find a partition table and it will have two entries, if there's more than one ELP left extended logical partition. If there's just one entry, it'll point to itself. If there was a second entry here, it'll point to the next extended logical partition. The first entry points to itself, and the second entry points to the next extended logical partition. We'll see that when we go through our walk-through. This is an example of a partition table for an extended logical partition. It'll only have two entries. The first entry, would be the location of itself where it actually starts, where its volume boot record is located. In the next entry, this will tell you where the start of the next logical partition table is. Again, this will give you the size and it also has the type indicator. This is the second logical partition table entry. You can see it only has one entry because it's the last extended logical partition in this case. It points to itself. It gives you the partition type indicator here, we can see the 0C outlined in green, and the size, how big the partition is in sectors. You would read this partition table, the exact same way you would read the partition table located in the master boot record. Now we're going to go ahead and do our walk-through. You need to download the MBR VHD if you haven't already done so from the class drive. Then we're going to have to open Active Disk Editor, like we did before when we did our Active Disk Editor demo. Let's do that. Active Disk Editor. Once we get to our start screen, we're going to open a disk, navigate to where you downloaded your MBR VHD, and we're going to open the VHD. You must mount the VHD before you can open it. If you haven't done that, you're going to go into your Disk Management, you're going to go to Actions. Attach VHD, navigate to where you saved your VHD, select it, and then click "Open." Once you've done that, select it. Note the drive number. Once you have that mounted, make sure you note the drive number that it is, so when you go to mounted it makes it easier. Once you've done that, go ahead and select it, and click "Open." Your drive will open. Now, this is our master boot record. Make sure that your template is set on master boot record. Remember the template drop-down. We want to be on master boot record. We can see here all the stuff that's in our master boot record. We have our boot code. We have our disk serial number, at 1B8. It should be right here. That's our disk serial number. Then we have the start of our partition table. This is the active flag. In mine right now is 00, so it is not bootable. After the active flag, we have our cylinder head sector addressing, which we said was our legacy addressing that we don't use anymore. Then we have our partition type indicator, which will tell us what type of file system is on this disk. This was a 0c. Then we have our, again, cylinder head sector addressing. We have the location of the first sector. It says the first sector is sector 128. Now we have our size, the size of this particular partition, the number of sectors in the partition. If we wanted to get the sector size in bytes, we would multiply that number, that 204,800 times 512, which is our sector size, which would give us our total bytes per sector. Second entry. We read the same way. First is our boot indicator, followed by our cylinder head sector addressing. Then we have our partition type indicator, which in this case is 07, which would tell us that it's NTFS. Then we have our, again, cylinder head sector addressing. Then we have the location of the first sector. The first for partition 2 in this disk, is going to be 204,928, would be the location of the first sector. Then we have the partition size in sectors. Then that size is going to be, you can see it up here, total sectors is going to be 409,600. Then we have our next partition. Again, you have the active bootable. This is 00, so it is not bootable. If it weren't, hexadecimal 80 would be bootable. Then we have our cylinder head sector addressing, a partition type, which is 0c. 0c is fact 32. Then we have our cylinder head sector addressing. Then we have our location, the first sector in our partition. We can see. Then we have our size of our partition in sectors. We have the total number of sectors. We have, in this one, the location of the first sector. Now we have another partition, because we have four entries here. We can see its active flag, again, is 00, so it is not bootable. We have our legacy cylinder-head-sector addressing and we have our partition type, which is 05, which is a DOS extended partition. We know our fourth partition is an extended partition. We have our cylinder-head-sector addressing, which we no longer use, but it is still there. Then we have the location of our first sector, which in this case, the first sector of our extended logical partition, is going to be sector 1,024,128. Now what's important to know about this is this is giving us the address relative to the start of the physical drive itself. Now where things start and what their relative to is going to be very important throughout this this path. This location is relative to the start of the disk itself, the physical disk. Then we have the size in sectors, the total number of sectors. To get the total size, we would multiply that number times 512, which is our sector size, and that would give us our total bytes in the partition. Then we have our ending 55 AA as our signature. Let's take a look at the extended logical partition and the partition tables within it. What we're going to do is, we're going go to ''File,'' Open.'' Now, it's very important we select the right thing. You want to select the full extended partition, not the volume, and not the ELPs below here. We want to select the extended partition. Select the extended partition. Don't click on anything over here. To the right, just click ''Open.'' Because we want to see the entire extended partition. We could see at the very beginning in sector 0 of our extended partition, we see what looks like a master boot record with a partition table. This is the partition table for the extended logical partition, because each of these extended logical partitions has a table prior to the volume boot record to tell us the location of itself. This first entry is going to point to the start of the partition we're looking at. The second entry is going to tell us where the next extended logical partition begins. You'd read this entry the same as we did before. It is not bootable, but we know extended logical partitions are never bootable. Then we have our cylinder-head-sector addressing. We have the partition type, which is 0, 7, which tells us that the first partition within this extended logical partition is going to be NTFS. We have our cylinder-head-sector addressing. Then this partition points to itself, and we can see the first sector is 128. That number is relative to the start of the partition, to the start of the volume, not to the start of the physical disk. Remember that because if not, you'll be very lost in the navigation. So 128 is relative to the start of the volume, this particular partition within the extended logical partition is where this location is relative to. Then we have the size again total sectors. If we wanted to get the size in bytes, we multiply that times 512. If I were to go out to sector 128, I should see in NTFS volume boot record. Let's test that theory. You can either go from navigation or straight to go to sector. Make sure we type 128 in the sector, not cluster. You want to make sure you typed in sector 128 and we're going to click ''Okay.'' What we find here is indeed in NTFS volume boot record. Let's use our back button. This is one I think I didn't show you, but the Back button is going to come in handy. We'll hit the ''Back button'' and we're going right back to our partition table for our extended logical partition. It says the next extended logical partition, we're going to find out at sector 204,928. You can go ahead and write that down if you'd like, and we're going to navigate. Go-to sector, make sure you're typing in the sector, not cluster box, and we're going to type in the number 2, 0, 4, 928. What we should expect to find here is again another partition table. We're going to click Okay. You can see we see looks like a partition table would have 5, 5 a signature. What we have to do here is make sure you're set to master boot record. We're going to right-click set template position. We get our template for our master boot record. We can see the partition table has two entries, which is what it should have. It will always have two entries. The first entry is going to point to itself. Not active bootable. We have our cylinder head sector, we have our partition type indicator, which again tells us this one is also NTFS 07, cylinder head sector. Now the first sector is 128. The first sector is always going to be 128 from here, because when it points to itself, it's always 128 sectors in from the start of the volume. Then we have the total size in sectors. Now the second entry is going to point to the next extended logical partition. Again, active bootable 00. We have cylinder head sector addressing. Our file system is 05, which stands for extended logical partition, extended DOS partition. Then we have our cylinder head sector addressing again, and we would have the location of our next extended logical partition, which is out at 6, 1, 4, 6, 5, 6. Then we have the size in sectors right here, would be our size in sectors. Size and sectors is 450,688. Again, if you wanted to size in bytes, you would multiply that number times 512. Let's go ahead and go out and see if we see another partition table out at this location, 6, 1, 4, 6, 5, 6. Again, we'd go to, it can either go navigation, go to sector, or you could just click Go to sector. That number was 6, 1, 4, 6, 5, 6. We click Okay. We want to make sure you're still on master boot record as far as your template. We're going to right-click set template position, and again we can see our partition table. This time we see it only has one entry. That tells us this is the last extended logical partition on this physical drive, on just logical drive. It is not active bootable. We see our cylinder head sector flags. We see the type. The file system that is actually on here is NTFS, cylinder head sector addressing, and then we see the location of the first sector. Again we see it's 128. Like I said, it'll always be 128 sectors in the volume boot record. The start of the partition will be at 128 sectors in from the extended logical partition table. If we go ahead and navigate, or go to sector, and we type in 128, and we click Okay we come to our NTFS volume boot record. What's important to remember is these locations are relative to the start of the logical volume, the logical partition within the extended logical partition not the physical drive. Very important to remember that. That is how you would read a volume boot record. The extended logical partition tables located within an extended logical partition.
