$Boot File
The $Boot file is located in MFT entry 7 and contains the boot sector and boot code in its $DATA attribute. This attribute always starts in sector 0, and the boot sector data structure is located there. The other sectors are used for boot code. The boot sector has the fields shown in the table below.
Data structure for the NTFS boot sector
| Byte Range | Description | Essential |
| --- | --- | --- |
| 0-2 | Assembly instruction to jump to boot code | No |
| 3-10 | OEM Name | No |
| 11-12 | Bytes per sector | Yes |
| 13-13 | Sectors per cluster | Yes |
| 14-15 | Reserved sectors | No |
| 16-20 | Unused | No |
| 21-21 | Media descriptor | No |
| 22-23 | Unused | No |
| 24-31 | Unused | No |
| 32-35 | Unused | No |
| 36-39 | Unused | No |
| 40-47 | Total sectors in file system | Yes |
| 48-55 | Starting cluster address of MFT | Yes |
| 56-63 | Starting cluster address of MFT Mirror $DATA attribute | No |
| 64-64 | Size of file record (MFT entry) | Yes |
| 65-67 | Unused | No |
| 68-68 | Size of index record | Yes |
| 69-71 | Unused | No |
| 72-79 | Serial number | No |
| 80-83 | Unused | No |
| 84-509 | Boot code | No |
| 510-511 | Signature (0xaa55) | No |
The fields that are not used correspond to BIOS Parameter Block (BPB) fields in the FAT boot sector. The Microsoft document states that some of them must be 0 for the file system to be mounted, but these are still considered nonessential values because they are not necessary for the file system to function, and Microsoft could decide not to check the values. I verified that Windows XP does not mount the disk if the values are non-zero.
The important values in the boot sector are the size of each sector and cluster. Without these, we will not be able to identify the location of anything. The next important value is the starting location of the MFT and the size of each MFT entry. To date, MFT entries have always been 1,024 bytes, but this field exists so that the size can be easily changed in the future. Also notice that the address of the $DATA attribute of $MFTMirr is given. This allows file recovery software to determine where the backup copy of the $MFT entry is so that the location of the MFT can be determined.
The fields that show the MFT entry and index record sizes have a special format. If the value is larger than 0, it represents the number of clusters that are used for each data structure. If the value is less than 0, it represents the log base-2 of the number of bytes in each data structure. To calculate the number of bytes, take the absolute value of the negative number (i.e., the positive value) and raise two to that power. For example, if the value is -10, the size of the data structure is 2^10 = 1024 bytes. This occurs when the size of a cluster is larger than a single MFT entry or index record.
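The essential fields from the table, including the signed size encoding just described, decoded from a raw sector. This is an added example, not code from the original text; the function names and the sample sector are constructed for illustration, and multi-byte fields are assumed to be little-endian.

```python
import struct

def record_size(raw: int, cluster_bytes: int) -> int:
    """Decode the signed size byte at offset 64 (MFT entry) or 68 (index record)."""
    if raw > 0:
        return raw * cluster_bytes   # positive: number of clusters
    if raw < 0:
        return 1 << -raw             # negative: 2 ** abs(value) bytes
    raise ValueError("size field is 0")

def parse_boot_sector(sector: bytes) -> dict:
    if len(sector) < 512:
        raise ValueError("need the full 512-byte boot sector")
    # Assumption: multi-byte fields are little-endian, as NTFS stores them.
    bps, spc = struct.unpack_from("<HB", sector, 11)
    total, mft, mirr = struct.unpack_from("<QQQ", sector, 40)
    rec_raw, = struct.unpack_from("<b", sector, 64)
    idx_raw, = struct.unpack_from("<b", sector, 68)
    sig, = struct.unpack_from("<H", sector, 510)
    if bps == 0 or spc == 0:
        raise ValueError("sector or cluster size is 0; nothing can be located")
    cluster = bps * spc
    return {
        "cluster_bytes": cluster,
        "total_sectors": total,
        "mft_offset": mft * cluster,        # byte offset of the MFT
        "mftmirr_offset": mirr * cluster,   # byte offset of $MFTMirr $DATA
        "mft_entry_bytes": record_size(rec_raw, cluster),
        "index_record_bytes": record_size(idx_raw, cluster),
        "mft_in_volume": mft < total // spc,  # sanity check for recovery tools
        "signature_ok": sig == 0xAA55,
    }

def build_sample() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 sectors per cluster."""
    s = bytearray(512)
    s[3:11] = b"NTFS    "                # OEM name (nonessential)
    struct.pack_into("<HB", s, 11, 512, 8)
    struct.pack_into("<QQQ", s, 40, 16777215, 786432, 2)
    struct.pack_into("<b", s, 64, -10)   # 2**10 = 1024-byte MFT entries
    struct.pack_into("<b", s, 68, 1)     # one cluster per index record
    struct.pack_into("<H", s, 510, 0xAA55)
    return bytes(s)

if __name__ == "__main__":
    for name, value in parse_boot_sector(build_sample()).items():
        print(f"{name}: {value}")
```
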