From 75a34e4b5921aa754864cefccf50017e55bc5460 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Wed, 22 Jan 2025 23:36:32 +0100 Subject: [PATCH] bump --- Forensics/Boot Process.md | 73 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 Forensics/Boot Process.md diff --git a/Forensics/Boot Process.md b/Forensics/Boot Process.md new file mode 100644 index 0000000..08a9c39 --- /dev/null +++ b/Forensics/Boot Process.md 
@@ -0,0 +1,73 @@ +# Boot Process + +The boot process chain is the following + +``` +Power on -> Self-Test -> Find MBR/GUID -> Read MBR/GUID -> Find bootable +partition -> Start found bootloader -> Start OS +``` + +## Master Boot Recoder (MBR) + +The MBR is 512 Bytes in size and starts at the first sector of the storage device. +(It contains the following sections)(https://www.writeblocked.org/resources/MBR_GPT_cheatsheet.pdf) + +``` +---------------------------- +|bootstrap code (445 bytes)| +---------------------------- +|partition table (64 bytes)| +| - partition 1 | +| - partition 2 | +| - partition 3 | +| - partition 4 | +| each 16 bytes | +| 4 partitions max | +---------------------------- +| mbr signature (2 bytes) | +| this is: 55 aa (le) | +---------------------------- +``` + +A partition represented in the MBR contains following hex values in succession +one after another, starting at the first one at byte position 0x00 + +1. Boot indicator (1 Byte), 0x80 means it is bootable and 0x00 means it is not +2. Starting Cylinder Head Sector (CHS, 3 Bytes), physical cylinder, head and sector number +3. Partition Type (1 Byte), indicating the file system +4. End of CHS address (3 Bytes), contains `FE FF FF` +5. Logical Block Addressing (LBA, 4 Bytes), logical starting address of the partition +6. Number of Sectors (4 Bytes) of the partition + +### Find a partition using the LBA + +The address can be calculated through the following formula + +``` +LBA value x sector size = starting byte +``` + +To calculate the size of the parition use the following formula + +``` +Number of sectors x sector size = parition size +``` + +> **NOTE**: Watch out for LE and LB. 
+ +## GPT + +``` +-------------------------------- +| Protective MBR | +-------------------------------- +| Primary GTP Header | +-------------------------------- +| Partition Entry Array | +-------------------------------- +| Backup GPT Header | +-------------------------------- +| Backup Partition Entry Array | +-------------------------------- + +```
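Review bot: In the MBR layout diagram the section sizes do not add up to the stated 512 bytes: `|bootstrap code (445 bytes)|` plus the 64-byte partition table and the 2-byte signature gives 511, so the bootstrap area should read 446 bytes, which puts the partition table at offset 0x1BE. Other points in this hunk: the heading reads "Master Boot Recoder" and the GPT diagram reads "Primary GTP Header"; the cheat-sheet reference is written as `(text)(url)` and will not render as a link, it needs `[text](url)`; item 4 says the end CHS "contains `FE FF FF`", which is only the value seen when the end address is beyond what CHS can encode, so it should be worded as a typical value rather than a fixed one; the NOTE "Watch out for LE and LB" presumably means little endian versus big endian and would be more useful if it said that the LBA and sector-count fields are stored little endian, so the four bytes must be reversed before applying the formulas; "parition" is misspelled twice. In the GPT diagram the backup structures are listed in the reverse of their on-disk order: the backup partition entry array comes first and the backup GPT header occupies the last LBA of the device, and the diagram also omits the partition data area between the primary entry array and the backups. The subject "bump" does not describe a commit that creates a new notes file.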