DFIR Reference · Disk Architecture

Windows Boot
Disk Explorer

Interactive partition map — click any partition, folder, or file to inspect its forensic role in the boot chain.

Legend: ESP / Boot · Windows (C:) · Recovery · MBR / GPT header · MSR · Unallocated
NVMe SSD — 512 GB
GPT · MBR: protective · 512B sectors · Interface: PCIe 4.0
Boot chain — file interactions
The OS cycle — where the disk hands off

The files on this disk are only the first leg of the relay. Firmware reads the ESP → bootmgfw.efi → winload.efi → the kernel ntoskrnl.exe, which creates System (PID 4) and the first user-mode process, smss.exe. From there the boot stops being a list of files and becomes a living process tree: which file owns the first process, when each one runs, and what it is responsible for.

ESP / Boot files → winload.efi → ntoskrnl.exe → System (PID 4) → smss.exe → Process Tree → explorer.exe
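The first hop in that relay, firmware locating the ESP through the GPT, is where partition anomalies hide when an analyst only looks at files. As an added example (not code from this page or from Crow-Eye), the Python below parses a raw disk image's protective MBR, primary GPT header and partition entry array, verifies both CRC32 values, flags the structural anomalies a tampered table shows (non-protective MBR, entries outside the usable range, overlapping entries, truncated array) and returns the ESP entry that firmware mounts to reach bootmgfw.efi. It runs on an image constructed in memory with the ESP / MSR / Windows / Recovery layout shown in the explorer above, using 512-byte sectors; the partition type GUIDs are the published UEFI and Microsoft values, every other GUID is a constructed placeholder. Only the primary header is checked; a production tool also compares the backup header at the end of the disk.

```python
import struct
import uuid
import zlib

SECTOR = 512                      # the disk on this page uses 512-byte sectors
GPT_SIGNATURE = b"EFI PART"
# Published partition type GUIDs (UEFI spec / Microsoft).
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
MSR_GUID = uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE")
BASIC_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
RECOVERY_GUID = uuid.UUID("DE94BBA4-06D1-4D40-A16A-BFD50179D6AC")
TYPE_NAMES = {ESP_GUID: "ESP", MSR_GUID: "MSR", BASIC_GUID: "Basic data", RECOVERY_GUID: "Recovery"}


def parse_gpt(image: bytes) -> dict:
    """Parse LBA 0 (protective MBR), LBA 1 (primary GPT header) and the entry array.
    Returns header fields, the in-use partitions and a list of integrity findings."""
    if len(image) < 2 * SECTOR:
        raise ValueError("image too short to hold an MBR and a GPT header")
    findings = []
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        findings.append("MBR boot signature missing")
    # A protective MBR carries exactly one type-0xEE entry and nothing else.
    mbr_types = [mbr[446 + 16 * i + 4] for i in range(4)]
    if mbr_types.count(0xEE) != 1 or any(t not in (0x00, 0xEE) for t in mbr_types):
        findings.append("MBR is not protective: types=%s" % [hex(t) for t in mbr_types])

    hdr = image[SECTOR:2 * SECTOR]
    (sig, revision, hdr_size, hdr_crc, _rsv, cur_lba, backup_lba,
     first_usable, last_usable) = struct.unpack_from("<8sIIIIQQQQ", hdr, 0)
    if sig != GPT_SIGNATURE:
        findings.append("GPT signature missing at LBA 1")
        return {"partitions": [], "findings": findings}
    disk_guid = uuid.UUID(bytes_le=hdr[56:72])
    array_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    # The header CRC32 covers hdr_size bytes with the CRC field itself zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        findings.append("GPT header CRC mismatch")
    if cur_lba != 1:
        findings.append("primary header claims LBA %d, expected 1" % cur_lba)

    start = array_lba * SECTOR
    array = image[start:start + n_entries * entry_size]
    if zlib.crc32(array) != array_crc:
        findings.append("partition array CRC mismatch")

    parts = []
    for i in range(n_entries):
        e = array[i * entry_size:(i + 1) * entry_size]
        if len(e) < entry_size:
            findings.append("partition array truncated at entry %d" % i)
            break
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:         # unused slot
            continue
        first, last, attrs = struct.unpack_from("<QQQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append({"index": i, "type": TYPE_NAMES.get(type_guid, str(type_guid)),
                      "type_guid": type_guid, "first_lba": first, "last_lba": last,
                      "attrs": attrs, "name": name})
        if first > last or first < first_usable or last > last_usable:
            findings.append("entry %d (%r) lies outside the usable range" % (i, name))
    # Overlapping entries never come from a sane partitioner; treat them as tampering.
    ordered = sorted(parts, key=lambda p: p["first_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["first_lba"] <= a["last_lba"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return {"disk_guid": disk_guid, "revision": revision, "backup_lba": backup_lba,
            "first_usable": first_usable, "last_usable": last_usable,
            "partitions": parts, "findings": findings}


def find_esp(image: bytes) -> list:
    """The partition(s) typed as ESP; firmware mounts this to reach bootmgfw.efi."""
    return [p for p in parse_gpt(image)["partitions"] if p["type_guid"] == ESP_GUID]


def build_sample_image(total_sectors: int = 1_048_576) -> bytes:
    """Constructed image, not a real disk: protective MBR + primary GPT carrying the
    ESP / MSR / Windows / Recovery layout. Only the first 34 sectors are emitted."""
    n_entries, entry_size = 128, 128
    array_sectors = n_entries * entry_size // SECTOR                   # 32
    first_usable, last_usable = 2 + array_sectors, total_sectors - 2 - array_sectors

    def entry(idx, type_guid, first, last, name):
        e = bytearray(entry_size)
        e[:16] = type_guid.bytes_le
        e[16:32] = uuid.UUID(int=0x1000 + idx).bytes_le   # constructed unique GUID
        struct.pack_into("<QQQ", e, 32, first, last, 0)
        enc = name.encode("utf-16-le")
        e[56:56 + len(enc)] = enc
        return bytes(e)

    layout = [(ESP_GUID, 2048, 206847, "EFI system partition"),
              (MSR_GUID, 206848, 239615, "Microsoft reserved partition"),
              (BASIC_GUID, 239616, last_usable - 204800, "Basic data partition"),
              (RECOVERY_GUID, last_usable - 204799, last_usable, "Recovery")]
    array = b"".join(entry(i, *row) for i, row in enumerate(layout))
    array = array.ljust(n_entries * entry_size, b"\0")

    hdr = bytearray(SECTOR)
    struct.pack_into("<8sIIIIQQQQ", hdr, 0, GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                     1, total_sectors - 1, first_usable, last_usable)
    hdr[56:72] = uuid.UUID(int=0xD15C).bytes_le            # constructed disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, n_entries, entry_size, zlib.crc32(array))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))  # CRC field still zero here

    mbr = bytearray(SECTOR)
    # status, CHS start, type 0xEE, CHS end, first LBA 1, size capped at 32 bits
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                     1, min(total_sectors - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(hdr) + array


if __name__ == "__main__":
    report = parse_gpt(build_sample_image())
    for p in report["partitions"]:
        print("%-11s LBA %9d-%9d  %s" % (p["type"], p["first_lba"], p["last_lba"], p["name"]))
    print("findings:", report["findings"] or "none")
```

Point `parse_gpt` at the bytes of a raw image (read with `open(path, "rb")`) to get the same report for an acquired disk; a non-empty `findings` list, or more than one ESP, is the cue to pull the ESP contents and the boot files for closer review.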
From reading to doing

Inspect the boot disk with Crow-Eye

Crow-Eye images and parses the disk you just explored — the ESP, the GPT, and the boot-critical files — and flags rogue .efi binaries, partition anomalies, and bootkit indicators.
