The boot process has changed considerably over time to improve security and usability. This overview covers the major changes and serves as an entry point; the real process is more complex than what is described here.

What is Booting?

Booting is the process of loading the operating system into RAM so that it can run. There are two types of booting:

For clarity, "boot" in the rest of this article means a cold boot.

🔍 Forensic Significance

Understanding the boot process is critical for digital forensics investigators:

  • Bootkit Detection: Malware that infects boot sectors can persist across OS reinstalls
  • Timeline Analysis: Boot timestamps reveal system installation and modification times
  • Partition Analysis: Hidden or deleted partitions may contain evidence
  • Secure Boot Verification: Detect unauthorized OS or bootloader modifications
  • Anti-Forensic Detection: Boot-level anti-forensic tools leave traces in boot sectors

Key Technologies & Terms

To ensure a good understanding of this article, here is a brief overview of the terms you will need to know:

Firmware

Software that provides low-level control of the hardware. It is typically stored in non-volatile memory such as ROM and is responsible for locating bootable devices. The two types discussed here are BIOS and UEFI.

MBR Structure

  • Code (bootstrap): 446 bytes
  • Table (partition table): 64 bytes
  • Sig (signature): 2 bytes

Active Partition

A partition marked as bootable that contains the boot files. Only one partition can be marked as active in MBR systems.

Windows XP and Earlier (BIOS & MBR)

The core idea behind every version of the Windows boot is the same: find and start a program that begins loading Windows (NTLDR on older systems, Winload.exe on newer ones).

📊 MBR Structure (512 Bytes)

  • Bootstrap Code: 446 bytes (0x000-0x1BD); contains executable code to load the boot sector
  • Partition Table: 64 bytes (0x1BE-0x1FD); 4 entries × 16 bytes each
  • Signature: 2 bytes (0x1FE-0x1FF); value 0x55AA

🔍 Forensic Note: MBR Analysis

Key Artifacts:

  • Location: Sector 0 (LBA 0) of the physical disk
  • Signature Verification: Last 2 bytes must be 0x55AA
  • Bootkit Indicators: Modified bootstrap code, unusual partition entries
  • Tools: dd, FTK Imager, X-Ways can extract the MBR for analysis
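
The following Python script is an added example, not code from the original article: it decodes a 512-byte sector 0 using the layout above (446-byte bootstrap, four 16-byte partition entries, 0x55AA signature), flags the indicators listed under Bootkit Indicators (more than one active partition, unusual status bytes, overlapping entries, a bad signature) and hashes the bootstrap code so it can be compared with a known-good baseline. Both sample sectors are constructed inside the script; the bootstrap bytes are filler, not real boot code.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTSTRAP_LEN = 446             # 0x000-0x1BD
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries, 0x1BE-0x1FD
SIGNATURE_OFFSET = 0x1FE        # 0x55AA, stored on disk as the bytes 55 AA
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_entry(index: int, entry: bytes) -> Dict:
    """Decode one 16-byte partition table entry (status 0x80 = active/bootable)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"index": index, "status": status, "active": status == 0x80,
            "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector0: bytes) -> Dict:
    """Parse sector 0 and report the anomalies an examiner checks first."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector0[:BOOTSTRAP_LEN]
    entries = [parse_partition_entry(i, sector0[PARTITION_TABLE_OFFSET + 16 * i:
                                                PARTITION_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    findings: List[str] = []
    signature_ok = sector0[SIGNATURE_OFFSET:] == MBR_SIGNATURE
    if not signature_ok:
        findings.append("boot signature is not 0x55AA")
    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: unusual status byte 0x{e['status']:02x}")
        if e["type"] == 0 and (e["lba_start"] or e["sectors"]):
            findings.append(f"entry {e['index']}: empty type but non-zero extent")
    # Overlapping extents are a classic sign of a hand-edited partition table.
    used = sorted((e for e in entries if e["type"]), key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return {"signature_ok": signature_ok, "partitions": entries,
            "active_partitions": [e["index"] for e in active],
            # Compare this hash against a reference MBR from the same OS version.
            "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
            "findings": findings}


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry; CHS fields are dummies because modern code uses the LBA fields."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\xff\xff\xff", lba_start, sectors)


def build_sample_mbr(entries: List[bytes], signature: bytes = MBR_SIGNATURE) -> bytes:
    """Constructed sample sector; the bootstrap area is filler, not real boot code."""
    bootstrap = b"\xfa\x33\xc0".ljust(BOOTSTRAP_LEN, b"\x00")
    table = b"".join(entries).ljust(64, b"\x00")
    return bootstrap + table + signature


# One active NTFS (type 0x07) system partition followed by one inactive data partition.
CLEAN_MBR = build_sample_mbr([make_entry(0x80, 0x07, 2048, 204800),
                              make_entry(0x00, 0x07, 206848, 409600)])
# Same disk with a second active flag, overlapping extents and a wrong signature (anomaly sample).
TAMPERED_MBR = build_sample_mbr([make_entry(0x80, 0x07, 2048, 204800),
                                 make_entry(0x80, 0x07, 2048, 409600)], signature=b"\x00\x00")

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = parse_mbr(mbr)
        print(label, "active:", report["active_partitions"], "findings:", report["findings"])
```

Feed `parse_mbr` the 512 bytes extracted with dd or another imaging tool in place of the constructed samples. The bootstrap hash only becomes evidence when it is compared with a reference MBR written by the same OS version, because the bootstrap code is legitimately different between Windows releases.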

🔄 BIOS/MBR Boot Flow

  • ⚡ Power Button Pressed: the user presses the power button and electricity flows to the motherboard components
  • 🔍 POST (Power-On Self-Test): the BIOS firmware tests the hardware (CPU, RAM, storage devices, keyboard and other peripherals)
  • 💾 BIOS Locates Boot Device: the BIOS checks the boot order and finds the bootable storage device (HDD/SSD)
  • 📖 Read MBR (Master Boot Record): the BIOS reads the first 512 bytes of the disk (sector 0), which hold the boot code and the partition table
  • 🎯 Access Active Partition: the MBR code locates the partition marked as active and loads its boot sector
  • 🚀 Load NTLDR: NT Loader is loaded from the active partition and acts as boot manager and system loader
  • 📄 Read boot.ini: NTLDR reads the boot.ini configuration file to determine the boot options and the OS location
  • 🪟 Start Windows Kernel: NTLDR loads the Windows kernel (ntoskrnl.exe) and hands control to the OS

Key Boot Files (Windows XP)

NTLDR

Location: Root of the system partition

Purpose: NT Loader, the boot manager and system loader

Forensic Value: Timestamp indicates system installation/modification

boot.ini

Location: Root of the system partition

Purpose: Configuration file specifying boot options and OS paths

Forensic Value: Reveals multi-boot configurations and OS locations
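
Added example for the boot.ini file (not code from the original article): a small Python parser that reads the [boot loader] and [operating systems] sections, decodes the ARC paths NTLDR uses to locate each installation, and reports what the forensic notes above care about: whether the system is multi-boot, the distinct OS locations (disk and partition), and any debug-related switches. The boot.ini content is a constructed sample; the report field names are my own choices.

```python
import re
from typing import Dict, List, Tuple

# ARC path grammar used by NTLDR: adapter(n)disk(n)rdisk(n)partition(n)\directory
ARC_PATH = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<adapter_arg>\w+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<path>\\.*)$", re.IGNORECASE)


def parse_arc_path(arc: str) -> Dict:
    """Split an ARC path into its components; partition numbers in ARC paths start at 1."""
    m = ARC_PATH.match(arc.strip())
    if not m:
        return {"raw": arc, "valid": False}
    g = m.groupdict()
    return {"raw": arc, "valid": True, "adapter": g["adapter"].lower(),
            "adapter_arg": g["adapter_arg"], "disk": int(g["disk"]),
            "rdisk": int(g["rdisk"]), "partition": int(g["partition"]), "path": g["path"]}


def _read_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader that keeps duplicate keys (boot.ini may list one ARC path twice)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # split on the first '=' only; switches may contain '='
            sections[current].append((key.strip(), value.strip()))
    return sections


def parse_boot_ini(text: str) -> Dict:
    """Summarise a boot.ini: default OS, every entry, multi-boot status and debug switches."""
    sections = _read_sections(text)
    loader = dict(sections.get("boot loader", []))
    default = loader.get("default", "")
    entries: List[Dict] = []
    for arc, value in sections.get("operating systems", []):
        # Right-hand side has the form: "Friendly name" /switch /switch=value ...
        m = re.match(r'"([^"]*)"\s*(.*)$', value)
        name, switches = (m.group(1), m.group(2).split()) if m else (value, [])
        entries.append({"name": name, "switches": switches,
                        "location": parse_arc_path(arc), "is_default": arc == default})
    locations = sorted({(e["location"]["rdisk"], e["location"]["partition"])
                        for e in entries if e["location"]["valid"]})
    timeout = loader.get("timeout", "")
    return {"timeout": int(timeout) if timeout.isdigit() else None,
            "default": parse_arc_path(default),
            "entries": entries,
            "multi_boot": len(entries) > 1,
            "os_locations": locations,   # distinct (rdisk, partition) pairs holding an OS
            "debug_switches": sorted({s for e in entries for s in e["switches"]
                                      if s.lower().startswith("/debug")})}


# Constructed sample: a default XP install plus a second install on another disk with debug switches.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Second Windows installation" /fastdetect /debug /debugport=com1
"""

if __name__ == "__main__":
    report = parse_boot_ini(SAMPLE_BOOT_INI)
    print("multi-boot:", report["multi_boot"], "OS locations:", report["os_locations"])
    print("debug switches:", report["debug_switches"])
```

A second OS entry pointing at a different rdisk/partition pair is the multi-boot configuration the forensic note refers to; kernel debugging switches are worth recording because they change how the kernel can be attached to at boot.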

MBR Limitations

  • Max 2TB disk size
  • Only 4 primary partitions
  • No redundancy (single point of failure)
  • 16-bit code (slower)
  • Limited security features
  • Text-based interface
  • No Secure Boot support

✨ UEFI/GPT Advantages

  • Supports disks >2TB (up to 9.4ZB)
  • 128 partitions by default
  • Backup GPT header (redundancy)
  • 32/64-bit code (faster boot)
  • Secure Boot capability
  • Graphical interface support
  • Network boot (PXE) support

New Technologies

GPT (GUID Partition Table)

The successor to MBR. It supports larger disks, handles many more partitions, and is designed to work with UEFI.

GPT Disk Structure

  • 🛡️ Protective MBR (LBA 0): fake MBR partition table that prevents legacy tools from corrupting the GPT disk. Forensic Note: a single partition entry covering the entire disk
  • 📋 Primary GPT Header (LBA 1): contains the disk GUID, partition table location, number of partitions and CRC32 checksums. Size: 512 bytes (1 sector)
  • 📊 Partition Table (LBA 2-33): 128 partition entries × 128 bytes each = 16,384 bytes (32 sectors). Forensic Value: each entry contains the partition GUID, type GUID and name
  • 💾 Primary Partitions (Data Area): actual user data and OS files are stored here (ESP, Windows, Recovery, etc.)
  • 📊 Backup Partition Table: duplicate of the partition entries for redundancy
  • 📋 Backup GPT Header (Last LBA): mirror of the primary header with reversed pointers, used for data recovery. Forensic Tool: gdisk can repair the GPT from the backup

🔍 Forensic Note: GPT Analysis

Key Artifacts:

  • Primary Header: LBA 1 (sector 1)
  • Backup Header: Last sector of the disk
  • Partition GUIDs: Unique identifiers for each partition
  • Type GUIDs: Identify the partition purpose (ESP, Windows, Recovery, etc.)
  • Tools: gdisk, TestDisk, GPT fdisk for analysis and recovery

BIOS+GPT Compatibility

⚠️ Important: BIOS Can Boot from GPT Disks

While UEFI is designed for GPT, a BIOS can also boot from GPT disks, with limitations:

  • Requires BIOS Boot Partition: A small (1-2MB) unformatted partition with type GUID 21686148-6449-6E6F-744E-656564454649
  • Used by GRUB2: Linux bootloaders commonly use this method
  • Windows Limitation: Windows cannot boot from GPT on BIOS systems (requires UEFI)
  • Forensic Indicator: Presence of a BIOS Boot Partition indicates a BIOS+GPT configuration
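
As an added example (not code from the article), the Python below builds a small constructed GPT disk image and then parses it the way an examiner would verify a real one: protective MBR check, primary and backup header CRC32s, partition array CRC32, the reversed current/backup LBA pointers, and partition type GUIDs. The BIOS Boot Partition GUID is the one quoted above; the other type GUIDs are the well-known values for the EFI System Partition, Microsoft Basic Data and Windows Recovery partitions. Disk and partition GUIDs in the sample are generated at random, and the image holds no file systems.

```python
import struct
import uuid
import zlib
from typing import Dict, List

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header, little-endian
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
N_ENTRIES, ENTRY_SIZE = 128, 128   # default table: 128 x 128 bytes = 32 sectors

# Well-known type GUIDs; the BIOS Boot Partition GUID is the one quoted in the article.
TYPE_GUIDS = {
    uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"): "EFI System Partition",
    uuid.UUID("21686148-6449-6E6F-744E-656564454649"): "BIOS Boot Partition",
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "Microsoft Basic Data",
    uuid.UUID("DE94BBA4-06D1-4D40-A16A-BFD50179D6AC"): "Windows Recovery",
}


def parse_gpt_header(sector: bytes) -> Dict:
    """Decode a GPT header sector and check its CRC32 (computed with the CRC field zeroed)."""
    (sig, _rev, hdr_size, hdr_crc, _res, cur, bak, first, last, disk_guid,
     entries_lba, n_entries, entry_size, array_crc) = struct.unpack(HEADER_FMT, sector[:92])
    zeroed = sector[:16] + b"\0\0\0\0" + sector[20:hdr_size]
    return {"signature_ok": sig == GPT_SIGNATURE,
            "header_crc_ok": zlib.crc32(zeroed) == hdr_crc,
            "current_lba": cur, "backup_lba": bak, "first_usable": first, "last_usable": last,
            "disk_guid": uuid.UUID(bytes_le=disk_guid), "entries_lba": entries_lba,
            "num_entries": n_entries, "entry_size": entry_size, "array_crc": array_crc}


def parse_entries(image: bytes, hdr: Dict) -> List[Dict]:
    """Read the partition array the header points at, verify its CRC32, decode used entries."""
    start = hdr["entries_lba"] * SECTOR
    table = image[start:start + hdr["num_entries"] * hdr["entry_size"]]
    hdr["array_crc_ok"] = zlib.crc32(table) == hdr["array_crc"]
    parts = []
    for i in range(hdr["num_entries"]):
        raw = table[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        type_guid, unique_guid, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw[:128])
        if type_guid == bytes(16):
            continue  # unused slot
        tg = uuid.UUID(bytes_le=type_guid)
        parts.append({"index": i, "type": TYPE_GUIDS.get(tg, str(tg)),
                      "unique_guid": uuid.UUID(bytes_le=unique_guid),
                      "first_lba": first, "last_lba": last,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def analyze_gpt_image(image: bytes) -> Dict:
    """Cross-check the primary and backup structures, as a repair tool such as gdisk does."""
    total = len(image) // SECTOR
    primary = parse_gpt_header(image[SECTOR:2 * SECTOR])
    backup = parse_gpt_header(image[(total - 1) * SECTOR:total * SECTOR])
    parts = parse_entries(image, primary)
    parse_entries(image, backup)
    findings = []
    if not (primary["signature_ok"] and primary["header_crc_ok"]):
        findings.append("primary header signature/CRC invalid")
    if not primary["array_crc_ok"]:
        findings.append("primary partition array CRC mismatch")
    if not (backup["signature_ok"] and backup["header_crc_ok"] and backup["array_crc_ok"]):
        findings.append("backup header or array invalid")
    if primary["backup_lba"] != backup["current_lba"] or backup["backup_lba"] != primary["current_lba"]:
        findings.append("backup header does not mirror primary (reversed pointers differ)")
    if primary["disk_guid"] != backup["disk_guid"] or primary["array_crc"] != backup["array_crc"]:
        findings.append("primary and backup disagree on disk GUID or partition array")
    types = {p["type"] for p in parts}
    # Protective MBR: first entry has type 0xEE and the sector ends with 0x55AA.
    return {"protective_mbr": image[0x1BE + 4] == 0xEE and image[0x1FE:0x200] == b"\x55\xaa",
            "partitions": parts, "has_esp": "EFI System Partition" in types,
            "bios_gpt_indicator": "BIOS Boot Partition" in types, "findings": findings}


def build_sample_image(total_sectors: int, layout: List[tuple]) -> bytes:
    """Constructed sample disk: protective MBR, primary and backup GPT structures, no file systems."""
    table = bytearray(N_ENTRIES * ENTRY_SIZE)
    for i, (type_guid, name, first, last) in enumerate(layout):
        table[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, uuid.UUID(type_guid).bytes_le, uuid.uuid4().bytes_le,
            first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    table_sectors = len(table) // SECTOR
    disk_guid, array_crc = uuid.uuid4().bytes_le, zlib.crc32(bytes(table))
    backup_table_lba = total_sectors - 1 - table_sectors

    def header(cur, bak, entries_lba):
        h = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0, cur, bak,
                        2 + table_sectors, backup_table_lba - 1, disk_guid,
                        entries_lba, N_ENTRIES, ENTRY_SIZE, array_crc)
        return (h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]).ljust(SECTOR, b"\0")

    img = bytearray(total_sectors * SECTOR)
    img[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0xEE, b"\xff\xff\xff", 1, total_sectors - 1)
    img[0x1FE:0x200] = b"\x55\xaa"
    img[SECTOR:2 * SECTOR] = header(1, total_sectors - 1, 2)
    img[2 * SECTOR:(2 + table_sectors) * SECTOR] = table
    img[backup_table_lba * SECTOR:(total_sectors - 1) * SECTOR] = table
    img[(total_sectors - 1) * SECTOR:] = header(total_sectors - 1, 1, backup_table_lba)
    return bytes(img)


# ESP, a BIOS Boot Partition (so the BIOS+GPT indicator fires) and one data partition.
SAMPLE_IMAGE = build_sample_image(4096, [
    ("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", "EFI system partition", 34, 1057),
    ("21686148-6449-6E6F-744E-656564454649", "BIOS boot partition", 1058, 1100),
    ("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7", "Basic data partition", 1101, 4000),
])

if __name__ == "__main__":
    print(analyze_gpt_image(SAMPLE_IMAGE))
```

On a real image, pass the first 34 and last 33 sectors together with enough of the middle to reach the partition array, or simply the whole raw image; a primary/backup disagreement in the findings is the cue to recover the table from whichever copy still validates.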

Why MBR Cannot Work with UEFI:

  • No ESP Support: MBR has no concept of the EFI System Partition required by UEFI
  • Partition Limit: UEFI firmware expects GPT's extended partition capabilities
  • Security: UEFI Secure Boot requires GPT's partition GUIDs for verification
  • Compatibility Mode: UEFI can boot MBR disks via the CSM (Compatibility Support Module), a legacy BIOS emulation

🔄 UEFI/GPT Boot Flow

  • ⚡ Power Button Pressed: the user presses the power button and the system powers on
  • 🔍 POST (Power-On Self-Test): the UEFI firmware performs hardware diagnostics and initialization
  • 🔎 Locate ESP Partition: UEFI reads the GPT and finds the EFI System Partition (FAT32 formatted, type GUID C12A7328-...)
  • 🎯 Load Windows Boot Manager: UEFI loads bootmgfw.efi from \EFI\Microsoft\Boot\bootmgfw.efi on the ESP
  • 📖 Load BCD (Boot Configuration Data): Windows Boot Manager reads the BCD store from \EFI\Microsoft\Boot\BCD, which holds the boot menu and the OS loader paths
  • 🚀 Load Winload.efi: Windows Boot Manager (bootmgfw.efi) loads winload.efi according to the BCD configuration
  • 🔒 Secure Boot Verification (Optional): if Secure Boot is enabled, UEFI verifies the digital signatures of bootmgfw.efi and winload.efi
  • 🪟 Start Windows Kernel: winload.efi loads the Windows kernel (ntoskrnl.exe) and drivers, then transfers control to the OS

Key Boot Files (Windows Vista+)

bootmgfw.efi

Location: \EFI\Microsoft\Boot\bootmgfw.efi (ESP)

Purpose: Windows Boot Manager for UEFI systems

Forensic Value: Timestamp and signature verification status

winload.efi

Location: \Windows\System32\winload.efi

Purpose: Windows OS loader

Forensic Value: Loads the kernel and critical drivers

BCD

Location: \EFI\Microsoft\Boot\BCD (ESP)

Purpose: Boot Configuration Data store

Forensic Tool: bcdedit /export to extract it for analysis

winresume.efi

Location: \Windows\System32\winresume.efi

Purpose: Resume from hibernation

Forensic Value: Indicates hibernation capability

🔍 Forensic Investigation Checklist

Boot Artifact Collection:

  • ✓ Extract MBR/GPT (first 34 sectors + last 33 sectors)
  • ✓ Image ESP partition (contains boot configuration)
  • ✓ Export BCD with bcdedit /export
  • ✓ Document Secure Boot status (enabled/disabled)
  • ✓ Check for BIOS Boot Partition (BIOS+GPT indicator)
  • ✓ Analyze boot file timestamps (installation/modification timeline)
  • ✓ Verify boot file signatures (detect tampering)
  • ✓ Document firmware settings (boot order, Secure Boot keys)
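
The first item of the checklist, as an added Python example (not part of the article): carve sector 0, LBA 1-33 and the last 33 sectors from a disk image by seeking to them rather than reading the whole image, and record a SHA-256 for each region so the extracted artifacts can be tied back to the image they came from. The sample image is constructed inside the script; the region names and the output layout are my own choices.

```python
import hashlib
import io
import os
from typing import BinaryIO, Dict, Optional

SECTOR = 512
HEAD_SECTORS = 34  # LBA 0 (MBR / protective MBR) + LBA 1 (GPT header) + LBA 2-33 (partition table)
TAIL_SECTORS = 33  # backup partition table (32 sectors) + backup GPT header (last LBA)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_boot_regions(f: BinaryIO, out_dir: Optional[str] = None,
                       head_sectors: int = HEAD_SECTORS, tail_sectors: int = TAIL_SECTORS) -> Dict[str, Dict]:
    """Read only the boot structures of an image (seek to each region) and hash each one.

    Works on any seekable file object, so a multi-terabyte raw image is never read in full.
    If out_dir is given, each region is also written to <out_dir>/<region>.bin.
    """
    f.seek(0, os.SEEK_END)
    total = f.tell() // SECTOR
    if total < head_sectors + tail_sectors:
        raise ValueError(f"image too small: {total} sectors")
    regions = {
        "mbr": (0, 1),                                        # sector 0, MBR or protective MBR
        "gpt_primary_header_and_table": (1, head_sectors),    # LBA 1-33
        "gpt_backup_table_and_header": (total - tail_sectors, total),
    }
    manifest: Dict[str, Dict] = {}
    for name, (start, end) in regions.items():
        f.seek(start * SECTOR)
        data = f.read((end - start) * SECTOR)
        manifest[name] = {"lba_start": start, "lba_end": end - 1,
                          "bytes": len(data), "sha256": sha256_hex(data)}
        if out_dir:
            path = os.path.join(out_dir, f"{name}.bin")
            with open(path, "wb") as out:
                out.write(data)
            manifest[name]["file"] = path
    return manifest


# Constructed 4096-sector sample with recognisable markers in sector 0, LBA 1 and the last LBA.
SAMPLE_IMAGE = (b"MBR".ljust(SECTOR, b"\0") + b"EFI PART".ljust(SECTOR, b"\0")
                + bytes(SECTOR * 4093) + b"EFI PART".ljust(SECTOR, b"\0"))


def run_sample() -> Dict[str, Dict]:
    return carve_boot_regions(io.BytesIO(SAMPLE_IMAGE))


if __name__ == "__main__":
    for region, info in run_sample().items():
        print(f"{region}: LBA {info['lba_start']}-{info['lba_end']} sha256={info['sha256']}")
```

Run it against a raw image opened with `open(path, "rb")` and an `out_dir` for the carved files; the manifest is what goes into the case notes next to the hash of the full image. Drives with 4K native sectors or a non-default GPT table size need the constants adjusted, which is why they are parameters rather than hard-coded.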