
AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response





Boot Process…is the progression of steps that a computer takes from first being powered on to the final step of reaching an operating system and awaiting user input. The boot process begins with the CPU running instructions located in the BIOS, inside the ROM. This location typically contains a jump instruction that transfers execution to the location of the BIOS start-up program. This program runs a power-on self-test (POST) to check and initialize required devices. The BIOS then goes through a pre-configured list of boot devices until it finds one that is bootable. A bootable device is defined as one that can be read from and whose first sector ends with the two bytes 0x55AA (also known as the boot signature). Once the BIOS has found a bootable device, it loads the boot sector and transfers execution to the boot code. In the case of a hard disk, this boot sector is referred to as the master boot record (MBR) and is often not operating system specific.
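As an added illustration (not part of the original glossary entry), the Python code below applies the boot-signature test to a 512-byte first sector and, going one step beyond the text, lists the entries of the classic MBR partition table. The function names and the sample sector are constructed for this example.

```python
import struct

SECTOR_SIZE = 512
# On disk, offset 510 holds 0x55 and offset 511 holds 0xAA
# (0xAA55 when read as a little-endian 16-bit value).
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Apply the BIOS bootability test to sector 0 and list its partition entries."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"short read: got {len(sector)} bytes, need {SECTOR_SIZE}")
    result = {"bootable": sector[510:512] == BOOT_SIGNATURE, "partitions": []}
    if not result["bootable"]:
        return result  # no signature: do not interpret the rest as a partition table
    for index in range(4):  # four 16-byte entries start at offset 446
        offset = 446 + 16 * index
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0x00:  # type 0x00 marks an unused slot
            continue
        result["partitions"].append({
            "slot": index,
            "active": status == 0x80,  # 0x80 is the active (boot) flag
            "status_valid": status in (0x00, 0x80),  # other values are suspect
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return result


def build_sample_sector() -> bytes:
    """Constructed sample: empty boot code, one active type-0x07 partition."""
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    return bytes(446) + entry + bytes(48) + BOOT_SIGNATURE


if __name__ == "__main__":
    print(parse_mbr(build_sample_sector()))
    print(parse_mbr(bytes(SECTOR_SIZE)))  # zeroed sector: not bootable
```

In an examination, the same function can be fed the first 512 bytes read from a forensic image rather than the constructed sample.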


Computer Forensics…is the analysis of information contained by and created within computer systems in support of answering four objectives: (what) happened, (when) did it happen, (how) did it happen, and (who) was involved. Computer Forensics adheres to a strict chain-of-custody, seeks to preserve original evidence, and uses forensically sound, repeatable, and defensible principles for purposes of presenting digital evidence in a court of law.