I take OS first 512 hexdump using dd command. what kind of information extract using that and what are the tools or command(linux) can be used for analysis ?
I take copy bytes dump using my Ubuntu os(MBR sector) following command.
dc3dd if=/dev/sda of=x cnt=1 ssz=512 hash=sha256 mlog=hashes
And I convert it to hexdump using following command.
hexdump x > hex_x
Here is a nice visual explanation of the MBR : http://www.nixhacker.com/explaining-the-magic-of-mbr-and-its/.
Except you have to be aware of the LSB or MSB output of the tool. hexdump -C or xxd's output may be easier to read depending on what you're used to, your hexdump output shows the proper byte arrangement as it actually appears in memory with the least significant byte first.
See : hexdump always uses the platforms endianess
The nixhacker link above will be the most useful with xxd's output (or hexdump -C), we have to manually flip the bytes of your output to make sense of it.
1be : 00 00 : 08 would be bootable, 00 is not bootable, 00 Is the Starting Head
1c0 : 01 00 : 01 Starting Cylinder, '00 Starting Sector'
1c2 : ee feffff : ee Partition Type - EFI GPT Disk (https://en.wikipedia.org/wiki/Partition_type), feffff - ending Head Cylinder Sector values
1c8 : 00 00 10 00 : LBA address of the starting sector (4096)
And so on.
From a quick search you can find MBR parsers that seem to work well:
https://raw.githubusercontent.com/gleeda/misc-scripts/master/misc_python/mbr_parser.py
