apm-forensic 0.1.0

Forensic-grade Apple Partition Map (APM) reader — Driver Descriptor Map + partition entries (name, type, start, count) from a byte buffer
Documentation

Crates.io docs.rs License: MIT CI Sponsor

Pure-Rust forensic Apple Partition Map (APM) reader — Driver Descriptor Map and partition entries from a byte buffer.

Reads the partition scheme on Apple hybrid optical discs and APM-formatted media, with no unsafe.

Install

[dependencies]
apm-forensic = "0.1"

Quick start

// `data` begins at the device's first byte (block 0 = Driver Descriptor Map).
let data: Vec<u8> = std::fs::read("disk.img")?;

if let Some(map) = apm_forensic::parse(&data) {
    println!("{}-byte blocks, {} partitions", map.block_size, map.partitions.len());
    for p in &map.partitions {
        println!("  {:<24} {}  start {} ({} blocks)", p.type_name, p.name, p.start_block, p.block_count);
    }
    if let Some(hfs) = map.hfs_partition() {
        println!("Apple_HFS at block {}", hfs.start_block);
    }
}

What it parses

Capability Notes
Driver Descriptor Map ER signature, device block size
Partition entries PM entries: name, type, start block, block count
HFS lookup hfs_partition() finds the first Apple_HFS slice

Validation

Tested against a real hdiutil-created APM (Apple_partition_map + Apple_HFS entries), so the layout is checked against genuine Apple output.

Related

Part of the Security Ronin forensic toolkit. Sibling partition readers: gpt-forensic, mbr-forensic. Filesystems: hfsplus-forensic, udf-forensic. Consumed by iso9660-forensic for Apple hybrid discs.

Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd