apm-partition-forensic 0.5.0

Forensic anomaly auditor for Apple Partition Maps — map-count mismatch, overlapping/out-of-bounds partitions, residual entries, unmapped regions as graded report::Finding, built on apm-partition-core

apm-partition-forensic


Audit an Apple Partition Map and get back severity-ranked forensic findings — overlaps, out-of-bounds slices, residual entries, hidden gaps.

Reads APM geometry via the apm-partition-core reader, then grades the layout against the structural invariants of a valid map. Each anomaly carries a stable code, a 5-level severity, and a human-readable note on the shared forensicnomicon::report model — an observation ("consistent with …"), never a verdict. The examiner draws the conclusion.

cargo add apm-partition-forensic
use apm_forensic::analyse;

// `data` begins at the device start (block 0 = Driver Descriptor Map);
// the device size comes from the map's own sbBlkCount, so no size argument.
let report = analyse(&std::fs::read("disk.img")?)?;

println!("highest severity: {:?}", report.max_severity());
for a in &report.anomalies {
    println!("[{}] {}: {}", a.severity, a.code, a.note);
}
# Ok::<(), apm_forensic::Error>(())

For a disk image behind a container, analyse_reader(&mut reader, max_bytes) takes any Read + Seek (the APM lives in the first few blocks, so a small cap such as 1 MiB suffices) and composes directly with the ewf/dmg/vhd reader crates.

Anomaly codes

Anomaly                                              Code                Severity
---------------------------------------------------  ------------------  --------
Overlapping partitions                               APM-PART-OVERLAP    Critical
Partition out of bounds                              APM-PART-OOB        High
Residual (hidden) entry past the declared map count  APM-PART-RESIDUAL   High
Missing Apple_partition_map self-entry               APM-NO-MAP-ENTRY    High
pmMapBlkCnt disagreement between entries             APM-MAP-COUNT       Medium
Unmapped interior region (possible hidden data)      APM-UNMAPPED        Medium
Zero-length partition                                APM-PART-ZEROLEN    Low
Unknown partition type                               APM-PART-UNKNOWN    Info

Codes are a published contract: a shipped code never changes meaning. Partition-type strings are graded against the forensicnomicon knowledge base.
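The structural invariants behind the overlap, out-of-bounds, zero-length and unmapped-region codes, shown as an added example in plain Rust. This is not the crate's own code: `Entry`, `Finding` and `audit` are assumed names standing in for its re-exported ApmPartition and report types, and the block geometry it is run on is constructed.

```rust
// Added example (not apm-partition-forensic's own code): re-derives four of the
// README's structural checks over constructed entries. `Entry` and `Finding`
// are assumed names, not the crate's re-exported ApmPartition / report types.
#[derive(Debug, Clone, Copy)]
pub struct Entry {
    pub start: u64, // pmPyPartStart, in blocks
    pub count: u64, // pmPartBlkCnt, in blocks
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub code: &'static str, // stable anomaly code, as in the table above
    pub note: String,       // an observation, never a verdict
}

/// Grades a partition list against sbBlkCount (device size in blocks).
pub fn audit(entries: &[Entry], sb_blk_count: u64) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, e) in entries.iter().enumerate() {
        if e.count == 0 {
            out.push(Finding { code: "APM-PART-ZEROLEN", note: format!("entry {i} has pmPartBlkCnt 0") });
            continue;
        }
        // checked_add: a crafted start+count that wraps u64 is still out of bounds, never "fits".
        match e.start.checked_add(e.count) {
            Some(end) if end <= sb_blk_count => {}
            _ => out.push(Finding { code: "APM-PART-OOB", note: format!("entry {i} ends past block {sb_blk_count}") }),
        }
        for (j, f) in entries.iter().enumerate().skip(i + 1) {
            if f.count > 0 && e.start < f.start.saturating_add(f.count) && f.start < e.start.saturating_add(e.count) {
                out.push(Finding { code: "APM-PART-OVERLAP", note: format!("entries {i} and {j} share blocks") });
            }
        }
    }
    // Interior gap: sort the non-empty slices and look for unmapped blocks between neighbours.
    let mut sorted: Vec<Entry> = entries.iter().copied().filter(|e| e.count > 0).collect();
    sorted.sort_by_key(|e| e.start);
    for w in sorted.windows(2) {
        let end = w[0].start.saturating_add(w[0].count);
        if w[1].start > end && end < sb_blk_count {
            out.push(Finding { code: "APM-UNMAPPED", note: format!("blocks {end}..{} not covered by any entry", w[1].start) });
        }
    }
    out
}
```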

Two crates

This analyzer depends on the apm-partition-core reader and re-exports its parse, ApplePartitionMap, ApmPartition, and Error, so adding apm-partition-forensic alone gives you both the reader and the audit layer. An optional serde feature derives Serialize on the analysis types for JSON output.

Trust, but verify

These crates parse untrusted, attacker-controllable disk images:

  • Panic-free — no unwrap/expect/panic! in production code (hard deny via the workspace lints).
  • Fuzzed — cargo fuzz targets drive both parse and the full analyse audit pipeline with a "must not panic" invariant.
  • Real-artifact validated — checked against a real hdiutil-created APM (Apple_partition_map + Apple_HFS), not only synthetic fixtures.
  • No unsafe — unsafe_code = "forbid".

Related

Part of the Security Ronin forensic toolkit. Reader: apm-partition-core. Sibling analyzers: gpt-forensic, mbr-forensic. The disk-forensic orchestrator auto-detects the scheme and dispatches to whichever fits.