mbr-forensic 0.1.0

Forensic MBR parser — structure, anomaly detection, gap analysis, slack-space carving, and filesystem fingerprinting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

//! Extended Boot Record (EBR) chain traversal and forensic inspection.
//!
//! An extended partition (type 0x05 / 0x0F / 0x85) contains an EBR chain.
//! Each EBR sector is structured identically to an MBR: 512 bytes with a
//! `0x55AA` boot signature at offset 510.  Only the first two partition
//! entries are used:
//!
//! - Entry 0: logical partition LBA, **relative to this EBR sector**.
//! - Entry 1: next EBR LBA, **relative to the extended partition start**
//!   (`ext_start`).  Zero = end of chain.
//!
//! Entries 2 and 3 are reserved and should be all zero.  Non-zero bytes in
//! those entries constitute slack data that may conceal forensic artefacts.

use std::io::{Read, Seek, SeekFrom};

use crate::partition::PartitionEntry;
use crate::Error;

/// A single link in the EBR chain.
#[derive(Debug, Clone)]
pub struct EbrEntry {
    /// Absolute byte offset of this EBR sector in the disk image.
    pub ebr_offset: u64,
    /// Absolute LBA of this EBR sector.
    pub ebr_lba: u64,
    /// The logical partition described by this EBR.
    pub logical: PartitionEntry,
    /// Absolute LBA start of the logical partition.
    pub logical_lba_start: u64,
    /// Raw bytes of EBR entries 2 and 3 (bytes 478–509). Non-zero = slack.
    pub slack: [u8; 32],
    /// `true` when [`slack`] contains at least one non-zero byte.
    pub has_slack: bool,
}

/// Result of walking the full EBR chain.
#[derive(Debug, Clone)]
pub struct EbrChain {
    pub entries: Vec<EbrEntry>,
    /// `true` if the chain was terminated by a cycle rather than a zero next pointer.
    pub had_cycle: bool,
    /// `true` if traversal was capped by the depth limit.
    pub depth_exceeded: bool,
}

/// Maximum EBR chain depth before we stop and flag `depth_exceeded`.
const MAX_DEPTH: usize = 64;

/// Walk the EBR chain starting at the extended partition.
///
/// `ext_start_lba` is the LBA of the extended partition container entry.
/// `sector_size` is the logical sector size (typically 512).
///
/// Returns `Ok(EbrChain { entries: vec![], .. })` if the entry type is not
/// an extended partition.
pub fn walk_ebr_chain<R: Read + Seek>(
    reader: &mut R,
    ext_start_lba: u64,
    sector_size: u64,
) -> Result<EbrChain, Error> {
    let mut entries = Vec::new();
    let mut had_cycle = false;
    let mut depth_exceeded = false;

    // Track visited EBR LBAs to detect cycles.
    let mut visited = std::collections::HashSet::new();

    let mut next_ebr_lba = ext_start_lba;

    loop {
        if entries.len() >= MAX_DEPTH {
            depth_exceeded = true;
            break;
        }
        if !visited.insert(next_ebr_lba) {
            had_cycle = true;
            break;
        }

        // EBR must not point before the extended partition start.
        if next_ebr_lba < ext_start_lba {
            break;
        }
        let Some(ebr_byte_offset) = next_ebr_lba.checked_mul(sector_size) else {
            break; // byte offset overflow — corrupt image
        };
        reader.seek(SeekFrom::Start(ebr_byte_offset))?;
        let mut sector = [0u8; 512];
        if reader.read_exact(&mut sector).is_err() {
            break; // truncated disk image — terminate gracefully
        }

        // Validate boot signature.
        if sector[510] != 0x55 || sector[511] != 0xAA {
            break;
        }

        let logical_raw: &[u8; 16] = sector[446..462].try_into().unwrap();
        let next_raw: &[u8; 16] = sector[462..478].try_into().unwrap();
        let slack_bytes: [u8; 32] = sector[478..510].try_into().unwrap();

        let logical = PartitionEntry::from_bytes(logical_raw);
        let next_entry = PartitionEntry::from_bytes(next_raw);

        // Logical partition LBA is relative to this EBR sector.
        // Use saturating_add: malicious logical.lba_start cannot cause overflow panic.
        let logical_lba_start = next_ebr_lba.saturating_add(logical.lba_start as u64);

        let has_slack = slack_bytes.iter().any(|&b| b != 0);

        entries.push(EbrEntry {
            ebr_offset: ebr_byte_offset,
            ebr_lba: next_ebr_lba,
            logical,
            logical_lba_start,
            slack: slack_bytes,
            has_slack,
        });

        // Next EBR LBA is relative to the extended partition start.
        // checked_add: overflow → corrupt/adversarial chain, terminate safely.
        if next_entry.lba_start == 0 {
            break;
        }
        let Some(next_lba) = ext_start_lba.checked_add(next_entry.lba_start as u64) else {
            break; // arithmetic overflow in EBR chain — corrupt or adversarial
        };
        next_ebr_lba = next_lba;
    }

    Ok(EbrChain {
        entries,
        had_cycle,
        depth_exceeded,
    })
}