mbr-forensic 0.2.1

Forensic MBR parser — structure, anomaly detection, gap analysis, slack-space carving, and filesystem fingerprinting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

//! Wipe-pattern classification for raw byte regions.
//!
//! Disk-wiping tools overwrite space with characteristic fills: all-zero,
//! all-`0xFF`, a single repeated byte, an alternating two-byte pattern
//! (`0x55`/`0xAA`), or pseudo-random data. On a static image only the final
//! pass survives, but that pass still betrays a deliberate wipe — an
//! anti-forensic / destruction trace. This module classifies a region's fill so
//! the pipeline can distinguish *deliberately overwritten* space from ordinary
//! unallocated (zero) space.

use crate::entropy::{self, HIGH_ENTROPY_THRESHOLD};

/// The dominant fill pattern of a byte region.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[cfg_attr(feature = "serde", derive(serde::Serialize))]
pub enum FillPattern {
    /// Entirely `0x00` — ordinary unallocated space (not a deliberate-wipe signal).
    Zeros,
    /// Entirely `0xFF`.
    Ones,
    /// Entirely one repeated byte value (other than `0x00` / `0xFF`).
    Uniform(u8),
    /// A repeating two-byte alternation `a, b, a, b, …` with `a != b`.
    Alternating(u8, u8),
    /// Near-maximal Shannon entropy — pseudo-random or encrypted fill.
    HighEntropy,
    /// No dominant pattern — ordinary structured data.
    Mixed,
}

impl FillPattern {
    /// `true` when this pattern is the signature of a *deliberate* overwrite.
    ///
    /// All-zero space is excluded: it is the default state of unallocated
    /// sectors and carries no destruction signal on its own.
    #[must_use]
    pub fn is_deliberate_wipe(self) -> bool {
        matches!(
            self,
            FillPattern::Ones | FillPattern::Uniform(_) | FillPattern::Alternating(_, _)
        )
    }

    /// Short human-readable label, e.g. `"all 0xFF"` or `"alternating 0x55/0xAA"`.
    #[must_use]
    pub fn label(self) -> String {
        match self {
            FillPattern::Zeros => "all 0x00".to_string(),
            FillPattern::Ones => "all 0xFF".to_string(),
            FillPattern::Uniform(b) => format!("uniform {b:#04X}"),
            FillPattern::Alternating(a, b) => format!("alternating {a:#04X}/{b:#04X}"),
            FillPattern::HighEntropy => "high-entropy (random/encrypted)".to_string(),
            FillPattern::Mixed => "mixed".to_string(),
        }
    }
}

/// Classify the dominant fill pattern of `data`.
///
/// An empty slice classifies as [`FillPattern::Mixed`] (nothing to judge).
#[must_use]
pub fn classify(data: &[u8]) -> FillPattern {
    if data.is_empty() {
        return FillPattern::Mixed;
    }

    let first = data[0];
    if data.iter().all(|&b| b == first) {
        return match first {
            0x00 => FillPattern::Zeros,
            0xFF => FillPattern::Ones,
            other => FillPattern::Uniform(other),
        };
    }

    if data.len() >= 2 {
        let (a, b) = (data[0], data[1]);
        if a != b
            && data
                .iter()
                .enumerate()
                .all(|(i, &x)| x == if i % 2 == 0 { a } else { b })
        {
            return FillPattern::Alternating(a, b);
        }
    }

    if entropy::shannon(data) > HIGH_ENTROPY_THRESHOLD {
        return FillPattern::HighEntropy;
    }

    FillPattern::Mixed
}