ntfs-forensic
Forensic anomaly auditor for NTFS — turns the artifacts a clean reader hides (timestomping, alternate data streams, deleted MFT records, record slack) into graded forensicnomicon::report::Findings via the Observation trait, built on ntfs-core.
use audit_record; // -> Vec<Anomaly>; an.to_finding(source) for a canonical Finding
Codes: NTFS-TIMESTOMP (High), NTFS-ADS / NTFS-SLACK-RESIDUE (Low), NTFS-DELETED-RECORD (Info).
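What the four codes correspond to in a raw MFT FILE record, as an added Rust sketch that is not ntfs-forensic's or ntfs-core's code. The names `le`, `audit` and `sample` are hypothetical, the $SI-earlier-than-$FN timestomp rule is an assumed heuristic, and the input is assumed to have its update-sequence fixups already applied.

```rust
// Added illustration only, not ntfs-forensic's code; the detection heuristics are assumptions.
fn le(b: &[u8], o: usize, n: usize) -> Option<u64> {
    let s = b.get(o..o.checked_add(n)?)?; // bounds-checked little-endian read
    Some(s.iter().rev().fold(0u64, |a, &x| (a << 8) | x as u64))
}
/// Anomaly codes that apply to `rec`, or None if it is not a parsable FILE record.
pub fn audit(rec: &[u8]) -> Option<Vec<&'static str>> {
    if rec.get(0..4)? != b"FILE" { return None; }
    let mut out = Vec::new();
    let used = (le(rec, 0x18, 4)? as usize).min(rec.len()); // bytes in use
    if le(rec, 0x16, 2)? & 1 == 0 { out.push("NTFS-DELETED-RECORD"); } // in-use flag clear
    let (mut si, mut fname) = (None, None);
    let mut off = le(rec, 0x14, 2)? as usize; // offset of first attribute
    while off + 8 <= used {
        let (ty, len) = (le(rec, off, 4)?, le(rec, off + 4, 4)? as usize);
        if ty == 0xFFFF_FFFF || len < 0x18 || off + len > used { break; }
        let body = off + le(rec, off + 0x14, 2)? as usize; // resident content offset
        match (ty, rec[off + 8] == 0) {
            (0x10, true) => si = le(rec, body, 8),        // $STANDARD_INFORMATION created
            (0x30, true) => fname = le(rec, body + 8, 8), // $FILE_NAME created
            (0x80, _) if rec[off + 9] != 0 => out.push("NTFS-ADS"), // named $DATA stream
            _ => {}
        }
        off += len;
    }
    // Assumed heuristic: $SI creation time earlier than $FN creation time.
    if let (Some(s), Some(f)) = (si, fname) { if s < f { out.push("NTFS-TIMESTOMP"); } }
    if rec[used..].iter().any(|&b| b != 0) { out.push("NTFS-SLACK-RESIDUE"); }
    Some(out)
}
/// Constructed sample record (1 KiB): $SI, $FN, one $DATA, end marker.
pub fn sample(in_use: bool, si: u64, fname: u64, ads: bool, residue: bool) -> Vec<u8> {
    let mut r = vec![0u8; 1024];
    r[..4].copy_from_slice(b"FILE");
    r[0x14] = 0x38; r[0x16] = in_use as u8; r[0x1D] = 4; // attr offset, flags, allocated = 1024
    let mut off = 0x38;
    for &(ty, len, name, at, ts) in &[(0x10u8, 0x60usize, 0u8, 0usize, si), (0x30, 0x68, 0, 8, fname), (0x80, 0x20, ads as u8 * 4, 0, 0)] {
        r[off] = ty; r[off + 4] = len as u8; r[off + 9] = name; r[off + 0x14] = 0x18;
        r[off + 0x18 + at..off + 0x20 + at].copy_from_slice(&ts.to_le_bytes());
        off += len;
    }
    r[off..off + 4].copy_from_slice(&[0xFF; 4]); // end-of-attributes marker
    r[0x18..0x1A].copy_from_slice(&(off as u16 + 8).to_le_bytes()); // used size
    if residue { r[off + 24] = b'x'; } // stale byte past the used region
    r
}
fn main() {
    let t = 133_500_000_000_000_000u64; // constructed FILETIME value
    println!("{:?}", audit(&sample(false, t - 864_000_000_000, t, true, true)));
}
```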
© 2026 Security Ronin Ltd