sherlock-nsf-parser 0.1.0

Pure-Rust read-only parser for IBM/HCL Lotus Notes Storage Facility (NSF) databases. Forensic-grade, no Notes client required.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376

//! Database header (DBINFO) parsing.
//!
//! Layout per the authoritative `nsfdb_database_header.h` from libyal/
//! libnsfdb (LGPL-3.0-or-later; not vendored, fields re-declared here
//! by name). All offsets are relative to the start of DBINFO, which
//! itself starts at file offset 6 (immediately after the 6-byte file
//! header).
//!
//! ```text
//! offset  width  field
//!     0      4   format_version (ODS)
//!     4      8   database_identifier (TIMEDATE)
//!    12      2   application_version
//!    14      4   non_data_rrv_bucket_position
//!    18      4   available_non_data_rrv_identifier
//!    22      2   number_of_available_non_data_rrvs
//!    24      4   activity_log_offset
//!    28      8   bucket_modification_time (TIMEDATE)
//!    36      2   database_class
//!    38      2   database_flags
//!    40      4   bucket_descriptor_block_size
//!    44      4   bucket_descriptor_block_position (BDB)
//!    48      2   bdt_size
//!    50      4   bdt_position
//!    54      2   bdt_bitmaps
//!    56      4   data_rrv_bucket_position
//!    60      4   first_data_rrv_identifier
//!    64      4   available_data_rrv_identifier
//!    68      2   number_of_available_data_rrvs
//!    70      2   rrv_bucket_size
//!    72      2   summary_bucket_size
//!    74      2   bitmap_size
//!    76      2   allocation_granularity
//!    78      4   extention_granularity
//!    82      4   file_size (in 256-byte units)
//!    86..       (additional fields not yet consumed by this crate)
//! ```
//!
//! All multi-byte integers are little-endian.
//!
//! Empirical notes from the 17-sample corpus:
//!
//! - `bucket_descriptor_block_position` can legitimately be zero on
//!   fresh templates that have not yet been instantiated. The
//!   `data_rrv_bucket_position` is the more reliable "where data
//!   actually lives" pointer; use it to seed RRV walking.
//! - Database flag bit 0x0040 is NOT the encryption flag despite
//!   operator-forum lore. Every file in the corpus (templates and
//!   real .nsfs alike) has that bit set, and none are encrypted. The
//!   authoritative bit position for "Local Database Encryption" lives
//!   in HCL's `dbopts.h` which is not yet imported. Encryption
//!   detection is deferred to a later slice; the constant in
//!   `flags::DBFLAG_LOCAL_PROTECTED` is left as a known-uncertain
//!   placeholder with `is_database_encrypted` returning a documented
//!   "unknown" via `Option<bool>`.

use crate::detect::{identify_file_strict, FileKind};
use crate::error::NsfError;
use crate::ods::Ods;
use crate::time::Timedate;

const DBINFO_START: usize = 6;
const DBINFO_CORE_MIN: usize = 128;

/// Flag bits in DBINFO's `database_flags` u16 at offset 38. Bit
/// interpretation here is what we have verified against the 17-sample
/// corpus; entries marked `tentative` are still uncertain and not yet
/// used to drive any feature.
pub mod flags {
    /// Database is a template (.ntf semantics) rather than a regular
    /// database (.nsf). Verified empirically against the 8-template +
    /// 5-locale-template + 4-real-nsf corpus: set on every .ntf in the
    /// corpus, clear on every .nsf.
    pub const DBFLAG_TEMPLATE: u16 = 0x0010;
}

/// Parsed database header. Self-contained snapshot of DBINFO - the
/// reader does not retain a reference into the file bytes.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct DbHeader {
    /// db_header_size from the outermost 6-byte file header.
    pub db_header_size: u32,
    /// ODS version (DBINFO offset 0).
    pub ods: Ods,
    /// Database identifier (DBINFO offset 4). 8-byte TIMEDATE used as
    /// an opaque identifier.
    pub database_id: Timedate,
    /// Application-defined version (DBINFO offset 12). Free-form u16
    /// for the form designer's use.
    pub app_version: u16,
    /// File offset of the bucket holding non-data RRVs (DBINFO offset
    /// 14). Design notes, ACL notes, replication info, etc.
    pub non_data_rrv_bucket_position: u32,
    /// (next) available non-data RRV identifier (DBINFO offset 18).
    pub available_non_data_rrv_identifier: u32,
    /// Number of available non-data RRVs (DBINFO offset 22).
    pub number_of_available_non_data_rrvs: u16,
    /// Activity log offset (DBINFO offset 24).
    pub activity_log_offset: u32,
    /// Most recent bucket modification time (DBINFO offset 28).
    pub bucket_modification: Timedate,
    /// Database class (DBINFO offset 36). 2-byte identifier of what
    /// kind of database this is (mailbox / template / design / etc).
    pub database_class: u16,
    /// Database flags word (DBINFO offset 38). Use [`flags`]
    /// constants to interpret; only [`flags::DBFLAG_TEMPLATE`] is
    /// verified.
    pub database_flags: u16,
    /// Bucket Descriptor Block size (DBINFO offset 40).
    pub bucket_descriptor_block_size: u32,
    /// Bucket Descriptor Block position (DBINFO offset 44). Can be
    /// zero on freshly-instantiated templates; use
    /// [`Self::data_rrv_bucket_position`] for "where notes live"
    /// rather than this.
    pub bucket_descriptor_block_position: u32,
    /// Bucket Descriptor Table size (DBINFO offset 48).
    pub bdt_size: u16,
    /// Bucket Descriptor Table position (DBINFO offset 50).
    pub bdt_position: u32,
    /// Bucket Descriptor Table bitmaps (DBINFO offset 54).
    pub bdt_bitmaps: u16,
    /// File offset of the bucket holding data RRVs (DBINFO offset 56).
    /// THIS is the entry point for note enumeration. Non-zero on any
    /// database that contains notes.
    pub data_rrv_bucket_position: u32,
    /// First data RRV identifier (DBINFO offset 60).
    pub first_data_rrv_identifier: u32,
    /// (next) available data RRV identifier (DBINFO offset 64).
    pub available_data_rrv_identifier: u32,
    /// Number of available data RRVs (DBINFO offset 68).
    pub number_of_available_data_rrvs: u16,
    /// Size of each RRV bucket in bytes (DBINFO offset 70).
    pub rrv_bucket_size: u16,
    /// Size of each summary bucket in bytes (DBINFO offset 72).
    pub summary_bucket_size: u16,
    /// Bitmap allocation map size (DBINFO offset 74).
    pub bitmap_size: u16,
    /// Allocation granularity (DBINFO offset 76).
    pub allocation_granularity: u16,
    /// Extention granularity (DBINFO offset 78). (Spelling matches the
    /// libnsfdb header which inherited the typo from the Notes C API.)
    pub extention_granularity: u32,
    /// File size in 256-byte units (DBINFO offset 82). Multiply by 256
    /// to get the bytes the database knows about; may diverge from the
    /// OS-reported file size if the file was truncated since the
    /// header was last rewritten.
    pub file_size_pages: u32,
}

impl DbHeader {
    /// Parse the file header + DBINFO core from a byte slice containing
    /// at least the first 6 + 128 = 134 bytes of the file.
    pub fn parse(bytes: &[u8]) -> Result<Self, NsfError> {
        let file_kind = identify_file_strict(bytes)?;
        let db_header_size = match file_kind {
            FileKind::Nsf { db_header_size } => db_header_size,
            FileKind::NotNsf { reason } => {
                let _ = reason;
                return Err(NsfError::BadFileSignature { observed: [0, 0] });
            }
        };

        let required = DBINFO_START + DBINFO_CORE_MIN;
        if bytes.len() < required {
            return Err(NsfError::TooShort {
                actual: bytes.len(),
                required,
            });
        }

        let d = &bytes[DBINFO_START..DBINFO_START + DBINFO_CORE_MIN];

        // Helper closures: little-endian readers at the given DBINFO
        // offset. Keeps the field-extraction lines visually aligned with
        // the struct definition above and lets the optimizer fold the
        // bounds checks (we asserted DBINFO_CORE_MIN above).
        let u16_at = |o: usize| u16::from_le_bytes([d[o], d[o + 1]]);
        let u32_at = |o: usize| u32::from_le_bytes([d[o], d[o + 1], d[o + 2], d[o + 3]]);

        let ods_raw = u32_at(0);
        let database_id = Timedate::from_bytes(&d[4..12])?;
        let app_version = u16_at(12);
        let non_data_rrv_bucket_position = u32_at(14);
        let available_non_data_rrv_identifier = u32_at(18);
        let number_of_available_non_data_rrvs = u16_at(22);
        let activity_log_offset = u32_at(24);
        let bucket_modification = Timedate::from_bytes(&d[28..36])?;
        let database_class = u16_at(36);
        let database_flags = u16_at(38);
        let bucket_descriptor_block_size = u32_at(40);
        let bucket_descriptor_block_position = u32_at(44);
        let bdt_size = u16_at(48);
        let bdt_position = u32_at(50);
        let bdt_bitmaps = u16_at(54);
        let data_rrv_bucket_position = u32_at(56);
        let first_data_rrv_identifier = u32_at(60);
        let available_data_rrv_identifier = u32_at(64);
        let number_of_available_data_rrvs = u16_at(68);
        let rrv_bucket_size = u16_at(70);
        let summary_bucket_size = u16_at(72);
        let bitmap_size = u16_at(74);
        let allocation_granularity = u16_at(76);
        let extention_granularity = u32_at(78);
        let file_size_pages = u32_at(82);

        Ok(Self {
            db_header_size,
            ods: Ods::new(ods_raw),
            database_id,
            app_version,
            non_data_rrv_bucket_position,
            available_non_data_rrv_identifier,
            number_of_available_non_data_rrvs,
            activity_log_offset,
            bucket_modification,
            database_class,
            database_flags,
            bucket_descriptor_block_size,
            bucket_descriptor_block_position,
            bdt_size,
            bdt_position,
            bdt_bitmaps,
            data_rrv_bucket_position,
            first_data_rrv_identifier,
            available_data_rrv_identifier,
            number_of_available_data_rrvs,
            rrv_bucket_size,
            summary_bucket_size,
            bitmap_size,
            allocation_granularity,
            extention_granularity,
            file_size_pages,
        })
    }

    /// True if the database is flagged as a template (.ntf semantics).
    /// Verified empirically against the corpus: set on every .ntf,
    /// clear on every .nsf.
    pub fn is_template(&self) -> bool {
        self.database_flags & flags::DBFLAG_TEMPLATE != 0
    }

    /// Encryption detection: NOT IMPLEMENTED in v0.1.
    ///
    /// The libnsfdb spec leaves the encryption-flag bit position as
    /// TODO. The widely-cited 0x0040 value does NOT match the corpus
    /// (every sample has that bit set; none are encrypted). The
    /// authoritative bit lives in HCL's `dbopts.h` which we have not
    /// yet imported.
    ///
    /// Returns `None` until detection is reliable. The viewer surfaces
    /// this as "encryption detection deferred" rather than reporting
    /// false negatives.
    pub fn is_database_encrypted(&self) -> Option<bool> {
        None
    }

    /// Convenience: file-size estimate from the header's
    /// 256-byte-increment field. Multiply by 256.
    pub fn file_size_from_header_bytes(&self) -> u64 {
        (self.file_size_pages as u64) * 256
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Build a minimal-but-valid header for unit tests. Values are
    /// chosen to be unambiguous (no zeros that overlap with field
    /// defaults).
    fn synthetic_header(ods: u32, flags: u16) -> Vec<u8> {
        let mut buf = vec![0u8; 256];
        // File header: LSIG + db_header_size = 1024.
        buf[0] = 0x1A;
        buf[1] = 0x00;
        buf[2..6].copy_from_slice(&1024u32.to_le_bytes());
        // DBINFO @ file offset 6.
        // ODS at DBINFO offset 0 (file 6).
        buf[6..10].copy_from_slice(&ods.to_le_bytes());
        // database_flags at DBINFO offset 38 (file 44).
        buf[44..46].copy_from_slice(&flags.to_le_bytes());
        // bucket_descriptor_block_position at DBINFO offset 44 (file 50).
        buf[50..54].copy_from_slice(&0x0000_4000u32.to_le_bytes());
        // data_rrv_bucket_position at DBINFO offset 56 (file 62).
        buf[62..66].copy_from_slice(&0x0000_2af0u32.to_le_bytes());
        // file_size at DBINFO offset 82 (file 88).
        buf[88..92].copy_from_slice(&5000u32.to_le_bytes());
        buf
    }

    #[test]
    fn parses_synthetic_ods_53_unencrypted() {
        let buf = synthetic_header(53, 0);
        let h = DbHeader::parse(&buf).unwrap();
        assert_eq!(h.db_header_size, 1024);
        assert_eq!(h.ods.raw, 53);
        assert!(!h.is_template());
        assert!(h.is_database_encrypted().is_none(), "encryption detection deferred");
        assert_eq!(h.bucket_descriptor_block_position, 0x0000_4000);
        assert_eq!(h.data_rrv_bucket_position, 0x0000_2af0);
        assert_eq!(h.file_size_pages, 5000);
        assert_eq!(h.file_size_from_header_bytes(), 5000 * 256);
    }

    #[test]
    fn flags_template_decodes_correctly() {
        let buf = synthetic_header(53, flags::DBFLAG_TEMPLATE);
        let h = DbHeader::parse(&buf).unwrap();
        assert!(h.is_template());
    }

    #[test]
    fn rejects_bad_magic() {
        let mut buf = synthetic_header(53, 0);
        buf[0] = 0xDE;
        buf[1] = 0xAD;
        let err = DbHeader::parse(&buf).unwrap_err();
        assert!(matches!(err, NsfError::BadFileSignature { .. }));
    }

    #[test]
    fn rejects_too_short_for_dbinfo() {
        let buf: Vec<u8> = vec![0x1A, 0x00, 0x00, 0x04, 0x00, 0x00];
        let err = DbHeader::parse(&buf).unwrap_err();
        assert!(matches!(err, NsfError::TooShort { .. }));
    }

    #[test]
    fn ods_supported_check_works_via_header() {
        let buf_modern = synthetic_header(53, 0);
        let h_modern = DbHeader::parse(&buf_modern).unwrap();
        assert!(h_modern.ods.is_supported_for_enumeration());

        let buf_legacy = synthetic_header(17, 0);
        let h_legacy = DbHeader::parse(&buf_legacy).unwrap();
        assert!(!h_legacy.ods.is_supported_for_enumeration());
    }

    #[test]
    fn parses_canonical_comparedbs_ntf_header_bytes() {
        // First 96 bytes of comparedbs.ntf from the corpus. Pinned here
        // so any future regression in field-offset arithmetic is
        // immediately visible. Generated by xxd of the real file.
        #[rustfmt::skip]
        let bytes: &[u8] = &[
            0x1a, 0x00, 0x00, 0x04, 0x00, 0x00, 0x34, 0x00,
            0x00, 0x00, 0xa9, 0xf4, 0x61, 0x00, 0x0c, 0x88,
            0x25, 0x85, 0x00, 0x00, 0xe0, 0x03, 0x00, 0x00,
            0xf6, 0x03, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x3f, 0x08, 0x62, 0x00, 0x0c, 0x88,
            0x25, 0x00, 0x04, 0xff, 0x50, 0x42, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xf0, 0x2a,
            0x00, 0x00, 0xf6, 0x08, 0x00, 0x00, 0x5a, 0x09,
            0x00, 0x00, 0xe3, 0x01, 0x00, 0x10, 0x00, 0x20,
            0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        ];
        // Pad to the DBINFO_CORE_MIN size with zeros (rest is unused).
        let mut buf = bytes.to_vec();
        buf.resize(256, 0);
        let h = DbHeader::parse(&buf).unwrap();
        // ODS 52 = Notes 9.0.1.
        assert_eq!(h.ods.raw, 52);
        // Template flag set (.ntf).
        assert!(h.is_template(), "comparedbs.ntf flags = 0x{:04X}", h.database_flags);
        // BDB is genuinely zero on this template; data RRV is at 0x2af0.
        assert_eq!(h.bucket_descriptor_block_position, 0);
        assert_eq!(h.data_rrv_bucket_position, 0x2af0);
        // File size 0x3000 pages = 0x300000 = 3 MB (matches actual 3.1 MB).
        assert_eq!(h.file_size_pages, 0x3000);
        // RRV bucket size = 0x1000 = 4 KB pages, the modern Domino default.
        assert_eq!(h.rrv_bucket_size, 0x1000);
    }
}