§gpt-forensic
Forensic-grade GUID Partition Table (GPT) parser. A sibling to mbr-forensic: where that crate parses the legacy MBR, this one parses the GPT that a protective MBR advertises — validating the header and partition-array CRC32 integrity, reconciling the primary and backup GPT (divergence is a strong tampering signal), and surfacing structural anomalies.
Like its sibling, it is a pure Read + Seek library with no image-format decoding of its own — compose it with the container crates (ewf, vhd, vmdk, …) for E01/VHD/VMDK input.
Re-exports§
pub use entry::GptEntry;
pub use findings::Anomaly;
pub use findings::AnomalyKind;
pub use findings::GptAnalysis;
pub use findings::Location;
pub use guid::Guid;
pub use header::GptHeader;
Modules§
- collision: Cross-disk GPT disk-GUID collision detection.
- crc32: CRC-32/ISO-HDLC — the checksum GPT uses for its header and partition array.
- entropy: Shannon entropy over byte slices.
- entry: GPT partition entry parsing.
- findings: GPT forensic findings: severity, anomalies, and the analysis result.
- guid: GPT GUID (mixed-endian) parsing and display.
- header: GPT header (LBA 1 / backup) parsing and self-CRC validation.
- mbr: Minimal legacy/protective MBR partition-entry reader (LBA 0).
- sha256: SHA-256 (FIPS 180-4) — dependency-free, for evidence/chain-of-custody hashing.
Structs§
- AnalyseOptions: Options controlling analyse_with_options.
Enums§
- Error: Crate-level error type.
- Severity: The canonical 5-level severity scale, shared across every SecurityRonin analyzer via forensicnomicon::report. Severity of a forensic finding (Info < Low < Medium < High < Critical).
Functions§
- analyse: Perform a full forensic analysis of a GPT-partitioned disk image.
- analyse_with_options: Like analyse, but with explicit AnalyseOptions (e.g. to force the sector size when the header magic is corrupt).