Skip to main content

gpt_forensic/
lib.rs

1//! # gpt-forensic
2//!
3//! Forensic-grade GUID Partition Table (GPT) parser. A sibling to
4//! [`mbr-forensic`](https://github.com/SecurityRonin/mbr-forensic): where that
5//! crate parses the legacy MBR, this one parses the GPT that a protective MBR
6//! advertises — validating the header and partition-array **CRC32** integrity,
7//! reconciling the **primary and backup** GPT (divergence is a strong tampering
8//! signal), and surfacing structural anomalies.
9//!
10//! Like its sibling, it is a pure `Read + Seek` library with no image-format
11//! decoding of its own — compose it with the container crates (`ewf`, `vhd`,
12//! `vmdk`, …) for E01/VHD/VMDK input.
13
14pub mod collision;
15pub mod crc32;
16pub mod entropy;
17pub mod entry;
18pub mod findings;
19pub mod guid;
20pub mod header;
21pub mod mbr;
22pub mod sha256;
23
24mod analyse;
25
26pub use analyse::{analyse, analyse_with_options, AnalyseOptions};
27pub use entry::GptEntry;
28pub use findings::{Anomaly, AnomalyKind, GptAnalysis, Location, Severity};
29pub use guid::Guid;
30pub use header::GptHeader;
31
32/// Crate-level error type.
33#[derive(Debug, thiserror::Error)]
34pub enum Error {
35    /// The GPT header signature was not `"EFI PART"`.
36    #[error("invalid GPT header signature")]
37    BadSignature,
38    /// A buffer was shorter than the structure it was asked to hold.
39    #[error("buffer too short: need {need} bytes, got {got}")]
40    TooShort { need: usize, got: usize },
41    /// I/O failure while reading the disk image.
42    #[error("I/O error: {0}")]
43    Io(#[from] std::io::Error),
44}