Expand description
§mbr-forensic
Forensic-grade Master Boot Record (MBR) parser. Goes beyond partition enumeration to surface structural anomalies, slack-space content, anti-forensic indicators, and cross-field inconsistencies that other MBR crates silently ignore.
§Entry points
use mbr_forensic::{parse_mbr_sector, analyse};
use std::fs::File;
// Pure parsing from a 512-byte buffer (no I/O required):
let buf = [0u8; 512];
let sector = parse_mbr_sector(&buf)?;
// Full forensic analysis from a seekable reader:
let mut f = File::open("disk.img")?;
let analysis = analyse(&mut f, 1 << 30)?;
for anomaly in &analysis.anomalies {
println!("[{:?}] {}", anomaly.severity, anomaly.note);
}Re-exports§
pub use boot_code::BootCodeId;pub use ebr::EbrChain;pub use ebr::EbrEntry;pub use findings::Anomaly;pub use findings::AnomalyKind;pub use findings::MbrAnalysis;pub use findings::PartitionSummary;pub use findings::Severity;pub use gap::Gap;pub use mbr::parse_mbr_sector;pub use mbr::MbrSector;pub use partition::Chs;pub use partition::PartitionEntry;pub use partition::PartitionFamily;pub use partition::TypeCode;pub use signature::DetectedFs;
Modules§
- boot_
code - Boot code identification by fingerprinting the first 446 bytes of the MBR.
- ebr
- Extended Boot Record (EBR) chain traversal and forensic inspection.
- entropy
- Shannon entropy over byte slices.
- findings
- Forensic finding types: anomalies, severity, and the top-level analysis result.
- gap
- Unpartitioned LBA space analysis.
- mbr
- 512-byte MBR sector parsing — pure
&[u8]interface, no I/O. - partition
- MBR partition entry types and partition-type-code semantics.
- signature
- Filesystem magic-byte detection from the first sector of a partition.
Enums§
- Error
- Crate-level error type.
Functions§
- analyse
- Perform a full forensic analysis of an MBR-partitioned disk image.