Crate mbr_forensic 

mbr-forensic

Forensic-grade Master Boot Record (MBR) parser. Goes beyond partition enumeration to surface structural anomalies, slack-space content, anti-forensic indicators, and cross-field inconsistencies that other MBR crates silently ignore.

Entry points

use mbr_forensic::{parse_mbr_sector, analyse};
use std::fs::File;

// Pure parsing from a 512-byte buffer (no I/O required):
let buf = [0u8; 512];
let sector = parse_mbr_sector(&buf)?;

// Full forensic analysis from a seekable reader:
let mut f = File::open("disk.img")?;
let analysis = analyse(&mut f, 1 << 30)?;
for anomaly in &analysis.anomalies {
    println!("[{:?}] {}", anomaly.severity, anomaly.note);
}

Re-exports

pub use boot_code::BootCodeId;

pub use disk_signature::find_signature_collisions;

pub use disk_signature::SignatureCollision;

pub use ebr::EbrChain;

pub use ebr::EbrEntry;

pub use findings::Anomaly;

pub use findings::AnomalyKind;

pub use findings::MbrAnalysis;

pub use findings::PartitionSummary;

pub use gap::Gap;

pub use mbr::parse_mbr_sector;

pub use mbr::MbrSector;

pub use partition::Chs;

pub use partition::PartitionEntry;

pub use partition::PartitionFamily;

pub use partition::TypeCode;

pub use provenance::Alignment;

pub use provenance::PartitioningEra;

pub use signature::DetectedFs;

Modules

boot_code

Boot code identification by fingerprinting the first 446 bytes of the MBR.

bootkit

Known boot-sector-malware marker detection.

carve

File-signature carving and string extraction over raw byte regions.

disk_signature

NT disk-signature (offset 440) cross-disk analysis.

ebr

Extended Boot Record (EBR) chain traversal and forensic inspection.

entropy

Shannon entropy over byte slices.

findings

Forensic finding types: anomalies, severity, and the top-level analysis result.

gap

Unpartitioned LBA space analysis.

gpt

GPT/MBR cross-validation primitives.

mbr

512-byte MBR sector parsing — pure &[u8] interface, no I/O.

partition

MBR partition entry types and partition-type-code semantics.

provenance

Partitioner / era attribution from partition-table geometry.

signature

Filesystem magic-byte detection from the first sector of a partition.

vbr

Volume Boot Record (VBR) / BIOS Parameter Block parsing.

wipe

Wipe-pattern classification for raw byte regions.

Structs

AnalyseOptions

Options controlling analyse_with_options.

Enums

Error

Crate-level error type.

Severity

The canonical 5-level severity scale, shared across every SecurityRonin analyzer via forensicnomicon::report. Severity of a forensic finding (Info < Low < Medium < High < Critical).

Functions

analyse

Perform a full forensic analysis of an MBR-partitioned disk image.

analyse_with_options

Like analyse, but with explicit AnalyseOptions — e.g. to force a 4Kn (4096-byte) logical sector size for an Advanced Format disk.