mbr_forensic/boot_code.rs
1//! Boot code identification by fingerprinting the first 446 bytes of the MBR.
2
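/// Identity of the boot code in the first 446 bytes of the MBR.
///
/// Produced by [`identify`]. The uniform-fill variants (`AllZeros`, `AllOnes`)
/// are decided locally from the bytes themselves; the named-loader variants
/// come from the signature knowledge base; anything the knowledge base does
/// not name, or names in a way this crate does not map, lands in `Unknown`.
///
/// `Hash` is derived so the id can key a `HashMap`/`HashSet` when tallying
/// results across many images (e.g. counting how many disks in a case carry
/// unrecognised boot code).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[cfg_attr(feature = "serde", derive(serde::Serialize))]
pub enum BootCodeId {
    /// Windows Vista / Server 2008 MBR boot code.
    WindowsVista,
    /// Windows 7 / Server 2008 R2 and later MBR boot code.
    Windows7Plus,
    /// GRUB Legacy (stage1).
    GrubLegacy,
    /// GRUB 2 boot code.
    Grub2,
    /// Syslinux / EXTLINUX MBR.
    Syslinux,
    /// All 446 bytes are zero — likely wiped or freshly zeroed.
    AllZeros,
    /// All 446 bytes are `0xFF` — factory-erased flash or deliberate wipe.
    AllOnes,
    /// Unrecognised boot code (no signature match, or a knowledge-base name
    /// this crate does not map to a variant).
    Unknown,
}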
24
/// Identify the boot code occupying `code[0..446]`.
///
/// Classification order:
///
/// 1. Every byte `0x00` → [`BootCodeId::AllZeros`] (likely wiped or freshly
///    zeroed).
/// 2. Every byte `0xFF` → [`BootCodeId::AllOnes`] (factory-erased flash or a
///    deliberate wipe).
/// 3. Otherwise the bytes are handed to
///    [`forensicnomicon::boot_signatures::identify_loader`] — the single
///    source of truth for the fingerprint patterns — and the loader name it
///    returns is mapped onto a [`BootCodeId`]. `None`, and any name this
///    mapping does not list, is reported as [`BootCodeId::Unknown`].
///
/// The uniform-fill checks run first, so a blank sector never reaches the
/// signature matcher. The fixed-size parameter makes a short or oversized
/// buffer a compile-time error rather than a runtime one; the function does
/// not panic and performs no I/O.
///
/// # Forensic caveats
///
/// * A recognised loader means the bytes the knowledge base fingerprints
///   matched. NOTE(review): unless the knowledge base compares the full 446
///   bytes, this does not establish that the *rest* of the boot code is
///   pristine — a modification that preserves the fingerprinted region would
///   still classify as the original loader. Compare against a known-good
///   hash before treating a match as an integrity verdict.
/// * The name → variant mapping is by string literal. A loader the knowledge
///   base can identify but this table does not list is silently folded into
///   `Unknown`, so the two must be kept in step when the knowledge base grows.
#[must_use]
pub fn identify(code: &[u8; 446]) -> BootCodeId {
    // Uniform fill (every byte equal to `fill`) is decided here, not by the
    // knowledge base.
    let is_filled_with = |fill: u8| code.iter().all(|&byte| byte == fill);

    if is_filled_with(0x00) {
        return BootCodeId::AllZeros;
    }
    if is_filled_with(0xFF) {
        return BootCodeId::AllOnes;
    }

    // Anything not named below — including a name the knowledge base knows
    // but this crate does not — collapses to `Unknown`.
    let loader = forensicnomicon::boot_signatures::identify_loader(code);
    loader.map_or(BootCodeId::Unknown, |name| match name {
        "Windows Vista" => BootCodeId::WindowsVista,
        "Windows 7+" => BootCodeId::Windows7Plus,
        "GRUB Legacy" => BootCodeId::GrubLegacy,
        "GRUB 2" => BootCodeId::Grub2,
        "Syslinux" => BootCodeId::Syslinux,
        _ => BootCodeId::Unknown,
    })
}
46}