Skip to main content

mbr_forensic/
lib.rs

1//! # mbr-forensic
2//!
3//! Forensic-grade Master Boot Record (MBR) parser. Goes beyond partition
4//! enumeration to surface structural anomalies, slack-space content,
5//! anti-forensic indicators, and cross-field inconsistencies that other
6//! MBR crates silently ignore.
7//!
8//! ## Entry points
9//!
10//! ```no_run
11//! use mbr_forensic::{parse_mbr_sector, analyse};
12//! use std::fs::File;
13//!
14//! // Pure parsing from a 512-byte buffer (no I/O required):
15//! let buf = [0u8; 512];
16//! let sector = parse_mbr_sector(&buf)?;
17//!
18//! // Full forensic analysis from a seekable reader:
19//! let mut f = File::open("disk.img")?;
20//! let analysis = analyse(&mut f, 1 << 30)?;
21//! for anomaly in &analysis.anomalies {
22//!     println!("[{:?}] {}", anomaly.severity, anomaly.note);
23//! }
24//! # Ok::<(), mbr_forensic::Error>(())
25//! ```
26
27pub mod boot_code;
28pub mod ebr;
29pub mod entropy;
30pub mod findings;
31pub mod gap;
32pub mod mbr;
33pub mod partition;
34pub mod signature;
35
36mod analyse;
37
38pub use analyse::analyse;
39pub use boot_code::BootCodeId;
40pub use ebr::{EbrChain, EbrEntry};
41pub use findings::{Anomaly, AnomalyKind, MbrAnalysis, PartitionSummary, Severity};
42pub use gap::Gap;
43pub use mbr::{parse_mbr_sector, MbrSector};
44pub use partition::{Chs, PartitionEntry, PartitionFamily, TypeCode};
45pub use signature::DetectedFs;
46
47/// Crate-level error type.
48#[derive(Debug, thiserror::Error)]
49pub enum Error {
50    #[error("sector too short: expected 512 bytes, got {0}")]
51    TooShort(usize),
52    #[error("invalid MBR boot signature: expected 0x55AA, got 0x{0:04X}")]
53    BadSignature(u16),
54    #[error("I/O error: {0}")]
55    Io(#[from] std::io::Error),
56}