§mbr-partition-forensic
Forensic-grade Master Boot Record (MBR) analyzer. Goes beyond partition enumeration to surface structural anomalies, slack-space content, anti-forensic indicators, and cross-field inconsistencies that other MBR crates silently ignore.
The pure on-disk parser lives in the sibling mbr crate (mbr-partition-core); this crate layers anomaly detection on top and re-exports every parser type so callers need only one dependency.
§Entry points
```rust
use mbr_partition_forensic::{analyse, parse_mbr_sector};
use std::fs::File;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Pure parsing from a 512-byte buffer (no I/O required):
    let buf = [0u8; 512];
    let sector = parse_mbr_sector(&buf)?;

    // Full forensic analysis from a seekable reader; the second argument is the
    // image size in bytes (here 1 GiB), used for bounds and gap analysis:
    let mut f = File::open("disk.img")?;
    let analysis = analyse(&mut f, 1 << 30)?;
    for anomaly in &analysis.anomalies {
        println!("[{:?}] {}", anomaly.severity, anomaly.note);
    }
    Ok(())
}
```

Re-exports§
pub use findings::Anomaly;
pub use findings::AnomalyKind;
pub use findings::MbrAnalysis;
pub use findings::PartitionSummary;
pub use gap::Gap;
pub use provenance::Alignment;
pub use provenance::PartitioningEra;
Modules§
- boot_code - Boot code identification by fingerprinting the first 446 bytes of the MBR.
- bootkit - Known boot-sector-malware marker detection.
- carve - File-signature carving and string extraction over raw byte regions.
- disk_signature - NT disk-signature (offset 440) cross-disk analysis.
- ebr - Extended Boot Record (EBR) chain traversal and forensic inspection.
- entropy - Shannon entropy over byte slices.
- findings - Forensic finding types: anomalies, severity, and the top-level analysis result.
- gap - Unpartitioned LBA space analysis.
- gpt - GPT/MBR cross-validation primitives.
- partition - MBR partition entry types and partition-type-code semantics.
- provenance - Partitioner / era attribution from partition-table geometry.
- signature - Filesystem magic-byte detection from the first sector of a partition.
- vbr - Volume Boot Record (VBR) / BIOS Parameter Block parsing.
- wipe - Wipe-pattern classification for raw byte regions.
Structs§
- AnalyseOptions - Options controlling analyse_with_options.
- Chs - Decoded CHS (Cylinder-Head-Sector) address.
- EbrChain - Result of walking the full EBR chain.
- EbrEntry - A single link in the EBR chain.
- MbrSector - A parsed 512-byte MBR sector.
- PartitionEntry - A single 16-byte primary partition table entry.
- SignatureCollision - A set of disks that share one non-zero NT disk signature.
- TypeCode - Wrapper around an MBR partition type byte with semantic helpers.
Enums§
- BootCodeId - Identity of the boot code in the first 446 bytes of the MBR.
- DetectedFs - Filesystem type detected from a partition's first-sector bytes.
- Error - Crate-level error type.
- PartitionFamily - High-level classification of a partition type.
- Severity - The canonical 5-level severity scale, shared across every SecurityRonin analyzer via forensicnomicon::report. Severity of a forensic finding (Info < Low < Medium < High < Critical).
Functions§
- analyse - Perform a full forensic analysis of an MBR-partitioned disk image.
- analyse_with_options - Like analyse, but with explicit AnalyseOptions, e.g. to force a 4Kn (4096-byte) logical sector size for an Advanced Format disk.
- find_signature_collisions - Find all NT disk-signature collisions across signatures.
- parse_mbr_sector - Parse a 512-byte MBR sector.