mbr_partition_forensic/lib.rs
1//! # mbr-partition-forensic
2//!
3//! Forensic-grade Master Boot Record (MBR) analyzer. Goes beyond partition
4//! enumeration to surface structural anomalies, slack-space content,
5//! anti-forensic indicators, and cross-field inconsistencies that other MBR
6//! crates silently ignore.
7//!
8//! The pure on-disk parser lives in the sibling [`mbr`] crate
9//! (`mbr-partition-core`); this crate layers anomaly detection on top and
10//! re-exports every parser type so callers need only one dependency.
11//!
12//! ## Entry points
13//!
14//! ```no_run
15//! use mbr_partition_forensic::{parse_mbr_sector, analyse};
16//! use std::fs::File;
17//!
18//! // Pure parsing from a 512-byte buffer (no I/O required):
19//! let buf = [0u8; 512];
20//! let sector = parse_mbr_sector(&buf)?;
21//!
22//! // Full forensic analysis from a seekable reader (`File::open` opens the image read-only, so the evidence cannot be modified through this handle):
23//! let mut f = File::open("disk.img")?;
24//! let analysis = analyse(&mut f, 1 << 30)?;
25//! for anomaly in &analysis.anomalies {
26//!     println!("[{:?}] {}", anomaly.severity, anomaly.note);
27//! }
28//! # Ok::<(), mbr_partition_forensic::Error>(())
29//! ```
30#![cfg_attr(test, allow(clippy::unwrap_used, clippy::expect_used))]
31
32// Re-export the parser layer so the analyzer presents a single crate surface.
33// Existing call sites such as `mbr_partition_forensic::partition::TypeCode` and
34// `mbr_partition_forensic::Error` keep working against the parser types.
35pub use mbr::{boot_code, carve, disk_signature, ebr, gpt, partition, signature, vbr, Error};
36
37pub mod bootkit;
38pub mod entropy;
39pub mod findings;
40pub mod gap;
41pub mod provenance;
42pub mod wipe;
43
44mod analyse;
45mod diag;
46
47pub use analyse::{analyse, analyse_with_options, AnalyseOptions};
48pub use boot_code::BootCodeId;
49pub use disk_signature::{find_signature_collisions, SignatureCollision};
50pub use ebr::{EbrChain, EbrEntry};
51pub use findings::{Anomaly, AnomalyKind, MbrAnalysis, PartitionSummary, Severity};
52pub use gap::Gap;
53pub use mbr::{parse_mbr_sector, MbrSector};
54pub use partition::{Chs, PartitionEntry, PartitionFamily, TypeCode};
55pub use provenance::{Alignment, PartitioningEra};
56pub use signature::DetectedFs;