Crate ntfs_core 

ntfs-core

A forensic-grade, from-scratch NTFS reader. It parses NTFS structures directly from any Read + Seek source (a raw image, an EWF/VMDK-backed DataSource, or an in-memory buffer) and surfaces the artifacts a forensic examiner needs — including deleted records, slack, and anti-forensic indicators that a “clean” filesystem reader is designed to hide.

This is a clean, spec-first implementation (no third-party NTFS parsing dependency). Its output is cross-validated against The Sleuth Kit and the ntfs / mft crates on real disk images.

Status

Built incrementally under strict TDD. Implemented:

• boot::BootSector — the Volume Boot Record (BPB / extended BPB).
• record::MftRecordHeader + record::apply_fixup — FILE records and the update-sequence-array fixup.
• attribute::parse_attributes — resident and non-resident attributes.
• standard_information / file_name — the two timestamp sets.
• runlist::decode + data::read_attribute_value — data runs.
• index — directory $INDEX_ROOT / INDX buffers.
• attribute_list — fragmented-file extension records.
• compress::decompress — LZNT1.
• fs::NtfsFs — path resolution and file read over any Read + Seek.
• source::OffsetReader — open a partition inside a whole-disk image.
• [forensic] — Tier-2: timestomp, ADS, slack, deleted-record carving.

Hardened against crafted input and exercised by cargo-fuzz (see fuzz/); the boot parser is cross-validated against The Sleuth Kit on a real disk image (see tests/real_image.rs).

Re-exports

pub use attribute::parse_attributes;

pub use attribute::Attribute;

pub use attribute::AttributeBody;

pub use attribute_list::parse as parse_attribute_list;

pub use attribute_list::AttributeListEntry;

pub use boot::BootSector;

pub use compress::decompress;

pub use data::read_attribute_value;

pub use data::read_runs;

pub use error::NtfsError;

pub use error::Result;

pub use file_name::FileName;

pub use file_name::FileReference;

pub use fs::NtfsFs;

pub use index::parse_entries;

pub use index::parse_index_buffer;

pub use index::IndexEntry;

pub use index::IndexRoot;

pub use record::apply_fixup;

pub use record::MftRecordHeader;

pub use runlist::decode as decode_runlist;

pub use runlist::Run;

pub use source::OffsetReader;

pub use standard_information::StandardInformation;

pub use time::Filetime;

Modules

attribute

MFT attribute walking: the common attribute header plus the resident and non-resident bodies.

attribute_list

$ATTRIBUTE_LIST (type 0x20) — present when a file’s attributes don’t fit in one MFT record. Each entry points at the extension record (a file reference) holding one of the file’s attributes, with its type, starting VCN, id, and name. Following these references is how a heavily-fragmented file’s attributes are gathered.

boot

NTFS Volume Boot Record ($Boot / VBR).

compress

LZNT1 decompression — the algorithm NTFS uses for compressed attributes.

data

Reconstructing an attribute’s bytes — resident inline, or non-resident by following its runlist across the volume.

error

Crate-wide error type.

file_name

$FILE_NAME (type 0x30) — a name link for a file: its parent directory reference, a second set of MACE timestamps, the file sizes, flags, and the name itself in one of four namespaces.

fs

NtfsFs — the top-level reader that ties every layer together over a Read + Seek volume.

index

Directory index B-tree: $INDEX_ROOT (resident) and the INDX buffers of $INDEX_ALLOCATION (non-resident).

record

MFT file-record-segment header parsing and update-sequence-array (fixup).

runlist

Data-run (runlist) decoding.

source

A bounded sub-reader that re-bases a partition to offset zero.

standard_information

$STANDARD_INFORMATION (type 0x10) — the core file metadata: the four MACE timestamps, DOS attribute flags, and (NTFS 3.0+) the security id and the $UsnJrnl update sequence number.

time

Windows FILETIME — the timestamp format used throughout NTFS.