
ntfs_core/
lib.rs

1//! # ntfs-core
2//!
3//! A forensic-grade, from-scratch NTFS reader. It parses NTFS structures
4//! directly from any `Read + Seek` source (a raw image, an EWF/VMDK-backed
5//! `DataSource`, or an in-memory buffer) and surfaces the artifacts a forensic
6//! examiner needs — including deleted records, slack, and anti-forensic
7//! indicators that a "clean" filesystem reader is designed to hide.
8//!
9//! This is a clean, spec-first implementation (no third-party NTFS parsing
10//! dependency). Its output is cross-validated against The Sleuth Kit and the
11//! `ntfs` / `mft` crates on real disk images.
12//!
13//! ## Status
14//!
15//! Built incrementally under strict TDD. Implemented:
16//! - [`boot::BootSector`] — the Volume Boot Record (BPB / extended BPB).
17//! - [`record::MftRecordHeader`] + [`record::apply_fixup`] — FILE records and
18//!   the update-sequence-array fixup.
19//! - [`attribute::parse_attributes`] — resident and non-resident attributes.
20//! - [`standard_information`] / [`file_name`] — the two timestamp sets.
21//! - [`runlist::decode`] + [`data::read_attribute_value`] — data runs.
22//! - [`index`] — directory `$INDEX_ROOT` / INDX buffers.
23//! - [`attribute_list`] — fragmented-file extension records.
24//! - [`compress::decompress`] — LZNT1.
25//! - [`fs::NtfsFs`] — path resolution and file read over any `Read + Seek`.
26//! - [`source::OffsetReader`] — open a partition inside a whole-disk image.
27//! - `forensic` — Tier-2: timestomp, ADS, slack, deleted-record carving. No `forensic` module is declared in this file; [`carve`], [`logfile`], [`mftmirr`] and [`usn`] are.
28//!
29//! Hardened against crafted input and exercised by `cargo-fuzz`
30//! (see `fuzz/`); the boot parser is cross-validated against The Sleuth Kit on
31//! a real disk image (see `tests/real_image.rs`).
32
33#![forbid(unsafe_code)]
34
35pub mod attribute;
36pub mod attribute_list;
37pub mod boot;
38pub mod compress;
39pub mod data;
40pub mod error;
41pub mod file_name;
42pub mod fs;
43pub mod index;
44pub mod record;
45pub mod runlist;
46pub mod source;
47pub mod carve;
48pub mod logfile;
49pub mod mftmirr;
50pub mod standard_information;
51pub mod time;
52pub mod usn;
53
54pub use attribute::{parse_attributes, Attribute, AttributeBody};
55pub use attribute_list::{parse as parse_attribute_list, AttributeListEntry};
56pub use boot::BootSector;
57pub use compress::decompress;
58pub use data::{read_attribute_value, read_runs};
59pub use error::{NtfsError, Result};
60pub use file_name::{FileName, FileReference};
61pub use fs::NtfsFs;
62pub use index::{parse_entries, parse_index_buffer, IndexEntry, IndexRoot};
63pub use record::{apply_fixup, MftRecordHeader};
64pub use runlist::{decode as decode_runlist, Run};
65pub use source::OffsetReader;
66pub use carve::{carve_mft_entries, CarvedMftEntry, MftCarvingStats};
67pub use logfile::{detect_journal_clearing, parse_logfile, LogFileSummary, RestartArea};
68pub use mftmirr::{compare_mft_mirror, MirrorComparison};
69pub use standard_information::StandardInformation;
70pub use time::Filetime;
71pub use usn::{parse_usn_record_v2, FileAttributes, UsnReason, UsnRecord};