
ntfs_core/
lib.rs

1//! # ntfs-core
2//!
3//! A forensic-grade, from-scratch NTFS reader. It parses NTFS structures
4//! directly from any `Read + Seek` source (a raw image, an EWF/VMDK-backed
5//! `DataSource`, or an in-memory buffer) and surfaces the artifacts a forensic
6//! examiner needs — including deleted records, slack, and anti-forensic
7//! indicators that a "clean" filesystem reader is designed to hide.
8//!
9//! This is a clean, spec-first implementation (no third-party NTFS parsing
10//! dependency). Its output is cross-validated against The Sleuth Kit and the
11//! `ntfs` / `mft` crates on real disk images.
12//!
13//! ## Status
14//!
15//! Built incrementally under strict TDD. Implemented:
16//! - [`boot::BootSector`] — the Volume Boot Record (BPB / extended BPB).
17//! - [`record::MftRecordHeader`] + [`record::apply_fixup`] — FILE records and
18//!   the update-sequence-array fixup.
19//! - [`attribute::parse_attributes`] — resident and non-resident attributes.
20//! - [`standard_information`] / [`file_name`] — the two timestamp sets.
21//! - [`runlist::decode`] + [`data::read_attribute_value`] — data runs.
22//! - [`index`] — directory `$INDEX_ROOT` / INDX buffers.
23//! - [`attribute_list`] — fragmented-file extension records.
24//! - [`compress::decompress`] — LZNT1.
25//! - [`fs::NtfsFs`] — path resolution and file read over any `Read + Seek`.
26//! - [`source::OffsetReader`] — open a partition inside a whole-disk image.
27//! - `ntfs-forensic` (sibling crate) — Tier-2: timestomp, ADS, slack, deleted-record carving.
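28//!
//! The list above is not exhaustive: the crate also declares the public
//! modules `carve`, `error`, `logfile`, `mft`, `mftmirr`, `refs`, `rewind`,
//! `time` and `usn` (see the `pub mod` declarations below).
//!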
29//! Hardened against crafted input and exercised by `cargo-fuzz`
30//! (see `fuzz/`); the boot parser is cross-validated against The Sleuth Kit on
31//! a real disk image (see `tests/real_image.rs`).
32
// Crate-wide lint policy.
//
// `forbid` (unlike `deny`) cannot be relaxed by a later `#[allow]`, so no
// `unsafe` block or function can be introduced anywhere in this crate's own
// code. It does not extend to dependencies, and it does not by itself rule
// out panics or excessive allocation when parsing crafted input.
33#![forbid(unsafe_code)]
// In test builds only, permit `unwrap()` / `expect()`.
// NOTE(review): presumably `clippy::unwrap_used` / `clippy::expect_used` are
// enabled for non-test code elsewhere (e.g. workspace lint configuration);
// nothing in this file turns them on — confirm.
34#![cfg_attr(test, allow(clippy::unwrap_used, clippy::expect_used))]
35
// Module tree. Every module below is part of the public API except `bytes`.
36pub mod attribute;
37pub mod attribute_list;
38pub mod boot;
// Crate-private: the only module declared without `pub`.
39mod bytes;
40pub mod carve;
41pub mod compress;
42pub mod data;
43pub mod error;
44pub mod file_name;
45pub mod fs;
46pub mod index;
47pub mod logfile;
48pub mod mft;
49pub mod mftmirr;
50pub mod record;
51pub mod refs;
52pub mod rewind;
53pub mod runlist;
54pub mod source;
55pub mod standard_information;
56pub mod time;
57pub mod usn;
58
59pub use attribute::{parse_attributes, Attribute, AttributeBody};
60pub use attribute_list::{parse as parse_attribute_list, AttributeListEntry};
61pub use boot::BootSector;
62pub use carve::{carve_mft_entries, CarvedMftEntry, MftCarvingStats};
63pub use compress::decompress;
64pub use data::{read_attribute_value, read_runs};
65pub use error::{NtfsError, Result};
66pub use file_name::{FileName, FileReference};
67pub use fs::NtfsFs;
68pub use index::{parse_entries, parse_index_buffer, IndexEntry, IndexRoot};
69pub use logfile::{detect_journal_clearing, parse_logfile, LogFileSummary, RestartArea};
70pub use mft::{MftData, MftEntry};
71pub use mftmirr::{compare_mft_mirror, MirrorComparison};
72pub use record::{apply_fixup, MftRecordHeader};
73pub use refs::{RefsAnalyzer, RefsFileId, RefsRecord};
74pub use rewind::{EntryInfo, EntryKey, RecordSource, ResolvedRecord, RewindEngine};
75pub use runlist::{decode as decode_runlist, Run};
76pub use source::OffsetReader;
77pub use standard_information::StandardInformation;
78pub use time::Filetime;
79pub use usn::{
80    carve_usn_records, parse_usn_record_v2, CarvedRecord, CarvingStats, FileAttributes,
81    UsnJournalReader, UsnReason, UsnRecord,
82};