Crate ntfs_core 

ntfs-core

A forensic-grade, from-scratch NTFS reader. It parses NTFS structures directly from any Read + Seek source (a raw image, an EWF/VMDK-backed DataSource, or an in-memory buffer) and surfaces the artifacts a forensic examiner needs — including deleted records, slack, and anti-forensic indicators that a “clean” filesystem reader is designed to hide.

This is a clean, spec-first implementation (no third-party NTFS parsing dependency). Its output is cross-validated against The Sleuth Kit and the ntfs / mft crates on real disk images.

Status

Built incrementally under strict TDD. Implemented:

• boot::BootSector — the Volume Boot Record (BPB / extended BPB).
• record::MftRecordHeader + record::apply_fixup — FILE records and the update-sequence-array fixup.
• attribute::parse_attributes — resident and non-resident attributes.
• standard_information / file_name — the two timestamp sets.
• runlist::decode + data::read_attribute_value — data runs.
• index — directory $INDEX_ROOT / INDX buffers.
• attribute_list — fragmented-file extension records.
• [compress::decompress] — LZNT1.
• fs::NtfsFs — path resolution and file read over any Read + Seek.
• source::OffsetReader — open a partition inside a whole-disk image.
• ntfs-forensic (sibling crate) — Tier-2: timestomp, ADS, slack, deleted-record carving.

Hardened against crafted input and exercised by cargo-fuzz (see fuzz/); the boot parser is cross-validated against The Sleuth Kit on a real disk image (see tests/real_image.rs).

Re-exports

pub use attribute::parse_attributes;

pub use attribute::Attribute;

pub use attribute::AttributeBody;

pub use attribute_list::parse as parse_attribute_list;

pub use attribute_list::AttributeListEntry;

pub use boot::BootSector;

pub use carve::carve_mft_entries;

pub use carve::CarvedMftEntry;

pub use carve::MftCarvingStats;

pub use data::read_attribute_value;

pub use data::read_runs;

pub use error::NtfsError;

pub use error::Result;

pub use file_name::FileName;

pub use file_name::FileReference;

pub use fs::NtfsFs;

pub use index::parse_entries;

pub use index::parse_index_buffer;

pub use index::IndexEntry;

pub use index::IndexRoot;

pub use logfile::detect_journal_clearing;

pub use logfile::parse_logfile;

pub use logfile::LogFileSummary;

pub use logfile::RestartArea;

pub use mft::MftData;

pub use mft::MftEntry;

pub use mftmirr::compare_mft_mirror;

pub use mftmirr::MirrorComparison;

pub use record::apply_fixup;

pub use record::MftRecordHeader;

pub use refs::RefsAnalyzer;

pub use refs::RefsFileId;

pub use refs::RefsRecord;

pub use rewind::EntryInfo;

pub use rewind::EntryKey;

pub use rewind::RecordSource;

pub use rewind::ResolvedRecord;

pub use rewind::RewindEngine;

pub use runlist::decode as decode_runlist;

pub use runlist::Run;

pub use source::OffsetReader;

pub use standard_information::StandardInformation;

pub use time::Filetime;

pub use usn::carve_usn_records;

pub use usn::parse_usn_record_v2;

pub use usn::CarvedRecord;

pub use usn::CarvingStats;

pub use usn::FileAttributes;

pub use usn::UsnJournalReader;

pub use usn::UsnReason;

pub use usn::UsnRecord;

Modules

attribute

MFT attribute walking: the common attribute header plus the resident and non-resident bodies.

attribute_list

$ATTRIBUTE_LIST (type 0x20) — present when a file’s attributes don’t fit in one MFT record. Each entry points at the extension record (a file reference) holding one of the file’s attributes, with its type, starting VCN, id, and name. Following these references is how a heavily-fragmented file’s attributes are gathered.

boot

NTFS Volume Boot Record ($Boot / VBR).

carve

MFT entry carving from unallocated space or raw disk data.

data

Reconstructing an attribute’s bytes — resident inline, or non-resident by following its runlist across the volume.

decompress

LZNT1 decompression, re-exported from the lznt1 crate (the codec NTFS uses for compressed $DATA).

error

Crate-wide error type.

file_name

$FILE_NAME (type 0x30) — a name link for a file: its parent directory reference, a second set of MACE timestamps, the file sizes, flags, and the name itself in one of four namespaces.

fs

NtfsFs — the top-level reader that ties every layer together over a Read + Seek volume.

index

Directory index B-tree: $INDEX_ROOT (resident) and the INDX buffers of $INDEX_ALLOCATION (non-resident).

logfile

$LogFile parser for gap detection and LSN correlation.

mft

High-level $MFT aggregator for path resolution and timestomping triage.

mftmirr

$MFTMirr comparison for integrity verification.

record

MFT file-record-segment header parsing and update-sequence-array (fixup).

refs

ReFS (Resilient File System) aware handling of USN V3 records.

rewind

Journal Rewind engine for complete path reconstruction.

runlist

Data-run (runlist) decoding.

source

A bounded sub-reader that re-bases a partition to offset zero.

standard_information

$STANDARD_INFORMATION (type 0x10) — the core file metadata: the four MACE timestamps, DOS attribute flags, and (NTFS 3.0+) the security id and the $UsnJrnl update sequence number.

time

Windows FILETIME — the timestamp format used throughout NTFS.

usn

USN Journal record parsing.

Functions

decompress

LZNT1 decompression, re-exported from the lznt1 crate (the codec NTFS uses for compressed $DATA). Decompresses an entire LZNT1 stream.