pub struct MftData {
    pub entries: Vec<MftEntry>,
    pub by_entry: HashMap<u64, usize>,
    pub by_key: HashMap<EntryKey, usize>,
}
Parsed $MFT data for correlation.
Fields
entries: Vec<MftEntry>
All parsed entries.
by_entry: HashMap<u64, usize>
Map: entry_number -> index in entries vec (for current allocation).
by_key: HashMap<EntryKey, usize>
Map: (entry, sequence) -> index (sequence-aware lookup).
Implementations
impl MftData
pub fn parse(data: &[u8]) -> Result<Self>
Parse raw $MFT data.
Errors
Currently infallible — malformed records are skipped rather than surfaced as errors — but the signature is fallible to leave room for future fatal conditions.
pub fn seed_rewind(&self) -> RewindEngine
Seed a RewindEngine with the current MFT state.
pub fn detect_timestomping(&self) -> Vec<&MftEntry>
Detect potential timestomping: entries whose $SI ($STANDARD_INFORMATION) creation time is earlier than their $FN ($FILE_NAME) creation time.
pub fn get_by_entry(&self, entry_number: u64) -> Option<&MftEntry>
Get entry by entry number (current allocation).
pub fn get_by_key(&self, key: &EntryKey) -> Option<&MftEntry>
Get entry by (entry, sequence) pair.
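The $SI-before-$FN check and the two lookup maps described above, as an added example that is not the crate's own code. Entry, Index and all field names are hypothetical stand-ins for MftEntry and MftData, the timestamps are constructed tick values, and the rule for choosing the "current allocation" is an assumption.

```rust
use std::collections::HashMap;
// Hypothetical stand-in for the crate's MftEntry; all field names are assumptions.
struct Entry { entry: u64, sequence: u16, in_use: bool, si_created: u64, fn_created: u64 }
struct Index {
    entries: Vec<Entry>,
    by_entry: HashMap<u64, usize>,      // entry number -> current allocation
    by_key: HashMap<(u64, u16), usize>, // (entry, sequence) -> exact record
}

impl Index {
    fn build(entries: Vec<Entry>) -> Self {
        let mut by_entry: HashMap<u64, usize> = HashMap::new();
        let mut by_key: HashMap<(u64, u16), usize> = HashMap::new();
        for (i, e) in entries.iter().enumerate() {
            by_key.insert((e.entry, e.sequence), i);
            // Assumption: "current" = in-use record, else the highest sequence seen.
            let newer = by_entry.get(&e.entry).map_or(true, |&j| {
                (e.in_use, e.sequence) > (entries[j].in_use, entries[j].sequence)
            });
            if newer { by_entry.insert(e.entry, i); }
        }
        Index { entries, by_entry, by_key }
    }
    // The page's heuristic: $SI creation time earlier than $FN creation time.
    fn detect_timestomping(&self) -> Vec<&Entry> {
        self.entries.iter().filter(|e| e.si_created < e.fn_created).collect()
    }
    fn get_by_entry(&self, n: u64) -> Option<&Entry> {
        self.by_entry.get(&n).map(|&i| &self.entries[i])
    }
    fn get_by_key(&self, entry: u64, seq: u16) -> Option<&Entry> {
        self.by_key.get(&(entry, seq)).map(|&i| &self.entries[i])
    }
}

// Constructed sample: record 40 was reused; its current file has a backdated $SI time.
fn sample() -> Vec<Entry> {
    vec![
        Entry { entry: 40, sequence: 3, in_use: false, si_created: 100, fn_created: 100 },
        Entry { entry: 40, sequence: 4, in_use: true, si_created: 50, fn_created: 200 },
        Entry { entry: 41, sequence: 1, in_use: true, si_created: 300, fn_created: 300 },
    ]
}

fn main() {
    let idx = Index::build(sample());
    let hits: Vec<(u64, u16)> = idx.detect_timestomping().iter().map(|e| (e.entry, e.sequence)).collect();
    println!("suspects {:?}, current #40 seq {:?}, old #40 in use {:?}", hits,
        idx.get_by_entry(40).map(|e| e.sequence), idx.get_by_key(40, 3).map(|e| e.in_use));
}
```

Reporting a hit as an (entry, sequence) pair keeps it tied to the flagged file even if the record number is later reused by a different file.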
Auto Trait Implementations
impl Freeze for MftData
impl RefUnwindSafe for MftData
impl Send for MftData
impl Sync for MftData
impl Unpin for MftData
impl UnsafeUnpin for MftData
impl UnwindSafe for MftData
Blanket Implementations
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.