MFT file-record-segment header parsing and update-sequence-array (fixup).
Every $MFT entry is a fixed-size file record segment (typically 1024
bytes) beginning with a FILE signature. To protect against torn writes,
NTFS replaces the last two bytes of every sector with an incrementing
Update Sequence Number (USN); the displaced originals are stored in the
Update Sequence Array (USA). Reading a record means verifying each
sector still carries the expected USN (a mismatch is a torn write or
tampering) and restoring the originals before the bytes are interpreted.
Layout facts (signatures, field offsets, flags) come from
forensicnomicon::ntfs.
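
The verify-then-restore sequence described above, as an added example that is not this crate's code. The names `fixup_in_place`, `FixupError` and `sample_record` are hypothetical. The example assumes 512-byte sectors and hard-codes the standard NTFS header offsets (USA offset at byte 4, USA entry count at byte 6) instead of taking them from forensicnomicon::ntfs.

```rust
const SECTOR: usize = 512; // assumed bytes per sector (hard-coded for this example)

#[derive(Debug, PartialEq)]
enum FixupError { BadSignature, BadLayout, TornSector(usize) }

fn rd16(b: &[u8], off: usize) -> Option<u16> {
    Some(u16::from_le_bytes([*b.get(off)?, *b.get(off + 1)?]))
}

/// Hypothetical helper: verify every sector's trailing USN, then restore the originals.
fn fixup_in_place(rec: &mut [u8]) -> Result<(), FixupError> {
    if rec.get(..4) != Some(&b"FILE"[..]) { return Err(FixupError::BadSignature); }
    let usa_off = rd16(rec, 4).ok_or(FixupError::BadLayout)? as usize;
    let usa_cnt = rd16(rec, 6).ok_or(FixupError::BadLayout)? as usize; // USN + one entry per sector
    let sectors = rec.len() / SECTOR;
    // The count must match the buffer, and the USA must end before sector 0's last two bytes.
    if rec.len() % SECTOR != 0 || usa_cnt != sectors + 1 || usa_off + usa_cnt * 2 > SECTOR - 2 {
        return Err(FixupError::BadLayout);
    }
    let usn = [rec[usa_off], rec[usa_off + 1]];
    // Pass 1: check every sector first so a torn record is never partially rewritten.
    for i in 0..sectors {
        let tail = (i + 1) * SECTOR - 2;
        if rec[tail..tail + 2] != usn { return Err(FixupError::TornSector(i)); }
    }
    // Pass 2: copy each displaced original from the USA back over the USN.
    for i in 0..sectors {
        let src = usa_off + 2 + i * 2;
        rec.copy_within(src..src + 2, (i + 1) * SECTOR - 2);
    }
    Ok(())
}

/// Constructed 1024-byte sample record (not real disk data): USN 0x0005, two sectors.
fn sample_record() -> Vec<u8> {
    let mut r = vec![0u8; 1024];
    r[..4].copy_from_slice(b"FILE");
    r[4..6].copy_from_slice(&0x30u16.to_le_bytes()); // USA offset
    r[6..8].copy_from_slice(&3u16.to_le_bytes()); // USA entry count
    r[0x30..0x32].copy_from_slice(&[0x05, 0x00]); // USN
    r[0x32..0x36].copy_from_slice(&[0xAA, 0xBB, 0xCC, 0xDD]); // displaced sector tails
    r[510..512].copy_from_slice(&[0x05, 0x00]);
    r[1022..1024].copy_from_slice(&[0x05, 0x00]);
    r
}

fn main() {
    println!("{:?}", fixup_in_place(&mut sample_record()));
}
```

Checking all sectors before restoring any means a record that fails verification is returned byte-for-byte unchanged, which keeps the evidence of the mismatch intact.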
Structs§
- MftRecordHeader - Parsed MFT file-record-segment header.
Functions§
- apply_fixup - Apply the NTFS update-sequence-array fixup to a raw record buffer in place.