pub struct RefsAnalyzer { /* private fields */ }
Analyzer for ReFS USN journal data.
Provides grouping by full 128-bit file ID, ReFS vs NTFS volume detection, and journal-rewind-only path reconstruction (since ReFS has no traditional MFT).
Implementations
impl RefsAnalyzer
pub fn new(records: Vec<RefsRecord>) -> Self
Create a new analyzer from a set of RefsRecords.
pub fn is_likely_refs(&self) -> bool
Detect whether the records likely originate from a ReFS volume.
Heuristic: if all records have major_version == 3 and any record has
a file_id whose upper 64 bits are non-zero, it is likely ReFS.
Pure NTFS V3 records would have upper bits all zero.
pub fn group_by_file_id(&self) -> HashMap<RefsFileId, Vec<&RefsRecord>>
Group records by their full 128-bit file ID.
Returns a map from RefsFileId to all records referencing that file.
pub fn reconstruct_paths(&self) -> HashMap<RefsFileId, String>
Reconstruct file paths using journal rewind only (no MFT seeding).
ReFS has no traditional $MFT, so path reconstruction must rely entirely on walking the USN journal backwards to build the directory tree from rename and create events.
Returns a map from RefsFileId to reconstructed path (if resolvable).
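A simplified sketch of journal-only path resolution, added here as an illustration and not taken from this crate's implementation. It keeps only the most recent name and parent per file ID. The Rec struct, the rebuild_paths function, the root ID and all sample records are hypothetical and constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical, simplified stand-in for a USN record (not the crate's RefsRecord).
pub struct Rec { pub usn: u64, pub file_id: u128, pub parent_id: u128, pub name: String }

/// Walk the journal newest-first, keep the latest (parent, name) seen per file ID,
/// then resolve each ID by following parent links up to `root`.
/// IDs whose chain leaves the journal (or loops) map to None.
pub fn rebuild_paths(records: &[Rec], root: u128) -> HashMap<u128, Option<String>> {
    let mut sorted: Vec<&Rec> = records.iter().collect();
    sorted.sort_by(|a, b| b.usn.cmp(&a.usn)); // rewind: highest USN first
    let mut latest: HashMap<u128, (u128, &str)> = HashMap::new();
    for r in sorted {
        latest.entry(r.file_id).or_insert((r.parent_id, r.name.as_str()));
    }
    let mut out = HashMap::new();
    for &id in latest.keys() {
        let (mut parts, mut seen, mut cur, mut resolved) = (Vec::new(), HashSet::new(), id, true);
        while cur != root {
            match latest.get(&cur) {
                Some(&(parent, name)) if seen.insert(cur) => { parts.push(name); cur = parent; }
                _ => { resolved = false; break; } // unknown parent or cycle
            }
        }
        parts.reverse();
        out.insert(id, resolved.then(|| format!("\\{}", parts.join("\\"))));
    }
    out
}

// Constructed sample IDs: upper 64 bits are non-zero, as the ReFS heuristic expects.
pub const ROOT: u128 = 0x701_u128 << 64;
pub const DIR: u128 = (0x701_u128 << 64) | 0x10;
pub const FILE: u128 = (0x701_u128 << 64) | 0x11;
pub const ORPHAN: u128 = (0x702_u128 << 64) | 0x20;
pub const MISSING_PARENT: u128 = (0x702_u128 << 64) | 0x1; // never appears as a file_id

/// Constructed journal: a directory create, a file create, a rename, and an orphan.
pub fn sample() -> Vec<Rec> {
    let r = |usn, file_id, parent_id, name: &str| Rec { usn, file_id, parent_id, name: name.into() };
    vec![
        r(100, DIR, ROOT, "staging"),
        r(200, FILE, DIR, "a.tmp"),
        r(300, FILE, DIR, "report.docx"),
        r(400, ORPHAN, MISSING_PARENT, "orphan.bin"),
    ]
}

fn main() {
    for (id, path) in rebuild_paths(&sample(), ROOT) { println!("{id:#034x} -> {path:?}"); }
}
```

The orphan record resolves to None because its parent never appears in the journal window, which is the "if resolvable" case: entries older than the retained journal cannot be recovered without an MFT-like seed.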