Crate ntfs_forensic

Forensic Tier-2: the artifacts a “clean” reader hides — timestomping indicators, alternate data streams, MFT-record slack, and deleted records.

These are pure analyses over already-parsed structures, so they are exact and side-effect free.

Modules

analysis
Anti-forensics and threat detection from USN Journal records.
correlation
TriForce correlation engine: MFT + $LogFile + $UsnJrnl.
rules
Rule engine for pattern-matching USN journal activity.
triage
Rapid triage query engine for USN journal forensic analysis.

Structs

Anomaly
An NTFS forensic anomaly: an observation graded by severity, with a stable code and note derived from its AnomalyKind so they cannot drift.
TimestompIndicators
Indicators that a file’s $STANDARD_INFORMATION timestamps were forged.

Enums

AnomalyKind
Classification of an NTFS forensic anomaly. Each variant carries the MFT record it was observed in plus the evidence to reproduce it.
ArtifactAnomaly
A volume-level NTFS metadata-artifact anomaly — scoped to a metadata file rather than a single MFT record.
Severity
Severity of a forensic finding: the canonical 5-level scale (Info < Low < Medium < High < Critical), shared across every SecurityRonin analyzer via forensicnomicon::report.

Functions

alternate_data_streams
The named $DATA attributes of a file — its alternate data streams.
audit_components
Audit a parsed MFT record’s components for anomalies. The caller supplies the already-parsed pieces, so this is exact and side-effect free; see audit_record for the convenience that parses raw bytes.
audit_logfile
Audit a raw $LogFile for journal-clearing indicators. Malformed input yields no findings.
audit_mft_mirror
Audit the $MFTMirr against the live $MFT, flagging any of the first four system records that differ. Malformed input yields no findings.
audit_record
Audit a single raw MFT record’s bytes: parse the header and attributes, extract $STANDARD_INFORMATION/$FILE_NAME, and delegate to audit_components. A record whose header does not parse yields no anomalies (structural corruption is surfaced by the reader/carver).
carve_file_records
Scan a raw MFT byte region for FILE/BAAD records at record-size boundaries, returning the offset of each.
detect_timestomp
Compare a file’s $STANDARD_INFORMATION against one of its $FILE_NAME attributes for timestomping indicators.
is_deleted
Returns true if the record is not currently allocated, i.e. it describes a deleted file.
record_slack
The slack of an MFT record: the bytes from the record’s used size to its end, which may hold residue from a previously-resident attribute.