mbr-forensic v0.1.0
First release of the forensic-grade MBR parser.
Features
- Full MBR sector parsing — boot code (446 bytes), NT disk serial (offset 440), reserved bytes (offset 444–445), four partition entries with CHS decoding
- Boot code fingerprinting — Windows 7+, Vista, GRUB 2, GRUB Legacy, Syslinux, AllZeros (wiped), AllOnes (erased)
- Partition type semantics — 40+ type codes mapped to PartitionFamily + human-readable names
- EBR chain traversal — cycle detection, depth cap (64), slack byte inspection on EBR entries 2–3
- Gap analysis — pre-partition, inter-partition, and post-partition unpartitioned space
- Filesystem fingerprinting — NTFS, ext2/3/4, FAT, exFAT, LUKS, APFS, XFS, Linux swap, LVM2
- Declared vs detected type mismatch detection
- Shannon entropy on slack regions
- 20 anomaly types with severity levels and byte-precise offsets
Security
- No panics on malicious input — all arithmetic uses checked/saturating operations
- EBR cycle and overflow detection
- Fuzz targets for parse_mbr_sector and analyse (via cargo-fuzz)
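The EBR chain traversal and the cycle, depth-cap and overflow guarantees listed above can be illustrated with a small walker. This is an added example, not code from mbr-forensic: walk_ebr_chain, EbrError and sample_image are hypothetical names, and the disk is assumed to be an in-memory image with 512-byte sectors.

```rust
use std::collections::HashSet;
const SECTOR: usize = 512;
const MAX_DEPTH: usize = 64; // depth cap quoted in the release notes
#[derive(Debug, PartialEq)]
pub enum EbrError { Cycle(u32), TooDeep, Overflow, OutOfBounds(u32), BadSignature(u32) }

// Start-LBA field (bytes 8..12) of the 16-byte partition entry at `entry`.
fn start_lba(sec: &[u8], entry: usize) -> u32 {
    u32::from_le_bytes([sec[entry + 8], sec[entry + 9], sec[entry + 10], sec[entry + 11]])
}

/// Hypothetical walker: absolute start LBAs of the logical partitions in the chain.
pub fn walk_ebr_chain(image: &[u8], ext_start: u32) -> Result<Vec<u32>, EbrError> {
    let (mut seen, mut logical) = (HashSet::new(), Vec::new());
    let mut ebr = ext_start;
    loop {
        if !seen.insert(ebr) { return Err(EbrError::Cycle(ebr)); }
        if seen.len() > MAX_DEPTH { return Err(EbrError::TooDeep); }
        let off = (ebr as usize).checked_mul(SECTOR).ok_or(EbrError::Overflow)?;
        let sec = image.get(off..off.saturating_add(SECTOR)).ok_or(EbrError::OutOfBounds(ebr))?;
        if sec[510..512] != [0x55, 0xAA] { return Err(EbrError::BadSignature(ebr)); }
        // Entry 0 (offset 446): logical partition, start relative to this EBR.
        if sec[446 + 4] != 0 {
            logical.push(ebr.checked_add(start_lba(sec, 446)).ok_or(EbrError::Overflow)?);
        }
        // Entry 1 (offset 462): next EBR, start relative to the extended partition.
        if sec[462 + 4] == 0 { return Ok(logical); }
        ebr = ext_start.checked_add(start_lba(sec, 462)).ok_or(EbrError::Overflow)?;
    }
}

/// Constructed sample: 16-sector image with one EBR per (lba, next-link) pair.
pub fn sample_image(ebrs: &[(usize, Option<u32>)]) -> Vec<u8> {
    let mut img = vec![0u8; 16 * SECTOR];
    for &(lba, next) in ebrs {
        let s = &mut img[lba * SECTOR..(lba + 1) * SECTOR];
        s[510] = 0x55; s[511] = 0xAA;
        s[446 + 4] = 0x83; s[446 + 8] = 1; // logical partition one sector after the EBR
        if let Some(n) = next {
            s[462 + 4] = 0x05; // extended-partition type marks the link entry
            s[470..474].copy_from_slice(&n.to_le_bytes());
        }
    }
    img
}

fn main() {
    // Second EBR links back to the first, so the walk must stop with a cycle error.
    println!("{:?}", walk_ebr_chain(&sample_image(&[(2, Some(3)), (5, Some(0))]), 2));
}
```

Every malformed link ends in a typed error rather than a panic or an endless loop, which is the property a fuzz target would exercise.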
Testing
104 tests (unit + integration) with 100% line coverage across all modules.