A forensic-grade file recovery engine built in pure Rust.
Raw disk I/O. NTFS MFT resurrection. NVMe telemetry capture. SMART health forecasting.
Three interfaces. Zero cloud dependencies. One weekend.
Every year, 67% of data loss incidents happen to people who have no backup.
Your photos. Your thesis. Your tax documents. Your startup's only copy of the pitch deck. Gone — deleted by accident, wiped by a crash, or lost to a corrupted drive.
The tools that exist to fix this? They fall into two categories:
| Category | Examples | Problem |
|---|---|---|
| Consumer | Recuva, Disk Drill Free | Surface-level scans only. Can't read raw disk. Miss 60%+ of recoverable files. |
| Professional | EnCase ($3,600/yr), FTK ($5,000+), R-Studio ($80-$900) | Built by teams of 10-30 engineers over decades. Priced for forensic labs and corporations. |
There is nothing in between. No open-source tool that speaks directly to your drive's hardware, parses the actual filesystem structures, and performs real forensic-grade recovery.
Until now.
DiskForge talks directly to your drive's silicon. No abstractions. No file-system drivers. No databases. Just raw sector reads through Windows IOCTL calls and hand-written parsers for every byte of filesystem metadata.
+---------------------------------+
| YOUR DELETED FILE |
+----------------+----------------+
|
+----------------v----------------+
| NTFS Master File Table |
| (MFT entry still has metadata) |
+----------------+----------------+
|
+----------+-----------+-----------+----------+
| | | |
+-----v----+ +--v--------+ +------v-----+ +-v----------+
| $FILE_NAME| | $DATA | | $STANDARD | | $Bitmap |
| UTF-16LE | | Run List | | INFO | | Free Map |
| + Parent | | (clusters)| | Timestamps | | (per-bit) |
+----------+ +-----------+ +------------+ +------------+
| | |
v v v
+-----------+ +-------------+ +------------------+
| Recycle | | Reconstruct | | Carve unalloc |
| Bin $I/$R | | from runs | | sectors for |
| correlation| | (assembler) | | orphaned files |
+-----------+ +-------------+ +------------------+
|
+-----v------+
| Integrity |
| Verify |
| (SHA-256 + |
| structural)|
+------------+
| Phase | What Happens | How |
|---|---|---|
| 1. Hardware Interrogation | Query every physical drive. Detect SSD/HDD/NVMe. Read SMART health data. Check for hidden sectors (HPA). | IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_STORAGE_QUERY_PROPERTY, IOCTL_ATA_PASS_THROUGH |
| 2. Partition Discovery | Parse GPT and MBR partition tables directly from raw sectors. | Hand-written GPT/MBR parser — no OS filesystem driver involved |
| 3. Filesystem Deep Scan | Walk the NTFS Master File Table entry by entry. Parse $FILE_NAME, $DATA run lists, $STANDARD_INFORMATION timestamps. Decode FAT cluster chains. | Full MFT parser with fixup validation, delta-encoded run list decoder, UTF-16LE filename extraction |
| 4. Recycle Bin Intelligence | Detect $R/$I file pairs in $Recycle.Bin. Parse $I metadata to recover original file paths and deletion timestamps. |
Parent-chain MFT reference walking + $I binary parser (v1 Vista + v2 Win10) |
| 5. Bitmap-Guided Carving | Read the NTFS $Bitmap to find free clusters within allocated partitions, then carve those specific ranges. |
Bit-level bitmap scanning → sector range conversion → signature matching |
| 6. Raw Sector Carving | Scan unallocated space (gaps between partitions) for file signatures using magic bytes + footer detection + entropy analysis. | 20+ signatures with inner-marker validation to eliminate false positives |
| 7. Fragment Assembly | Reassemble files from non-contiguous data runs. Verify with SHA-256 hashing and file-type-specific structural validation. | JPEG EOI check, PNG IEND chunk, PDF %%EOF, ZIP EOCD record |
| 8. Recovery Forecast | Predict recovery probability using SMART data + drive characteristics before you waste time scanning. | Algorithmic model: TRIM penalty, wear level, power-on hours, NVMe spare capacity, media errors |
graph TB
subgraph "User Interfaces"
CLI["CLI + TUI<br/><i>ratatui + clap</i>"]
GUI["Desktop GUI<br/><i>egui/eframe</i>"]
WEB["Web Dashboard<br/><i>Axum + SPA</i>"]
end
subgraph "DiskForge Core Engine"
ORCH["Orchestrator<br/>scan() / reconstruct()"]
subgraph "The Brain — Filesystem Parsers"
NTFS["NTFS Parser<br/><i>MFT, $Bitmap, Run Lists</i>"]
FAT["FAT12/16/32<br/><i>Cluster chains, dirs</i>"]
EXFAT["exFAT Parser"]
GPT["GPT + MBR<br/><i>Partition tables</i>"]
end
subgraph "The Hands — Scanner & Carver"
CARVER["File Carver<br/><i>Header/footer + entropy</i>"]
SIGDB["Signature DB<br/><i>20+ types, inner markers</i>"]
SCHED["Scan Scheduler<br/><i>Multi-threaded</i>"]
end
subgraph "The Spine — Reconstruction"
ASM["File Assembler<br/><i>Data run → file</i>"]
INTEGRITY["Integrity Checker<br/><i>Structural validation</i>"]
FRAG["Fragment Solver<br/><i>Permutation search</i>"]
DEDUP["Deduplicator"]
end
end
subgraph "Windows Hardware Layer"
DISK["Physical Disk Reader<br/><i>CreateFileW + ReadFile</i>"]
SMART["SMART / Health<br/><i>ATA + NVMe IOCTLs</i>"]
HPA["HPA Detection<br/><i>READ NATIVE MAX ADDR</i>"]
TELEM["NVMe Telemetry<br/><i>L2P Snapshot Capture</i>"]
PRIV["Privilege Check<br/><i>Token elevation</i>"]
end
CLI --> ORCH
GUI --> ORCH
WEB --> ORCH
ORCH --> NTFS & FAT & EXFAT & GPT
ORCH --> CARVER & SCHED
ORCH --> ASM
CARVER --> SIGDB
ASM --> INTEGRITY & FRAG & DEDUP
NTFS & FAT & EXFAT & GPT --> DISK
CARVER --> DISK
ASM --> DISK
DISK --> SMART & HPA & TELEM & PRIV
style CLI fill:#1a1a3e,stroke:#00d4ff,color:#e0e0ff
style GUI fill:#1a1a3e,stroke:#00d4ff,color:#e0e0ff
style WEB fill:#1a1a3e,stroke:#00d4ff,color:#e0e0ff
style ORCH fill:#0a0a2e,stroke:#00ff88,color:#00ff88
style DISK fill:#2a0a0a,stroke:#ff3355,color:#ff3355
style SMART fill:#2a0a0a,stroke:#ff3355,color:#ff3355
style TELEM fill:#2a0a0a,stroke:#ff8800,color:#ff8800
DiskForge ships with a cyberpunk-themed web dashboard — a full single-page application baked directly into the binary using rust-embed. No Node.js. No npm. No external files. Just run diskforge-web.exe and open your browser.
The dashboard guides you through a 5-step recovery wizard:
| Step | What You Do |
|---|---|
| 1. Select Drive | Detects all physical drives via Windows IOCTL. Shows model, serial, capacity, type (HDD/SSD/NVMe), and TRIM status. SSD drives get a real-time TRIM warning. |
| 2. Configure | Filter by file type (Images, Documents, Archives, Media, Databases, Executables, Email). Toggle raw sector carving and experimental fragment reordering. Configure memory limits and thread count. |
| 3. Scanning | Real-time progress with phase indicators, sector progress bar, and live file-found counter. Cancel anytime — fully interruptible via atomic flag. |
| 4. Results | Paginated results table with filtering by status (Intact / Fragmented / Carved / Partial / Failed), category, and confidence score. One-click Recycle Bin filter, intact-only, or >70% confidence. Export to CSV. |
| 5. Recover | Selected files are reassembled from raw data runs, verified with SHA-256 + structural integrity checks, and written to your output directory. |
This is the kind of software that does not get built at hackathons. Here's why:
To build DiskForge, you need simultaneous expertise in five domains that rarely overlap:
┌──────────────────────────────────────────────────────────┐
│ DOMAIN EXPERTISE MAP │
├──────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────┐ │
│ │ STORAGE │ │ FILESYSTEM │ │ DIGITAL │ │
│ │ HARDWARE │ │ INTERNALS │ │ FORENSICS │ │
│ │ │ │ │ │ │ │
│ │ ATA commands │ │ NTFS MFT │ │ File carving │ │
│ │ NVMe protocol│ │ FAT chains │ │ Fragment solver │ │
│ │ SMART data │ │ GPT/MBR │ │ Entropy analysis│ │
│ │ IOCTL calls │ │ $Bitmap │ │ Integrity verify│ │
│ │ HPA/DCO │ │ Run lists │ │ Recycle Bin │ │
│ └─────────────┘ └─────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────┐ ┌──────────────────────────────────┐ │
│ │ SYSTEMS │ │ FULL-STACK WEB + NATIVE UI │ │
│ │ PROGRAMMING │ │ │ │
│ │ │ │ Axum REST API + SSE streaming │ │
│ │ unsafe Rust │ │ Embedded SPA (rust-embed) │ │
│ │ Win32 API │ │ egui desktop GUI │ │
│ │ Raw pointers │ │ ratatui terminal UI │ │
│ │ FFI structs │ │ Real-time progress callbacks │ │
│ └─────────────┘ └──────────────────────────────────┘ │
└──────────────────────────────────────────────────────────┘
| Tool | Company | Team Size | Dev Time | Price |
|---|---|---|---|---|
| EnCase | OpenText | 30+ engineers | 20+ years | $3,594/year |
| FTK | Exterro | 20+ engineers | 15+ years | $5,000+ |
| R-Studio | R-Tools | 10+ engineers | 15+ years | $80-$900 |
| Autopsy | Basis Tech | Community + core team | 10+ years | Free (limited) |
| DiskForge | One developer + Claude | Two | Built with AI | Free & Open Source |
DiskForge makes nine distinct IOCTL calls to Windows — each one requiring deep knowledge of undocumented or sparsely-documented hardware interfaces:
| # | IOCTL | Purpose |
|---|---|---|
| 1 | IOCTL_DISK_GET_DRIVE_GEOMETRY_EX |
Query sector size + total capacity |
| 2 | IOCTL_STORAGE_QUERY_PROPERTY (DeviceProperty) |
Get drive model, serial, bus type |
| 3 | IOCTL_STORAGE_QUERY_PROPERTY (TrimProperty) |
Detect actual TRIM/UNMAP support |
| 4 | IOCTL_STORAGE_QUERY_PROPERTY (SeekPenalty) |
Distinguish SSD from HDD |
| 5 | IOCTL_ATA_PASS_THROUGH (SMART READ) |
Read ATA SMART attribute table |
| 6 | IOCTL_ATA_PASS_THROUGH (NATIVE MAX) |
Detect Host Protected Areas |
| 7 | IOCTL_STORAGE_QUERY_PROPERTY (NVMe Health) |
NVMe SMART Log Page 02h |
| 8 | IOCTL_STORAGE_QUERY_PROPERTY (NVMe Error) |
NVMe Error Log Page 01h |
| 9 | IOCTL_STORAGE_QUERY_PROPERTY (NVMe Telemetry) |
Capture FTL/L2P mapping snapshots |
IOCTL #9 is particularly noteworthy: it triggers a fresh NVMe controller state snapshot that captures the Flash Translation Layer's logical-to-physical address mappings. This is a post-TRIM recovery technique — if called before garbage collection completes, it can reveal where "deleted" data still physically resides on NAND flash. This capability exists in almost no open-source tooling.
DiskForge was built through human-AI pair programming — a single developer working with Claude as a collaborative engineering partner. Not "AI-generated code" — AI-augmented engineering where human domain knowledge and architectural vision directed every decision, while Claude provided the implementation velocity of an entire team.
PHASE 1: Foundation PHASE 2: Intelligence
━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━━━━━━━━━━━━━━━━
▸ Win32 disk I/O layer ▸ SMART health monitoring
▸ GPT/MBR partition parser ▸ Recovery probability forecast
▸ NTFS MFT scanner ▸ HPA hidden sector detection
▸ FAT cluster chain walker ▸ NVMe telemetry capture
▸ Signature carving engine ▸ $Bitmap cluster mapping
▸ File assembler + integrity ▸ TRIM detection (real IOCTL)
PHASE 3: Interfaces PHASE 4: Polish
━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━━━━━━━━━━━━━━━━
▸ CLI with clap argument parsing ▸ Recycle Bin $I/$R correlation
▸ TUI dashboard (ratatui) ▸ Entropy-based file boundaries
▸ egui desktop GUI ▸ Fragment reordering (Heap's)
▸ Axum web server + REST API ▸ Inner-marker false positive
▸ Embedded SPA (cyberpunk theme) elimination
▸ SSE real-time progress ▸ Memory caps + safety limits
This project demonstrates that the barrier to building professional-grade systems software has fundamentally changed. DiskForge required:
- 912 lines of NTFS MFT parsing with fixup validation and delta-encoded run list decoding
- 1,039 lines of SMART/NVMe hardware telemetry via raw ATA command descriptor blocks
- 367 lines of dual-strategy file carving with Shannon entropy analysis
- 338 lines of compile-time signature database with inner-marker validation
- 151 lines of file-type-specific structural integrity verification
- 118 lines of experimental fragment reordering using Heap's permutation algorithm
- A complete web application with a 5-step wizard, real-time progress streaming, and a cyberpunk dark theme
None of these are "boilerplate." Every module requires deep domain knowledge. The kind of knowledge that used to require hiring five different specialists. AI didn't replace the expertise — it made it accessible to a single developer with the right vision.
| Layer | Technology | Why |
|---|---|---|
| Language | Rust 2021 | Memory safety without GC. unsafe where needed for Win32 FFI. Zero-cost abstractions for byte parsing. |
| Workspace | 4 crates (core, cli, gui, web) |
Clean separation. Ship any combination of interfaces. |
| Win32 API | windows crate 0.58 |
Pure Rust bindings — no C++ FFI layer needed. |
| Web Server | Axum 0.8 + Tokio | Async REST API with spawn_blocking for CPU-bound disk ops. |
| Static Assets | rust-embed 8 |
HTML/CSS/JS baked into the binary. Zero external files. |
| Desktop GUI | egui 0.29 / eframe | Immediate-mode GUI. Cross-compile ready. |
| Terminal UI | ratatui 0.29 + crossterm | Full TUI dashboard with progress bars. |
| Hashing | SHA-256 + CRC32 | Post-reconstruction integrity verification. |
| Concurrency | rayon + crossbeam | Data-parallel scanning with work-stealing. |
diskforge/
├── Cargo.toml # Workspace root (4 member crates)
├── Cargo.lock # Reproducible builds
│
├── core/ # THE ENGINE (heart of the project)
│ └── src/
│ ├── lib.rs # Orchestrator: scan() + reconstruct()
│ ├── types.rs # 390 lines of domain types
│ ├── errors.rs # Rich error types with context
│ ├── fs_parse/ # Filesystem parsers
│ │ ├── ntfs.rs # 913 lines — MFT, $Bitmap, run lists
│ │ ├── fat.rs # FAT12/16/32 cluster chains
│ │ ├── exfat.rs # exFAT support
│ │ └── gpt_mbr.rs # Partition table parser
│ ├── scanner/ # File discovery
│ │ ├── carver.rs # Header/footer + entropy carving
│ │ ├── signature_db.rs # 20+ file signatures
│ │ ├── raw_reader.rs # Sector-aligned I/O
│ │ └── scheduler.rs # Multi-threaded scan scheduling
│ ├── reconstruct/ # File reassembly
│ │ ├── assembler.rs # Data run → file + SHA-256
│ │ ├── integrity.rs # Structural validation
│ │ ├── fragment_solver.rs # Experimental reordering
│ │ └── dedup.rs # Result deduplication
│ └── win_io/ # Windows hardware layer
│ ├── physical_disk.rs # CreateFileW raw disk reader
│ ├── drive_detect.rs # Drive enumeration + properties
│ ├── smart.rs # 1,039 lines — SMART + NVMe telemetry
│ └── privilege.rs # Admin elevation check
│
├── cli/ # Command-line + TUI interface
├── gui/ # egui desktop application
├── web/ # Axum web server + embedded SPA
│ ├── src/ # REST API + SSE handlers
│ └── static/ # Cyberpunk web dashboard
│ ├── index.html # 5-step recovery wizard
│ ├── css/style.css # Dark neon theme (862 lines)
│ └── js/ # SPA application logic
│
└── tests/ # Test suite
- Windows 10/11
- Rust toolchain (stable)
- Administrator privileges (required for raw disk access)
# Clone
git clone https://github.com/salvation06/diskforge.git
cd diskforge
# Build all crates (release mode for real scanning performance)
cargo build --release
# Option 1: Web Dashboard (recommended)
# Run as Administrator, then open http://localhost:3000
.\target\release\diskforge-web.exe
# Option 2: CLI
.\target\release\diskforge-cli.exe scan --drive \\.\PhysicalDrive1 --output C:\Recovery
# Option 3: Drive Health Report
.\target\release\diskforge-cli.exe health --drive \\.\PhysicalDrive0- NEVER write recovered files to the same drive you're scanning
- DiskForge performs read-only operations on the source drive
- Always run as Administrator — raw
\\.\PhysicalDriveaccess requires elevation - SSD drives with TRIM enabled will have reduced recovery rates (DiskForge warns you)
| Metric | Value |
|---|---|
| Total source lines | ~7,900 |
| Rust crates | 4 (core, cli, gui, web) |
| File signatures | 20+ with inner-marker validation |
| Windows IOCTL calls | 9 distinct |
| Filesystem parsers | 5 (NTFS, FAT12/16/32, exFAT, GPT, MBR) |
| Recovery strategies | 6 (DirectCopy, MFT Resurrect, SmartCarve, PartialSalvage, RecycleBin, ExperimentalReorder) |
| User interfaces | 3 (CLI/TUI, Desktop GUI, Web) |
| External runtime deps | 0 (everything compiles to static binaries) |
| Cloud services required | 0 |
| Database required | 0 |
-
It's real. This isn't a prototype or a mock-up. DiskForge compiles, opens physical drives, reads raw sectors, parses NTFS metadata, carves files, and reconstructs them — on real hardware.
-
It's impossible. The combination of ATA command construction, NTFS delta-encoded run list parsing, NVMe telemetry capture, and three full user interfaces has never been built at a hackathon before. The commercial equivalents took teams of 10-30 engineers over a decade.
-
It's the future. A single developer with AI built what used to require an entire engineering organization. DiskForge is proof that the barrier to building professional-grade systems software has been permanently lowered.
-
It solves a real problem. Data loss affects millions of people. Professional recovery tools cost thousands. DiskForge is free, open-source, and runs locally with zero cloud dependency.
-
It goes deeper than anyone expects. NVMe telemetry L2P snapshot capture. NTFS $Bitmap-guided carving. Recycle Bin $I/$R file correlation with original path recovery. Experimental fragment reordering using Heap's algorithm. Shannon entropy boundary detection. This isn't surface-level work — it's research-grade digital forensics.
Built with human vision and AI velocity.
DiskForge — because your data deserves a second chance.
