Releases: SecurityRonin/ntfs-forensic

ntfs-forensic v0.1.0

05 Jun 22:58

First release of ntfs-forensic — a from-scratch, panic-hardened NTFS reader for DFIR.

Highlights

  • Volume navigation over any Read + Seek: boot sector, MFT records + update-sequence fixup, resident/non-resident attributes, data runs (sparse + LZNT1), directory indexes ($INDEX_ROOT/INDX), $ATTRIBUTE_LIST, path resolution, file read.
  • Forensic Tier-2: $SI-vs-$FN timestomping detection, alternate data stream enumeration, deleted-record carving, MFT record slack, fixup torn-write/tamper detection.
  • Partition isolation: OffsetReader makes reading past the volume boundary structurally impossible — compose with mbr-forensic / gpt-forensic.
  • Hardened: #![forbid(unsafe_code)], checked arithmetic, bounded allocations, loop caps. Seven cargo-fuzz targets, ~55M executions; the one panic found (an LZNT1 chunk-size overflow) is fixed and pinned as a regression test.
  • Validated: 140 tests with 100% line coverage; the boot parser is cross-checked against The Sleuth Kit's fsstat on a real disk image.

[dependencies]
ntfs-forensic = "0.1"
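
The update-sequence fixup and torn-write/tamper detection listed in the highlights work as shown in this added example, which is not code from ntfs-forensic and does not use its API. It assumes a 512-byte fixup stride and the standard record header layout (array offset at byte 4, entry count at byte 6); every name in it is hypothetical and the sample record is constructed.

```rust
// Added example, not code from the ntfs-forensic crate; all names are hypothetical.
const SECTOR: usize = 512; // assumed fixup stride

#[derive(Debug, PartialEq)]
pub enum FixupError { Truncated, BadArray, TornSector(usize) }

fn u16_at(buf: &[u8], off: usize) -> Option<u16> {
    let b = buf.get(off..off.checked_add(2)?)?;
    Some(u16::from_le_bytes([b[0], b[1]]))
}

/// Verify, then undo, the update-sequence fixup on one record, in place.
pub fn apply_fixup(rec: &mut [u8]) -> Result<(), FixupError> {
    let usa_off = u16_at(rec, 4).ok_or(FixupError::Truncated)? as usize;
    let usa_cnt = u16_at(rec, 6).ok_or(FixupError::Truncated)? as usize;
    let sectors = rec.len() / SECTOR;
    // Entry 0 is the update sequence number (USN); one saved word follows per
    // sector. This example also requires the array to end before the first tail.
    if usa_cnt == 0 || usa_cnt - 1 != sectors || usa_off + 2 * usa_cnt > SECTOR - 2 {
        return Err(FixupError::BadArray);
    }
    let usn = u16_at(rec, usa_off).ok_or(FixupError::Truncated)?;
    // Pass 1: every sector tail must carry the USN. Nothing is modified yet.
    for i in 0..sectors {
        if u16_at(rec, (i + 1) * SECTOR - 2) != Some(usn) {
            return Err(FixupError::TornSector(i)); // torn write or tampering
        }
    }
    // Pass 2: restore the original bytes saved in the array.
    for i in 0..sectors {
        let saved = u16_at(rec, usa_off + 2 * (i + 1)).ok_or(FixupError::Truncated)?;
        let tail = (i + 1) * SECTOR - 2;
        rec[tail..tail + 2].copy_from_slice(&saved.to_le_bytes());
    }
    Ok(())
}

/// Constructed 1024-byte sample: USN 0x0001, saved words 0xAAAA and 0xBBBB.
pub fn sample_record() -> Vec<u8> {
    let mut r = vec![0u8; 1024];
    r[..4].copy_from_slice(b"FILE");
    r[4] = 48; r[6] = 3; // array offset 48; count = USN + two sectors
    r[48..54].copy_from_slice(&[0x01, 0x00, 0xAA, 0xAA, 0xBB, 0xBB]);
    r[510] = 0x01; r[1022] = 0x01; // both sector tails carry the USN
    r
}

fn main() {
    let (mut ok, mut torn) = (sample_record(), sample_record());
    torn[1022] = 0x02; // constructed torn write: stale second sector
    println!("{:?} {:?}", apply_fixup(&mut ok), apply_fixup(&mut torn));
}
```

Checking all sector tails before restoring any bytes means a failed record is left exactly as read, so it can still be preserved as evidence.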

🤖 Generated with Claude Code