Skip to content

apm-partition-forensic

Read an Apple Partition Map — then grade its structural anomalies into severity-ranked forensic findings.

A read-only APM reader (Driver Descriptor Map + partition entries: name, type, bounds) paired with an anomaly auditor that flags exactly what a forensic examiner looks for: map-count disagreement, overlapping or out-of-bounds partitions, residual (hidden) entries, and unmapped interior regions that could conceal data. Pure Rust, no unsafe.

use apm_forensic::analyse;

let report = analyse(&std::fs::read("disk.img")?)?;
for a in &report.anomalies {
    println!("[{}] {}: {}", a.severity, a.code, a.note);
}
# Ok::<(), apm_forensic::Error>(())

Two crates

Crate Import as Role
apm-partition-core apm Read-only reader: Driver Descriptor Map + partition entries (parse, ApplePartitionMap, ApmPartition)
apm-partition-forensic apm_forensic Anomaly auditor: analyse / analyse_reader → graded Anomaly findings, built on the reader

The forensic crate re-exports the reader's parse, ApplePartitionMap, ApmPartition, and Error, so depending on it alone gives you both layers.

Install

[dependencies]
apm-partition-forensic = "0.4"   # analyzer + re-exported reader
# or, reader only:
apm-partition-core = "0.4"

Forensic anomaly detection

Anomaly Code Severity
Overlapping partitions APM-PART-OVERLAP Critical
Partition out of bounds APM-PART-OOB High
Residual (deleted) entry APM-PART-RESIDUAL High
Missing Apple_partition_map self-entry APM-NO-MAP-ENTRY High
pmMapBlkCnt disagreement APM-MAP-COUNT Medium
Unmapped region (possible hidden data) APM-UNMAPPED Medium
Zero-length partition APM-PART-ZEROLEN Low
Unknown partition type APM-PART-UNKNOWN Info

Each anomaly is an observation ("consistent with …"), never a verdict — the examiner draws the conclusion.

Trust, but verify

These crates parse untrusted, attacker-controllable disk images, so the bar is never panic, never read out of bounds, never trust a length field: panic-free production code (hard deny workspace lints, bounds-checked integer reads, capped entry counts), cargo fuzz targets over both the parse reader and the full analyse pipeline, validation against a real hdiutil-created APM, and unsafe_code = "forbid" across the workspace.

See the project README for the full quick start and capability tables.


Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd