ntfs-forensic is designed to parse untrusted NTFS images — including disk
images acquired from compromised or actively hostile systems. Hostile input is
the expected case, not an edge case. Robustness against crafted structures is a
core design goal, and we take reports of crashes, hangs, or memory-safety issues
seriously.
| Version | Supported |
|---|---|
| 0.1.x | ✅ — current release line, receives security fixes |
| < 0.1 | ❌ — pre-release, unsupported |
Security fixes are released against the latest published 0.1.x line.
Do not open a public GitHub issue for a security vulnerability.
Report privately, by either:
- GitHub Security Advisories — open a private advisory on the
  ntfs-forensic repository, or
- Email — albert@securityronin.com.
Please include:
- the affected version and target triple,
- a minimal reproducing NTFS image or byte buffer (a fuzz corpus entry is ideal),
- the observed behaviour (panic, hang, excessive allocation, mis-parse) and the expected behaviour.
We aim to acknowledge a report within a few business days and to coordinate disclosure once a fix is available.
ntfs-forensic is hardened against adversarial input by construction:
- `#![forbid(unsafe_code)]` across the whole crate — no `unsafe`, anywhere.
- No panics on malicious input — every length and offset is validated against both the structure's declared size and the actual buffer; arithmetic is checked or saturating.
- Bounded allocations — `try_reserve_exact` and explicit ceilings refuse allocation bombs (e.g. a crafted runlist or LZNT1 stream).
- Loop caps — attribute chains, runlists, and index entries are bounded against non-terminating walks.
- Fixup verification — torn writes and update-sequence-array tampering surface as a typed `FixupMismatch` error rather than silently-wrong output.
- Partition isolation — `OffsetReader` makes reading past the volume boundary structurally impossible.
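As an added illustration of the "no panics" and "fixup verification" points above (example code written for this page, not ntfs-forensic's own implementation; the `FixupError` type, `apply_fixup` and the constructed `sample_record` are assumptions), here is an update-sequence fixup for a FILE record where every offset read from the record is checked against the real buffer and every inconsistency becomes a typed error:

```rust
/// Typed outcome of fixup verification; never a panic. (Hypothetical type.)
#[derive(Debug, PartialEq)]
pub enum FixupError {
    Truncated,                  // header or USA lies outside the buffer
    BadUsaCount,                // usa_count disagrees with the record length
    Mismatch { sector: usize }, // sector tail != update sequence number
}
const SECTOR: usize = 512;
/// Little-endian u16 read that returns None instead of indexing out of bounds.
fn u16_at(buf: &[u8], off: usize) -> Option<u16> {
    let b = buf.get(off..off.checked_add(2)?)?;
    Some(u16::from_le_bytes([b[0], b[1]]))
}
/// Verify the update sequence array (USA) of a FILE record and restore the
/// original sector tails in place. All offsets come from attacker bytes.
pub fn apply_fixup(rec: &mut [u8]) -> Result<(), FixupError> {
    let usa_off = u16_at(rec, 4).ok_or(FixupError::Truncated)? as usize;
    let usa_cnt = u16_at(rec, 6).ok_or(FixupError::Truncated)? as usize;
    // usa_count includes the USN itself, then one saved word per sector.
    let sectors = usa_cnt.checked_sub(1).ok_or(FixupError::BadUsaCount)?;
    if sectors == 0 || sectors.checked_mul(SECTOR) != Some(rec.len()) {
        return Err(FixupError::BadUsaCount);
    }
    // The whole USA must sit inside the first sector, before its tail.
    if usa_off.checked_add(usa_cnt * 2).map_or(true, |e| e > SECTOR - 2) {
        return Err(FixupError::Truncated);
    }
    let usn = u16_at(rec, usa_off).ok_or(FixupError::Truncated)?;
    for s in 0..sectors {
        let tail = s * SECTOR + SECTOR - 2; // in range: sectors * SECTOR == rec.len()
        let orig = u16_at(rec, usa_off + 2 * (s + 1)).ok_or(FixupError::Truncated)?;
        if u16_at(rec, tail) != Some(usn) {
            return Err(FixupError::Mismatch { sector: s }); // torn write / tampering
        }
        rec[tail..tail + 2].copy_from_slice(&orig.to_le_bytes());
    }
    Ok(())
}
/// Constructed two-sector record: USA at offset 48, USN 0x0001, saved tails
/// 0xAAAA and 0xBBBB, both sector tails stamped with the USN.
pub fn sample_record() -> Vec<u8> {
    let mut r = vec![0u8; 2 * SECTOR];
    r[4..6].copy_from_slice(&48u16.to_le_bytes());
    r[6..8].copy_from_slice(&3u16.to_le_bytes());
    r[48..54].copy_from_slice(&[0x01, 0x00, 0xAA, 0xAA, 0xBB, 0xBB]);
    r[510..512].copy_from_slice(&[0x01, 0x00]);
    r[1022..1024].copy_from_slice(&[0x01, 0x00]);
    r
}
```

A crafted `usa_offset` or `usa_count`, a truncated record, or a tampered sector tail each map to a distinct variant instead of an out-of-bounds index.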
Continuous fuzzing with cargo-fuzz
backs the hardening above. Seven targets cover the parsers that consume
attacker-controlled bytes:
| Target | Surface |
|---|---|
| `boot` | boot sector / BPB |
| `record` | FILE record header + fixup |
| `attributes` | attribute chain walking |
| `attribute_list` | $ATTRIBUTE_LIST extension records |
| `runlist` | data-run (VCN→LCN) decoding |
| `compress` | LZNT1 decompression |
| `index_buffer` | $INDEX_ROOT / INDX directory buffers |
Panics found by fuzzing (e.g. an LZNT1 chunk-size overflow) are fixed and pinned as regression tests.
For how to run the targets yourself, see CONTRIBUTING.md.