Exhume NTFS as a library
This document provides guidance on how to use the exhume_ntfs crate as a library in your Rust projects. You will learn how to integrate the library, its basic usage, and a sample minimalist main code example. Exhume NTFS is also part of Exhume FileSystem.
Install
Create a project:
cargo new ntfs_test
cd ntfs_test/src
📦 Adding Exhume NTFS as a Dependency
To use the exhume_ntfs library in your Rust project, you need to add it as a dependency in your Cargo.toml file. Below is the sections you need to include:
[dependencies]
exhume_body = "=0.2.0"
exhume_ntfs= "=0.1.1"
# Required crates to log events
log = "0.4.25"
env_logger = "0.11.6"
🛠️ Basic Usage
Below is a sample code illustrating how to use exhume_ntfs as a library in a Rust project. This example demonstrates initializing the library, accessing file identifier number 5 metadata and print the associated metadata.
use exhume_body::{Body, BodySlice};
use exhume_ntfs::NTFS;
fn main() {
// Connect our log env
env_logger::Builder::new()
.filter_level(log::LevelFilter::Info)
.init();
// We create an exhume body object to fetch our image.
let body = Body::new(
"/samples/logical_acquired/4orensics.001".to_string(),
"auto",
);
// This is a logically acquired image of the NTFS partition. It starts at offset 0 and have the size of the file.
let offset = 0x0;
let partition_size = 0x629FFFE00 * body.get_sector_size() as u64;
let mut slice = match BodySlice::new(&body, offset, partition_size) {
Ok(sl) => sl,
Err(e) => {
println!("Could not create BodySlice: {}", e);
return;
}
};
let mut filesystem = match NTFS::new(&mut slice) {
Ok(fs) => fs,
Err(e) => {
println!("Couldn't open NTFS: {}", e);
return;
}
};
let file_id = match filesystem.get_file_id(5) {
Ok(file_val) => file_val,
Err(e) => {
println!("Cannot read inode 5: {}", e);
return;
}
};
println!("{}", file_id.to_string());
}