From 45a1142937ea082658d2b1184f74ac88c7e9ef9e Mon Sep 17 00:00:00 2001
From: Colin <140967500+co1inn@users.noreply.github.com>
Date: Fri, 23 Jan 2026 12:10:51 -0500
Subject: [PATCH 1/8] Add FileTime struct and parse_filetime function

---
 scripts/inspectors/filetime.hexpat | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 scripts/inspectors/filetime.hexpat

diff --git a/scripts/inspectors/filetime.hexpat b/scripts/inspectors/filetime.hexpat
new file mode 100644
index 0000000..578370d
--- /dev/null
+++ b/scripts/inspectors/filetime.hexpat
@@ -0,0 +1,21 @@
+import std.time;
+import type.time;
+
+struct FileTime {
+ u64 value;
+} [[format_read("parse_filetime")]];
+
+fn parse_filetime(FileTime raw_ft) {
+ // Convert raw FILETIME to Unix time
+ u64 unix_time = type::impl::format_filetime_as_unix(raw_ft.value);
+
+ // Convert Unix time to structured UTC time
+ std::time::Time ts = std::time::to_utc(unix_time);
+
+ // Format as string
+ str formatted = std::time::format(ts, "%Y-%m-%d %H:%M:%S");
+
+ return formatted;
+};
+
+FileTime ftime @ $ [[name("File Time")]];
From 560e59d3a48bd62e51df9a09c4da4014c3300c0e Mon Sep 17 00:00:00 2001
From: RedHare-Exe
Date: Fri, 23 Jan 2026 12:46:28 -0500
Subject: [PATCH 2/8] added credit to F01TECH

---
 scripts/inspectors/filetime.hexpat | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/inspectors/filetime.hexpat b/scripts/inspectors/filetime.hexpat
index 578370d..093dfcd 100644
--- a/scripts/inspectors/filetime.hexpat
+++ b/scripts/inspectors/filetime.hexpat
@@ -1,3 +1,9 @@
+// Much of this is based on https://github.com/F01TECH/ImHex-DFIR-Patterns,
+// specifically
+// https://github.com/F01TECH/ImHex-DFIR-Patterns/blob/main/DFIR/NTFS.hexpat.
+// Credit to F01TECH for the original code: it was just turned into a data
+// inspector.
+
 import std.time;
 import type.time;
From 4ba6567939b11443b3b1514645a176f01e4fe8fb Mon Sep 17 00:00:00 2001
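Review bot: `parse_filetime` pushes every value through `format_filetime_as_unix` with no special case, so an all-zero FILETIME — the usual "not set" marker in on-disk structures — comes out as a date (1601 if the helper handles it, a wrapped value if it does unsigned subtraction; the helper is not visible here) and an analyst cannot tell "unset" from a real timestamp; a guard such as `if (raw_ft.value == 0) { return "not set"; }` ahead of the conversion keeps that distinction. The format string `"%Y-%m-%d %H:%M:%S"` also drops the 100 ns fraction the field carries and gives no time-zone marker, both of which matter once the value is copied into a timeline; `"%Y-%m-%d %H:%M:%S UTC"` plus the raw tick count is the minimum I would show. The same function is copied into patterns/ifile.hexpat in PATCH 3/8, where both points apply unchanged.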
From: RedHare-Exe
Date: Fri, 23 Jan 2026 16:36:10 -0500
Subject: [PATCH 3/8] add $I file parser

---
 patterns/ifile.hexpat | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 patterns/ifile.hexpat

diff --git a/patterns/ifile.hexpat b/patterns/ifile.hexpat
new file mode 100644
index 0000000..6790a5e
--- /dev/null
+++ b/patterns/ifile.hexpat
@@ -0,0 +1,32 @@
+#pragma author RedHare-Exe
+#pragma description Windows Recycling Bin $I file
+#pragma magic [ 02 00 00 00 00 00 00 00 ] @ 0x00
+
+import std.time;
+import type.time;
+import std.string;
+
+using NullString16 = std::string::NullString16;
+
+struct DelTime {
+ u64 raw;
+} [[format_read("parse_filetime")]];
+
+fn parse_filetime(DelTime raw_ft) {
+ // Convert raw FILETIME to Unix time
+ u64 unix_time = type::impl::format_filetime_as_unix(raw_ft.raw);
+
+ // Convert Unix time to structured UTC time
+ std::time::Time ts = std::time::to_utc(unix_time);
+
+ // Format as string
+ str formatted = std::time::format(ts, "%Y-%m-%d %H:%M:%S");
+
+ return formatted;
+};
+
+u64 Version @ 0x00;
+u64 Size @ 0x08;
+DelTime DelTime @ 0x10 [[name("Deleted Time")]];
+u32 NameSize @ 0x18 [[name("Size of Path in Characters")]];
+NullString16 Path @ 0x1C;
\ No newline at end of file
From 90dd016be362648252066e353f2f0fa2fc7f3187 Mon Sep 17 00:00:00 2001
From: RedHare-Exe
Date: Fri, 23 Jan 2026 16:45:33 -0500
Subject: [PATCH 4/8] updated to look more like a normal pattern file

---
 patterns/ifile.hexpat | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/patterns/ifile.hexpat b/patterns/ifile.hexpat
index 6790a5e..36da3c4 100644
--- a/patterns/ifile.hexpat
+++ b/patterns/ifile.hexpat
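Review bot: `Path` is read as a `NullString16` and `NameSize` is never consulted, so a record whose path lacks a terminator — truncated or deliberately malformed $I files do turn up in evidence — is read onward until some NUL happens to appear, and a `NameSize` that disagrees with the actual string is never noticed; `char16 Path[NameSize];` bounds the read by the length the record itself states (the count appears to include the terminator, going by how the format is usually described — worth confirming). The `#pragma magic` pins the 8-byte value 2 at offset 0, which only steers auto-detection; when the pattern is applied by hand to a file with a different `Version` the fixed offsets 0x18 and 0x1C are still used, so comparing `Version` against 2 before reading them would turn a mismatch into an error instead of a silently wrong path.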
@@ -25,8 +25,12 @@ fn parse_filetime(DelTime raw_ft) {
 return formatted;
 };
-u64 Version @ 0x00;
-u64 Size @ 0x08;
-DelTime DelTime @ 0x10 [[name("Deleted Time")]];
-u32 NameSize @ 0x18 [[name("Size of Path in Characters")]];
-NullString16 Path @ 0x1C;
\ No newline at end of file
+struct IFile {
+ u64 Version;
+ u64 Size;
+ DelTime DelTime [[name("Deleted Time")]];
+ u32 NameSize [[name("Size of Path in Characters")]];
+ NullString16 Path;
+};
+
+IFile IFile @ 0x00;
\ No newline at end of file
From 1fd7c1a221532bafc0ac669b9dd7281c9050e2b4 Mon Sep 17 00:00:00 2001
From: Colin <140967500+co1inn@users.noreply.github.com>
Date: Sat, 24 Jan 2026 02:25:27 -0500
Subject: [PATCH 5/8] Add MBR Pattern

---
 patterns/mbr.hexpat | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 patterns/mbr.hexpat

diff --git a/patterns/mbr.hexpat b/patterns/mbr.hexpat
new file mode 100644
index 0000000..f3000fb
--- /dev/null
+++ b/patterns/mbr.hexpat
@@ -0,0 +1,33 @@
+#pragma author co1inn
+#pragma description MBR Partitioning Scheme
+
+fn chs_calculator(u24 addr) {
+ u8 byte_0 = (addr >> 16) & 0xFF;
+ u8 byte_1 = (addr >> 8) & 0xFF;
+ u16 byte_2 = addr & 0xFF;
+
+ u8 bits = (byte_1 & 0b11000000) >> 6;
+ byte_1 = byte_1 & 0b00111111;
+ byte_2 = (bits << 8) | byte_2;
+
+ return (byte_0 << 16) | (byte_1 << 10) | byte_2;
+};
+
+struct partition_table {
+ u8 boot_flag [[name("Boot Flag")]];
+ u24 start_chs [[name("Starting CHS Address")]];
+ u8 partition_type [[name("Partition Type")]];
+ u24 end_chs [[name("Ending CHS Address"), format("chs_calculator")]];
+ u32 start_lb [[name("Starting LBA")]];
+ u32 size_sectors [[name("Size in Sectors")]];
+};
+
+struct MBR {
+ u8 bootloader[0x1BE] [[name("Boot Loader")]];
+ partition_table part_1 [[name("First Partition")]];
+ partition_table part_2 [[name("Second Partition")]];
+ partition_table part_3 [[name("Third Partition")]];
+ partition_table part_4 [[name("Fourth Partition")]];
+};
+
+MBR MBR @ 0x00;
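Review bot: `DelTime DelTime [[name("Deleted Time")]];` and `IFile IFile @ 0x00;` use the type name as the variable name, which reads like a typo and is confusing for anyone referencing the placed value later; `DelTime deleted_time [[name("Deleted Time")]];` and `IFile ifile @ 0x00;` keep type and instance apart. With `Version` now the first member of `IFile`, it is also the natural place for a guard such as `if (Version != 2) { std::error("unsupported $I version"); }` (`std::error` comes from `std.io`) before the variable-length fields, since the rest of the layout is only meaningful for the version the magic pragma selects. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows. The enclosing `parse_filetime` that the hunk header names starts outside this hunk.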
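Review bot: `struct MBR` stops after `part_4`, which ends at offset 0x1FE, and never reads the two-byte boot signature that follows (0x55AA on a valid sector); that signature is the first sanity check anyone triaging a suspect boot sector wants to see, so add `u16 signature [[name("Boot Signature")]];` after `part_4`. The 0x1BE-byte `bootloader` blob also swallows the 4-byte disk signature at 0x1B8 and the two bytes after it; splitting it as `u8 bootstrap[0x1B8]; u32 disk_signature [[name("Disk Signature")]]; u16 reserved;` keeps the volume identifier visible without changing the total size. `chs_calculator` returns the decoded fields re-packed into one integer, so the `format` attribute on `end_chs` displays an opaque number rather than cylinder/head/sector; a string built with `std::format` (needs `import std.io;`) would be readable, and the same applies to the rewritten function in PATCH 6/8.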
From bd456319641da06861ff82ac92e81738c1124d06 Mon Sep 17 00:00:00 2001
From: Colin <140967500+co1inn@users.noreply.github.com>
Date: Sat, 24 Jan 2026 12:45:49 -0500
Subject: [PATCH 6/8] Fixed Endian Issue

---
 patterns/mbr.hexpat | 31 ++++++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/patterns/mbr.hexpat b/patterns/mbr.hexpat
index f3000fb..d0a9646 100644
--- a/patterns/mbr.hexpat
+++ b/patterns/mbr.hexpat
@@ -1,18 +1,39 @@
 #pragma author co1inn
 #pragma description MBR Partitioning Scheme
+#pragma author co1inn
+#pragma description MBR Partitioning Scheme
+
 fn chs_calculator(u24 addr) {
- u8 byte_0 = (addr >> 16) & 0xFF;
+ u8 byte_0 = addr & 0xFF;
 u8 byte_1 = (addr >> 8) & 0xFF;
- u16 byte_2 = addr & 0xFF;
+ u16 byte_2 = (addr >> 16) & 0xFF;
- u8 bits = (byte_1 & 0b11000000) >> 6;
+ byte_2 = ((byte_1 & 0b11000000) << 2) | byte_2;
 byte_1 = byte_1 & 0b00111111;
- byte_2 = (bits << 8) | byte_2;
- return (byte_0 << 16) | (byte_1 << 10) | byte_2;
+ return byte_0 | (byte_1 << 8) | (byte_2 << 16);
+};
+
+struct partition_table {
+ u8 boot_flag [[name("Boot Flag")]];
+ u24 start_chs [[name("Starting CHS Address"), format("chs_calculator")]];
+ u8 partition_type [[name("Partition Type")]];
+ u24 end_chs [[name("Ending CHS Address"), format("chs_calculator")]];
+ u32 start_lb [[name("Starting LBA")]];
+ u32 size_sectors [[name("Size in Sectors")]];
 };
+struct MBR {
+ u8 bootloader[0x1BE] [[name("Boot Loader")]];
+ partition_table part_1 [[name("First Partition")]];
+ partition_table part_2 [[name("Second Partition")]];
+ partition_table part_3 [[name("Third Partition")]];
+ partition_table part_4 [[name("Fourth Partition")]];
+};
+
+MBR MBR @ 0x00;
+
 struct partition_table {
 u8 boot_flag [[name("Boot Flag")]];
 u24 start_chs [[name("Starting CHS Address")]];
From d2d2dda5a876bd4b4cc6608cd0408c7269e2361e Mon Sep 17 00:00:00 2001
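Review bot: The reordered extraction in `chs_calculator` is consistent with a little-endian `u24` read, but nothing in the hunk says what the three bytes are, and the names `byte_0`/`byte_1`/`byte_2` stop being accurate once `byte_2` has absorbed the two high cylinder bits; a comment above the first assignment such as `// CHS entry, little-endian u24: byte 0 = head, byte 1 = sector (bits 0-5) + cylinder bits 8-9 (bits 6-7), byte 2 = cylinder bits 0-7` and renaming the locals to `head`, `sector` and `cylinder` would let the next reader verify the shifts without redoing the derivation. The `(byte_1 & 0b11000000) << 2` step is the line most likely to be "corrected" wrongly later, so it is the one that most needs that comment.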
From: Colin <140967500+co1inn@users.noreply.github.com>
Date: Sat, 24 Jan 2026 12:46:41 -0500
Subject: [PATCH 7/8] Remove duplicate pragmas from mbr.hexpat

Removed duplicate author and description pragmas.
---
 patterns/mbr.hexpat | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/patterns/mbr.hexpat b/patterns/mbr.hexpat
index d0a9646..da00851 100644
--- a/patterns/mbr.hexpat
+++ b/patterns/mbr.hexpat
@@ -1,9 +1,6 @@
 #pragma author co1inn
 #pragma description MBR Partitioning Scheme
-#pragma author co1inn
-#pragma description MBR Partitioning Scheme
-
 fn chs_calculator(u24 addr) {
 u8 byte_0 = addr & 0xFF;
 u8 byte_1 = (addr >> 8) & 0xFF;
From ba03a911a4c3eebe8fe0cb1b123ad2c85cea62e1 Mon Sep 17 00:00:00 2001
From: Colin <140967500+co1inn@users.noreply.github.com>
Date: Sun, 25 Jan 2026 15:27:16 -0500
Subject: [PATCH 8/8] Removed duplicate structs

Probably not best to copy and paste changes straight into Github from the pattern editor
---
 patterns/mbr.hexpat | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/patterns/mbr.hexpat b/patterns/mbr.hexpat
index da00851..61ae999 100644
--- a/patterns/mbr.hexpat
+++ b/patterns/mbr.hexpat
@@ -30,22 +30,3 @@ struct MBR {
 };
 MBR MBR @ 0x00;
-
-struct partition_table {
- u8 boot_flag [[name("Boot Flag")]];
- u24 start_chs [[name("Starting CHS Address")]];
- u8 partition_type [[name("Partition Type")]];
- u24 end_chs [[name("Ending CHS Address"), format("chs_calculator")]];
- u32 start_lb [[name("Starting LBA")]];
- u32 size_sectors [[name("Size in Sectors")]];
-};
-
-struct MBR {
- u8 bootloader[0x1BE] [[name("Boot Loader")]];
- partition_table part_1 [[name("First Partition")]];
- partition_table part_2 [[name("Second Partition")]];
- partition_table part_3 [[name("Third Partition")]];
- partition_table part_4 [[name("Fourth Partition")]];
-};
-
-MBR MBR @ 0x00;