RedHare-Exe · co1inn · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/patterns/ifile.hexpat b/patterns/ifile.hexpat
@@ -0,0 +1,36 @@
+#pragma author RedHare-Exe
+#pragma description Windows Recycling Bin $I file
+#pragma magic [ 02 00 00 00 00 00 00 00 ] @ 0x00
+
+import std.time;
+import type.time;
+import std.string;
+
+using NullString16 = std::string::NullString16;
+
+struct DelTime {
+    u64 raw;
+} [[format_read("parse_filetime")]];
+
+fn parse_filetime(DelTime raw_ft) {
+    // Convert raw FILETIME to Unix time
+    u64 unix_time = type::impl::format_filetime_as_unix(raw_ft.raw);
+
+    // Convert Unix time to structured UTC time
+    std::time::Time ts = std::time::to_utc(unix_time);
+
+    // Format as string
+    str formatted = std::time::format(ts, "%Y-%m-%d %H:%M:%S");
+
+    return formatted;
+};
+
+struct IFile {
+    u64 Version;
+    u64 Size;
+    DelTime DelTime [[name("Deleted Time")]];
+    u32 NameSize [[name("Size of Path in Characters")]];
+    NullString16 Path;
+};
+
+IFile IFile @ 0x00;
diff --git a/patterns/mbr.hexpat b/patterns/mbr.hexpat
@@ -0,0 +1,32 @@
+#pragma author co1inn
+#pragma description MBR Partitioning Scheme
+
+fn chs_calculator(u24 addr) {
+    u8 byte_0 = addr & 0xFF;
+    u8 byte_1 = (addr >> 8) & 0xFF;
+    u16 byte_2 = (addr >> 16) & 0xFF;
+
+    byte_2 = ((byte_1 & 0b11000000) << 2) | byte_2;
+    byte_1 = byte_1 & 0b00111111;
+
+    return byte_0 | (byte_1 << 8) | (byte_2 << 16);
+};
+
+struct partition_table {
+    u8 boot_flag [[name("Boot Flag")]];
+    u24 start_chs [[name("Starting CHS Address"), format("chs_calculator")]];
+    u8 partition_type [[name("Partition Type")]];
+    u24 end_chs [[name("Ending CHS Address"), format("chs_calculator")]];
+    u32 start_lb [[name("Starting LBA")]];
+    u32 size_sectors [[name("Size in Sectors")]];
+};
+
+struct MBR {
+   u8 bootloader[0x1BE] [[name("Boot Loader")]];
+   partition_table part_1 [[name("First Partition")]];
+   partition_table part_2 [[name("Second Partition")]];
+   partition_table part_3 [[name("Third Partition")]];
+   partition_table part_4 [[name("Fourth Partition")]];
+};
+
+MBR MBR @ 0x00;
diff --git a/scripts/inspectors/filetime.hexpat b/scripts/inspectors/filetime.hexpat
@@ -0,0 +1,27 @@
+// Much of this is based on https://github.com/F01TECH/ImHex-DFIR-Patterns,
+// specifically 
+// https://github.com/F01TECH/ImHex-DFIR-Patterns/blob/main/DFIR/NTFS.hexpat.
+// Credit to F01TECH for the original code: it was just turned into a data 
+// inspector.
+
+import std.time;
+import type.time;
+
+struct FileTime {
+    u64 value;
+} [[format_read("parse_filetime")]];
+
+fn parse_filetime(FileTime raw_ft) {
+    // Convert raw FILETIME to Unix time
+    u64 unix_time = type::impl::format_filetime_as_unix(raw_ft.value);
+
+    // Convert Unix time to structured UTC time
+    std::time::Time ts = std::time::to_utc(unix_time);
+
+    // Format as string
+    str formatted = std::time::format(ts, "%Y-%m-%d %H:%M:%S");
+
+    return formatted;
+};
+
+FileTime ftime @ $ [[name("File Time")]];