Apple Partition Map (APM) detection.
Apple hybrid optical discs carry an Apple Partition Map so a Mac sees the
disc’s partitions (typically an Apple_HFS slice alongside the ISO 9660
filesystem). The layout (Inside Macintosh: Devices) is big-endian, in
fixed-size device blocks: block 0 is the Driver Descriptor Map (signature
ER, carrying the block size), and blocks 1.. are partition entries
(signature PM), the first of which reports how many entries the map holds.
This module reads the map for detection and partition geometry (name,
type, start block, block count). Validated against a real hdiutil APM.
For forensic anomaly detection (overlaps, out-of-bounds, map-count
inconsistency, residual/hidden entries) see analyse and the
findings module.
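The layout described above, read by a short added example (not this crate's code). `Entry`, `read_apm` and `sample_image` are hypothetical names, the field offsets are the classic Inside Macintosh positions rather than values stated on this page, and the sample image is constructed.

```rust
// Added example, not the crate's implementation; every integer is big-endian.
#[derive(Debug, PartialEq)]
struct Entry { name: String, kind: String, start: u32, blocks: u32 }

fn be32(b: &[u8], o: usize) -> Option<u32> {
    b.get(o..o + 4).map(|s| u32::from_be_bytes([s[0], s[1], s[2], s[3]]))
}
fn cstr(b: &[u8]) -> String {
    let end = b.iter().position(|&c| c == 0).unwrap_or(b.len());
    String::from_utf8_lossy(&b[..end]).into_owned()
}

/// Returns (block size, entries); None on a bad signature or short buffer.
fn read_apm(img: &[u8]) -> Option<(usize, Vec<Entry>)> {
    if img.get(0..2)? != b"ER" { return None; } // block 0: Driver Descriptor Map
    let bs = u16::from_be_bytes([*img.get(2)?, *img.get(3)?]) as usize; // sbBlkSize
    if bs < 80 { return None; } // the entry fields read below span 80 bytes
    let (mut count, mut i, mut out) = (1usize, 1usize, Vec::new());
    while i <= count {
        let off = i.checked_mul(bs)?;
        let e = img.get(off..)?.get(..bs)?; // untrusted count cannot read past the buffer
        if &e[0..2] != b"PM" { return None; }
        if i == 1 { count = be32(e, 4)? as usize; } // pmMapBlkCnt from the first entry
        out.push(Entry { name: cstr(&e[16..48]), kind: cstr(&e[48..80]),
                         start: be32(e, 8)?, blocks: be32(e, 12)? });
        i += 1;
    }
    Some((bs, out))
}

/// Constructed sample: 512-byte blocks, a DDM and a two-entry map.
fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 512 * 3];
    img[..4].copy_from_slice(&[b'E', b'R', 0x02, 0x00]); // "ER", block size 512
    let parts = [("Apple", "Apple_partition_map", 1u32, 2u32), ("disc", "Apple_HFS", 64, 1000)];
    for (i, (name, kind, start, blocks)) in parts.iter().enumerate() {
        let e = &mut img[512 * (i + 1)..512 * (i + 2)];
        e[..2].copy_from_slice(b"PM");
        e[4..8].copy_from_slice(&2u32.to_be_bytes()); // map holds two entries
        e[8..12].copy_from_slice(&start.to_be_bytes());
        e[12..16].copy_from_slice(&blocks.to_be_bytes());
        e[16..16 + name.len()].copy_from_slice(name.as_bytes());
        e[48..48 + kind.len()].copy_from_slice(kind.as_bytes());
    }
    img
}

fn main() {
    println!("{:?}", read_apm(&sample_image()));
}
```

The entry count comes from the image itself, so the loop bounds every block read against the buffer instead of trusting it.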
Re-exports
pub use findings::Anomaly;
pub use findings::AnomalyKind;
pub use findings::ApmAnalysis;
Modules
- findings
- Forensic finding types for Apple Partition Map analysis.
Structs
- ApmPartition
- One Apple Partition Map entry.
- ApplePartitionMap
- A parsed Apple Partition Map.
Enums
- Error
- Crate-level error type. (Manual impl — no thiserror dependency.)
- Severity
- The canonical 5-level severity scale, shared across every SecurityRonin
analyzer via forensicnomicon::report. Severity of a forensic finding
(Info < Low < Medium < High < Critical).
Functions
- analyse
- Perform a full forensic analysis of an Apple Partition Map.
- analyse_reader
- Analyse an Apple Partition Map read from a seekable image.
- parse
- Parse an Apple Partition Map from a buffer beginning at the device start
(block 0 = Driver Descriptor Map). Returns None without the ER/PM
signatures or if the buffer is too short.