
Crate cfb_forensic


cfb-forensic — forensic carving over OLE Compound File Binary ([MS-CFB]) files.

Happy-path reading — live storages/streams, clean-file metadata (CLSID, FILETIMEs, sizes) — is delegated to the mature cfb crate. This crate adds the carving and anomaly layer cfb deliberately hides: the directory entries, sectors, and slack space a spec-faithful reader skips because they are no longer part of the live tree.

// Bytes of the compound file under examination (load them however suits you).
let bytes: &[u8] = b"...";
// Each anomaly carries a stable scheme-prefixed code and a human-readable note.
for anomaly in cfb_forensic::audit_bytes(bytes) {
    println!("{} — {}", anomaly.code(), anomaly.note());
}

All findings are observations, hedged “consistent with”, never verdicts — the analyst/tribunal concludes. Format constants come from forensicnomicon::olecf; nothing is hardcoded here.

Anomaly classes

  • OLECF-ORPHANED-DIR-ENTRY — a stream/storage directory entry that the live red-black tree no longer reaches: deleted-stream metadata that survived, with name/size/timestamps/start-sector recovered and the stream bytes carved from the still-resident FAT chain.
  • OLECF-FREE-SECTOR-RESIDUE — a FAT/mini-FAT slot marked free whose backing sector still holds non-zero bytes.
  • OLECF-SLACK-RESIDUE — non-zero bytes past a stream’s declared size in its final (mini-)sector.
  • OLECF-STRUCTURE-ANOMALY — a red-black / sibling-cycle / chain-loop / off-file-DIFAT structural violation, or a stream entry whose CLSID / state-bits / FILETIMEs are non-zero ([MS-CFB] §2.6.3 requires them zero) — a tamper tell.
  • OLECF-ROOT-CLSID — provenance: the root/storage CLSID and the create/modify FILETIMEs CFB carries.
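To make the free-sector and slack classes concrete, here is an added, self-contained Rust example that is not the cfb-forensic crate's code and does not use its API: it implements those two checks directly over a constructed 512-byte-sector buffer, using only the [MS-CFB] sector sentinels, and bounds the FAT-chain walk so a looping chain (one of the structure-anomaly cases above) is reported rather than spun on forever. Names such as `Residue`, `free_sector_residue` and `slack_residue` are this example's own; the crate reads its constants from forensicnomicon::olecf and additionally carves orphaned directory entries, which is not shown here.

```rust
use std::collections::HashSet;

// Sector sentinels from [MS-CFB] §2.3 (values are the spec's; the code is an added illustration).
const FREESECT: u32 = 0xFFFF_FFFF; // FAT slot is unallocated
const ENDOFCHAIN: u32 = 0xFFFF_FFFE; // last sector of a chain
const DIFSECT: u32 = 0xFFFF_FFFC; // lowest sentinel; DIFSECT/FATSECT/ENDOFCHAIN/FREESECT lie at or above it

/// What the checks report; hypothetical names that mirror the page's anomaly classes.
#[derive(Debug, Clone, PartialEq)]
pub enum Residue {
    /// OLECF-FREE-SECTOR-RESIDUE: a FREESECT slot whose backing sector is not all zero.
    FreeSector { sector: u32, nonzero_bytes: usize },
    /// OLECF-SLACK-RESIDUE: non-zero bytes past the declared size in the stream's final sector.
    Slack { last_sector: u32, declared_size: u64, nonzero_bytes: usize },
    /// Chain walk hit a loop, a sentinel where a data sector was expected, or an out-of-range index.
    BrokenChain { at_sector: u32 },
}

/// Sector `n` lives at file offset (n + 1) * sector_size: the header occupies the first sector
/// for both the 512- and 4096-byte layouts. Returns None instead of panicking on a short file.
fn sector(file: &[u8], sector_size: usize, n: u32) -> Option<&[u8]> {
    let start = (n as usize).checked_add(1)?.checked_mul(sector_size)?;
    let end = start.checked_add(sector_size)?;
    file.get(start..end)
}

fn nonzero(bytes: &[u8]) -> usize {
    bytes.iter().filter(|&&b| b != 0).count()
}

/// Every FAT slot marked FREESECT whose sector still holds non-zero bytes.
pub fn free_sector_residue(file: &[u8], sector_size: usize, fat: &[u32]) -> Vec<Residue> {
    fat.iter()
        .enumerate()
        .filter(|(_, slot)| **slot == FREESECT)
        .filter_map(|(i, _)| {
            let n = i as u32;
            let nz = nonzero(sector(file, sector_size, n)?);
            (nz > 0).then(|| Residue::FreeSector { sector: n, nonzero_bytes: nz })
        })
        .collect()
}

/// Follow a FAT chain from `start`. The `seen` set bounds the walk so a hostile FAT cannot loop.
pub fn walk_chain(fat: &[u32], start: u32) -> Result<Vec<u32>, Residue> {
    let mut seen = HashSet::new();
    let mut chain = Vec::new();
    let mut cur = start;
    while cur != ENDOFCHAIN {
        let in_range = cur < DIFSECT && (cur as usize) < fat.len();
        if !in_range || !seen.insert(cur) {
            return Err(Residue::BrokenChain { at_sector: cur });
        }
        chain.push(cur);
        cur = fat[cur as usize];
    }
    Ok(chain)
}

/// Non-zero bytes after `declared_size` in the final sector of the chain starting at `start`.
pub fn slack_residue(
    file: &[u8],
    sector_size: usize,
    fat: &[u32],
    start: u32,
    declared_size: u64,
) -> Result<Option<Residue>, Residue> {
    let chain = walk_chain(fat, start)?;
    let last = match chain.last() {
        Some(&l) => l,
        None => return Ok(None),
    };
    // Bytes of the final sector the stream actually claims. A declared size larger than the
    // chain holds (a truncated stream) or an exact multiple of the sector size leaves no slack.
    let before_last = (chain.len() as u64 - 1) * sector_size as u64;
    let used = declared_size.saturating_sub(before_last).min(sector_size as u64) as usize;
    let data = match sector(file, sector_size, last) {
        Some(d) => d,
        None => return Ok(None),
    };
    let nz = nonzero(&data[used..]);
    Ok((nz > 0).then(|| Residue::Slack { last_sector: last, declared_size, nonzero_bytes: nz }))
}

/// Constructed sample (not a real document): a 512-byte-sector file whose two-sector stream is
/// declared at 700 bytes but carries 100 stale bytes in its final sector, plus a free sector
/// that still holds 16 non-zero bytes.
pub fn sample_file() -> (Vec<u8>, Vec<u32>) {
    let ss = 512usize;
    let fat = vec![1, ENDOFCHAIN, FREESECT, FREESECT]; // 0 -> 1 is the stream; 2 and 3 are free
    let mut file = vec![0u8; ss * 5]; // header plus four sectors
    let s0 = ss; // file offset of sector 0
    file[s0..s0 + 700].fill(0x41); // declared stream content
    file[s0 + 700..s0 + 800].fill(0x5A); // residue past the declared size, still inside sector 1
    file[s0 + 3 * ss..s0 + 3 * ss + 16].fill(0xEE); // stale bytes in free sector 3
    (file, fat)
}

fn main() {
    let (file, fat) = sample_file();
    for r in free_sector_residue(&file, 512, &fat) {
        println!("{r:?}");
    }
    match slack_residue(&file, 512, &fat, 0, 700) {
        Ok(Some(r)) => println!("{r:?}"),
        Ok(None) => println!("no slack residue"),
        Err(e) => println!("{e:?}"),
    }
}
```

The chain walk returns the structural problem as a value rather than panicking, which is the property `audit_bytes` promises for hostile input; every sector access goes through a bounds-checked `get`, so a truncated file simply yields fewer findings.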

Modules

raw
Thin, panic-free raw decode of the parts of an OLE Compound File the cfb crate hides: the header, the FAT and mini-FAT sector chains, and the full 128-byte directory-entry array (including entries the live red-black tree no longer reaches). Offsets and sentinels come from forensicnomicon::olecf — never hardcoded here.

Structs

OrphanDetail
Recovered detail for an orphaned (live-tree-unreachable) directory entry.

Enums

OlecfAnomaly
A forensic anomaly observed in an OLE Compound File. Each variant maps to a stable, scheme-prefixed code (the published contract).
Scope
How much of the file the audit covered, surfaced on the Source scope.
StructureIssue
Which structural rule an OlecfAnomaly::StructureAnomaly flags.

Functions

audit_bytes
Audit a compound file’s bytes, returning every anomaly observed. Never panics on malformed or hostile input; a buffer that is not a CFB yields an empty list.
audit_findings
Audit and return canonical Findings, tagged with the producing Source.
live_entry_names
Cross-check helper: the set of live stream/storage names the cfb crate reaches, used by tests/consumers as a sanity oracle against our orphan set. Returns None if cfb cannot open the bytes at all.
read_live_stream
Read a live stream’s bytes via the cfb crate (happy-path extraction), for consumers that want clean-file stream content rather than carved residue.
source
The producing Source for a cfb-forensic finding.