Enum OlecfAnomaly
pub enum OlecfAnomaly {
    OrphanedDirEntry(OrphanDetail),
    FreeSectorResidue {
        sid: u32,
        space: &'static str,
        offset: u64,
        residue_len: usize,
    },
    SlackResidue {
        sid: u32,
        name: String,
        space: &'static str,
        slack_len: usize,
    },
    StructureAnomaly(StructureIssue),
    RootClsid {
        sid: u32,
        name: String,
        clsid: String,
        create_time: u64,
        modify_time: u64,
    },
}

A forensic anomaly observed in an OLE Compound File. Each variant maps to a stable, scheme-prefixed code (the published contract).

Variants

OrphanedDirEntry(OrphanDetail)

OLECF-ORPHANED-DIR-ENTRY — a stream/storage entry unreachable from the live root tree: deleted-stream metadata that survived.


FreeSectorResidue

OLECF-FREE-SECTOR-RESIDUE — a free FAT/mini-FAT slot whose backing sector still holds non-zero bytes.

Fields

sid: u32

The (mini-)sector id marked free.

space: &'static str

"FAT" or "mini-FAT".

offset: u64

Byte offset in the file of the residual sector.

residue_len: usize

Count of non-zero bytes recovered.


SlackResidue

OLECF-SLACK-RESIDUE — non-zero bytes past a stream’s declared size in its final allocated (mini-)sector.

Fields

sid: u32

The owning entry's SID.

name: String

The owning entry's name.

space: &'static str

"FAT" or "mini-FAT".

slack_len: usize

Number of non-zero slack bytes.
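As an added example (not the forensicnomicon crate's own code), the checks behind the FreeSectorResidue and SlackResidue variants above, run on constructed sector bytes; it assumes MS-CFB's default 4096-byte mini stream cutoff and 64-byte mini-sectors, and the function names are the example's own.

```rust
/// Assumed default Mini Stream Cutoff Size from MS-CFB: streams smaller
/// than this live in the mini stream (64-byte mini-sectors); larger ones,
/// and the root entry's own stream, use regular FAT sectors.
const MINI_STREAM_CUTOFF: u64 = 4096;

/// Which allocation space a stream's sectors belong to; yields the two
/// values the `space` field documented above can take.
pub fn sector_space(stream_size: u64, is_root: bool) -> &'static str {
    if is_root || stream_size >= MINI_STREAM_CUTOFF { "FAT" } else { "mini-FAT" }
}

/// OLECF-FREE-SECTOR-RESIDUE: a (mini-)sector the FAT marks free should be
/// all zeros; count how many of its bytes are not.
pub fn free_sector_residue(sector: &[u8]) -> usize {
    sector.iter().filter(|&&b| b != 0).count()
}

/// OLECF-SLACK-RESIDUE: count non-zero bytes past the declared stream size
/// inside the final allocated (mini-)sector. Returns `None` when the stream
/// ends exactly on a sector boundary, so no slack region exists.
pub fn slack_residue(stream_size: u64, final_sector: &[u8]) -> Option<usize> {
    let sector_len = final_sector.len() as u64;
    if sector_len == 0 {
        return None;
    }
    let used = (stream_size % sector_len) as usize;
    if used == 0 {
        return None;
    }
    Some(final_sector[used..].iter().filter(|&&b| b != 0).count())
}

fn main() {
    // Constructed sample: a 1000-byte stream (mini-FAT, 64-byte sectors)
    // whose last mini-sector still carries "DEL" after the 40 bytes in use.
    let mut last = vec![0u8; 64];
    last[..40].fill(0x41);
    last[50..53].copy_from_slice(b"DEL");
    println!("space: {}", sector_space(1000, false));
    println!("slack residue: {:?}", slack_residue(1000, &last));

    // Constructed sample: a FAT sector marked free that still holds data.
    let mut free = vec![0u8; 512];
    free[0..5].copy_from_slice(b"stale");
    println!("free-sector residue: {}", free_sector_residue(&free));
}
```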


StructureAnomaly(StructureIssue)

OLECF-STRUCTURE-ANOMALY — a structural / tamper violation.


RootClsid

OLECF-ROOT-CLSID — the root/storage CLSID and the FILETIMEs CFB carries.

Fields

sid: u32

The entry's SID (0 for the root storage).

name: String

The entry's name.

clsid: String

CLSID rendered as a canonical upper-case GUID string.

create_time: u64

Creation FILETIME (raw u64).

modify_time: u64

Modification FILETIME (raw u64).

Implementations

impl OlecfAnomaly

pub fn code(&self) -> &'static str

The stable, scheme-prefixed machine code for this anomaly.


pub fn severity(&self) -> Severity

Severity of this anomaly.


pub fn category(&self) -> Category

Analytical lens for this anomaly.


pub fn mitre(&self) -> &'static [&'static str]

MITRE ATT&CK techniques this anomaly is consistent with (never a verdict).


pub fn note(&self) -> String

Human-readable, hedged note.


pub fn to_finding(&self, src: Source) -> Finding

Convert to a canonical Finding. Dynamic codes carry runtime detail, so this uses the forensicnomicon::report builder directly.

Trait Implementations

impl Clone for OlecfAnomaly

fn clone(&self) -> OlecfAnomaly

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for OlecfAnomaly

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for OlecfAnomaly

impl PartialEq for OlecfAnomaly

fn eq(&self, other: &OlecfAnomaly) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for OlecfAnomaly
