livedisk-forensic 0.1.1

Forensic analyzer for live block devices — acquisition-integrity findings (mounted-during-acquisition, no write-blocker, removable media, 512e/4Kn sector mismatch, synthesized overlay) as graded forensicnomicon report::Finding, built on livedisk-core
livedisk-forensic-0.1.1 has been yanked.

livedisk-forensic

Acquisition-integrity analysis of a live block device enumerated by [livedisk]. Given a [PhysicalDisk], [analyse] returns graded [forensicnomicon] findings flagging conditions that bear on a forensically sound acquisition of the running system — never a verdict, always an observation:

  • LIVE-MOUNTED — a volume is mounted during acquisition (live writes may alter the image).
  • LIVE-WRITABLE — the device is writable; no hardware write-blocker detected.
  • LIVE-REMOVABLE — removable media.
  • LIVE-SECTOR-4KN — logical/physical sector sizes differ (512e/4Kn).
  • LIVE-SYNTHESIZED — a synthesized container overlay, not a backing physical store.
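fn main() -> Result<(), livedisk::Error> {
    // Enumerate the live block devices, then print each acquisition-integrity finding.
    for disk in livedisk::enumerate()? {
        for finding in livedisk_forensic::analyse(&disk) {
            println!("{}: {}", finding.code, finding.note);
        }
    }
    Ok(())
}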
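
As an added example (not code from livedisk-forensic or its documentation), the following shows one way four of the five conditions listed above could be derived on Linux from sysfs attributes and /proc/mounts. The `Snapshot` type and the `belongs_to` and `grade` functions are hypothetical, the sample values are constructed, and LIVE-SYNTHESIZED is left out because the page does not say how it is detected.

```rust
/// Hypothetical type (not the livedisk API): sysfs attribute text plus /proc/mounts.
pub struct Snapshot<'a> {
    pub name: &'a str,      // kernel device name, e.g. "sda"
    pub ro: &'a str,        // /sys/block/<name>/ro, "1" when reported read-only
    pub removable: &'a str, // /sys/block/<name>/removable, "1" for removable media
    pub logical: &'a str,   // /sys/block/<name>/queue/logical_block_size
    pub physical: &'a str,  // /sys/block/<name>/queue/physical_block_size
    pub mounts: &'a str,    // contents of /proc/mounts
}

/// True when `source` is /dev/<name> or one of its partitions (sda1, nvme0n1p2).
pub fn belongs_to(source: &str, name: &str) -> bool {
    let Some(rest) = source.strip_prefix("/dev/").and_then(|d| d.strip_prefix(name)) else {
        return false;
    };
    // Names ending in a digit (nvme0n1, mmcblk0) separate partitions with 'p'.
    let needs_p = name.ends_with(|c: char| c.is_ascii_digit());
    let digits = if needs_p { rest.strip_prefix('p') } else { Some(rest) };
    rest.is_empty() || digits.is_some_and(|d| !d.is_empty() && d.bytes().all(|b| b.is_ascii_digit()))
}

/// Returns the page's finding codes that apply to the snapshot, as observations.
pub fn grade(s: &Snapshot) -> Vec<&'static str> {
    let mut codes = Vec::new();
    let mut sources = s.mounts.lines().filter_map(|l| l.split_whitespace().next());
    if sources.any(|src| belongs_to(src, s.name)) {
        codes.push("LIVE-MOUNTED");
    }
    // Anything other than an explicit "1" is reported: read-only was not confirmed.
    if s.ro.trim() != "1" {
        codes.push("LIVE-WRITABLE");
    }
    if s.removable.trim() == "1" {
        codes.push("LIVE-REMOVABLE");
    }
    // Flag only when both sizes parse and differ (e.g. 512 logical on 4096 physical).
    if let (Ok(l), Ok(p)) = (s.logical.trim().parse::<u32>(), s.physical.trim().parse::<u32>()) {
        if l != p {
            codes.push("LIVE-SECTOR-4KN");
        }
    }
    codes
}

fn main() {
    // Constructed sample: an internal 512e disk with its first partition mounted.
    let mounts = "/dev/sda1 / ext4 rw,relatime 0 0\nproc /proc proc rw 0 0\n";
    let sda = Snapshot { name: "sda", ro: "0\n", removable: "0\n", logical: "512\n", physical: "4096\n", mounts };
    println!("{:?}", grade(&sda));
}
```

Volumes mounted through device-mapper or loop devices appear in /proc/mounts under other names and are not attributed to the underlying disk by this matcher.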