
Crate dar_forensic

Forensic-grade reader and anomaly auditor for Denis Corbin DAR (Disk ARchiver) archives.

Built on the pure-Rust dar parser core: this crate re-exports the reader API and adds the forensic layer — catalogue anomaly detection (DarAudit::audit) and Sleuth Kit bodyfile export (DarBodyfile::bodyfile / DarAudit::write_bodyfile) — graded onto the shared forensicnomicon::report model.

Every anomaly is an observation, never an assertion of intent: the notes say “consistent with …”, and the examiner draws the conclusions.

use dar_forensic::{DarAudit, DarError, DarReader};
use std::io::Cursor;

// `bytes` holds the archive contents already read into memory. `audit` is a
// DarAudit trait method, so the trait must be in scope. The `?` operator
// assumes DarReader::open reports failures as DarError (the crate's error enum).
fn audit_archive(bytes: Vec<u8>) -> Result<(), DarError> {
    let reader = DarReader::open(Cursor::new(bytes))?;
    for anomaly in reader.audit() {
        println!("{anomaly}");
    }
    Ok(())
}

Structs

Anomaly
A single forensic anomaly: an AnomalyKind with its derived severity, stable code, and human-readable note.
DarEntry
Metadata about one archived filesystem object.
DarReader
Read-only DAR archive reader.
SliceReader
A Read + Seek view over a multi-volume DAR archive (base.1.dar, base.2.dar, …) presenting the slices as one contiguous logical stream: slice 1 in full (its header is the archive’s slice header) followed by every later slice with its own slice header stripped. This is byte-identical to the equivalent unsliced archive, so the catalogue and per-entry offsets resolve across slice boundaries with no other change to the reader.

Enums

AnomalyKind
Classification of a DAR forensic anomaly.
CrcStatus
Outcome of verifying a file entry’s stored CRC against its decompressed data (see DarReader::verify). CRC values are lowercase hex.
DarError
Errors returned by DarReader.
EntryKind
The kind of filesystem object a catalog entry describes.
Severity
The canonical 5-level severity scale of a forensic finding, shared across every SecurityRonin analyzer via forensicnomicon::report. Ordered Info < Low < Medium < High < Critical.

Traits

DarAudit
Forensic analysis over a parsed DAR catalogue: anomaly auditing and bodyfile export. Pure metadata over the already-parsed catalogue — no archive data is read or decoded.
DarBodyfile
Sleuth Kit bodyfile formatting for a parsed DarEntry.