Enum AnomalyKind 

pub enum AnomalyKind {
    IncompleteCatalog {
        entries_recovered: usize,
    },
    AbsolutePath {
        path: String,
    },
    ParentTraversal {
        path: String,
    },
    DuplicatePath {
        path: String,
    },
    FutureTimestamp {
        path: String,
        field: &'static str,
        epoch_secs: i64,
    },
    ControlCharsInName {
        path: String,
    },
}

Classification of a DAR forensic anomaly.

Each variant carries the evidence needed to reproduce the observation. The suspicious/benign framing lives in AnomalyKind::note.

Variants

IncompleteCatalog

Catalogue parsing stopped before a clean root end-of-directory — the listing may be truncated. Consistent with a partial/damaged archive or an entry type this reader does not model (parsing stops loudly rather than silently returning a short listing).

Fields

entries_recovered: usize

Number of entries recovered before parsing stopped.

AbsolutePath

An entry’s path is absolute (begins with /). DAR stores paths relative to the archive root, so an absolute path is unusual; on naive extraction it would write outside the destination directory. Consistent with an archive crafted to overwrite system paths.

Fields

path: String

The absolute path (lossy UTF-8).

ParentTraversal

An entry’s path contains a .. parent-directory component. On naive extraction this could escape the destination directory — a path-traversal (“zip-slip”) vector.

Fields

path: String

The traversing path (lossy UTF-8).

DuplicatePath

More than one catalogue entry records the same path. Consistent with a crafted archive in which a later entry shadows an earlier one on extraction (the examiner sees one name but two sets of bytes).

Fields

path: String

The duplicated path (lossy UTF-8).

FutureTimestamp

An entry timestamp lies implausibly far in the future (beyond the year 2100). Consistent with a misconfigured clock on the archiving host or with timestamp tampering.

Fields

path: String

Path of the entry (lossy UTF-8).

field: &'static str

Which timestamp: atime, mtime, or ctime.

epoch_secs: i64

The timestamp, seconds since the Unix epoch.

ControlCharsInName

An entry’s name contains non-printable control bytes (below 0x20, or 0x7f). Consistent with an attempt to obscure the true filename in terminal listings (e.g. an embedded escape sequence or carriage return).

Fields

path: String

The name as lossy UTF-8 (control bytes become U+FFFD on display).

Implementations

impl AnomalyKind

pub fn severity(&self) -> Severity

Severity assigned to this kind — the single source of truth.

pub fn code(&self) -> &'static str

Stable machine-readable code.

pub fn note(&self) -> String

Human-readable description (observation, not a conclusion).

Trait Implementations

impl Clone for AnomalyKind

fn clone(&self) -> AnomalyKind

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for AnomalyKind

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for AnomalyKind

impl PartialEq for AnomalyKind

fn eq(&self, other: &AnomalyKind) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for AnomalyKind