Crate disk_forensic

Expand description

§disk-forensic

Point it at any disk image and it identifies the partitioning scheme — MBR, GPT, or Apple Partition Map — and dispatches to the matching forensic parser, so you get the right structural analysis without choosing a crate up front.

It is pure orchestration: scheme detection comes from the forensicnomicon knowledge base, and every real parse is delegated to a sibling crate (mbr_forensic, gpt_forensic, apm_forensic). Like them, it works over any Read + Seek, so it composes with the container crates (ewf, vhd, …) for E01/VHD/VMDK evidence.

use std::fs::File;
let mut img = File::open("disk.img")?;
let size = img.metadata()?.len();
match disk_forensic::analyse_disk(&mut img, size)? {
    disk_forensic::DiskReport::Gpt(a) => println!("GPT, {} partitions", a.partitions.len()),
    disk_forensic::DiskReport::Mbr(a) => println!("MBR, {} partitions", a.partitions.len()),
    disk_forensic::DiskReport::Apm(a) => println!("APM, {} partitions", a.partitions.len()),
}

Modules§

normalize: Normalize each scheme’s native analysis into the shared forensicnomicon::report model, so disk4n6 (and a future GUI) render one uniform Report instead of N bespoke XxxAnalysis types.
report: Human-readable text rendering for disk4n6.

Enums§

DiskReport: A full forensic analysis, tagged by the partitioning scheme that was found.
Error: Crate-level error.
Scheme: A disk partitioning scheme.

Functions§

analyse_disk: Detect the partitioning scheme of the disk behind reader and run the matching forensic parser.