disk-forensic
Point it at any disk image — raw or wrapped in a forensic container — and it decodes the container, identifies the partitioning scheme (MBR, GPT, or Apple Partition Map), and dispatches to the matching forensic parser, so you get the right structural analysis without choosing a crate up front.
container::open sniffs the wrapper by content and decodes E01/EWF, VMDK, VHDX, VHD, QCOW2, and DMG to a Read + Seek view of the raw disk; ISO 9660 optical images are a filesystem rather than a partitioned disk and are routed to iso9660_forensic. Everything else is pure orchestration: scheme detection comes from the forensicnomicon knowledge base, and every real parse is delegated to a sibling crate (mbr_partition_forensic, gpt_partition_forensic, apm_partition_forensic).

    // Decode whatever container the evidence arrived in, then analyse the disk.
    let opened = disk_forensic::container::open(std::path::Path::new("evidence.E01"))?;
    let mut img = opened.reader;
    match disk_forensic::analyse_disk(&mut img, opened.size)? {
        disk_forensic::DiskReport::Gpt(a) => println!("GPT, {} partitions", a.partitions.len()),
        disk_forensic::DiskReport::Mbr(a) => println!("MBR, {} partitions", a.partitions.len()),
        disk_forensic::DiskReport::Apm(a) => println!("APM, {} partitions", a.partitions.len()),
    }

Modules
- container
- Container-format detection (magic-sniff) — which decoder a disk image needs.
- normalize
- Normalize each scheme’s native analysis into the shared forensicnomicon::report model, so disk4n6 (and a future GUI) render one uniform Report instead of N bespoke XxxAnalysis types.
- report
- Human-readable text rendering for disk4n6.
Enums
- DiskReport
- A full forensic analysis, tagged by the partitioning scheme that was found.
- Error
- Crate-level error.
- Scheme
- A disk partitioning scheme.
Functions
- analyse_disk
- Detect the partitioning scheme of the disk behind reader and run the matching forensic parser.
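
The on-disk signatures that MBR/GPT/APM scheme detection rests on, as an added example that is not the crate's own code: `Detected`, `read_at`, `detect_scheme` and `put` are hypothetical names, the check order is this example's choice, and the images are constructed in memory.

```rust
use std::io::{self, Cursor, Read, Seek, SeekFrom};

#[derive(Debug, PartialEq)]
pub enum Detected { Gpt, Mbr, Apm, Unknown }

/// Read up to `len` bytes at `off`; a short image yields a shorter Vec.
fn read_at<R: Read + Seek>(r: &mut R, off: u64, len: u64) -> io::Result<Vec<u8>> {
    r.seek(SeekFrom::Start(off))?;
    let mut buf = Vec::new();
    r.by_ref().take(len).read_to_end(&mut buf)?;
    Ok(buf)
}

/// Classify a raw disk by on-disk signatures (assumes 512-byte APM blocks).
pub fn detect_scheme<R: Read + Seek>(r: &mut R) -> io::Result<Detected> {
    // GPT first: its protective MBR also ends in 55 AA, so testing the MBR
    // signature first would misreport every GPT disk. The header is at LBA 1:
    // byte 512 with 512-byte sectors, byte 4096 with 4K-native sectors.
    for lba1 in [512u64, 4096] {
        if read_at(r, lba1, 8)? == b"EFI PART" {
            return Ok(Detected::Gpt);
        }
    }
    let lba0 = read_at(r, 0, 512)?;
    // APM: "ER" driver descriptor in block 0 and a "PM" map entry in block 1.
    if lba0.starts_with(b"ER") && read_at(r, 512, 2)? == b"PM" {
        return Ok(Detected::Apm);
    }
    if lba0.len() == 512 && lba0.ends_with(&[0x55, 0xAA]) {
        return Ok(Detected::Mbr);
    }
    Ok(Detected::Unknown)
}

/// Helper for constructed sample images: write `bytes` at `off`.
pub fn put(mut img: Vec<u8>, off: usize, bytes: &[u8]) -> Vec<u8> {
    img[off..off + bytes.len()].copy_from_slice(bytes);
    img
}

fn main() -> io::Result<()> {
    // Constructed inputs: a boot signature alone, then the same sector 0 plus a GPT header.
    let mbr = put(vec![0u8; 8192], 510, &[0x55, 0xAA]);
    let gpt = put(mbr.clone(), 512, b"EFI PART");
    println!("{:?}", detect_scheme(&mut Cursor::new(mbr))?);
    println!("{:?}", detect_scheme(&mut Cursor::new(gpt))?);
    Ok(())
}
```

Signature checks alone cannot tell a live GPT from a stale header left behind after a disk was re-partitioned as MBR; confirming a 0xEE protective entry in sector 0 covers that case.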