Crate disk_forensic


disk-forensic

Point it at any disk image — raw or wrapped in a forensic container — and it decodes the container, identifies the partitioning scheme (MBR, GPT, or Apple Partition Map), and dispatches to the matching forensic parser, so you get the right structural analysis without choosing a crate up front.

container::open sniffs the wrapper by content and decodes E01/EWF, VMDK, VHDX, VHD, QCOW2, and DMG to a Read + Seek view of the raw disk; ISO 9660 optical images are a filesystem rather than a partitioned disk and are routed to iso9660_forensic. Everything else is pure orchestration: scheme detection comes from the forensicnomicon knowledge base, and every real parse is delegated to a sibling crate (mbr_partition_forensic, gpt_partition_forensic, apm_partition_forensic).

// Decode whatever container the evidence arrived in, then analyse the disk.
let opened = disk_forensic::container::open(std::path::Path::new("evidence.E01"))?;
let mut img = opened.reader;
match disk_forensic::analyse_disk(&mut img, opened.size)? {
    disk_forensic::DiskReport::Gpt(a) => println!("GPT, {} partitions", a.partitions.len()),
    disk_forensic::DiskReport::Mbr(a) => println!("MBR, {} partitions", a.partitions.len()),
    disk_forensic::DiskReport::Apm(a) => println!("APM, {} partitions", a.partitions.len()),
}
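
What sniffing a wrapper "by content" can look like, as an added example that is not disk_forensic's own code: it checks the publicly documented signatures of the formats listed above (offset-0 magics for EWF v1, VHDX, QCOW2 and sparse VMDK; the last 512 bytes for the VHD footer and DMG trailer; `CD001` for ISO 9660). The names `Wrapper`, `read_at`, `sniff` and `sample` are hypothetical, and the byte buffers are constructed samples.

```rust
// Added illustration, not the crate's implementation; all names here are hypothetical.
use std::io::{self, Cursor, Read, Seek, SeekFrom};

/// Wrappers named on this page; `Raw` means no known signature matched.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Wrapper { Ewf, Vmdk, Vhdx, Vhd, Qcow2, Dmg, Iso9660, Raw }

/// Read up to `len` bytes at `off`; reading past the end yields fewer bytes, not an error.
fn read_at<R: Read + Seek>(r: &mut R, off: u64, len: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    r.seek(SeekFrom::Start(off))?;
    r.by_ref().take(len).read_to_end(&mut buf)?;
    Ok(buf)
}

/// Classify by content only; the file name and extension are never consulted.
pub fn sniff<R: Read + Seek>(r: &mut R) -> io::Result<Wrapper> {
    let size = r.seek(SeekFrom::End(0))?;
    let head = read_at(r, 0, 8)?;
    // Signatures at offset 0.
    if head.starts_with(b"EVF\x09\x0d\x0a\xff\x00") { return Ok(Wrapper::Ewf); } // EWF v1 (E01)
    if head.starts_with(b"vhdxfile") { return Ok(Wrapper::Vhdx); }
    if head.starts_with(b"QFI\xfb") { return Ok(Wrapper::Qcow2); }
    if head.starts_with(b"KDMV") { return Ok(Wrapper::Vmdk); } // sparse extent only
    // The VHD footer ("conectix") and the DMG "koly" trailer sit in the last 512 bytes.
    if size >= 512 {
        let tail = read_at(r, size - 512, 8)?;
        if tail.starts_with(b"conectix") { return Ok(Wrapper::Vhd); }
        if tail.starts_with(b"koly") { return Ok(Wrapper::Dmg); }
    }
    // ISO 9660 volume descriptor: "CD001" one byte into sector 16 (2048-byte sectors).
    if read_at(r, 16 * 2048 + 1, 5)?.starts_with(b"CD001") { return Ok(Wrapper::Iso9660); }
    Ok(Wrapper::Raw)
}

/// Constructed sample: `len` zero bytes with `magic` written at `off`.
pub fn sample(len: usize, off: usize, magic: &[u8]) -> Cursor<Vec<u8>> {
    let mut v = vec![0u8; len];
    v[off..off + magic.len()].copy_from_slice(magic);
    Cursor::new(v)
}

fn main() -> io::Result<()> {
    // Evidence renamed to "disk.raw" is still reported as EWF, because only bytes are read.
    println!("{:?}", sniff(&mut sample(1024, 0, b"EVF\x09\x0d\x0a\xff\x00"))?);
    println!("{:?}", sniff(&mut sample(4096, 4096 - 512, b"koly"))?);
    println!("{:?}", sniff(&mut sample(40960, 0x8001, b"CD001"))?);
    Ok(())
}
```

A signature match only selects which decoder to try; the decoder still has to validate the rest of the header, since a truncated or tampered file can carry a correct magic.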

Modules

container
Container-format detection (magic-sniff) — which decoder a disk image needs.
layout
Bridge an analyzed image’s DiskReport into the livedisk layout model, so the proportional partition bar renders for evidence files (E01, VMDK, …) exactly as it does for a live disk. This is presentation glue only — the authoritative structural analysis stays in the per-scheme reports; here we map partition extents (LBA × sector → byte offsets) onto the unified PhysicalDisk/Partition shape livedisk already knows how to draw.
normalize
Normalize each scheme’s native analysis into the shared forensicnomicon::report model, so disk4n6 (and a future GUI) render one uniform Report instead of N bespoke XxxAnalysis types.
report
Human-readable text rendering for disk4n6.

Enums

DiskReport
A full forensic analysis, tagged by the partitioning scheme that was found.
Error
Crate-level error.
Scheme
A disk partitioning scheme.

Functions

analyse_disk
Detect the partitioning scheme of the disk behind reader and run the matching forensic parser.