
Crate livedisk_forensic

livedisk-forensic

Acquisition-integrity analysis of a live block device enumerated by livedisk. Given a PhysicalDisk, analyse returns graded forensicnomicon findings flagging conditions that bear on a forensically sound acquisition of the running system — never a verdict, always an observation:

  • LIVE-MOUNTED — a volume is mounted during acquisition (live writes may alter the image).
  • LIVE-WRITABLE — the device being acquired is writable (no hardware write-blocker engaged). Emitted only by analyse_target, never by the host overview analyse — on a live host every disk is writable, so it would fire on every device.
  • LIVE-REMOVABLE — removable media.
  • LIVE-SECTOR-4KN — logical/physical sector sizes differ (512e/4Kn).
  • LIVE-SYNTHESIZED — a synthesized container overlay, not a backing physical store.

```rust
// `?` needs a function returning Result; the boxed error type is an assumption.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    for disk in livedisk::enumerate()? {
        for finding in livedisk_forensic::analyse(&disk) {
            println!("{}: {}", finding.code, finding.note);
        }
    }
    Ok(())
}
```

Functions

analyse
Analyse a live disk for acquisition-integrity conditions, returning graded findings (empty for a write-protected, unmounted, fixed, non-synthesized disk with matching sector sizes — the ideal acquisition target).
analyse_target
Analyse a disk you intend to acquire (image). Returns everything analyse reports for the host overview, plus the acquisition-target-only LIVE-WRITABLE warning when the device is writable — i.e. no hardware write-blocker is engaged, so imaging could alter the evidence. On a live host every internal disk is writable, so that condition is omitted from the overview analyse (it would fire on every device); it is signal only for the specific device under acquisition.