
Crate qcow2_forensic


Forensic anomaly auditor for QCOW2 images.

Reads QCOW2 header facts via qcow2::inspect and grades them into severity-ranked findings on the shared forensicnomicon::report model. Each finding is an observation (“consistent with …”); the examiner draws the conclusions.

Structs

Qcow2Info
Forensically-relevant QCOW2 header facts, parsed leniently — unlike [Qcow2Header::parse], this does not reject backing files, encryption, or unsupported incompatible features, so an analyzer can inspect images the reader cannot decode.
Qcow2RefcountReport
Summary of the refcount metadata and the orphan scan.
Qcow2Snapshot
One internal snapshot recorded in a QCOW2 image.

Enums

Qcow2Anomaly
A QCOW2 image-level forensic anomaly.
Qcow2Error
Severity
Severity of a forensic finding (Info < Low < Medium < High < Critical).

Functions

audit
Audit parsed QCOW2 header facts for forensic anomalies.
audit_orphans
Audit a refcount/orphan report, emitting a single QCOW2-ORPHAN-CLUSTERS finding when clusters reachable through L1/L2 have a host refcount of 0.
audit_path
Inspect and audit a QCOW2 image at path in one step. Surfaces the header-level anomalies, one finding per snapshot, and an orphan-cluster finding when allocated-but-unreferenced clusters are present. Malformed input surfaces as an error rather than silent emptiness.
audit_snapshots
Audit an enumerated snapshot list, emitting one QCOW2-SNAPSHOT finding per snapshot with its name and creation timestamp.