Forensic integrity analysis for VMware VMDK images.
vmdk is a lean Read + Seek reader. vmdk-forensic is the evidence-grade layer
on top of it (the same split as vhdx/vhdx-forensic and ewf/ewf-forensic):
it reparses the raw structure — so it works on images too damaged for some readers —
and reports the redundant-grain-directory, dangling-pointer, recovery, and header
provenance findings that qemu-img and libvmdk discard.
analyse() returns canonical forensicnomicon::report::Findings, so VMDK
findings aggregate alongside every other SecurityRonin analyzer.
```rust
use vmdk_forensic::VmdkIntegrity;
use forensicnomicon::report::Severity;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Any Read + Seek source will do; a plain File is enough here.
    let mut a = VmdkIntegrity::new(std::fs::File::open("disk.vmdk")?);
    // Report only findings rated Medium or above.
    for finding in a.analyse()? {
        if finding.severity >= Some(Severity::Medium) {
            println!("[{:?}] {} — {}", finding.severity, finding.code, finding.note);
        }
    }
    Ok(())
}
```

Structs§
- GdRecoveryReport - Per-entry recovery analysis of the grain directory against its redundant copy.
- HeaderProvenance - Provenance read from the 512-byte sparse header — fields other readers discard.
- IntegrityReport - Result of a structural integrity walk (VmdkIntegrity::check_integrity).
- VmdkIntegrity - Forensic integrity analyzer over any Read + Seek VMDK source.
- VmdkReader - The lean reader, re-exported so this one crate covers read + forensic analysis. Read-only VMDK container reader, generic over any Read + Seek source.
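As an added illustration (not vmdk-forensic's own code; the type and function names are assumptions), the block below walks a primary grain directory against its redundant copy entry by entry and classifies each slot the way the GdRecoveryReport description suggests: consistent, recoverable from one copy, conflicting, or dangling past the end of the extent.

```rust
// Added illustration of a per-entry comparison between a VMDK sparse extent's
// grain directory (GD) and its redundant copy (RGD). Not vmdk-forensic's code;
// the names here are assumptions. Offsets are grain-table pointers in 512-byte sectors.

/// Outcome for one grain-directory slot.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum GdEntryState {
    /// Both copies agree (including both unallocated, i.e. 0).
    Consistent,
    /// GD slot is 0 but the RGD holds a pointer: recoverable from the redundant copy.
    RecoverableFromRedundant(u32),
    /// RGD slot is 0 but the GD holds a pointer: recoverable from the primary copy.
    RecoverableFromPrimary(u32),
    /// Both non-zero but different: neither copy can be trusted on its own.
    Conflict { gd: u32, rgd: u32 },
    /// At least one pointer lies at or beyond the end of the extent file.
    Dangling { gd: u32, rgd: u32 },
}

/// Compare GD and RGD entry by entry. `extent_sectors` is the extent file size in
/// sectors; a pointer at or past it cannot be followed. Extra entries in the longer
/// slice are ignored (zip stops at the shorter one).
pub fn compare_grain_directories(gd: &[u32], rgd: &[u32], extent_sectors: u64) -> Vec<GdEntryState> {
    let dangling = |p: u32| p != 0 && u64::from(p) >= extent_sectors;
    gd.iter().zip(rgd).map(|(&g, &r)| {
        if dangling(g) || dangling(r) {
            GdEntryState::Dangling { gd: g, rgd: r }
        } else {
            match (g, r) {
                _ if g == r => GdEntryState::Consistent,
                (0, r) => GdEntryState::RecoverableFromRedundant(r),
                (g, 0) => GdEntryState::RecoverableFromPrimary(g),
                _ => GdEntryState::Conflict { gd: g, rgd: r },
            }
        }
    }).collect()
}

/// Number of slots that need attention (anything but Consistent).
pub fn count_anomalies(states: &[GdEntryState]) -> usize {
    states.iter().filter(|s| **s != GdEntryState::Consistent).count()
}

fn main() {
    // Constructed sample: a 4-entry GD/RGD pair from an extent 2048 sectors long.
    let gd = [8, 0, 24, 4096];
    let rgd = [8, 16, 32, 4096];
    for (i, s) in compare_grain_directories(&gd, &rgd, 2048).iter().enumerate() {
        println!("GDE {}: {:?}", i, s);
    }
}
```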
Enums§
- AnomalyKind - The kind of a forensic finding. Each variant carries the data its canonical Finding needs; severity, code, note, category and MITRE refs are derived from it via the Observation impl below, so detection sites never spell out presentation logic.