Function scan_memory_buffer 

pub fn scan_memory_buffer(buf: &[u8]) -> Vec<MemoryCarvedRecord>

Scan an arbitrary byte buffer for EVTX record magic and recover plausible records.

Uses a three-phase approach:

1. Byte-scan for 0x2A 0x2A 0x00 0x00 (record magic).
2. Validate record_length field: must be in [28, 65536] and fit within the buffer.
3. Check BinXML token at payload[0] (must be 0x0F FragmentHeader).

Records whose size field would extend beyond the buffer are silently skipped.