/// <summary>
/// Cmdlet entry point. Dispatches on the active parameter set and writes the
/// resulting Amcache objects to the pipeline, enumerating the collection so each
/// entry is emitted as a separate object.
/// "ByVolume" resolves the hive from the <c>volume</c> parameter via
/// <c>Amcache.GetInstances</c>; "ByPath" reads the hive file named by
/// <c>hivePath</c> via <c>Amcache.GetInstancesByPath</c>.
/// </summary>
protected override void ProcessRecord()
{
    // No default branch: a parameter set other than the two handled here emits
    // nothing, matching the original switch. NOTE(review): hivePath is a
    // caller-supplied path; any validation of it happens inside
    // Amcache.GetInstancesByPath, which is not visible here.
    if (ParameterSetName == "ByVolume")
    {
        WriteObject(Amcache.GetInstances(volume), true);
    }
    else if (ParameterSetName == "ByPath")
    {
        WriteObject(Amcache.GetInstancesByPath(hivePath), true);
    }
}
/// <summary>
/// Builds a combined forensic timeline for one volume by gathering entries from
/// every supported artifact source and concatenating them in a fixed order:
/// NTFS file records, Amcache, Prefetch, ScheduledJob, UserAssist, ShellLink,
/// UsnJrnl, event log records, and finally the DRIVERS, SAM, SECURITY, SOFTWARE
/// and SYSTEM registry hives under the volume's \Windows\system32\config directory.
/// </summary>
/// <param name="volume">Volume identifier handed to each artifact parser unchanged;
/// <c>Helper.GetVolumeLetter</c> derives the drive letter used to build the hive paths.</param>
/// <returns>All collected entries as one array in source order. No sorting or
/// de-duplication is done here. Any exception thrown by an individual parser
/// propagates and aborts the whole timeline — there is no per-source isolation.</returns>
public static ForensicTimeline[] GetInstances(string volume)
{
    string driveLetter = Helper.GetVolumeLetter(volume);
    var timeline = new List<ForensicTimeline>();

    // Artifact parsers that take the volume directly, in output order.
    timeline.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

    // System registry hives, resolved relative to the drive letter. Only the
    // machine-wide hives are walked; per-user hives (NTUSER.DAT) are not included.
    string[] hiveNames = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hiveName in hiveNames)
    {
        string hivePath = driveLetter + "\\Windows\\system32\\config\\" + hiveName;
        timeline.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)));
    }

    return timeline.ToArray();
}
/*public static ForensicTimeline Get(PSObject input)
 * {
 *     switch (input.TypeNames[0])
 *     {
 *         case "PowerForensics.Artifacts.Amcache":
 *             break;
 *         case "PowerForensics.Artifacts.Prefetch":
 *             //return Get(input.BaseObject as Prefetch);
 *             break;
 *         case "PowerForensics.Artifacts.ScheduledJob":
 *             return Get(input.BaseObject as ScheduledJob);
 *             break;
 *         case "PowerForensics.Artifacts.UserAssist":
 *             return Get(input.BaseObject as UserAssist);
 *             break;
 *         case "PowerForensics.Artifacts.ShellLink":
 *             //return Get(input.BaseObject as ShellLink);
 *             break;
 *         case "PowerForensics.Ntfs.FileRecord":
 *             try
 *             {
 *                 //return Get(input.BaseObject as FileRecord);
 *             }
 *             catch
 *             {
 *
 *             }
 *             break;
 *         case "PowerForensics.Ntfs.UsnJrnl":
 *             return Get(input.BaseObject as UsnJrnl);
 *             break;
 *         case "PowerForensics.EventLog.EventRecord":
 *             return Get(input.BaseObject as EventRecord);
 *             break;
 *         case "PowerForensics.Registry.NamedKey":
 *             return Get(input.BaseObject as NamedKey);
 *             break;
 *         default:
 *             Console.WriteLine(input.TypeNames[0]);
 *             break;
 *     }
 * }*/

/// <summary>
/// Converts one Amcache entry into a timeline entry. Not implemented yet: this
/// overload ignores <paramref name="input"/> and always returns <c>null</c>, so
/// Amcache artifacts presumably contribute nothing to a combined timeline built
/// from it — confirm before relying on Amcache coverage in timeline output.
/// </summary>
/// <param name="input">The Amcache entry to convert; currently unused.</param>
/// <returns>Always <c>null</c>.</returns>
public static ForensicTimeline Get(Amcache input) => null;