internal MFTRecord(byte[] mftBytes, int index, ref MFTRecord[] recordArray, string volLetter)
{
// Get byte array representing current record
byte[] recordBytes = getMFTRecordBytes(mftBytes, index);
// Instantiate a FILE_RECORD_HEADER struct from raw MFT Record bytes
FILE_RECORD_HEADER RecordHeader = new FILE_RECORD_HEADER(recordBytes);
// Check MFT Signature (FILE) to ensure bytes actually represent an MFT Record
if (checkMFTRecord(RecordHeader.Magic))
{
RecordNumber = RecordHeader.RecordNo;
Size = RecordHeader.RealSize;
SequenceNumber = RecordHeader.SeqNo;
LogFileSequenceNumber = RecordHeader.LSN;
Links = RecordHeader.Hardlinks;
// Unmask Header Flags
#region HeaderFlags
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.INUSE) == (ushort)FILE_RECORD_FLAG.INUSE)
{
Deleted = false;
}
else
{
Deleted = true;
}
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.DIR) == (ushort)FILE_RECORD_FLAG.DIR)
{
Directory = true;
}
else
{
Directory = false;
}
#endregion HeaderFlags
List <Attr> AttributeList = new List <Attr>();
int offsetToATTR = RecordHeader.OffsetOfAttr;
while (offsetToATTR < (RecordHeader.RealSize - 8))
{
//sw.Start();
int offset = offsetToATTR;
Attr attr = AttributeFactory.Get(recordBytes, offset, out offsetToATTR);
if (attr != null)
{
if (attr.Name == "STANDARD_INFORMATION")
{
StandardInformation stdInfo = attr as StandardInformation;
ModifiedTime = stdInfo.ModifiedTime;
AccessedTime = stdInfo.AccessedTime;
ChangedTime = stdInfo.ChangedTime;
BornTime = stdInfo.BornTime;
Permission = stdInfo.Permission;
}
else if (attr.Name == "FILE_NAME")
{
FileName fN = attr as FileName;
if (!(fN.Filename.Contains("~")))
{
Name = fN.Filename;
ParentIndex = fN.ParentIndex;
}
}
AttributeList.Add(attr);
}
}
// Check if MFT Record is for the root directory (should be Record Index 5)
// If index and ParentIndex are not the same then get FullPath
if ((ulong)index != ParentIndex)
{
// Check if ParentIndex Record has already been constructed and added to array
if (recordArray[ParentIndex] == null)
{
recordArray[ParentIndex] = new MFTRecord(mftBytes, (int)ParentIndex, ref recordArray, volLetter);
}
// FullPath equals the ParentIndex FullPath + the current Index Name
// Make more efficient with String Builder
FullPath = recordArray[ParentIndex].FullPath + Name;
if (Directory)
{
FullPath += "\\";
}
}
else
{
FullPath = volLetter;
}
Attribute = AttributeList.ToArray();
}
else
{
}
}
internal MFTRecord(byte[] recordBytes)
{
// Instantiate a FILE_RECORD_HEADER struct from raw MFT Record bytes
FILE_RECORD_HEADER RecordHeader = new FILE_RECORD_HEADER(recordBytes);
// Check MFT Signature (FILE) to ensure bytes actually represent an MFT Record
if (checkMFTRecord(RecordHeader.Magic))
{
RecordNumber = RecordHeader.RecordNo;
Size = RecordHeader.RealSize;
SequenceNumber = RecordHeader.SeqNo;
LogFileSequenceNumber = RecordHeader.LSN;
Links = RecordHeader.Hardlinks;
// Unmask Header Flags
#region HeaderFlags
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.INUSE) == (ushort)FILE_RECORD_FLAG.INUSE)
{
Deleted = false;
}
else
{
Deleted = true;
}
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.DIR) == (ushort)FILE_RECORD_FLAG.DIR)
{
Directory = true;
}
else
{
Directory = false;
}
#endregion HeaderFlags
List <Attr> AttributeList = new List <Attr>();
int offsetToATTR = RecordHeader.OffsetOfAttr;
while (offsetToATTR < (RecordHeader.RealSize - 8))
{
int offset = offsetToATTR;
Attr attr = AttributeFactory.Get(recordBytes, offset, out offsetToATTR);
if (attr != null)
{
if (attr.Name == "STANDARD_INFORMATION")
{
StandardInformation stdInfo = attr as StandardInformation;
ModifiedTime = stdInfo.ModifiedTime;
AccessedTime = stdInfo.AccessedTime;
ChangedTime = stdInfo.ChangedTime;
BornTime = stdInfo.BornTime;
Permission = stdInfo.Permission;
}
else if (attr.Name == "FILE_NAME")
{
FileName fN = attr as FileName;
if (!(fN.Filename.Contains("~")))
{
Name = fN.Filename;
ParentIndex = fN.ParentIndex;
}
}
AttributeList.Add(attr);
}
}
Attribute = AttributeList.ToArray();
}
}
internal MFTRecord(byte[] mftBytes, int index, string volLetter, string fileName)
{
byte[] recordBytes = getMFTRecordBytes(mftBytes, index);
// Instantiate a FILE_RECORD_HEADER struct from raw MFT Record bytes
FILE_RECORD_HEADER RecordHeader = new FILE_RECORD_HEADER(recordBytes);
// Check MFT Signature (FILE) to ensure bytes actually represent an MFT Record
if (checkMFTRecord(RecordHeader.Magic))
{
RecordNumber = RecordHeader.RecordNo;
Size = RecordHeader.RealSize;
SequenceNumber = RecordHeader.SeqNo;
LogFileSequenceNumber = RecordHeader.LSN;
Links = RecordHeader.Hardlinks;
// Unmask Header Flags
#region HeaderFlags
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.INUSE) == (ushort)FILE_RECORD_FLAG.INUSE)
{
Deleted = false;
}
else
{
Deleted = true;
}
if ((RecordHeader.Flags & (ushort)FILE_RECORD_FLAG.DIR) == (ushort)FILE_RECORD_FLAG.DIR)
{
Directory = true;
}
else
{
Directory = false;
}
#endregion HeaderFlags
List <Attr> AttributeList = new List <Attr>();
int offsetToATTR = RecordHeader.OffsetOfAttr;
//System.Diagnostics.Stopwatch sw = new System.Diagnostics.Stopwatch();
while (offsetToATTR < (RecordHeader.RealSize - 8))
{
//sw.Start();
int offset = offsetToATTR;
Attr attr = AttributeFactory.Get(recordBytes, offset, out offsetToATTR);
if (attr != null)
{
if (attr.Name == "STANDARD_INFORMATION")
{
StandardInformation stdInfo = attr as StandardInformation;
ModifiedTime = stdInfo.ModifiedTime;
AccessedTime = stdInfo.AccessedTime;
ChangedTime = stdInfo.ChangedTime;
BornTime = stdInfo.BornTime;
Permission = stdInfo.Permission;
}
else if (attr.Name == "FILE_NAME")
{
FileName fN = attr as FileName;
if (!(fN.Filename.Contains("~")))
{
Name = fN.Filename;
ParentIndex = fN.ParentIndex;
}
}
AttributeList.Add(attr);
//sw.Stop();
//Console.WriteLine("Attribute Name: {0}", attr.Name);
//Console.WriteLine("Elapsed: {0}", sw.ElapsedMilliseconds);
}
}
Attribute = AttributeList.ToArray();
if (RecordNumber == ParentIndex)
{
FullPath = volLetter;
}
else
{
if (fileName != null)
{
FullPath = fileName;
}
else
{
MFTRecord parent = new MFTRecord(mftBytes, (int)ParentIndex, volLetter, fileName);
FullPath = parent.FullPath + Name;
}
if (Directory)
{
FullPath += '\\';
}
}
}
}
