public static byte[] GetBytes(byte[] recordBytes, uint attribute)
{
// Instantiate a FILE_RECORD_HEADER struct from raw MFT Record bytes
MFTRecord.FILE_RECORD_HEADER RecordHeader = new MFTRecord.FILE_RECORD_HEADER(recordBytes);
int offsetToATTR = RecordHeader.OffsetOfAttr;
while (offsetToATTR < (RecordHeader.RealSize - 8))
{
AttrHeader.ATTR_HEADER_COMMON commonAttributeHeader = new AttrHeader.ATTR_HEADER_COMMON(recordBytes.Skip(offsetToATTR).Take(16).ToArray());
if (commonAttributeHeader.ATTRType == attribute)
{
// Return bytes for Attr
return(recordBytes.Skip(offsetToATTR).Take((int)commonAttributeHeader.TotalSize).ToArray());
}
else
{
// Change offsetToATTR to next Attr
offsetToATTR += (int)commonAttributeHeader.TotalSize;
}
}
// Add some sort of exception handling here...
return(null);
}
internal ulong IniSize; // Initialized data size of the stream
internal ATTR_HEADER_NON_RESIDENT(byte[] bytes)
{
commonHeader = new AttrHeader.ATTR_HEADER_COMMON(bytes.Take(16).ToArray());
StartVCN = BitConverter.ToUInt64(bytes, 16);
LastVCN = BitConverter.ToUInt64(bytes, 24);
DataRunOffset = BitConverter.ToUInt16(bytes, 32);
CompUnitSize = BitConverter.ToUInt16(bytes, 34);
Padding = BitConverter.ToUInt32(bytes, 36);
AllocSize = BitConverter.ToUInt64(bytes, 40);
RealSize = BitConverter.ToUInt64(bytes, 48);
IniSize = BitConverter.ToUInt64(bytes, 56);
}
internal static Attr Get(byte[] Bytes, int offset, out int offsetToATTR)
{
// This needs to be looked at...
if (BitConverter.ToUInt32(Bytes.Skip(offset).Take(4).ToArray(), 0) != 0xD0)
{
AttrHeader.ATTR_HEADER_COMMON commonAttributeHeader = new AttrHeader.ATTR_HEADER_COMMON(Bytes.Skip(offset).Take(16).ToArray());
// Get byte[] representing the current attribute
byte[] AttrBytes = Bytes.Skip(offset).Take((int)commonAttributeHeader.TotalSize).ToArray();
// Get byte[] representing the Attribute Name
byte[] NameBytes = AttrBytes.Skip(commonAttributeHeader.NameOffset).Take(commonAttributeHeader.NameLength * 2).ToArray();
// Decode byte[] into Unicode String
string AttrName = Encoding.Unicode.GetString(NameBytes);
// Update offset value
offset += (int)commonAttributeHeader.TotalSize;
// Set offset return
offsetToATTR = offset;
// If attribute is non-resident
if (commonAttributeHeader.NonResident)
{
return(NonResident.Get(AttrBytes, AttrName));
}
// If attribute is resident
else
{
#region ATTRSwitch
switch (commonAttributeHeader.ATTRType)
{
case (Int32)Attr.ATTR_TYPE.STANDARD_INFORMATION:
return(new StandardInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.FILE_NAME:
return(new FileName(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.OBJECT_ID:
return(new ObjectId(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.VOLUME_NAME:
return(new VolumeName(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.VOLUME_INFORMATION:
return(new VolumeInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.DATA:
return(new Data(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.INDEX_ROOT:
//IndexRoot indxRootAttr = IndexRoot.Get(AttrBytes, commonAttributeHeader, AttrHeaderResident, AttrName);
break;
case (Int32)Attr.ATTR_TYPE.EA_INFORMATION:
return(new EAInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.EA:
//
//Console.WriteLine("Attr: EA {0}", commonAttributeHeader.Id);
break;
default:
break;
}
#endregion ATTRSwitch
}
return(null);
}
else
{
offsetToATTR = 1025;
return(null);
}
}
