        /// <summary>
        /// Emits the AppCompat (Amcache) entries selected by the active parameter set. The
        /// "ByVolume" set reads and parses Amcache.hve from the raw <c>volume</c>; the "ByPath"
        /// set parses the hive file found at <c>hivePath</c>. Results are written to the pipeline
        /// one object at a time (enumerateCollection = true).
        /// </summary>
        protected override void ProcessRecord()
        {
            string activeSet = ParameterSetName;

            if (activeSet == "ByVolume")
            {
                // Parse the hive straight from the raw volume.
                WriteObject(Amcache.GetInstances(volume), true);
            }
            else if (activeSet == "ByPath")
            {
                // Parse a hive file given by explicit path (presumably an offline/exported copy).
                WriteObject(Amcache.GetInstancesByPath(hivePath), true);
            }
            // Any other parameter set produces no output, exactly like the original switch.
        }
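        /// <summary>
        /// Builds a combined forensic timeline for a volume by collecting every supported artifact
        /// source (file system records, Amcache, Prefetch, ScheduledJob, UserAssist, ShellLink,
        /// USN journal, event log records) and the five system registry hives (DRIVERS, SAM,
        /// SECURITY, SOFTWARE, SYSTEM) and converting each into timeline entries.
        /// Entries are appended in that fixed source order; no sorting is applied here.
        /// </summary>
        /// <param name="volume">The volume to parse; the drive-letter form used for the registry hive paths is derived via Helper.GetVolumeLetter.</param>
        /// <returns>All timeline entries gathered from the volume, in source order.</returns>
        public static ForensicTimeline[] GetInstances(string volume)
        {
            List<ForensicTimeline> list = new List<ForensicTimeline>();

            string volLetter = Helper.GetVolumeLetter(volume);

            // File System
            list.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));

            // Amcache
            list.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));

            // Prefetch
            list.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));

            // ScheduledJob
            list.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));

            // UserAssist
            list.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));

            // ShellLink
            list.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));

            // UsnJnrl
            list.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));

            // EventLog
            list.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

            // Registry: the system hives live under \Windows\system32\config on the volume.
            // Kept in this order so the output matches the previous hand-unrolled calls.
            // Plain string concatenation is deliberate: volLetter is a bare drive prefix and
            // Path.Combine would not insert the separator after it.
            string[] hiveNames = new[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
            foreach (string hiveName in hiveNames)
            {
                string hivePath = volLetter + "\\Windows\\system32\\config\\" + hiveName;
                list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)));
            }

            return list.ToArray();
        }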
        /*public static ForensicTimeline Get(PSObject input)
         * {
         *  switch (input.TypeNames[0])
         *  {
         *      case "PowerForensics.Artifacts.Amcache":
         *          break;
         *      case "PowerForensics.Artifacts.Prefetch":
         *          //return Get(input.BaseObject as Prefetch);
         *          break;
         *      case "PowerForensics.Artifacts.ScheduledJob":
         *          return Get(input.BaseObject as ScheduledJob);
         *          break;
         *      case "PowerForensics.Artifacts.UserAssist":
         *          return Get(input.BaseObject as UserAssist);
         *          break;
         *      case "PowerForensics.Artifacts.ShellLink":
         *          //return Get(input.BaseObject as ShellLink);
         *          break;
         *      case "PowerForensics.Ntfs.FileRecord":
         *          try
         *          {
         *              //return Get(input.BaseObject as FileRecord);
         *          }
         *          catch
         *          {
         *
         *          }
         *          break;
         *      case "PowerForensics.Ntfs.UsnJrnl":
         *          return Get(input.BaseObject as UsnJrnl);
         *          break;
         *      case "PowerForensics.EventLog.EventRecord":
         *          return Get(input.BaseObject as EventRecord);
         *          break;
         *      case "PowerForensics.Registry.NamedKey":
         *          return Get(input.BaseObject as NamedKey);
         *          break;
         *      default:
         *          Console.WriteLine(input.TypeNames[0]);
         *          break;
         *  }
         * }*/

        /// <summary>
        /// Placeholder conversion from an <see cref="Amcache"/> entry to a timeline entry.
        /// </summary>
        /// <param name="input">The Amcache entry to convert; currently ignored.</param>
        /// <returns>Always <c>null</c> — the Amcache-to-timeline mapping is not implemented yet.</returns>
        public static ForensicTimeline Get(Amcache input)
        {
            // Not implemented: no timeline fields are derived from Amcache at this point.
            ForensicTimeline entry = null;
            return entry;
        }