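        /// <summary>
        /// Parses every event record out of the EVTX file at <paramref name="path"/>.
        /// </summary>
        /// <param name="path">Path of the event log; its content is read through <see cref="FileRecord"/>.</param>
        /// <returns>
        /// The records in chunk order, then record order. Empty when the file header reports no chunks.
        /// </returns>
        /// <remarks>
        /// The file content is treated as untrusted: an artefact can be truncated or deliberately malformed.
        /// A chunk that starts past the end of the content, a record that would start or end outside its
        /// chunk, or a record with a non-positive size stops parsing instead of indexing out of bounds or
        /// re-parsing the same bytes; the records collected so far are still returned.
        /// </remarks>
        public static EventRecord[] Get(string path)
        {
            List<EventRecord> recordList = new List<EventRecord>();

            // Get Content of EventLog
            FileRecord fileRecord = FileRecord.Get(path, true);
            byte[] bytes = fileRecord.GetContent();

            // Get EventLog Header
            EventLogHeader evtxHeader = new EventLogHeader(bytes);

            // EVTX layout: a 0x1000-byte file header, then 0x10000-byte chunks, each starting with a
            // 0x200-byte chunk header that is followed directly by the first record.
            const int FileHeaderSize = 0x1000;
            const int ChunkSize = 0x10000;
            const int ChunkHeaderSize = 0x200;

            int chunkOffset = FileHeaderSize;

            // Iterate through chunks
            for (int i = 0; i < evtxHeader.NumberOfChunks; i++)
            {
                // The header's chunk count disagrees with the data we actually have: stop rather than
                // let ChunkHeader read past the end of the buffer.
                if ((long)chunkOffset + ChunkHeaderSize > bytes.Length)
                {
                    break;
                }

                // Get Chunk Header
                ChunkHeader chunkHeader = new ChunkHeader(bytes, chunkOffset);
                if (chunkHeader.LastEventRecordNumber == -1)
                {
                    break;
                }

                int recordOffset = chunkOffset + ChunkHeaderSize;

                // Records never cross a chunk boundary, and the last chunk may be truncated.
                int chunkEnd = chunkOffset + ChunkSize;
                if (chunkEnd > bytes.Length)
                {
                    chunkEnd = bytes.Length;
                }

                // Iterate through EventRecords
                for (long j = chunkHeader.FirstEventRecordNumber; j <= chunkHeader.LastEventRecordNumber; j++)
                {
                    // The record range claimed by the chunk header is larger than its payload.
                    if (recordOffset >= chunkEnd)
                    {
                        break;
                    }

                    EventRecord eventRecord = new EventRecord(bytes, chunkOffset, recordOffset, path);
                    recordList.Add(eventRecord);

                    // A zero/negative size would re-parse the same bytes forever within the record range;
                    // an oversized one would walk out of the chunk. Either means the data is corrupt.
                    int recordSize = (int)eventRecord.Size;
                    if (recordSize <= 0 || (long)recordOffset + recordSize > chunkEnd)
                    {
                        break;
                    }

                    recordOffset += recordSize;
                }

                // Increment Chunk Offset to point to next chunk
                chunkOffset += ChunkSize;
            }

            return recordList.ToArray();
        }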
 /// <summary>
 /// Builds one <see cref="ForensicTimeline"/> entry per event record, preserving the input order.
 /// </summary>
 /// <param name="input">Event records to convert; each is passed to <see cref="Get(EventRecord)"/>.</param>
 /// <returns>An array with exactly one timeline entry for each element of <paramref name="input"/>.</returns>
 public static ForensicTimeline[] GetInstances(EventRecord[] input)
 {
     // The output has the same length as the input, so fill a pre-sized array directly.
     ForensicTimeline[] entries = new ForensicTimeline[input.Length];
     for (int index = 0; index < input.Length; index++)
     {
         entries[index] = Get(input[index]);
     }
     return entries;
 }
 /// <summary>
 /// Converts a single event record into a <see cref="ForensicTimeline"/> entry.
 /// </summary>
 /// <param name="input">The event record to convert.</param>
 /// <returns>
 /// A timeline entry stamped with the record's write time, the fixed "MACB" activity and "EVENTLOG"
 /// source markers, an empty user, the log path, and the record's string form as the description.
 /// </returns>
 public static ForensicTimeline Get(EventRecord input) =>
     new ForensicTimeline(input.WriteTime, "MACB", "EVENTLOG", "", input.LogPath, input.ToString());