/// <summary>
/// Returns the bytes of the first DATA attribute found on this record, or, when an
/// ATTRIBUTE_LIST attribute is reached first, the bytes of the first record it references
/// through an entry named "DATA".
/// </summary>
/// <param name="VBR">Volume boot record handed to the non-resident read.</param>
/// <returns>The attribute's raw data (resident) or the bytes read via NonResident.GetBytes.</returns>
/// <exception cref="Exception">No DATA attribute or "DATA" attribute-list entry was found.</exception>
internal byte[] GetBytes(VolumeBootRecord VBR)
 {
     // Attributes are visited in stored order and the first hit wins. No stream name is
     // checked here, so a named DATA attribute that precedes the unnamed one is returned as-is.
     foreach (Attr candidate in this.Attribute)
     {
         if (candidate.Name == Attr.ATTR_TYPE.DATA)
         {
             // Resident content is held by the attribute object itself.
             if (!candidate.NonResident)
             {
                 return (candidate as Data).RawData;
             }

             // NOTE(review): `as` yields null when the parsed object is not of the expected
             // type, which surfaces as a NullReferenceException on a malformed record - confirm
             // that AttributeFactory always pairs the NonResident flag with the matching type.
             return (candidate as NonResident).GetBytes(this.VolumePath, VBR);
         }
         else if (candidate.Name == Attr.ATTR_TYPE.ATTRIBUTE_LIST)
         {
             AttributeList list = candidate as AttributeList;
             foreach (AttrRef reference in list.AttributeReference)
             {
                 if (reference.Name != "DATA")
                 {
                     continue;
                 }

                 // The record number comes from the attribute list and is narrowed to int
                 // without a range check before it is used to fetch another record.
                 byte[] referencedBytes = FileRecord.GetRecordBytes(this.VolumePath, (int)reference.RecordNumber);
                 FileRecord referenced = new FileRecord(referencedBytes, this.VolumePath, true);
                 return referenced.GetBytes();
             }
         }
     }

     throw new Exception("Could not locate file contents");
 }
        /// <summary>
        /// Builds the FileRecord for record index 0 of <paramref name="volume"/>, reads its
        /// content and hands those bytes to the (byte[], string) overload of GetInstances.
        /// </summary>
        /// <param name="volume">Volume path passed to GetRecordBytes and to the overload.</param>
        /// <returns>Whatever the (byte[], string) overload produces from the record's bytes.</returns>
        public static FileRecord[] GetInstances(string volume)
        {
            // Record 0 is parsed with fast == true, so no parent chain is resolved for it.
            byte[] firstRecordBytes = FileRecord.GetRecordBytes(volume, 0);
            FileRecord firstRecord = new FileRecord(firstRecordBytes, volume, true);

            // The whole content of that record is materialised in memory before parsing.
            byte[] tableBytes = firstRecord.GetBytes();
            return GetInstances(tableBytes, volume);
        }
        /// <summary>
        /// Resolves <paramref name="path"/> to its index entry and parses the file record that
        /// entry points to.
        /// </summary>
        /// <param name="path">Path used both to derive the volume and to look up the index entry.</param>
        /// <param name="fast">Forwarded to the FileRecord constructor.</param>
        /// <returns>The parsed FileRecord.</returns>
        public static FileRecord Get(string path, bool fast)
        {
            string volumePath = NativeMethods.GetVolumeFromPath(path);
            IndexEntry located = IndexEntry.Get(path);

            // The entry's record number is narrowed to int without a range check.
            byte[] rawRecord = FileRecord.GetRecordBytes(volumePath, (int)located.RecordNumber);
            return new FileRecord(rawRecord, volumePath, fast);
        }
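        /// <summary>
        /// Returns the content of the DATA attribute whose stream name matches
        /// <paramref name="streamName"/>, following the record's attribute list when needed.
        /// </summary>
        /// <param name="streamName">Stream name to match, compared case-insensitively.</param>
        /// <returns>The attribute's raw data (resident) or the bytes read via NonResident.GetBytes.</returns>
        /// <exception cref="Exception">No matching stream was found on this record.</exception>
        /// <remarks>
        /// The name comparison is ordinal and case-insensitive. The previous ToUpper() comparison
        /// depended on the current culture (for example, "i" does not upper-case to "I" under
        /// tr-TR) and threw NullReferenceException when either name was null.
        /// </remarks>
        public byte[] GetTestContent(string streamName)
        {
            foreach (Attr attr in this.Attribute)
            {
                if (attr.Name == Attr.ATTR_TYPE.DATA
                    && string.Equals(attr.NameString, streamName, StringComparison.OrdinalIgnoreCase))
                {
                    if (attr.NonResident)
                    {
                        return (attr as NonResident).GetBytes(this.VolumePath);
                    }

                    return (attr as Data).RawData;
                }

                AttributeList attrList = attr as AttributeList;
                if (attrList == null)
                {
                    continue;
                }

                foreach (AttrRef ar in attrList.AttributeReference)
                {
                    if (ar.Name == "DATA")
                    {
                        // NOTE(review): the first "DATA" entry is followed without comparing its
                        // stream name, and nothing stops an entry from pointing back at a record
                        // already visited. The recursion below has no depth limit, so a damaged or
                        // crafted attribute list could recurse until the stack overflows - confirm
                        // whether a visited-record check is needed.
                        FileRecord record = new FileRecord(FileRecord.GetRecordBytes(this.VolumePath, (int)ar.RecordNumber), this.VolumePath, true);
                        return record.GetTestContent(streamName);
                    }
                }
            }

            throw new Exception("Could not locate desired stream");
        }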
        /// <summary>
        /// Reads the record at MftIndex.BITMAP_INDEX on <paramref name="volume"/>, takes its
        /// data stream and converts the stream's bytes into Bitmap values.
        /// </summary>
        /// <param name="volume">Volume path used for the record read and the stream read.</param>
        /// <returns>The result of the byte[] overload of GetInstances.</returns>
        public static Bitmap[] GetInstances(string volume)
        {
            // Parse the bitmap record itself (fast == true: no full path resolution).
            byte[] bitmapRecordBytes = FileRecord.GetRecordBytes(volume, MftIndex.BITMAP_INDEX);
            FileRecord bitmapRecord = new FileRecord(bitmapRecordBytes, volume, true);

            // Pick the data stream out of the record, then pull all of its bytes into memory.
            NonResident stream = Bitmap.GetDataStream(bitmapRecord);
            byte[] streamBytes = stream.GetBytes(volume);

            return GetInstances(streamBytes);
        }
        /// <summary>
        /// Parses the record located through <paramref name="path"/>, reads its content and
        /// hands those bytes to the (byte[], string) overload of GetInstances.
        /// </summary>
        /// <param name="path">Path used to derive the volume and to fetch the record bytes.</param>
        /// <returns>Whatever the (byte[], string) overload produces from the record's bytes.</returns>
        public static FileRecord[] GetInstancesByPath(string path)
        {
            string volumePath = NativeMethods.GetVolumeFromPath(path);

            // The path-based GetRecordBytes overload locates the record; parsing uses fast == true.
            byte[] rawRecord = FileRecord.GetRecordBytes(path);
            FileRecord source = new FileRecord(rawRecord, volumePath, true);

            byte[] tableBytes = source.GetBytes();
            return GetInstances(tableBytes, volumePath);
        }
        /// <summary>
        /// Resolves <paramref name="path"/> to a file record, takes that record's data stream
        /// and converts the stream's bytes into Bitmap values.
        /// </summary>
        /// <param name="path">Path of the file whose data stream is interpreted as a bitmap.</param>
        /// <returns>The result of the byte[] overload of GetInstances.</returns>
        public static Bitmap[] GetInstancesByPath(string path)
        {
            // Volume first, then the index entry that carries the record number for the path.
            string volumePath = Helper.GetVolumeFromPath(path);
            IndexEntry located = IndexEntry.Get(path);

            // The record number is narrowed to int without a range check.
            byte[] rawRecord = FileRecord.GetRecordBytes(volumePath, (int)located.RecordNumber);
            FileRecord source = new FileRecord(rawRecord, volumePath, true);

            // Any file can be named here; its data stream is read in full and parsed as bitmap data.
            NonResident stream = Bitmap.GetDataStream(source);
            byte[] streamBytes = stream.GetBytes(volumePath);

            return GetInstances(streamBytes);
        }
        // TODO: Add Encoding parameter
        // TODO: Add DataStream parameter
        #region GetContentMethods

        /// <summary>
        /// Returns the content of the unnamed DATA attribute (NameString == "") of this record,
        /// following the attribute list to another record when the list is reached first.
        /// </summary>
        /// <returns>The attribute's raw data (resident) or the bytes read via NonResident.GetBytes.</returns>
        /// <exception cref="Exception">No unnamed DATA attribute or list entry was found.</exception>
        public byte[] GetContent()
        {
            foreach (FileRecordAttribute current in this.Attribute)
            {
                if (current.Name == FileRecordAttribute.ATTR_TYPE.DATA)
                {
                    // Named DATA attributes are skipped; only the unnamed stream is returned.
                    if (current.NameString != "")
                    {
                        continue;
                    }

                    if (!current.NonResident)
                    {
                        return (current as Data).RawData;
                    }

                    return (current as NonResident).GetBytes(this.VolumePath);
                }
                else if (current.Name == FileRecordAttribute.ATTR_TYPE.ATTRIBUTE_LIST)
                {
                    // The boot record is fetched on every ATTRIBUTE_LIST hit because the record
                    // size passed to the FileRecord constructor below is taken from it.
                    VolumeBootRecord bootRecord = VolumeBootRecord.Get(this.VolumePath);

                    AttributeList list = current as AttributeList;
                    foreach (AttrRef reference in list.AttributeReference)
                    {
                        if (reference.Name == "DATA" && reference.NameString == "")
                        {
                            // NOTE(review): the referenced record number is used unchecked and the
                            // call below recurses with no depth limit; an entry that leads back to
                            // a record already visited would not terminate - confirm.
                            byte[] referencedBytes = FileRecord.GetRecordBytes(this.VolumePath, (int)reference.RecordNumber);
                            FileRecord referenced = new FileRecord(referencedBytes, this.VolumePath, (int)bootRecord.BytesPerFileRecord, true);
                            return referenced.GetContent();
                        }
                    }
                }
            }

            throw new Exception("Could not locate file contents");
        }
        /// <summary>
        /// Finds the attribute named "$J" on <paramref name="fileRecord"/>, searching records
        /// referenced by its attribute list when the attribute is not on the record itself.
        /// </summary>
        /// <param name="fileRecord">Record whose attributes are searched.</param>
        /// <returns>
        /// The matching attribute cast with <c>as NonResident</c>; this is null when the matching
        /// attribute is not a NonResident instance.
        /// </returns>
        /// <exception cref="Exception">No "$J" attribute or list entry was found.</exception>
        internal static NonResident GetJStream(FileRecord fileRecord)
        {
            foreach (FileRecordAttribute current in fileRecord.Attribute)
            {
                // Direct hit on this record.
                if (current.NameString == "$J")
                {
                    return current as NonResident;
                }

                // Otherwise only an attribute list can lead any further.
                AttributeList list = current as AttributeList;
                if (list == null)
                {
                    continue;
                }

                foreach (AttrRef reference in list.AttributeReference)
                {
                    if (reference.NameString != "$J")
                    {
                        continue;
                    }

                    // NOTE(review): recursion depth is unbounded and the record number is taken
                    // from the attribute list unchecked; a list entry that points back to a record
                    // already visited would not terminate - confirm.
                    byte[] referencedBytes = FileRecord.GetRecordBytes(fileRecord.VolumePath, (int)reference.RecordNumber);
                    FileRecord referenced = new FileRecord(referencedBytes, fileRecord.VolumePath, true);
                    return GetJStream(referenced);
                }
            }

            throw new Exception("No $J attribute found.");
        }
        /// <summary>
        /// Parses one raw file record into this FileRecord: header fields, the attribute array
        /// and, depending on <paramref name="fast"/>, the full path.
        /// </summary>
        /// <param name="recordBytes">Raw record bytes; every offset and size below is read from this buffer as-is.</param>
        /// <param name="volume">Volume path stored in VolumePath and passed on to attribute parsing and parent lookups.</param>
        /// <param name="fast">When true, FullName is just Name; when false, FullName is built by constructing the parent record(s).</param>
        /// <remarks>
        /// If the first four bytes are not "FILE", only VolumePath and Signature are assigned here
        /// and no exception is thrown, so Attribute is not set by this constructor in that case.
        /// NOTE(review): none of the sizes and offsets read from the record are range-checked
        /// before they drive allocations, copies and the attribute loop. Records from a damaged
        /// or hostile volume can therefore end in runtime exceptions or, possibly, a loop that
        /// never advances - see the notes at the individual steps.
        /// </remarks>
        internal FileRecord(byte[] recordBytes, string volume, bool fast)
        {
            VolumePath = volume;

            // First four bytes as ASCII; this throws if recordBytes holds fewer than four bytes.
            Signature = Encoding.ASCII.GetString(recordBytes, 0x00, 0x04);

            if (Signature == "FILE")
            {
                // Parse File Record Header
                OffsetOfUS           = BitConverter.ToUInt16(recordBytes, 4);
                SizeOfUS             = BitConverter.ToUInt16(recordBytes, 6);
                // OffsetOfUS is used as an index without checking it against recordBytes.Length.
                UpdateSequenceNumber = BitConverter.ToUInt16(recordBytes, OffsetOfUS);
                #region UpdateSequenceArray

                // The array is the (2 * SizeOfUS) - 2 bytes that follow the update sequence number.
                // NOTE(review): a SizeOfUS of 0 makes the length negative and the allocation throws.
                // NOTE(review): the array is only copied out; this constructor does not apply it
                // to recordBytes - presumably GetRecordBytes handles the fixup, confirm.
                UpdateSequenceArray = new byte[(2 * SizeOfUS) - 2];
                Array.Copy(recordBytes, (OffsetOfUS + 2), UpdateSequenceArray, 0, UpdateSequenceArray.Length);

                #endregion UpdateSequenceArray
                LogFileSequenceNumber = BitConverter.ToUInt64(recordBytes, 8);
                SequenceNumber        = BitConverter.ToUInt16(recordBytes, 16);
                Hardlinks             = BitConverter.ToUInt16(recordBytes, 18);
                OffsetOfAttribute     = BitConverter.ToUInt16(recordBytes, 20);
                Flags = BitConverter.ToUInt16(recordBytes, 22);
                #region Deleted

                // A record whose INUSE flag is clear is reported as deleted.
                if ((Flags & (ushort)FILE_RECORD_FLAG.INUSE) == (ushort)FILE_RECORD_FLAG.INUSE)
                {
                    Deleted = false;
                }
                else
                {
                    Deleted = true;
                }

                #endregion Deleted
                #region Directory

                // The DIR flag decides whether the record is treated as a directory.
                if ((Flags & (ushort)FILE_RECORD_FLAG.DIR) == (ushort)FILE_RECORD_FLAG.DIR)
                {
                    Directory = true;
                }
                else
                {
                    Directory = false;
                }

                #endregion Directory
                RealSize        = BitConverter.ToUInt32(recordBytes, 24);
                AllocatedSize   = BitConverter.ToUInt32(recordBytes, 28);
                ReferenceToBase = BitConverter.ToUInt64(recordBytes, 32);
                NextAttrId      = BitConverter.ToUInt16(recordBytes, 40);
                RecordNumber    = BitConverter.ToUInt32(recordBytes, 44);
                #region Attribute

                // Create a byte array representing the attribute array: the bytes from
                // OffsetOfAttribute up to RealSize.
                // NOTE(review): both values come straight from the record. If RealSize is smaller
                // than OffsetOfAttribute, or larger than recordBytes.Length, the allocation or the
                // copy fails (with unsigned fields the subtraction may instead wrap to a very large
                // length) - confirm the field types and whether callers expect these exceptions.
                byte[] attrArrayBytes = new byte[RealSize - OffsetOfAttribute];
                Array.Copy(recordBytes, OffsetOfAttribute, attrArrayBytes, 0, attrArrayBytes.Length);

                // Instantiate an empty list of Attr objects (the number of attributes is not known up front)
                List <Attr> AttributeList = new List <Attr>();

                // Initialize the offset value to 0
                int currentOffset = 0;

                // Parsing stops once fewer than 8 bytes remain after the current offset.
                if (currentOffset < (attrArrayBytes.Length - 8))
                {
                    do
                    {
                        // Get attribute size: a 32-bit value 4 bytes into the current attribute.
                        // NOTE(review): attrSize is trusted as read. A negative value or one that
                        // runs past the end of attrArrayBytes makes the allocation or copy below
                        // throw; a value of 0 leaves currentOffset unchanged, so the loop would
                        // only end if AttributeFactory.Get throws on the empty array - confirm.
                        int attrSizeOffset = currentOffset + 4;
                        int attrSize       = BitConverter.ToInt32(attrArrayBytes, attrSizeOffset);

                        // Create new byte array with just current attribute's bytes
                        byte[] currentAttrBytes = new byte[attrSize];
                        Array.Copy(attrArrayBytes, currentOffset, currentAttrBytes, 0, currentAttrBytes.Length);

                        // Increment currentOffset
                        currentOffset += attrSize;

                        Attr attr = AttributeFactory.Get(currentAttrBytes, volume);

                        // A null result from the factory is skipped rather than stored.
                        if (attr != null)
                        {
                            if (attr.Name == Attr.ATTR_TYPE.STANDARD_INFORMATION)
                            {
                                // Timestamps and permission taken from STANDARD_INFORMATION.
                                StandardInformation stdInfo = attr as StandardInformation;
                                ModifiedTime = stdInfo.ModifiedTime;
                                AccessedTime = stdInfo.AccessedTime;
                                ChangedTime  = stdInfo.ChangedTime;
                                BornTime     = stdInfo.BornTime;
                                Permission   = stdInfo.Permission;
                            }
                            else if (attr.Name == Attr.ATTR_TYPE.FILE_NAME)
                            {
                                // FILE_NAME attributes with Namespace == 2 are ignored (presumably
                                // the DOS short-name namespace - confirm). When several other
                                // FILE_NAME attributes exist, the last one parsed overwrites the
                                // name, parent reference and FN timestamps.
                                FileName fN = attr as FileName;
                                if (!(fN.Namespace == 2))
                                {
                                    Name = fN.Filename;
                                    ParentSequenceNumber = fN.ParentSequenceNumber;
                                    ParentRecordNumber   = fN.ParentRecordNumber;
                                    FNModifiedTime       = fN.ModifiedTime;
                                    FNAccessedTime       = fN.AccessedTime;
                                    FNChangedTime        = fN.ChangedTime;
                                    FNBornTime           = fN.BornTime;
                                }
                            }

                            AttributeList.Add(attr);
                        }
                    } while (currentOffset < (attrArrayBytes.Length - 8));
                }

                Attribute = AttributeList.ToArray();

                #endregion Attribute
                #region FullName

                if (fast)
                {
                    // Fast mode: no parent lookups, FullName is the bare file name.
                    FullName = Name;
                }
                else
                {
                    StringBuilder sb = new StringBuilder();

                    // Records 0 and 5 are named from the fourth '\'-separated component of the
                    // volume path; this assumes the volume string has at least four components.
                    if (RecordNumber == 0)
                    {
                        sb.Append(volume.Split('\\')[3]);
                        sb.Append('\\');
                        sb.Append(Name);
                        FullName = sb.ToString();
                    }
                    else if (RecordNumber == 5)
                    {
                        FullName = volume.Split('\\')[3];
                    }
                    else
                    {
                        // The parent is fully constructed with fast == false, which in turn
                        // constructs its own parent, and so on until record 0 or 5 is reached.
                        // NOTE(review): ParentRecordNumber comes from the record and the chain has
                        // no depth limit or visited check; the sequence-number comparison below
                        // runs only after the parent has been built, so a cycle of parent
                        // references would not terminate - confirm.
                        FileRecord parent = new FileRecord(FileRecord.GetRecordBytes(volume, (int)ParentRecordNumber), volume, false);
                        if (parent.SequenceNumber == this.ParentSequenceNumber)
                        {
                            sb.Append(parent.FullName);
                        }
                        else
                        {
                            // Sequence mismatch: the parent record no longer matches this
                            // record's parent reference, so the file is placed under $OrphanFiles.
                            sb.Append(@"$OrphanFiles");
                        }

                        if (Name != null)
                        {
                            sb.Append('\\');
                            FullName = sb.Append(Name).ToString();
                        }
                        else
                        {
                            FullName = sb.ToString();
                        }
                    }
                }

                #endregion FullName
            }
        }
 /// <summary>
 /// Reads the record at <paramref name="index"/> on <paramref name="volume"/> and parses it.
 /// </summary>
 /// <param name="volume">Volume path passed to GetRecordBytes and the constructor.</param>
 /// <param name="index">Record index passed to GetRecordBytes; not range-checked here.</param>
 /// <param name="fast">Forwarded to the FileRecord constructor.</param>
 /// <returns>The parsed FileRecord.</returns>
 public static FileRecord Get(string volume, int index, bool fast)
 {
     byte[] rawRecord = FileRecord.GetRecordBytes(volume, index);
     return new FileRecord(rawRecord, volume, fast);
 }
 /// <summary>
 /// Re-reads this record's raw bytes and returns the sub-array that
 /// Helper.GetSubArray produces for start RealSize - 1 and length AllocatedSize - RealSize.
 /// </summary>
 /// <returns>The bytes returned by Helper.GetSubArray for that range.</returns>
 public byte[] GetMftSlack()
 {
     byte[] rawRecord = FileRecord.GetRecordBytes(this.VolumePath, (int)this.RecordNumber);

     // NOTE(review): the range starts at RealSize - 1. If GetSubArray takes a zero-based start
     // index, the result includes the last in-use byte and leaves out the final slack byte -
     // confirm against Helper.GetSubArray.
     // NOTE(review): RealSize and AllocatedSize are used as parsed from the record; an
     // AllocatedSize below RealSize is not rejected before the subtraction.
     var slackStart  = this.RealSize - 1;
     var slackLength = this.AllocatedSize - this.RealSize;

     return Helper.GetSubArray(rawRecord, slackStart, slackLength);
 }
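        /// <summary>
        /// Walks <paramref name="path"/> one component at a time, starting at record 5, and
        /// returns the index entries of the final directory, or a single entry built from the
        /// record when a component resolves to a non-directory.
        /// </summary>
        /// <param name="path">Backslash-separated path; trailing backslashes are ignored.</param>
        /// <returns>
        /// The entries found in INDEX_ROOT and INDEX_ALLOCATION of the last directory (entries
        /// with Namespace 0x02 excluded), a one-element array for a non-directory record, or null
        /// when reading the INDEX_ROOT entries throws.
        /// </returns>
        /// <exception cref="Exception">A path component has no matching entry in its parent directory.</exception>
        /// <remarks>
        /// Component names are compared with an ordinal, case-insensitive comparison. The
        /// previous ToUpper() comparison depended on the current culture (under tr-TR, "i" does
        /// not upper-case to "I", so valid paths were reported as not found) and threw
        /// NullReferenceException on a null file name.
        /// </remarks>
        public static IndexEntry[] GetInstances(string path)
        {
            // Trimmed once; reused for splitting and for every FullName built below.
            string trimmedPath = path.TrimEnd('\\');
            string[] paths = trimmedPath.Split('\\');

            // Determine Volume Name
            string volume = Util.GetVolumeFromPath(path);

            // Test volume path
            Util.getVolumeName(ref volume);

            int index = -1;

            List<IndexEntry> indexEntryList = new List<IndexEntry>();

            for (int i = 0; i < paths.Length; i++)
            {
                if (index == -1)
                {
                    // The first component (the volume) always maps to record 5.
                    index = 5;
                }
                else
                {
                    bool match = false;

                    // No break on purpose: as in the original, the last matching entry wins.
                    foreach (IndexEntry entry in indexEntryList)
                    {
                        if (string.Equals(entry.Entry.Filename, paths[i], StringComparison.OrdinalIgnoreCase))
                        {
                            index = (int)entry.RecordNumber;
                            match = true;
                        }
                    }

                    if (!match)
                    {
                        throw new Exception("Path " + path + " not found.");
                    }
                }

                FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true);

                indexEntryList.Clear();

                if (!record.Directory)
                {
                    // A non-directory ends the walk, whichever component it was reached at.
                    return new IndexEntry[] { new IndexEntry(record) };
                }

                foreach (Attr attr in record.Attribute)
                {
                    if (attr.Name == Attr.ATTR_TYPE.INDEX_ROOT)
                    {
                        try
                        {
                            foreach (IndexEntry entry in (attr as IndexRoot).Entries)
                            {
                                if (entry.Entry.Namespace != 0x02)
                                {
                                    entry.FullName = trimmedPath + "\\" + entry.Filename;
                                    indexEntryList.Add(entry);
                                }
                            }
                        }
                        catch
                        {
                            // NOTE(review): any failure while reading INDEX_ROOT is turned into a
                            // null result, which callers cannot tell apart from other outcomes and
                            // must null-check. Kept for compatibility; consider surfacing the error.
                            return null;
                        }
                    }
                    else if (attr.Name == Attr.ATTR_TYPE.INDEX_ALLOCATION)
                    {
                        // Get INDEX_ALLOCATION bytes
                        IndexAllocation allocation = new IndexAllocation(attr as NonResident, volume);

                        foreach (IndexEntry entry in allocation.Entries)
                        {
                            if (entry.Entry.Namespace != 0x02)
                            {
                                entry.FullName = trimmedPath + "\\" + entry.Filename;
                                indexEntryList.Add(entry);
                            }
                        }
                    }
                }
            }

            return indexEntryList.ToArray();
        }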