/// <summary>
/// Streams a forensic timeline for the target volume to the pipeline, one artifact source at a time.
/// </summary>
/// <remarks>
/// Every source is converted through <see cref="ForensicTimeline.GetInstances"/> and written with
/// enumeration enabled, so entries reach the pipeline per source instead of being buffered into one
/// array. Prefetch is not collected by this cmdlet (the original call is kept below, commented out).
/// <c>volume</c> and <c>volLetter</c> are cmdlet fields; <c>volLetter</c> is never assigned in this
/// method — presumably set during parameter binding or BeginProcessing, verify against the class.
/// Registry hives are located by appending a fixed <c>\Windows\system32\config\</c> path to the
/// volume letter, so the volume is expected to be a Windows system volume mounted at a drive letter.
/// </remarks>
protected override void ProcessRecord()
{
    // Prefetch collection is disabled in this cmdlet; call retained for reference.
    //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

    WriteVerbose("Getting ScheduledJob Instances");
    var jobEntries = ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume));
    WriteObject(jobEntries, true);

    WriteVerbose("Getting ShellLink Instances");
    var linkEntries = ForensicTimeline.GetInstances(ShellLink.GetInstances(volume));
    WriteObject(linkEntries, true);

    WriteVerbose("Getting FileRecord Instances");
    var fileEntries = ForensicTimeline.GetInstances(FileRecord.GetInstances(volume));
    WriteObject(fileEntries, true);

    WriteVerbose("Getting UsnJrnl Instances");
    var usnEntries = ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume));
    WriteObject(usnEntries, true);

    WriteVerbose("Getting EventRecord Instances");
    var eventEntries = ForensicTimeline.GetInstances(EventRecord.GetInstances(volume));
    WriteObject(eventEntries, true);

    // Registry hives, walked recursively in this fixed order.
    string configDir = volLetter + "\\Windows\\system32\\config\\";
    string[] hives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hive in hives)
    {
        WriteVerbose("Getting " + hive + " Hive Keys");
        var hiveEntries = ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(configDir + hive));
        WriteObject(hiveEntries, true);
    }
}
/// <summary>
/// Emits shell link artifacts: every instance on a volume, or a single link file by path.
/// </summary>
/// <remarks>
/// Dispatches on the bound parameter set. "ByVolume" writes the result of
/// <see cref="ShellLink.GetInstances"/> with enumeration enabled, so each link becomes its own
/// pipeline object; "ByPath" writes the single object returned by <see cref="ShellLink.Get"/>.
/// Any other parameter set name produces no output. <c>volume</c> and <c>filePath</c> are the
/// cmdlet's parameter-backed fields.
/// </remarks>
protected override void ProcessRecord()
{
    string parameterSet = ParameterSetName;

    if (parameterSet == "ByVolume")
    {
        WriteObject(ShellLink.GetInstances(volume), true);
    }
    else if (parameterSet == "ByPath")
    {
        WriteObject(ShellLink.Get(filePath));
    }
}
/// <summary>
/// Builds one timeline covering every supported artifact source on <paramref name="volume"/>.
/// </summary>
/// <param name="volume">
/// Volume identifier; passed unchanged to each artifact parser and to <see cref="Helper.GetVolumeLetter"/>.
/// </param>
/// <returns>
/// All timeline entries, grouped by source in collection order (file records, Amcache, Prefetch,
/// scheduled jobs, UserAssist, shell links, USN journal, event log, then the registry hives).
/// </returns>
/// <remarks>
/// Registry hives are located by appending a fixed <c>\Windows\system32\config\</c> path to the
/// volume letter, so the volume is expected to be a Windows system volume mounted at a drive letter.
/// </remarks>
public static ForensicTimeline[] GetInstances(string volume)
{
    string volLetter = Helper.GetVolumeLetter(volume);
    var timeline = new List<ForensicTimeline>();

    // Artifact sources, each parsed from the volume and converted to timeline entries.
    timeline.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

    // Registry hives, walked recursively in this fixed order.
    string configDir = volLetter + "\\Windows\\system32\\config\\";
    string[] hives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hive in hives)
    {
        timeline.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(configDir + hive)));
    }

    return timeline.ToArray();
}