 /// <summary>
 /// Initialises the wrapper with a fresh, zeroed USN journal state record.
 /// The journal itself is not opened here; the record is filled in later
 /// by the code that queries the journal.
 /// </summary>
 public ForensicApi()
 {
     this.jns = new UsnJournal.Win32Api.USN_JOURNAL_DATA();
 }
        // This method is called when the monitoring thread is started
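        /// <summary>
        /// Thread entry point that polls the NTFS USN change journal of the first
        /// enumerated drive and keeps a bounded, most-recent cache of file paths
        /// and sizes for file references that were closed.
        /// </summary>
        /// <remarks>
        /// Runs until <c>terminate</c> is set. Each iteration reads the journal
        /// entries tagged <c>USN_REASON_CLOSE</c>, resolves each new file reference
        /// to a path and size, and stores it in <c>finfo</c>; once more than
        /// <c>ConstantVariables.MAX_USN_QUEUE</c> references are tracked the oldest
        /// one is evicted. Any exception ends the loop; it is reported on stderr
        /// instead of being swallowed so a dead monitor thread is noticeable.
        /// </remarks>
        public void UsnHandler()
        {
            try
            {
                frefQueue = new Queue<UInt64>();
                finfo     = new ConcurrentDictionary<UInt64, FileInfo>();
                jns       = new UsnJournal.Win32Api.USN_JOURNAL_DATA();

                // NOTE(review): assumes the first enumerated drive is the NTFS volume
                // of interest; a non-NTFS first drive would make the journal calls fail.
                DriveInfo[] allDrives         = DriveInfo.GetDrives();
                UsnJournal.NtfsUsnJournal nsf = new UsnJournal.NtfsUsnJournal(allDrives[0]);
                string volumename             = nsf.VolumeName;

                // Only file-close records are requested; the cast is what the API takes.
                uint reason = (uint)UsnJournal.NtfsUsnJournal.UsnReasonCode.USN_REASON_CLOSE;

                while (!terminate)
                {
                    // Obtain the journal state once; retry on each pass until it succeeds.
                    if (!jsint &&
                        nsf.GetUsnJournalState(ref jns) ==
                        UsnJournal.NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
                    {
                        jsint = true;
                    }

                    if (jsint)
                    {
                        List<UsnJournal.Win32Api.UsnEntry> ue;
                        // jns is advanced by the call so the next pass reads only newer records.
                        nsf.GetUsnJournalEntries(jns, reason, out ue, out jns);

                        foreach (UsnJournal.Win32Api.UsnEntry el in ue)
                        {
                            if (frefQueue.Contains(el.FileReferenceNumber))
                            {
                                continue;
                            }

                            frefQueue.Enqueue(el.FileReferenceNumber);

                            string filename;
                            nsf.GetPathFromFileReference(el.FileReferenceNumber, out filename);

                            // The journal path starts with a separator that the volume
                            // name already carries, so drop it to avoid a doubled separator.
                            string fullfilename;
                            if (filename != null && filename.Length > 1 && (filename[0] == '\\' || filename[0] == '/'))
                            {
                                fullfilename = volumename + filename.Substring(1);
                            }
                            else
                            {
                                fullfilename = volumename + filename;
                            }

                            uint filesize;
                            nsf.GetSizeFromFileReference(el.FileReferenceNumber, out filesize);

                            FileInfo fi    = new FileInfo();
                            fi.filepath    = fullfilename;
                            fi.filesizelow = filesize;
                            finfo.TryAdd(el.FileReferenceNumber, fi);

                            // Bound memory: evict the oldest tracked reference from both structures.
                            if (frefQueue.Count > ConstantVariables.MAX_USN_QUEUE)
                            {
                                UInt64 lkey = frefQueue.Dequeue();
                                FileInfo evicted;
                                finfo.TryRemove(lkey, out evicted);
                            }
                        }
                    }

                    // Sleep ~5 s between polls, waking every second so termination is prompt.
                    for (int i = 0; i < 5 && !terminate; i++)
                    {
                        Thread.Sleep(1000);
                    }
                }
            }
            catch (Exception ex)
            {
                // A failure here silently kills the monitoring thread; surface it
                // rather than discarding it.
                Console.Error.WriteLine("UsnHandler stopped: " + ex);
            }
        }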