Example #1
0
        internal static byte[] getFile(string volume, int index)
        {
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            // Get the FileRecord (MFT Record Entry) for the given inode on the specified volume
            MFTRecord MFTRecord = MFTRecord.Get(mftBytes, index, null, null);

            if (!(MFTRecord.Directory))
            {
                foreach (Attr attr in MFTRecord.Attribute)
                {
                    if (attr.Name == "DATA")
                    {
                        if (attr.NonResident == true)
                        {
                            NonResident nonResAttr = (NonResident)attr;
                            return(NonResident.GetContent(volume, nonResAttr).ToArray());
                        }
                        else
                        {
                            Data dataAttr = (Data)attr;
                            return(dataAttr.RawData);
                        }
                    }
                }
            }
            return(null);
        }
Example #2
0
        // Get all MFT Records for the specified volume (Ex. \\.\C:)
        public static MFTRecord[] GetInstances(string volume, string volLetter)
        {
            // Get MFT as byte array
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            // Call private GetInstances
            return(GetInstances(mftBytes, volLetter));
        }
Example #3
0
        public static byte[] getBytes(string volume)
        {
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            MFTRecord logFileRecord = MFTRecord.Get(mftBytes, 2, null, null);

            NonResident data = null;

            foreach (Attr attr in logFileRecord.Attribute)
            {
                if (attr.Name == "DATA")
                {
                    data = attr as NonResident;
                    break;
                }
            }

            return((NonResident.GetContent(volume, data)).ToArray());
        }
Example #4
0
        internal static List<IndexEntry> Get(string volume, int index)
        {

            MFTRecord fileRecord = MFTRecord.Get(MasterFileTable.GetBytes(volume), index, null, null);

            NonResident INDX = null;

            foreach (Attr attr in fileRecord.Attribute)
            {

                if (attr.Name == "INDEX_ALLOCATION")
                {
                    if (attr.NonResident)
                    {

                        INDX = (NonResident)attr;

                    }

                }

            }

            List<byte> nonResBytes = NonResident.GetContent(volume, INDX);

            List<IndexEntry> indxEntryList = new List<IndexEntry>();

            for (int offset = 0; offset < nonResBytes.Count; offset += 4096)
            {

                byte[] indxBytes = nonResBytes.Skip(offset).Take(4096).ToArray();

                INDEX_BLOCK indxBlock = new INDEX_BLOCK(indxBytes.Take(40).ToArray());

                byte[] IndexAllocEntryBytes = indxBytes.Skip(64).ToArray();

                int offsetIndx = 0;
                int offsetIndxPrev = 1;

                while ((offsetIndx < IndexAllocEntryBytes.Length) && (offsetIndx != offsetIndxPrev))
                {

                    INDEX_ENTRY indxEntryStruct = new INDEX_ENTRY(IndexAllocEntryBytes.Skip(offsetIndx).ToArray());

                    offsetIndxPrev = offsetIndx;
                    offsetIndx += indxEntryStruct.Size;
                    if (indxEntryStruct.Stream.Length > 66)
                    {

                        FileName.ATTR_FILE_NAME fileNameStruct = new FileName.ATTR_FILE_NAME(indxEntryStruct.Stream);

                        #region indxFlags

                        StringBuilder indxFlags = new StringBuilder();
                        if (indxEntryStruct.Flags != 0)
                        {
                            if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.SUBNODE) == (int)INDEX_ENTRY_FLAG.SUBNODE)
                            {
                                indxFlags.Append("Subnode, ");
                            }
                            if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.LAST) == (int)INDEX_ENTRY_FLAG.LAST)
                            {
                                indxFlags.Append("Last Entry, ");
                            }
                            indxFlags.Length -= 2;
                        }

                        #endregion indxFlags

                        string Name = System.Text.Encoding.Unicode.GetString(fileNameStruct.Name);
                        IndexEntry indxEntry = new IndexEntry(indxEntryStruct, indxFlags.ToString(), Name);
                        indxEntryList.Add(indxEntry);

                    }

                }

            }

            return indxEntryList;
        }