internal static byte[] getFile(string volume, int index)
{
byte[] mftBytes = MasterFileTable.GetBytes(volume);
// Get the FileRecord (MFT Record Entry) for the given inode on the specified volume
MFTRecord MFTRecord = MFTRecord.Get(mftBytes, index, null, null);
if (!(MFTRecord.Directory))
{
foreach (Attr attr in MFTRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = (NonResident)attr;
return(NonResident.GetContent(volume, nonResAttr).ToArray());
}
else
{
Data dataAttr = (Data)attr;
return(dataAttr.RawData);
}
}
}
}
return(null);
}
// I think these belong elsewhere
#region getFile
internal static List <byte> getFile(string volume, FileStream streamToRead, byte[] MFT, string fileName)
{
string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';
int inode = IndexNumber.Get(streamToRead, MFT, fileName);
// Get the FileRecord (MFT Record Entry) for the given inode on the specified volume
MFTRecord MFTRecord = MFTRecord.Get(MFT, inode, volLetter, fileName);
if (!(MFTRecord.Directory))
{
foreach (Attr attr in MFTRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = (NonResident)attr;
return(NonResident.GetContent(volume, nonResAttr));
}
else
{
Data dataAttr = (Data)attr;
return(null);
//return dataAttr.RawData;
}
}
}
}
return(null);
}
internal static List <byte> GetContent(FileStream streamToRead, NonResident nonResAttr)
{
List <byte> DataBytes = new List <byte>();
for (int i = 0; i < nonResAttr.StartCluster.Length; i++)
{
ulong offset = (nonResAttr.StartCluster[i] * 4096);
ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096;
DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length));
}
DataBytes.Take((int)nonResAttr.RealSize);
return(DataBytes);
}
internal static byte[] GetContent(FileStream streamToRead, NonResident nonResAttr)
{
List <byte> DataBytes = new List <byte>();
for (int i = 0; i < nonResAttr.StartCluster.Length; i++)
{
ulong offset = (nonResAttr.StartCluster[i] * 4096);
ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096;
DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length));
}
byte[] contentBytes = new byte[nonResAttr.RealSize];
Array.Copy(DataBytes.ToArray(), 0, contentBytes, 0, contentBytes.Length);
return(contentBytes);
}
public static List <byte> GetContent(string volume, NonResident nonResAttr)
{
List <byte> DataBytes = new List <byte>();
IntPtr hVolume = NativeMethods.getHandle(volume);
FileStream streamToRead = NativeMethods.getFileStream(hVolume);
for (int i = 0; i < nonResAttr.StartCluster.Length; i++)
{
ulong offset = nonResAttr.StartCluster[i] * 4096;
ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096;
DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length));
}
DataBytes.Take((int)nonResAttr.RealSize);
return(DataBytes);
}
public static byte[] getBytes(string volume)
{
byte[] mftBytes = MasterFileTable.GetBytes(volume);
MFTRecord logFileRecord = MFTRecord.Get(mftBytes, 2, null, null);
NonResident data = null;
foreach (Attr attr in logFileRecord.Attribute)
{
if (attr.Name == "DATA")
{
data = attr as NonResident;
break;
}
}
return((NonResident.GetContent(volume, data)).ToArray());
}
internal static byte[] getFile(FileStream streamToRead, MFTRecord mftRecord)
{
if (!(mftRecord.Directory))
{
foreach (Attr attr in mftRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = attr as NonResident;
return(NonResident.GetContent(streamToRead, nonResAttr));
}
else
{
Data dataAttr = attr as Data;
return(dataAttr.RawData);
}
}
}
}
return(null);
}
internal static Attr Get(byte[] Bytes, int offset, out int offsetToATTR)
{
// This needs to be looked at...
if (BitConverter.ToUInt32(Bytes.Skip(offset).Take(4).ToArray(), 0) != 0xD0)
{
AttrHeader.ATTR_HEADER_COMMON commonAttributeHeader = new AttrHeader.ATTR_HEADER_COMMON(Bytes.Skip(offset).Take(16).ToArray());
// Get byte[] representing the current attribute
byte[] AttrBytes = Bytes.Skip(offset).Take((int)commonAttributeHeader.TotalSize).ToArray();
// Get byte[] representing the Attribute Name
byte[] NameBytes = AttrBytes.Skip(commonAttributeHeader.NameOffset).Take(commonAttributeHeader.NameLength * 2).ToArray();
// Decode byte[] into Unicode String
string AttrName = Encoding.Unicode.GetString(NameBytes);
// Update offset value
offset += (int)commonAttributeHeader.TotalSize;
// Set offset return
offsetToATTR = offset;
// If attribute is non-resident
if (commonAttributeHeader.NonResident)
{
return(NonResident.Get(AttrBytes, AttrName));
}
// If attribute is resident
else
{
#region ATTRSwitch
switch (commonAttributeHeader.ATTRType)
{
case (Int32)Attr.ATTR_TYPE.STANDARD_INFORMATION:
return(new StandardInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.FILE_NAME:
return(new FileName(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.OBJECT_ID:
return(new ObjectId(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.VOLUME_NAME:
return(new VolumeName(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.VOLUME_INFORMATION:
return(new VolumeInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.DATA:
return(new Data(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.INDEX_ROOT:
//IndexRoot indxRootAttr = IndexRoot.Get(AttrBytes, commonAttributeHeader, AttrHeaderResident, AttrName);
break;
case (Int32)Attr.ATTR_TYPE.EA_INFORMATION:
return(new EAInformation(AttrBytes, AttrName));
case (Int32)Attr.ATTR_TYPE.EA:
//
//Console.WriteLine("Attr: EA {0}", commonAttributeHeader.Id);
break;
default:
break;
}
#endregion ATTRSwitch
}
return(null);
}
else
{
offsetToATTR = 1025;
return(null);
}
}
internal static List<IndexEntry> Get(FileStream streamToRead, byte[] MFT, int index)
{
MFTRecord fileRecord = MFTRecord.Get(MFT, index, null, null);
NonResident INDX = null;
Console.WriteLine("Count: {0}", fileRecord.Attribute.Length);
foreach (Attr attr in fileRecord.Attribute)
{
if (attr.Name == "INDEX_ALLOCATION")
{
if (attr.NonResident)
{
INDX = (NonResident)attr;
}
}
}
byte[] nonResBytes = NonResident.GetContent(streamToRead, INDX);
List<IndexEntry> indxEntryList = new List<IndexEntry>();
for (int offset = 0; offset < nonResBytes.Length; offset += 4096)
{
byte[] indxBytes = nonResBytes.Skip(offset).Take(4096).ToArray();
INDEX_BLOCK indxBlock = new INDEX_BLOCK(indxBytes.Take(40).ToArray());
byte[] IndexAllocEntryBytes = indxBytes.Skip(64).ToArray();
int offsetIndx = 0;
int offsetIndxPrev = 1;
while ((offsetIndx < IndexAllocEntryBytes.Length) && (offsetIndx != offsetIndxPrev))
{
INDEX_ENTRY indxEntryStruct = new INDEX_ENTRY(IndexAllocEntryBytes.Skip(offsetIndx).ToArray());
offsetIndxPrev = offsetIndx;
offsetIndx += indxEntryStruct.Size;
if (indxEntryStruct.Stream.Length > 66)
{
FileName.ATTR_FILE_NAME fileNameStruct = new FileName.ATTR_FILE_NAME(indxEntryStruct.Stream);
#region indxFlags
StringBuilder indxFlags = new StringBuilder();
if (indxEntryStruct.Flags != 0)
{
if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.SUBNODE) == (int)INDEX_ENTRY_FLAG.SUBNODE)
{
indxFlags.Append("Subnode, ");
}
if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.LAST) == (int)INDEX_ENTRY_FLAG.LAST)
{
indxFlags.Append("Last Entry, ");
}
indxFlags.Length -= 2;
}
#endregion indxFlags
string Name = System.Text.Encoding.Unicode.GetString(fileNameStruct.Name);
IndexEntry indxEntry = new IndexEntry(indxEntryStruct, indxFlags.ToString(), Name);
indxEntryList.Add(indxEntry);
}
}
}
return indxEntryList;
}
