internal static byte[] getFile(string volume, int index)
{
byte[] mftBytes = MasterFileTable.GetBytes(volume);
// Get the FileRecord (MFT Record Entry) for the given inode on the specified volume
MFTRecord MFTRecord = MFTRecord.Get(mftBytes, index, null, null);
if (!(MFTRecord.Directory))
{
foreach (Attr attr in MFTRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = (NonResident)attr;
return(NonResident.GetContent(volume, nonResAttr).ToArray());
}
else
{
Data dataAttr = (Data)attr;
return(dataAttr.RawData);
}
}
}
}
return(null);
}
// I think these belong elsewhere
#region getFile
internal static List <byte> getFile(string volume, FileStream streamToRead, byte[] MFT, string fileName)
{
string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';
int inode = IndexNumber.Get(streamToRead, MFT, fileName);
// Get the FileRecord (MFT Record Entry) for the given inode on the specified volume
MFTRecord MFTRecord = MFTRecord.Get(MFT, inode, volLetter, fileName);
if (!(MFTRecord.Directory))
{
foreach (Attr attr in MFTRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = (NonResident)attr;
return(NonResident.GetContent(volume, nonResAttr));
}
else
{
Data dataAttr = (Data)attr;
return(null);
//return dataAttr.RawData;
}
}
}
}
return(null);
}
public static byte[] getBytes(string volume)
{
byte[] mftBytes = MasterFileTable.GetBytes(volume);
MFTRecord logFileRecord = MFTRecord.Get(mftBytes, 2, null, null);
NonResident data = null;
foreach (Attr attr in logFileRecord.Attribute)
{
if (attr.Name == "DATA")
{
data = attr as NonResident;
break;
}
}
return((NonResident.GetContent(volume, data)).ToArray());
}
internal static byte[] getFile(FileStream streamToRead, MFTRecord mftRecord)
{
if (!(mftRecord.Directory))
{
foreach (Attr attr in mftRecord.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident == true)
{
NonResident nonResAttr = attr as NonResident;
return(NonResident.GetContent(streamToRead, nonResAttr));
}
else
{
Data dataAttr = attr as Data;
return(dataAttr.RawData);
}
}
}
}
return(null);
}
internal static List<IndexEntry> Get(FileStream streamToRead, byte[] MFT, int index)
{
MFTRecord fileRecord = MFTRecord.Get(MFT, index, null, null);
NonResident INDX = null;
Console.WriteLine("Count: {0}", fileRecord.Attribute.Length);
foreach (Attr attr in fileRecord.Attribute)
{
if (attr.Name == "INDEX_ALLOCATION")
{
if (attr.NonResident)
{
INDX = (NonResident)attr;
}
}
}
byte[] nonResBytes = NonResident.GetContent(streamToRead, INDX);
List<IndexEntry> indxEntryList = new List<IndexEntry>();
for (int offset = 0; offset < nonResBytes.Length; offset += 4096)
{
byte[] indxBytes = nonResBytes.Skip(offset).Take(4096).ToArray();
INDEX_BLOCK indxBlock = new INDEX_BLOCK(indxBytes.Take(40).ToArray());
byte[] IndexAllocEntryBytes = indxBytes.Skip(64).ToArray();
int offsetIndx = 0;
int offsetIndxPrev = 1;
while ((offsetIndx < IndexAllocEntryBytes.Length) && (offsetIndx != offsetIndxPrev))
{
INDEX_ENTRY indxEntryStruct = new INDEX_ENTRY(IndexAllocEntryBytes.Skip(offsetIndx).ToArray());
offsetIndxPrev = offsetIndx;
offsetIndx += indxEntryStruct.Size;
if (indxEntryStruct.Stream.Length > 66)
{
FileName.ATTR_FILE_NAME fileNameStruct = new FileName.ATTR_FILE_NAME(indxEntryStruct.Stream);
#region indxFlags
StringBuilder indxFlags = new StringBuilder();
if (indxEntryStruct.Flags != 0)
{
if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.SUBNODE) == (int)INDEX_ENTRY_FLAG.SUBNODE)
{
indxFlags.Append("Subnode, ");
}
if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.LAST) == (int)INDEX_ENTRY_FLAG.LAST)
{
indxFlags.Append("Last Entry, ");
}
indxFlags.Length -= 2;
}
#endregion indxFlags
string Name = System.Text.Encoding.Unicode.GetString(fileNameStruct.Name);
IndexEntry indxEntry = new IndexEntry(indxEntryStruct, indxFlags.ToString(), Name);
indxEntryList.Add(indxEntry);
}
}
}
return indxEntryList;
}
