public static Prefetch[] GetInstances(string volume)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = volLetter + @"\Windows\Prefetch";
if (Directory.Exists(pfPath))
{
var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf");
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
int i = 0;
foreach (IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes(VBR));
i++;
}
}
return(pfArray);
}
else
{
throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
}
}
}
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
Util.getVolumeName(ref volume);
// Get a handle to the volume
IntPtr hVolume = Util.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = Util.getFileStream(hVolume))
{
VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = volume.Split('\\')[3] + @"\Windows\Prefetch";
/*if(CheckStatus(volume.Split('\\')[3] + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED)
* {*/
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
Prefetch[] pfArray = new Prefetch[pfEntries.Length];
int i = 0;
foreach (IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(Util.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetContent(VBR));
i++;
}
}
return(pfArray);
/*}
* else
* {
* throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled.");
* }*/
}
}
/// <summary>
///
/// </summary>
/// <param name="volume"></param>
/// <returns></returns>
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
Helper.getVolumeName(ref volume);
using (FileStream streamToRead = Helper.getFileStream(volume))
{
NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord;
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch";
/*if(CheckStatus(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED)
* {*/
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
Prefetch[] pfArray = new Prefetch[pfEntries.Length];
int i = 0;
foreach (IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(FileRecord.Get(volume, (int)entry.RecordNumber, true).GetContent(VBR));
i++;
}
}
return(pfArray);
/*}
* else
* {
* throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled.");
* }*/
}
}
public static Prefetch[] GetInstances(string volume, bool fast)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = null;
try
{
fileBytes = File.ReadAllBytes(pfFiles[i]);
}
catch (ArgumentException)
{
throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()");
}
catch (PathTooLongException)
{
throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()");
}
catch (DirectoryNotFoundException)
{
throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()");
}
catch (IOException)
{
throw new IOException("IOException thrown by Prefetch.GetInstance()");
}
catch (UnauthorizedAccessException)
{
throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()");
}
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return(pfArray);
}
else
{
return(null);
}
}
public static Prefetch[] GetInstances(string volume, bool fast)
{
// Get current volume
Helper.getVolumeName(ref volume);
// Get volume letter
string volLetter = Helper.GetVolumeLetter(volume);
// Build Prefetch directory path
string prefetchPath = volLetter + @"\Windows\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = null;
try
{
fileBytes = File.ReadAllBytes(pfFiles[i]);
}
catch (ArgumentException)
{
throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()");
}
catch(PathTooLongException)
{
throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()");
}
catch (DirectoryNotFoundException)
{
throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()");
}
catch (IOException)
{
throw new IOException("IOException thrown by Prefetch.GetInstance()");
}
catch (UnauthorizedAccessException)
{
throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()");
}
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return pfArray;
}
else
{
return null;
}
}
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
Helper.getVolumeName(ref volume);
using (FileStream streamToRead = Helper.getFileStream(volume))
{
VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch";
/*if(CheckStatus(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED)
{*/
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
Prefetch[] pfArray = new Prefetch[pfEntries.Length];
int i = 0;
foreach(IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(Helper.GetSubArray(MFT, (int)entry.RecordNumber * 0x400, 0x400), volume, true).GetContent(VBR));
i++;
}
}
return pfArray;
/*}
else
{
throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled.");
}*/
}
}
public static ForensicTimeline[] GetInstances(Prefetch[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (Prefetch pf in input)
{
foreach (ForensicTimeline t in Get(pf))
{
list.Add(t);
}
}
return list.ToArray();
}
public static ForensicTimeline[] Get(Prefetch input)
{
List<ForensicTimeline> mactimeList = new List<ForensicTimeline>();
foreach (DateTime time in input.PrefetchAccessTime)
{
mactimeList.Add(new ForensicTimeline(time, "MACB", "PREFETCH", "", input.Path, input.ToString()));
}
return mactimeList.ToArray();
}
public static Mactime[] Get(Prefetch pf)
{
return null;
}
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = volLetter + @"\Windows\Prefetch";
if (Directory.Exists(pfPath))
{
var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf");
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
int i = 0;
foreach(IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes(VBR));
i++;
}
}
return pfArray;
}
else
{
throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
}
}
}
