/// <summary>
/// Asks an index allocation attribute to parse its non-resident body using this
/// parser, but only when the attribute's non-resident header lists at least one
/// fragment.
/// </summary>
/// <param name="alloc">The index allocation attribute whose body should be parsed.</param>
public void ParseNonResidentAttribute(AttributeIndexAllocation alloc)
{
    // No fragments means there is no body to parse.
    if (alloc.NonResidentHeader.Fragments.Count <= 0)
    {
        return;
    }

    alloc.ParseAttributeNonResidentBody(this);
}
/// <summary>
/// Writes one attribute of a file record to the console: a header line with the
/// attribute id, type and name, followed by type-specific details indented one
/// level deeper.
/// </summary>
/// <param name="parser">Parser handed on to the range and size printers.</param>
/// <param name="options">Display options handed on to the range and size printers.</param>
/// <param name="record">The record that owns the attribute; used to mark attribute-list items that point back at it.</param>
/// <param name="attrib">The attribute to print.</param>
/// <param name="indentCount">Number of <c>SingleIndent</c> units placed before the header line.</param>
/// <remarks>
/// NOTE(review): every case casts <paramref name="attrib"/> directly to the class that
/// matches its Type tag. A mismatch would throw InvalidCastException, so confirm the
/// parser guarantees that mapping even for a damaged or hand-crafted volume.
/// NOTE(review): names read from the volume are written through PrintName; presumably
/// it deals with unprintable characters - confirm before relying on the output.
/// </remarks>
private static void PrettyPrintAttribute(NTFSParser parser, Options options, FileRecord record, Attribute attrib, int indentCount)
{
    string indent = "";
    for (int level = indentCount; level > 0; level--)
    {
        indent += SingleIndent;
    }

    // Header line: "<id>: <type> <name>", plus a red marker for non-resident attributes.
    AwesomeConsole.Write(indent + attrib.Id + ": ");
    PrintType(attrib.Type);
    AwesomeConsole.Write(" ");
    PrintName(attrib.AttributeName, true, true);
    if (attrib.NonResidentFlag == ResidentFlag.NonResident)
    {
        AwesomeConsole.Write(" (NonResident)", ConsoleColor.Red);
    }
    AwesomeConsole.WriteLine();

    // The details sit one level deeper than the header.
    indent += SingleIndent;

    switch (attrib.Type)
    {
        case AttributeType.STANDARD_INFORMATION:
            PrettyPrintStandardInformationDetails(indent, (AttributeStandardInformation)attrib);
            break;

        case AttributeType.ATTRIBUTE_LIST:
            PrettyPrintAttributeListDetails(indent, record, (AttributeList)attrib);
            break;

        case AttributeType.FILE_NAME:
            PrettyPrintFileNameDetails(indent, (AttributeFileName)attrib);
            break;

        case AttributeType.DATA:
            PrettyPrintDataDetails(parser, options, indent, (AttributeData)attrib);
            break;

        case AttributeType.OBJECT_ID:
            PrettyPrintObjectIdDetails(indent, (AttributeObjectId)attrib);
            break;

        case AttributeType.SECURITY_DESCRIPTOR:
            PrettyPrintSecurityDescriptorDetails(indent, (AttributeSecurityDescriptor)attrib);
            break;

        case AttributeType.VOLUME_NAME:
            PrettyPrintVolumeNameDetails(indent, (AttributeVolumeName)attrib);
            break;

        case AttributeType.VOLUME_INFORMATION:
            PrettyPrintVolumeInformationDetails(indent, (AttributeVolumeInformation)attrib);
            break;

        case AttributeType.INDEX_ROOT:
            PrettyPrintIndexRootDetails(indent, (AttributeIndexRoot)attrib);
            break;

        case AttributeType.INDEX_ALLOCATION:
            PrettyPrintIndexAllocationDetails(indent, (AttributeIndexAllocation)attrib);
            break;

        case AttributeType.BITMAP:
            PrettyPrintBitmapDetails(indent, (AttributeBitmap)attrib);
            break;

        case AttributeType.LOGGED_UTILITY_STREAM:
            AttributeLoggedUtilityStream utilityStream = (AttributeLoggedUtilityStream)attrib;
            AwesomeConsole.WriteLine(indent + "Data: {0:N0} Bytes", utilityStream.Data.Length);
            break;

        default:
            // Stop in the debugger when one is attached, then report the unknown type.
            if (Debugger.IsAttached)
            {
                Debugger.Break();
            }
            PrintError(attrib.Type + " not supported");
            break;
    }
}

/// <summary>Prints the four timestamps of a standard-information attribute, each followed by its Kind.</summary>
private static void PrettyPrintStandardInformationDetails(string indent, AttributeStandardInformation info)
{
    AwesomeConsole.WriteLine(indent + "Creation Time: " + info.TimeCreated + " " + info.TimeCreated.Kind);
    AwesomeConsole.WriteLine(indent + "Modified Time: " + info.TimeModified + " " + info.TimeModified.Kind);
    AwesomeConsole.WriteLine(indent + "Accessed Time: " + info.TimeAccessed + " " + info.TimeAccessed.Kind);
    AwesomeConsole.WriteLine(indent + "Mft Modified : " + info.TimeMftModified + " " + info.TimeMftModified.Kind);
}

/// <summary>Prints one line per attribute-list item, marking items whose base file is the record being printed.</summary>
private static void PrettyPrintAttributeListDetails(string indent, FileRecord record, AttributeList attributeList)
{
    foreach (AttributeListItem item in attributeList.Items)
    {
        AwesomeConsole.Write(indent + item.AttributeId + ": ");
        PrintType(item.Type);
        AwesomeConsole.Write(" ");
        PrintName(item.Name, true, true);
        AwesomeConsole.Write(" ");

        if (record.FileReference == item.BaseFile)
        {
            AwesomeConsole.Write("(this record)", ConsoleColor.DarkGray);
        }
        else
        {
            PrintReference(item.BaseFile);
        }

        AwesomeConsole.WriteLine();
    }
}

/// <summary>Prints parent directory, namespace, flags, name and the four timestamps of a file-name attribute.</summary>
private static void PrettyPrintFileNameDetails(string indent, AttributeFileName nameAttribute)
{
    // Label and coloured value are written inside one sequential-write scope.
    using (AwesomeConsole.BeginSequentialWrite())
    {
        AwesomeConsole.Write(indent + "Parent dir: ");
        AwesomeConsole.WriteLine(nameAttribute.ParentDirectory, ConsoleColor.Cyan);
    }

    AwesomeConsole.WriteLine(indent + "Namespace: " + nameAttribute.FilenameNamespace);

    AwesomeConsole.Write(indent + "Flags: ");
    PrintEnums(nameAttribute.FileFlags);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "Name: ");
    PrintName(nameAttribute.FileName, false, true);
    AwesomeConsole.WriteLine();

    // These are printed separately from the standard-information timestamps, so a
    // reader can compare the two sets for the same record.
    AwesomeConsole.WriteLine(indent + "C Time: " + nameAttribute.CTime + " " + nameAttribute.CTime.Kind);
    AwesomeConsole.WriteLine(indent + "M Time: " + nameAttribute.MTime + " " + nameAttribute.MTime.Kind);
    AwesomeConsole.WriteLine(indent + "A Time: " + nameAttribute.ATime + " " + nameAttribute.ATime.Kind);
    AwesomeConsole.WriteLine(indent + "R Time: " + nameAttribute.RTime + " " + nameAttribute.RTime.Kind);
}

/// <summary>Prints the length of a data attribute and, when it is non-resident, its VCN range and fragment table.</summary>
private static void PrettyPrintDataDetails(NTFSParser parser, Options options, string indent, AttributeData dataAttribute)
{
    if (dataAttribute.NonResidentFlag == ResidentFlag.Resident)
    {
        AwesomeConsole.WriteLine(indent + "Data length: {0:N0} Bytes", dataAttribute.ResidentHeader.ContentLength);
        return;
    }

    AwesomeConsole.WriteLine(indent + "Data length: {0:N0} Bytes", dataAttribute.NonResidentHeader.ContentSize);

    AwesomeConsole.Write(indent + "VCN: ");
    PrintRange(parser, options, dataAttribute.NonResidentHeader.StartingVCN, dataAttribute.NonResidentHeader.EndingVCN - dataAttribute.NonResidentHeader.StartingVCN);
    AwesomeConsole.WriteLine();

    AwesomeConsole.WriteLine(indent + "Fragments: {0:N0}", dataAttribute.NonResidentHeader.Fragments.Length);
    // Column legend for the fragment lines below.
    AwesomeConsole.WriteLine(indent + SingleIndent + "LCN-range, cluster count, VCN-range", ConsoleColor.DarkGray);

    foreach (DataFragment fragment in dataAttribute.NonResidentHeader.Fragments)
    {
        PrettyPrintDataFragmentLine(parser, options, indent, fragment);
    }
}

/// <summary>Prints one fragment line: LCN range, size, VCN range, then the compressed and sparse markers.</summary>
private static void PrettyPrintDataFragmentLine(NTFSParser parser, Options options, string indent, DataFragment fragment)
{
    AwesomeConsole.Write(indent + SingleIndent);
    PrintRange(parser, options, fragment.LCN, fragment.Clusters);
    AwesomeConsole.Write(SingleIndent);
    PrintSize(parser, options, fragment.Clusters);
    AwesomeConsole.Write(SingleIndent);
    PrintRange(parser, options, fragment.StartingVCN, fragment.Clusters);

    if (fragment.IsCompressed)
    {
        AwesomeConsole.Write(" (Compressed)");
    }
    if (fragment.IsSparseFragment)
    {
        AwesomeConsole.Write(" (Sparse)");
    }

    AwesomeConsole.WriteLine();
}

/// <summary>Prints the four GUIDs of an object-id attribute, one per line.</summary>
private static void PrettyPrintObjectIdDetails(string indent, AttributeObjectId idAttribute)
{
    AwesomeConsole.Write(indent + "ObjectId : ");
    PrintGUID(idAttribute.ObjectId);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "BithVolumeId: ");
    PrintGUID(idAttribute.BithVolumeId);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "BithObjectId: ");
    PrintGUID(idAttribute.BithObjectId);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "DomainId : ");
    PrintGUID(idAttribute.DomainId);
    AwesomeConsole.WriteLine();
}

/// <summary>Prints owner and group SIDs, the control flags, and the entries of the SACL and DACL.</summary>
private static void PrettyPrintSecurityDescriptorDetails(string indent, AttributeSecurityDescriptor descriptor)
{
    AwesomeConsole.Write(indent + "SID: ");
    PrintSID(descriptor.UserSID);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "GID: ");
    PrintSID(descriptor.GroupSID);
    AwesomeConsole.WriteLine();

    AwesomeConsole.Write(indent + "Flags: ");
    PrintEnums(descriptor.ControlFlags);
    AwesomeConsole.WriteLine();
    AwesomeConsole.WriteLine();

    // A missing list is reported with a count of 0 and a red "Not present" line.
    AwesomeConsole.WriteLine(indent + "SACL: " + (descriptor.SACL == null ? 0 : descriptor.SACL.ACECount));
    if (descriptor.SACL != null)
    {
        foreach (ACE auditEntry in descriptor.SACL.ACEs)
        {
            PrintACE(indent, auditEntry);
        }
    }
    else
    {
        AwesomeConsole.WriteLine(indent + SingleIndent + "Not present", ConsoleColor.Red);
    }

    AwesomeConsole.WriteLine(indent + "DACL: " + (descriptor.DACL == null ? 0 : descriptor.DACL.ACECount));
    if (descriptor.DACL != null)
    {
        foreach (ACE accessEntry in descriptor.DACL.ACEs)
        {
            PrintACE(indent, accessEntry);
        }
    }
    else
    {
        AwesomeConsole.WriteLine(indent + SingleIndent + "Not present", ConsoleColor.Red);
    }
}

/// <summary>Prints the name stored in a volume-name attribute.</summary>
private static void PrettyPrintVolumeNameDetails(string indent, AttributeVolumeName nameAttribute)
{
    AwesomeConsole.Write(indent + "Name: ");
    PrintName(nameAttribute.VolumeName);
    AwesomeConsole.WriteLine();
}

/// <summary>Prints the reserved field, the version as "major.minor", and the flags of a volume-information attribute.</summary>
private static void PrettyPrintVolumeInformationDetails(string indent, AttributeVolumeInformation info)
{
    AwesomeConsole.WriteLine(indent + "Reserved: " + info.Reserved);
    AwesomeConsole.WriteLine(indent + "MajorVersion: " + info.MajorVersion + "." + info.MinorVersion);

    AwesomeConsole.Write(indent + "VolumeInformationFlag: ");
    PrintEnums(info.VolumeInformationFlag);
    AwesomeConsole.WriteLine();
}

/// <summary>Prints the header fields of an index-root attribute and one line per index entry.</summary>
private static void PrettyPrintIndexRootDetails(string indent, AttributeIndexRoot root)
{
    AwesomeConsole.WriteLine(indent + "IndexType: " + root.IndexType);
    AwesomeConsole.WriteLine(indent + "CollationRule: " + root.CollationRule);
    AwesomeConsole.WriteLine(indent + "IndexAllocationSize: " + root.IndexAllocationSize);
    AwesomeConsole.WriteLine(indent + "ClustersPrIndexRecord: " + root.ClustersPrIndexRecord);
    AwesomeConsole.WriteLine();

    AwesomeConsole.WriteLine(indent + "SizeOfIndexTotal: " + root.SizeOfIndexTotal);
    AwesomeConsole.WriteLine(indent + "IndexFlags: " + root.IndexFlags);

    AwesomeConsole.WriteLine(indent + "Entries: " + root.Entries.Length);
    foreach (IndexEntry entry in root.Entries)
    {
        PrettyPrintIndexEntryLine(indent, entry);
    }
}

/// <summary>Prints the usage of each chunk of an index-allocation attribute and one line per index entry.</summary>
private static void PrettyPrintIndexAllocationDetails(string indent, AttributeIndexAllocation allocation)
{
    AwesomeConsole.WriteLine(indent + "Chunks: " + allocation.Indexes.Length);

    int chunkNumber = 0;
    foreach (IndexAllocationChunk chunk in allocation.Indexes)
    {
        AwesomeConsole.WriteLine(indent + SingleIndent + string.Format("{0:N0}: {1:N0} of {2:N0} Bytes used", chunkNumber, chunk.SizeOfIndexTotal, chunk.SizeOfIndexAllocated));
        chunkNumber++;
    }

    AwesomeConsole.WriteLine(indent + "Entries: " + allocation.Entries.Length);
    foreach (IndexEntry entry in allocation.Entries)
    {
        PrettyPrintIndexEntryLine(indent, entry);
    }
}

/// <summary>Prints one index entry: its file reference and, when a child file name is present, that name and its flags.</summary>
private static void PrettyPrintIndexEntryLine(string indent, IndexEntry entry)
{
    AwesomeConsole.Write(indent + SingleIndent);
    PrintReference(entry.FileRefence);

    if (entry.ChildFileName != null)
    {
        AwesomeConsole.Write(" ");
        PrintName(entry.ChildFileName.FileName, true);
        AwesomeConsole.Write(" ");
        PrintEnums(entry.ChildFileName.FileFlags);
    }

    AwesomeConsole.WriteLine();
}

/// <summary>Prints the size of a bitmap attribute and at most its first 256 bits, as four lines of 64 bits in groups of 8.</summary>
private static void PrettyPrintBitmapDetails(string indent, AttributeBitmap bitmapAttribute)
{
    var bits = bitmapAttribute.Bitfield;
    var bitCount = bits.Length;

    AwesomeConsole.WriteLine(indent + "Bitfield Size: {0:N0} ({1:N0} bytes)", bitCount, bitCount / 8);

    // Print out 4 lines of 64 bits
    const int bitsPrLine = 64;
    for (int line = 0; line < 4 && bitCount > line * bitsPrLine; line++)
    {
        int lineStart = line * bitsPrLine;
        int lineEnd = lineStart + bitsPrLine;

        // Each line starts with the index of its first bit, left-aligned in six columns.
        AwesomeConsole.Write(indent + "{0,-6}", lineStart + ":");

        for (int groupStart = lineStart; groupStart < lineEnd && groupStart < bitCount; groupStart += 8)
        {
            for (int bit = groupStart; bit < groupStart + 8 && bit < bitCount; bit++)
            {
                AwesomeConsole.Write(bits[bit] ? "1" : "0");
            }

            AwesomeConsole.Write(" ");
        }

        AwesomeConsole.WriteLine();
    }

    // Tell the reader when the dump above is only a prefix of the bitfield.
    if (bitCount > 256)
    {
        PrintError(indent + "Bitfield was longer than 256 bits, so the rest wasn't printed.");
        AwesomeConsole.WriteLine();
    }
}