public LightweightMFTRecord(MFTRecord record) { FileName = record.FileName; IsDirectory = record.IsDirectory; RecordNumber = record.RecordNum; ParentRecord = record.ParentDirectory; }
/// <summary> /// The ProcessRecord instantiates a NTFSVolumeData objects that /// corresponds to the VolumeName that is specified. /// </summary> protected override void ProcessRecord() { Regex lettersOnly = new Regex("^[a-zA-Z]{1}$"); if (lettersOnly.IsMatch(volume)) { volume = @"\\.\" + volume + ":"; } string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\'; WriteDebug("VolumeName: " + volume); byte[] mftBytes = MasterFileTable.GetBytes(volume); if (this.MyInvocation.BoundParameters.ContainsKey("Path")) { int index = IndexNumber.Get(volume, filePath); if (asbytes) { WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, index)); } else { WriteObject(MFTRecord.Get(mftBytes, index, volLetter, filePath)); } } else if (this.MyInvocation.BoundParameters.ContainsKey("Index")) { if (asbytes) { WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber)); } else { WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null)); } } else { MFTRecord[] records = MFTRecord.GetInstances(mftBytes, volLetter); foreach (MFTRecord record in records) { WriteObject(record); } } } // ProcessRecord
/// <summary> /// The ProcessRecord outputs the raw bytes of the specified File /// </summary> protected override void ProcessRecord() { string volume = @"\\.\" + directory.Split('\\')[0]; string volLetter = directory.Split('\\')[0] + '\\'; byte[] mftBytes = MasterFileTable.GetBytes(volume); string[] files = System.IO.Directory.GetFiles(directory); foreach (string file in files) { WriteObject(MFTRecord.Get(mftBytes, IndexNumber.Get(volume, file), volLetter, file)); } } // ProcessRecord
/// <summary> /// The ProcessRecord method calls ManagementClass.GetInstances() /// method to iterate through each BindingObject on each system specified. /// </summary> protected override void ProcessRecord() { Regex lettersOnly = new Regex("^[a-zA-Z]{1}$"); if (lettersOnly.IsMatch(volume)) { volume = @"\\.\" + volume + ":"; } IntPtr hVolume = NativeMethods.getHandle(volume); FileStream streamToRead = NativeMethods.getFileStream(hVolume); VolumeData volData = new VolumeData(hVolume); MFTRecord record = MFTRecord.Get(MasterFileTable.GetBytes(volume), 4, null, null); List <byte> bytes = new List <byte>(); foreach (Attr attr in record.Attribute) { if (attr.Name == "DATA") { if (attr.NonResident) { NonResident data = attr as NonResident; for (int i = 0; i < data.StartCluster.Length; i++) { ulong offset = data.StartCluster[i] * (ulong)volData.BytesPerCluster; ulong length = (data.EndCluster[i] - data.StartCluster[i]) * (ulong)volData.BytesPerCluster; byte[] byteRange = Win32.NativeMethods.readDrive(streamToRead, offset, length); bytes.AddRange(byteRange); } } else { Data data = attr as Data; bytes.AddRange(data.RawData); } } } for (int i = 0; (i < bytes.ToArray().Length) && (bytes.ToArray()[i] != 0); i += 160) { byte[] attrDefBytes = bytes.Skip(i).Take(160).ToArray(); WriteObject(new AttrDef(attrDefBytes)); } streamToRead.Close(); } // ProcessRecord
public static Mactime[] Get(MFTRecord record) { #region DetermineTime Dictionary <DateTime, ACTIVITY_TYPE> dictionary = new Dictionary <DateTime, ACTIVITY_TYPE>(); // Modified Time dictionary[record.ModifiedTime] = ACTIVITY_TYPE.m; // Access Time if (dictionary.ContainsKey(record.AccessedTime)) { dictionary[record.AccessedTime] = dictionary[record.AccessedTime] | ACTIVITY_TYPE.a; } else { dictionary.Add(record.AccessedTime, ACTIVITY_TYPE.a); } // MFT Changed Time if (dictionary.ContainsKey(record.ChangedTime)) { dictionary[record.ChangedTime] = dictionary[record.ChangedTime] | ACTIVITY_TYPE.c; } else { dictionary.Add(record.ChangedTime, ACTIVITY_TYPE.c); } // Born Time if (dictionary.ContainsKey(record.BornTime)) { dictionary[record.BornTime] = dictionary[record.BornTime] | ACTIVITY_TYPE.b; } else { dictionary.Add(record.BornTime, ACTIVITY_TYPE.b); } #endregion DetermineTime List <Mactime> macs = new List <Mactime>(); foreach (var time in dictionary) { macs.Add(new Mactime(time.Key, record.Size, (ushort)time.Value, record.RecordNumber, record.FullPath, record.Deleted)); } return(macs.ToArray()); }
/// <summary> /// The ProcessRecord method calls ManagementClass.GetInstances() /// method to iterate through each BindingObject on each system specified. /// </summary> protected override void ProcessRecord() { // Determine Volume Name string volume = @"\\.\" + path.Split('\\')[0]; // byte[] fileBytes = MFTRecord.getFile(volume, path); // Open file for writing FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write); // Writes a block of bytes to this stream using data from a byte array. streamToWrite.Write(fileBytes, 0, fileBytes.Length); // Close file stream streamToWrite.Close(); } // ProcessRecord
public static Prefetch[] GetInstances() { // Get current volume string volLetter = Directory.GetCurrentDirectory().Split('\\')[0]; string volume = @"\\.\" + volLetter; // Get a handle to the volume IntPtr hVolume = NativeMethods.getHandle(volume); // Create a FileStream to read from the volume handle using (FileStream streamToRead = NativeMethods.getFileStream(hVolume)) { // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead); // Build Prefetch directory path string prefetchPath = volLetter + @"\\Windows\\Prefetch"; // Check prefetchPath exists if (Directory.Exists(prefetchPath)) { // Get list of file in the Prefetch directory that end in the .pf extension var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf"); // Instantiate an array of Prefetch objects Prefetch[] pfArray = new Prefetch[pfFiles.Length]; // Iterate through Prefetch Files for (int i = 0; i < pfFiles.Length; i++) { // Get bytes for specific Prefetch file byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, pfFiles[i]).ToArray(); // Output the Prefetch object for the corresponding file pfArray[i] = (new Prefetch(fileBytes)); } // Return array or Prefetch objects return(pfArray); } else { return(null); } } }
/// <summary> /// The ProcessRecord instantiates a NTFSVolumeData objects that /// corresponds to the VolumeName that is specified. /// </summary> protected override void ProcessRecord() { NativeMethods.getVolumeName(ref volume); string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\'; byte[] mftBytes = MasterFileTable.GetBytes(volume); if (this.MyInvocation.BoundParameters.ContainsKey("Path")) { int index = IndexNumber.Get(volume, filePath); if (asbytes) { WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, index)); } else { WriteObject(MFTRecord.Get(mftBytes, index, volLetter, filePath)); } } else if (this.MyInvocation.BoundParameters.ContainsKey("Index")) { if (asbytes) { WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber)); } else { WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null)); } } else { MFTRecord[] records = MFTRecord.GetInstances(mftBytes, volLetter); foreach (MFTRecord record in records) { WriteObject(record); } } } // ProcessRecord
public static Prefetch Get(string filePath) { // Get volume path from filePath string volume = @"\\.\" + filePath.Split('\\')[0]; // Get a handle to the volume IntPtr hVolume = NativeMethods.getHandle(volume); // Create a FileStream to read from the volume handle using (FileStream streamToRead = NativeMethods.getFileStream(hVolume)) { // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead); // Get bytes for specific Prefetch file byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, filePath).ToArray(); // Return a Prefetch object for the Prefetch file stored at filePath return(new Prefetch(fileBytes)); } }
/// <summary> /// The ProcessRecord method calls ManagementClass.GetInstances() /// method to iterate through each BindingObject on each system specified. /// </summary> protected override void ProcessRecord() { Regex lettersOnly = new Regex("^[a-zA-Z]{1}$"); if (lettersOnly.IsMatch(volume)) { volume = @"\\.\" + volume + ":"; } WriteDebug("VolumeName: " + volume); byte[] recordBytes = MFTRecord.getMFTRecordBytes(volume, indexNumber); if (asbytes) { WriteObject(Attr.GetBytes(recordBytes, attribute)); } else { WriteObject(Attr.Get(recordBytes, attribute)); } } // ProcessRecord
public static Prefetch Get(string volume, FileStream streamToRead, byte[] MFT, string prefetchPath) { // Get bytes for specific Prefetch file byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, prefetchPath).ToArray(); // Check for Prefetch Magic Number (Value) SCCA at offset 0x04 - 0x07 if (checkPfMagic(fileBytes)) { // Check Prefetch file for version (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP) byte pfVersion = fileBytes[0]; string appName = null; string[] dependencyArray = null; appName = System.Text.Encoding.Unicode.GetString((fileBytes.Skip(0x10).Take(0x3C).ToArray())).TrimEnd('\0'); dependencyArray = getPfDependencies(getPfDependencySection(fileBytes)); Prefetch prefetch = new Prefetch( Enum.GetName(typeof(PREFETCH_VERSION), pfVersion), appName, getPfPathHash(fileBytes), getPfAccessTime(pfVersion, fileBytes), dependencyArray, dependencyArray.Length, getPfPath(appName, dependencyArray), getPfDeviceCount(fileBytes), getPfRunCount(pfVersion, fileBytes) ); return(prefetch); } else { return(null); } }
/// <summary> /// The ProcessRecord outputs the raw bytes of the specified File /// </summary> protected override void ProcessRecord() { int indexNo = 0; byte[] contentArray = null; #region Encoding System.Text.Encoding contentEncoding = System.Text.Encoding.Default; bool asBytes = false; if (this.MyInvocation.BoundParameters.ContainsKey("Encoding")) { if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii) { contentEncoding = System.Text.Encoding.ASCII; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode) { contentEncoding = System.Text.Encoding.BigEndianUnicode; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte) { asBytes = true; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String) { contentEncoding = System.Text.Encoding.Unicode; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode) { contentEncoding = System.Text.Encoding.Unicode; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown) { asBytes = true; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7) { contentEncoding = System.Text.Encoding.UTF7; } else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8) { contentEncoding = System.Text.Encoding.UTF8; } } #endregion Encoding if (this.MyInvocation.BoundParameters.ContainsKey("Path")) { string volLetter = filePath.Split('\\')[0]; string volume = @"\\.\" + volLetter; indexNo = NTFS.IndexNumber.Get(volume, filePath); contentArray = MFTRecord.getFile(volume, indexNo); } else if (this.MyInvocation.BoundParameters.ContainsKey("IndexNumber")) { Regex lettersOnly = new Regex("^[a-zA-Z]{1}$"); if (lettersOnly.IsMatch(volume)) { volume = @"\\.\" + volume + ":"; } indexNo = index; contentArray = MFTRecord.getFile(volume, indexNo); } if (asBytes) { WriteObject(contentArray); } else { string[] outputArray = contentEncoding.GetString(contentArray).Split('\n'); if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail")) { throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter."); } else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount")) { for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++) { WriteObject(outputArray[i]); } } else if (this.MyInvocation.BoundParameters.ContainsKey("Tail")) { for (long i = tail; (i > 0); i--) { if (i > outputArray.Length) { i = outputArray.Length; } WriteObject(outputArray[outputArray.Length - i]); } } else { WriteObject(outputArray); } } } // ProcessRecord