/// <summary>
/// Enumerates the UsnJrnl records held in the $J data stream of the given $UsnJrnl
/// file record, reading every non-sparse data run straight from the volume.
/// </summary>
/// <param name="volume">Volume the journal lives on; handed unchanged to
/// VolumeBootRecord.Get, FileRecord.Get and Helper.readDrive.</param>
/// <param name="recordnumber">MFT record number of the $UsnJrnl file (C:\$Extend\$UsnJrnl).</param>
/// <returns>
/// All records parsed, in on-disk order. Sparse runs are skipped. Within one cluster
/// the scan stops at the first zero byte, at a record whose Version exceeds
/// USN40Version, or at a record the UsnJrnl constructor rejects.
/// </returns>
private static UsnJrnl[] GetInstances(string volume, int recordnumber)
{
    // The boot record supplies the cluster size used to turn cluster numbers into byte offsets.
    VolumeBootRecord vbr = VolumeBootRecord.Get(volume);
    FileRecord journalRecord = FileRecord.Get(volume, recordnumber, true);

    // $J is the non-resident stream that holds the change-journal entries themselves.
    NonResident jStream = UsnJrnl.GetJStream(journalRecord);

    List<UsnJrnl> entries = new List<UsnJrnl>();

    foreach (var run in jStream.DataRun)
    {
        // Sparse runs are unallocated: there is nothing on disk to read for them.
        if (run.Sparse)
        {
            continue;
        }

        long clusterCount = run.ClusterLength;
        byte[] runBytes = Helper.readDrive(volume, (run.StartCluster * vbr.BytesPerCluster), (clusterCount * vbr.BytesPerCluster));
        byte[] cluster = new byte[vbr.BytesPerCluster];

        for (int c = 0; c < clusterCount; c++)
        {
            Array.Copy(runBytes, (int)(c * vbr.BytesPerCluster), cluster, 0, cluster.Length);

            int offset = 0;
            do
            {
                // A zero byte marks the unused padding at the tail of the cluster.
                if (cluster[offset] == 0)
                {
                    break;
                }
                try
                {
                    UsnJrnl entry = new UsnJrnl(cluster, volume, ref offset);
                    if (entry.Version > USN40Version)
                    {
                        break;
                    }
                    entries.Add(entry);
                }
                catch
                {
                    // NOTE(review): the bare catch ends this cluster's scan on any parse
                    // failure, so a single malformed record (corruption or deliberate
                    // tampering) silently drops the remainder of the cluster; worth logging.
                    break;
                }
            } while (offset >= 0 && offset < cluster.Length);
        }
    }

    return entries.ToArray();
}
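/// <summary>
/// Resolves the UsnJrnl entry referenced by this file record's $STANDARD_INFORMATION
/// attribute (its UpdateSequenceNumber) on the record's volume.
/// </summary>
/// <returns>The entry returned by UsnJrnl.Get for that update sequence number.</returns>
/// <exception cref="InvalidOperationException">
/// No attribute named STANDARD_INFORMATION that is actually a StandardInformation instance exists.
/// </exception>
public UsnJrnl GetUsnJrnl()
{
    foreach (Attr attr in this.Attribute)
    {
        if (attr.Name == Attr.ATTR_TYPE.STANDARD_INFORMATION)
        {
            // Bug fix: the name check does not guarantee the runtime type; a failed 'as'
            // cast used to surface as a NullReferenceException on the next line.
            StandardInformation stdInfo = attr as StandardInformation;
            if (stdInfo != null)
            {
                return UsnJrnl.Get(this.VolumePath, stdInfo.UpdateSequenceNumber);
            }
        }
    }
    throw new InvalidOperationException("No $STANDARD_INFORMATION Attribute found");
}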
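/// <summary>
/// Resolves the UsnJrnl entry referenced by this file record's $STANDARD_INFORMATION
/// attribute (its UpdateSequenceNumber) on the record's volume.
/// </summary>
/// <returns>The entry returned by UsnJrnl.Get for that update sequence number.</returns>
/// <exception cref="InvalidOperationException">
/// None of the record's attributes is a StandardInformation instance.
/// </exception>
public UsnJrnl GetUsnJrnl()
{
    foreach (FileRecordAttribute attr in this.Attribute)
    {
        // Type test rather than name comparison: only a StandardInformation carries the USN.
        StandardInformation SI = attr as StandardInformation;
        if (SI != null)
        {
            return UsnJrnl.Get(this.VolumePath, SI.UpdateSequenceNumber);
        }
    }
    // A specific exception type (was a bare System.Exception) so callers can distinguish
    // "attribute missing" from unrelated failures.
    throw new InvalidOperationException("No $STANDARD_INFORMATION Attribute found");
}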
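/// <summary>
/// Resolves the UsnJrnl entry referenced by this file record's $STANDARD_INFORMATION
/// attribute (its UpdateSequenceNumber), addressing the journal by the path
/// &lt;volume&gt;\$Extend\$UsnJrnl built from this record's VolumePath.
/// </summary>
/// <returns>The entry returned by UsnJrnl.Get for that update sequence number.</returns>
/// <exception cref="InvalidOperationException">
/// None of the record's attributes is a StandardInformation instance.
/// </exception>
public UsnJrnl GetUsnJrnl()
{
    foreach (Attr attr in this.Attribute)
    {
        StandardInformation SI = attr as StandardInformation;
        if (SI != null)
        {
            // Bug fix: the original concatenated the string[] returned by Split with the
            // suffix, producing the literal text "System.String[]\$Extend\$UsnJrnl" rather
            // than a path. The last segment is taken as the volume designator (e.g. "C:"
            // from "\\.\C:" or "C:").
            // NOTE(review): confirm VolumePath's shape against Helper.GetVolumeFromPath;
            // a trailing backslash would leave the last segment empty.
            string[] segments = this.VolumePath.Split('\\');
            string volumeRoot = segments[segments.Length - 1];
            return UsnJrnl.Get(volumeRoot + @"\$Extend\$UsnJrnl", SI.UpdateSequenceNumber);
        }
    }
    throw new InvalidOperationException("No $STANDARD_INFORMATION Attribute found");
}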
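/// <summary>
/// Parses UsnJrnl records from an extracted copy of the $J stream (the "$J" content of the
/// file at <paramref name="path"/>), one cluster at a time, without reading the live journal.
/// </summary>
/// <param name="path">Path of the $UsnJrnl file whose "$J" content FileRecord.GetContentBytes
/// returns; its volume is derived with Helper.GetVolumeFromPath.</param>
/// <returns>Records parsed, in stream order.</returns>
/// <remarks>
/// Each cluster is scanned until the first zero byte (padding), a record whose Version
/// exceeds USN40Version, a record the UsnJrnl constructor rejects, or the end of the
/// cluster. Bug fix: the scan was previously bounded only by the end of the buffer, so a
/// record ending exactly on a cluster boundary let the inner loop continue into the next
/// cluster, which the outer loop then parsed a second time, duplicating entries.
/// NOTE(review): like the disk-based GetInstances, this assumes a record never spans clusters.
/// </remarks>
public static UsnJrnl[] GetTestInstances(string path)
{
    byte[] bytes = FileRecord.GetContentBytes(path, "$J");
    string volume = Helper.GetVolumeFromPath(path);
    VolumeBootRecord VBR = VolumeBootRecord.Get(volume);
    List<UsnJrnl> usnList = new List<UsnJrnl>();

    for (int i = 0; i < bytes.Length; i += VBR.BytesPerCluster)
    {
        // Never read past the end of this cluster (or past a truncated final cluster).
        int clusterEnd = (int)Math.Min((long)bytes.Length, (long)i + VBR.BytesPerCluster);
        int clusteroffset = i;
        do
        {
            // Break if there are no more UsnJrnl entries in the cluster
            if (bytes[clusteroffset] == 0)
            {
                break;
            }
            try
            {
                UsnJrnl usn = new UsnJrnl(bytes, volume, ref clusteroffset);
                if (usn.Version > USN40Version)
                {
                    break;
                }
                usnList.Add(usn);
            }
            catch
            {
                // NOTE(review): a bare catch ends this cluster's scan on any parse failure,
                // silently dropping whatever follows a malformed record; worth logging.
                break;
            }
        } while (clusteroffset >= 0 && clusteroffset < clusterEnd);
    }

    return usnList.ToArray();
}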
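/// <summary>
/// Enumerates the UsnJrnl records held in the $J data stream of the given $UsnJrnl file
/// record, reading every non-sparse data run from the volume through a raw volume handle.
/// </summary>
/// <param name="volume">Volume name; normalised in place by NativeMethods.getVolumeName.</param>
/// <param name="recordnumber">MFT record number of the $UsnJrnl file.</param>
/// <returns>
/// All records parsed, in on-disk order. Sparse runs are skipped. Within one cluster the
/// scan stops at the first zero byte, at a record whose Version exceeds USN40Version, or
/// at a record the UsnJrnl constructor rejects.
/// </returns>
private static UsnJrnl[] GetInstances(string volume, int recordnumber)
{
    // Check for valid Volume name
    NativeMethods.getVolumeName(ref volume);

    // Set up FileStream to read volume
    IntPtr hVolume = NativeMethods.getHandle(volume);

    // Bug fix: the stream (and the volume handle behind it) was never closed, leaking one
    // handle per call. NOTE(review): this assumes getFileStream passes ownership of hVolume
    // to the FileStream; if it wraps the handle with ownsHandle=false, hVolume still needs
    // an explicit CloseHandle.
    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        // Get VolumeBootRecord object for logical addressing
        VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
        FileRecord record = FileRecord.Get(volume, recordnumber, true);

        // Get the $J Data attribute (contains UsnJrnl details)
        NonResident J = UsnJrnl.GetJStream(record);

        List<UsnJrnl> usnList = new List<UsnJrnl>();

        for (int i = 0; i < J.DataRun.Length; i++)
        {
            // Sparse runs are unallocated: nothing on disk to read.
            if (J.DataRun[i].Sparse)
            {
                continue;
            }

            long clusterCount = J.DataRun[i].ClusterLength;
            byte[] fragmentBytes = NativeMethods.readDrive(streamToRead, ((ulong)J.DataRun[i].StartCluster * VBR.BytesPerCluster), ((ulong)clusterCount * VBR.BytesPerCluster));
            byte[] clusterBytes = new byte[VBR.BytesPerCluster];

            for (long j = 0; j < clusterCount; j++)
            {
                Array.Copy(fragmentBytes, ((long)j * VBR.BytesPerCluster), clusterBytes, 0, clusterBytes.Length);

                int offset = 0;
                do
                {
                    // A zero byte marks the unused padding at the tail of the cluster.
                    if (clusterBytes[offset] == 0)
                    {
                        break;
                    }
                    try
                    {
                        UsnJrnl usn = new UsnJrnl(clusterBytes, volume, ref offset);
                        if (usn.Version > USN40Version)
                        {
                            break;
                        }
                        usnList.Add(usn);
                    }
                    catch
                    {
                        // NOTE(review): a bare catch ends this cluster's scan on any parse
                        // failure, silently dropping whatever follows a malformed record
                        // (corruption or deliberate tampering); worth logging.
                        break;
                    }
                } while (offset >= 0 && offset < clusterBytes.Length);
            }
        }

        return usnList.ToArray();
    }
}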
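/// <summary>
/// Locates and parses the single UsnJrnl record that starts at byte offset
/// <paramref name="usn"/> of the $J stream of the given $UsnJrnl file record.
/// </summary>
/// <param name="volume">Volume name; normalised in place by NativeMethods.getVolumeName.</param>
/// <param name="recordnumber">MFT record number of the $UsnJrnl file.</param>
/// <param name="usn">Update sequence number; the code treats it as a byte offset into $J.</param>
/// <returns>The parsed record, or null when the offset lies beyond the last data run.</returns>
/// <exception cref="InvalidOperationException">
/// The offset lies inside the leading sparse run, i.e. that part of the journal no longer exists.
/// </exception>
/// <remarks>
/// NOTE(review): DataRun[0] is assumed to be the journal's leading sparse run, and every
/// later run is read from disk unconditionally; a sparse run after the first would be
/// misread. Confirm whether GetJStream can return such a layout.
/// </remarks>
private static UsnJrnl Get(string volume, int recordnumber, ulong usn)
{
    // Check for valid Volume name
    NativeMethods.getVolumeName(ref volume);

    // Set up FileStream to read volume
    IntPtr hVolume = NativeMethods.getHandle(volume);

    // Bug fix: the stream (and the volume handle behind it) was never closed, leaking one
    // handle per call. NOTE(review): assumes getFileStream passes ownership of hVolume to
    // the FileStream; if it wraps the handle with ownsHandle=false, hVolume still needs CloseHandle.
    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        // Get VolumeBootRecord object for logical addressing
        VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
        FileRecord record = FileRecord.Get(volume, recordnumber, true);

        // Get the $J Data attribute (contains UsnJrnl details)
        NonResident J = UsnJrnl.GetJStream(record);

        // Length of the initial sparse region; offsets below it have been trimmed away.
        ulong SparseLength = (ulong)J.DataRun[0].ClusterLength * VBR.BytesPerCluster;

        // Bug fix: the test was 'usn > SparseLength', which rejected the first record after
        // the sparse region (usn == SparseLength, offset 0 of DataRun[1]) as overwritten.
        if (usn < SparseLength)
        {
            throw new InvalidOperationException("UsnJrnl entry has been overwritten");
        }

        // Offset relative to the start of the first allocated run.
        ulong usnOffset = usn - SparseLength;

        for (int i = 1; i < J.DataRun.Length; i++)
        {
            ulong dataRunLength = (ulong)J.DataRun[i].ClusterLength * VBR.BytesPerCluster;

            // Not in this run: skip its whole length and move on.
            if (dataRunLength <= usnOffset)
            {
                usnOffset -= dataRunLength;
                continue;
            }

            // The record lives in this run; read the run and find its cluster.
            byte[] fragmentBytes = NativeMethods.readDrive(streamToRead, ((ulong)J.DataRun[i].StartCluster * VBR.BytesPerCluster), ((ulong)J.DataRun[i].ClusterLength * VBR.BytesPerCluster));
            byte[] clusterBytes = new byte[VBR.BytesPerCluster];

            for (long j = 0; j < J.DataRun[i].ClusterLength; j++)
            {
                if (VBR.BytesPerCluster <= usnOffset)
                {
                    usnOffset -= VBR.BytesPerCluster;
                    continue;
                }

                Array.Copy(fragmentBytes, ((long)j * VBR.BytesPerCluster), clusterBytes, 0, clusterBytes.Length);

                // usnOffset is now smaller than one cluster, so the narrowing cast is safe.
                int offset = (int)usnOffset;
                return new UsnJrnl(clusterBytes, volume, ref offset);
            }
        }

        return null;
    }
}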
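/// <summary>
/// Enumerates the UsnJrnl records held in the $J data stream of the given $UsnJrnl file
/// record, reading every non-sparse data run from the volume through a raw volume handle.
/// </summary>
/// <param name="volume">Volume name; normalised in place by Util.getVolumeName.</param>
/// <param name="recordnumber">MFT record number of the $UsnJrnl file.</param>
/// <returns>
/// All records parsed, in on-disk order. Sparse runs are skipped. Within one cluster the
/// scan stops at the first zero byte, at a record whose Version exceeds USN40Version, or
/// at a record the UsnJrnl constructor rejects.
/// </returns>
private static UsnJrnl[] GetInstances(string volume, int recordnumber)
{
    // Check for valid Volume name
    Util.getVolumeName(ref volume);

    // Set up FileStream to read volume
    IntPtr hVolume = Util.getHandle(volume);

    // Bug fix: the stream (and the volume handle behind it) was never closed, leaking one
    // handle per call. NOTE(review): this assumes getFileStream passes ownership of hVolume
    // to the FileStream; if it wraps the handle with ownsHandle=false, hVolume still needs
    // an explicit CloseHandle.
    using (FileStream streamToRead = Util.getFileStream(hVolume))
    {
        // Get VolumeBootRecord object for logical addressing
        VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);
        FileRecord record = FileRecord.Get(volume, recordnumber, true);

        // Get the $J Data attribute (contains UsnJrnl details)
        NonResident J = UsnJrnl.GetJStream(record);

        List<UsnJrnl> usnList = new List<UsnJrnl>();

        for (int i = 0; i < J.DataRun.Length; i++)
        {
            // Sparse runs are unallocated: nothing on disk to read.
            if (J.DataRun[i].Sparse)
            {
                continue;
            }

            long clusterCount = J.DataRun[i].ClusterLength;
            byte[] fragmentBytes = Util.readDrive(streamToRead, ((ulong)J.DataRun[i].StartCluster * VBR.BytesPerCluster), ((ulong)clusterCount * VBR.BytesPerCluster));
            byte[] clusterBytes = new byte[VBR.BytesPerCluster];

            for (long j = 0; j < clusterCount; j++)
            {
                Array.Copy(fragmentBytes, ((long)j * VBR.BytesPerCluster), clusterBytes, 0, clusterBytes.Length);

                int offset = 0;
                do
                {
                    // A zero byte marks the unused padding at the tail of the cluster.
                    if (clusterBytes[offset] == 0)
                    {
                        break;
                    }
                    try
                    {
                        UsnJrnl usn = new UsnJrnl(clusterBytes, volume, ref offset);
                        if (usn.Version > USN40Version)
                        {
                            break;
                        }
                        usnList.Add(usn);
                    }
                    catch
                    {
                        // NOTE(review): a bare catch ends this cluster's scan on any parse
                        // failure, silently dropping whatever follows a malformed record
                        // (corruption or deliberate tampering); worth logging.
                        break;
                    }
                } while (offset >= 0 && offset < clusterBytes.Length);
            }
        }

        return usnList.ToArray();
    }
}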
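/// <summary>
/// Converts a batch of UsnJrnl records into ForensicTimeline entries, one per record,
/// preserving order.
/// </summary>
/// <param name="input">Records to convert.</param>
/// <returns>An array with exactly one entry per element of <paramref name="input"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="input"/> is null
/// (previously surfaced as a NullReferenceException from the loop).</exception>
public static ForensicTimeline[] GetInstances(UsnJrnl[] input)
{
    if (input == null)
    {
        throw new ArgumentNullException("input");
    }

    // Output length is known up front, so fill an array directly instead of growing a list.
    ForensicTimeline[] timeline = new ForensicTimeline[input.Length];
    for (int i = 0; i < input.Length; i++)
    {
        timeline[i] = Get(input[i]);
    }
    return timeline;
}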
/// <summary>
/// Builds one ForensicTimeline entry from a UsnJrnl record: the record's TimeStamp, the
/// fixed activity mask "MACB", the source tag "USNJRNL", an empty fourth field, the
/// record's FileName and its ToString() text.
/// </summary>
/// <param name="input">Record to describe.</param>
/// <returns>The new timeline entry.</returns>
public static ForensicTimeline Get(UsnJrnl input)
{
    const string activity = "MACB";
    const string source = "USNJRNL";

    return new ForensicTimeline(input.TimeStamp, activity, source, "", input.FileName, input.ToString());
}
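/// <summary>
/// Parses UsnJrnl records from an extracted copy of the $J stream (the "$J" content of the
/// file at <paramref name="path"/>), one cluster at a time, without reading the live journal.
/// </summary>
/// <param name="path">Path of the $UsnJrnl file whose "$J" content FileRecord.GetContentBytes
/// returns; its volume is derived with Helper.GetVolumeFromPath.</param>
/// <returns>Records parsed, in stream order.</returns>
/// <remarks>
/// Each cluster is scanned until the first zero byte (padding), a record whose Version
/// exceeds USN40Version, a record the UsnJrnl constructor rejects, or the end of the
/// cluster. Bug fix: the scan was previously bounded only by the end of the buffer, so a
/// record ending exactly on a cluster boundary let the inner loop continue into the next
/// cluster, which the outer loop then parsed a second time, duplicating entries.
/// NOTE(review): like the disk-based GetInstances, this assumes a record never spans clusters.
/// </remarks>
public static UsnJrnl[] GetTestInstances(string path)
{
    byte[] bytes = FileRecord.GetContentBytes(path, "$J");
    string volume = Helper.GetVolumeFromPath(path);
    VolumeBootRecord VBR = VolumeBootRecord.Get(volume);
    int clusterSize = (int)VBR.BytesPerCluster;
    List<UsnJrnl> usnList = new List<UsnJrnl>();

    for (int i = 0; i < bytes.Length; i += clusterSize)
    {
        // Never read past the end of this cluster (or past a truncated final cluster).
        int clusterEnd = (int)Math.Min((long)bytes.Length, (long)i + clusterSize);
        int clusteroffset = i;
        do
        {
            // Break if there are no more UsnJrnl entries in the cluster
            if (bytes[clusteroffset] == 0)
            {
                break;
            }
            try
            {
                UsnJrnl usn = new UsnJrnl(bytes, volume, ref clusteroffset);
                if (usn.Version > USN40Version)
                {
                    break;
                }
                usnList.Add(usn);
            }
            catch
            {
                // NOTE(review): a bare catch ends this cluster's scan on any parse failure,
                // silently dropping whatever follows a malformed record; worth logging.
                break;
            }
        } while (clusteroffset >= 0 && clusteroffset < clusterEnd);
    }

    return usnList.ToArray();
}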