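/// <summary>
/// Writes the forensic timeline for the target volume to the pipeline.
/// Artifacts are collected in a fixed order -- ScheduledJob, ShellLink, FileRecord,
/// UsnJrnl, EventRecord -- followed by every key of the DRIVERS, SAM, SECURITY,
/// SOFTWARE and SYSTEM hives under <c>\Windows\system32\config</c> on the volume.
/// Each step is announced on the verbose stream so a long run can be followed.
/// </summary>
/// <remarks>
/// Prefetch collection is commented out below exactly as it was in the original
/// source; the reason is not recorded here, so confirm before re-enabling it.
/// </remarks>
protected override void ProcessRecord()
{
    // Disabled upstream (reason not recorded):
    //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

    WriteVerbose("Getting ScheduledJob Instances");
    WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);

    WriteVerbose("Getting ShellLink Instances");
    WriteObject(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)), true);

    WriteVerbose("Getting FileRecord Instances");
    WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);

    WriteVerbose("Getting UsnJrnl Instances");
    WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

    WriteVerbose("Getting EventRecord Instances");
    WriteObject(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)), true);

    // The registry hives all live in the same directory, so iterate the hive names
    // instead of repeating the path five times. Order matches the original.
    string[] hives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hive in hives)
    {
        WriteVerbose("Getting " + hive + " Hive Keys");
        // Plain concatenation is kept on purpose: volLetter looks like a drive prefix
        // (inferred from its name), and Path.Combine would not add a separator after it.
        string hivePath = volLetter + "\\Windows\\system32\\config\\" + hive;
        WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)), true);
    }
}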
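/// <summary>
/// Writes the forensic timeline for the target volume to the pipeline.
/// Artifacts are collected in a fixed order -- ScheduledJob, FileRecord, UsnJrnl --
/// followed by every key of the DRIVERS, SAM, SECURITY, SOFTWARE and SYSTEM hives
/// under <c>\Windows\system32\config</c> on the volume.
/// </summary>
/// <remarks>
/// Prefetch collection is commented out below exactly as it was in the original
/// source; the reason is not recorded here, so confirm before re-enabling it.
/// </remarks>
protected override void ProcessRecord()
{
    // Disabled upstream (reason not recorded):
    //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

    WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);
    WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);
    WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

    // The registry hives all live in the same directory, so iterate the hive names
    // instead of repeating the path five times. Order matches the original.
    string[] hives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hive in hives)
    {
        // Plain concatenation is kept on purpose: volLetter looks like a drive prefix
        // (inferred from its name), and Path.Combine would not add a separator after it.
        string hivePath = volLetter + "\\Windows\\system32\\config\\" + hive;
        WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)), true);
    }
}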
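/// <summary>
/// Converts one pipeline object into forensic timeline entries, dispatching on the
/// object's primary PowerShell type name (<c>TypeNames[0]</c>), and writes the
/// resulting entries to the pipeline.
/// </summary>
/// <remarks>
/// Amcache objects are accepted but produce no output, as in the original (the case
/// was empty; presumably no timeline mapping exists for them -- confirm).
/// A FileRecord that cannot be converted is reported on the verbose stream and skipped
/// instead of being silently swallowed, so one bad record neither aborts the run nor
/// disappears without trace. Only the conversion is guarded; a failure inside
/// WriteObject (for example a stopped pipeline) is allowed to propagate.
/// </remarks>
/// <exception cref="NotSupportedException">
/// The input object's type is not one of the supported artifact types.
/// </exception>
protected override void ProcessRecord()
{
    string typeName = inputobject.TypeNames[0];
    object baseObject = inputobject.BaseObject;

    switch (typeName)
    {
        case "PowerForensics.Artifacts.Amcache":
            // No timeline conversion for Amcache entries; the object is dropped.
            break;
        case "PowerForensics.Artifacts.Prefetch":
            // Direct casts rather than `as`: a BaseObject that does not match its
            // type name fails here with InvalidCastException instead of handing a
            // null to ForensicTimeline.Get.
            WriteObject(ForensicTimeline.Get((Prefetch)baseObject), true);
            break;
        case "PowerForensics.Artifacts.ScheduledJob":
            WriteObject(ForensicTimeline.Get((ScheduledJob)baseObject), true);
            break;
        case "PowerForensics.Artifacts.ShellLink":
            WriteObject(ForensicTimeline.Get((ShellLink)baseObject), true);
            break;
        case "PowerForensics.Artifacts.UserAssist":
            WriteObject(ForensicTimeline.Get((UserAssist)baseObject), true);
            break;
        case "PowerForensics.EventLog.EventRecord":
            WriteObject(ForensicTimeline.Get((EventRecord)baseObject), true);
            break;
        case "PowerForensics.Ntfs.FileRecord":
            FileRecord record = (FileRecord)baseObject;
            object entries;
            try
            {
                entries = ForensicTimeline.Get(record);
            }
            catch (Exception ex)
            {
                // Best-effort per record: report and move on rather than swallow.
                // Verbose (not Warning) because an MFT walk can hit many such records.
                WriteVerbose(String.Format("Skipping FileRecord that could not be converted: {0}", ex.Message));
                break;
            }
            WriteObject(entries, true);
            break;
        case "PowerForensics.Ntfs.UsnJrnl":
            WriteObject(ForensicTimeline.Get((UsnJrnl)baseObject), true);
            break;
        case "PowerForensics.Registry.NamedKey":
            WriteObject(ForensicTimeline.Get((NamedKey)baseObject), true);
            break;
        default:
            // NotSupportedException derives from Exception, so existing catch sites still match.
            throw new NotSupportedException(String.Format("{0} type not supported by ConvertTo-ForensicTimeline", typeName));
    }
}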
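/// <summary>
/// Converts one pipeline object into forensic timeline entries, dispatching on the
/// object's primary PowerShell type name (<c>TypeNames[0]</c>), and writes the
/// resulting entries to the pipeline.
/// </summary>
/// <remarks>
/// Amcache objects are accepted but produce no output, as in the original (the case
/// was empty; presumably no timeline mapping exists for them -- confirm).
/// An unsupported type is reported on the warning stream and skipped; the original
/// wrote the type name to the console, which bypasses PowerShell's streams and is
/// invisible to callers that capture or redirect cmdlet output.
/// A FileRecord that cannot be converted is reported on the verbose stream and skipped
/// instead of being silently swallowed. Only the conversion is guarded; a failure
/// inside WriteObject (for example a stopped pipeline) is allowed to propagate.
/// </remarks>
protected override void ProcessRecord()
{
    string typeName = inputobject.TypeNames[0];
    object baseObject = inputobject.BaseObject;

    switch (typeName)
    {
        case "PowerForensics.Artifacts.Amcache":
            // No timeline conversion for Amcache entries; the object is dropped.
            break;
        case "PowerForensics.Artifacts.Prefetch":
            // Direct casts rather than `as`: a BaseObject that does not match its
            // type name fails here with InvalidCastException instead of handing a
            // null to ForensicTimeline.Get.
            WriteObject(ForensicTimeline.Get((Prefetch)baseObject), true);
            break;
        case "PowerForensics.Artifacts.ScheduledJob":
            WriteObject(ForensicTimeline.Get((ScheduledJob)baseObject), true);
            break;
        case "PowerForensics.Artifacts.UserAssist":
            WriteObject(ForensicTimeline.Get((UserAssist)baseObject), true);
            break;
        case "PowerForensics.Ntfs.FileRecord":
            FileRecord record = (FileRecord)baseObject;
            object entries;
            try
            {
                entries = ForensicTimeline.Get(record);
            }
            catch (Exception ex)
            {
                // Best-effort per record: report and move on rather than swallow.
                // Verbose (not Warning) because an MFT walk can hit many such records.
                WriteVerbose(String.Format("Skipping FileRecord that could not be converted: {0}", ex.Message));
                break;
            }
            WriteObject(entries, true);
            break;
        case "PowerForensics.Ntfs.UsnJrnl":
            WriteObject(ForensicTimeline.Get((UsnJrnl)baseObject), true);
            break;
        case "PowerForensics.Registry.NamedKey":
            WriteObject(ForensicTimeline.Get((NamedKey)baseObject), true);
            break;
        default:
            // Non-terminating, like the original, but on the proper stream.
            WriteWarning(String.Format("{0} type not supported by ConvertTo-ForensicTimeline", typeName));
            break;
    }
}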