        /// <summary>
        /// Builds a forensic timeline for the target volume: scheduled jobs, shell links, MFT file
        /// records, USN journal entries, event log records, and every key of the DRIVERS, SAM,
        /// SECURITY, SOFTWARE and SYSTEM hives under <c>\Windows\system32\config</c> on that volume.
        /// Each source is emitted to the pipeline as it is collected.
        /// </summary>
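        protected override void ProcessRecord()
        {
            // Prefetch is deliberately not part of the volume-wide timeline (the call is present
            // upstream but commented out; the reason is not recorded).

            // Artifact and NTFS sources, in the same order the timeline was always emitted.
            EmitSource("ScheduledJob Instances", () => ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
            EmitSource("ShellLink Instances", () => ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));
            EmitSource("FileRecord Instances", () => ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
            EmitSource("UsnJrnl Instances", () => ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));
            EmitSource("EventRecord Instances", () => ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

            // Registry hives are read from the fixed system location on the target volume.
            // Not every hive exists on every Windows release (DRIVERS, for instance, is absent on
            // older ones), so a single unreadable hive must not abort the rest of the timeline.
            string configDir = volLetter + "\\Windows\\system32\\config\\";
            foreach (string hive in new[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" })
            {
                string hivePath = configDir + hive;
                EmitSource(hive + " Hive Keys", () => ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)));
            }
        }

        /// <summary>
        /// Collects one timeline source and writes it to the pipeline.
        /// A failure inside <paramref name="collect"/> is reported as a non-terminating error for
        /// that source (so it shows up as a gap rather than silently disappearing) and the
        /// remaining sources are still processed. Previously any exception terminated the cmdlet
        /// and discarded every source not yet emitted.
        /// </summary>
        /// <param name="label">Human-readable source name, used in the verbose message and as the error target.</param>
        /// <param name="collect">Produces the timeline entries for the source.</param>
        private void EmitSource(string label, Func<object> collect)
        {
            WriteVerbose("Getting " + label);

            object entries;
            try
            {
                // NOTE(review): assumes GetInstances materializes its result here rather than
                // returning a lazy sequence that would throw during WriteObject — confirm.
                entries = collect();
            }
            catch (Exception ex)
            {
                WriteError(new ErrorRecord(ex, "ForensicTimelineSourceFailed", ErrorCategory.ReadError, label));
                return;
            }

            // Kept outside the try so a pipeline stop (Ctrl-C) raised by WriteObject is not
            // converted into an error record.
            WriteObject(entries, true);
        }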
 /// <summary>
 /// Builds a forensic timeline for the target volume: scheduled jobs, MFT file records, USN
 /// journal entries, and every key of the DRIVERS, SAM, SECURITY, SOFTWARE and SYSTEM hives
 /// under <c>\Windows\system32\config</c> on that volume. Each source is emitted to the
 /// pipeline as it is collected.
 /// </summary>
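 protected override void ProcessRecord()
 {
     // Prefetch is deliberately excluded from the volume-wide timeline (the call exists
     // upstream but is commented out; no reason is recorded).

     WriteSource("ScheduledJob Instances", () => ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
     WriteSource("FileRecord Instances", () => ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
     WriteSource("UsnJrnl Instances", () => ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));

     // Hives are read from the fixed system location on the target volume. A hive that is
     // missing or unreadable on this image must not take the remaining hives down with it.
     string[] hives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
     foreach (string hive in hives)
     {
         string hivePath = volLetter + "\\Windows\\system32\\config\\" + hive;
         WriteSource(hive + " Hive Keys", () => ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)));
     }
 }

 /// <summary>
 /// Collects one timeline source and writes its entries to the pipeline.
 /// If collection throws, the failure is surfaced as a non-terminating error naming the
 /// source and processing continues with the next one; before this change a single
 /// exception terminated the cmdlet and dropped every source not yet written.
 /// </summary>
 /// <param name="label">Source name used in the verbose message and as the error target.</param>
 /// <param name="collect">Produces the timeline entries for the source.</param>
 private void WriteSource(string label, Func<object> collect)
 {
     WriteVerbose("Getting " + label);

     object entries;
     try
     {
         // NOTE(review): assumes GetInstances returns a materialized collection; a lazy
         // sequence would throw later, inside WriteObject — confirm.
         entries = collect();
     }
     catch (Exception ex)
     {
         WriteError(new ErrorRecord(ex, "ForensicTimelineSourceFailed", ErrorCategory.ReadError, label));
         return;
     }

     // Deliberately outside the try: a pipeline stop raised by WriteObject must propagate.
     WriteObject(entries, true);
 }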
        /// <summary>
        /// Converts one pipeline object into forensic timeline entries, dispatching on the
        /// object's first PowerShell type name (Amcache, Prefetch, ScheduledJob, ShellLink,
        /// UserAssist, EventRecord, FileRecord, UsnJrnl or NamedKey). Any other type is a
        /// terminating error.
        /// </summary>
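        protected override void ProcessRecord()
        {
            if (inputobject == null)
            {
                throw new ArgumentNullException("inputobject", "ConvertTo-ForensicTimeline requires an input object");
            }

            // TypeNames[0] is PSObject metadata that scripts can rewrite, so it only selects the
            // branch. The explicit casts below are the real type check: on a mismatch they fail
            // with a clear InvalidCastException instead of passing null (from `as`) into
            // ForensicTimeline.Get.
            string typeName = inputobject.TypeNames[0];
            object raw = inputobject.BaseObject;

            switch (typeName)
            {
            case "PowerForensics.Artifacts.Amcache":
                // Accepted but produces no output — presumably no ForensicTimeline.Get overload
                // exists for Amcache yet; confirm before relying on Amcache in a timeline.
                break;

            case "PowerForensics.Artifacts.Prefetch":
                WriteObject(ForensicTimeline.Get((Prefetch)raw), true);
                break;

            case "PowerForensics.Artifacts.ScheduledJob":
                WriteObject(ForensicTimeline.Get((ScheduledJob)raw), true);
                break;

            case "PowerForensics.Artifacts.ShellLink":
                WriteObject(ForensicTimeline.Get((ShellLink)raw), true);
                break;

            case "PowerForensics.Artifacts.UserAssist":
                WriteObject(ForensicTimeline.Get((UserAssist)raw), true);
                break;

            case "PowerForensics.EventLog.EventRecord":
                WriteObject(ForensicTimeline.Get((EventRecord)raw), true);
                break;

            case "PowerForensics.Ntfs.FileRecord":
                // The original code expected ForensicTimeline.Get(FileRecord) to throw for some
                // records and swallowed that silently. Keep the best-effort behaviour for the rest
                // of the pipeline, but report the dropped record as a non-terminating error so the
                // gap in the timeline is visible (suppressible with -ErrorAction).
                FileRecord record = (FileRecord)raw;
                object entries;
                try
                {
                    entries = ForensicTimeline.Get(record);
                }
                catch (Exception ex)
                {
                    WriteError(new ErrorRecord(ex, "FileRecordTimelineFailed", ErrorCategory.InvalidData, record));
                    break;
                }
                // Outside the try so a pipeline stop raised by WriteObject is not swallowed.
                WriteObject(entries, true);
                break;

            case "PowerForensics.Ntfs.UsnJrnl":
                WriteObject(ForensicTimeline.Get((UsnJrnl)raw), true);
                break;

            case "PowerForensics.Registry.NamedKey":
                WriteObject(ForensicTimeline.Get((NamedKey)raw), true);
                break;

            default:
                // Terminating, as before; NotSupportedException derives from Exception so existing
                // catch handlers still match.
                throw new NotSupportedException(String.Format("{0} type not supported by ConvertTo-ForensicTimeline", typeName));
            }
        }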
        /// <summary>
        /// Converts one pipeline object into forensic timeline entries, dispatching on the
        /// object's first PowerShell type name (Amcache, Prefetch, ScheduledJob, UserAssist,
        /// FileRecord, UsnJrnl or NamedKey). Objects of any other type are skipped.
        /// </summary>
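        protected override void ProcessRecord()
        {
            if (inputobject == null)
            {
                throw new ArgumentNullException("inputobject", "ConvertTo-ForensicTimeline requires an input object");
            }

            // The type name is caller-editable PSObject metadata and only chooses the branch;
            // the explicit cast is the real check and fails loudly on a mismatch rather than
            // handing ForensicTimeline.Get a null from an `as` cast.
            string typeName = inputobject.TypeNames[0];
            object raw = inputobject.BaseObject;

            switch (typeName)
            {
            case "PowerForensics.Artifacts.Amcache":
                // Accepted but emits nothing — presumably no timeline conversion exists for
                // Amcache yet; confirm.
                break;

            case "PowerForensics.Artifacts.Prefetch":
                WriteObject(ForensicTimeline.Get((Prefetch)raw), true);
                break;

            case "PowerForensics.Artifacts.ScheduledJob":
                WriteObject(ForensicTimeline.Get((ScheduledJob)raw), true);
                break;

            case "PowerForensics.Artifacts.UserAssist":
                WriteObject(ForensicTimeline.Get((UserAssist)raw), true);
                break;

            case "PowerForensics.Ntfs.FileRecord":
                // Conversion of some file records was expected to throw and was swallowed
                // silently. Keep the pipeline going, but surface the dropped record as a
                // non-terminating error so the omission from the timeline is visible.
                FileRecord record = (FileRecord)raw;
                object entries;
                try
                {
                    entries = ForensicTimeline.Get(record);
                }
                catch (Exception ex)
                {
                    WriteError(new ErrorRecord(ex, "FileRecordTimelineFailed", ErrorCategory.InvalidData, record));
                    break;
                }
                // Outside the try so a pipeline stop from WriteObject is not swallowed.
                WriteObject(entries, true);
                break;

            case "PowerForensics.Ntfs.UsnJrnl":
                WriteObject(ForensicTimeline.Get((UsnJrnl)raw), true);
                break;

            case "PowerForensics.Registry.NamedKey":
                WriteObject(ForensicTimeline.Get((NamedKey)raw), true);
                break;

            default:
                // Unsupported input is still skipped rather than terminating the pipeline, but it is
                // reported on the error stream instead of Console.WriteLine, which bypassed
                // PowerShell's streams (not redirectable, not transcribed, not suppressible).
                WriteError(new ErrorRecord(
                    new NotSupportedException(String.Format("{0} type not supported by ConvertTo-ForensicTimeline", typeName)),
                    "UnsupportedTimelineInput",
                    ErrorCategory.InvalidType,
                    inputobject));
                break;
            }
        }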