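 /// <summary>
 /// Parses a $DATA (type 0x80) attribute. A resident attribute has its content copied into
 /// <c>mftEntryObj.Resident_Data</c>; a non-resident one yields the VCN range, the run-list
 /// offset and the allocated / actual / initialised content sizes.
 /// </summary>
 /// <param name="attributeHeader">Receives the resident flag and, for resident data, the content size and offset.</param>
 /// <param name="mftEntryObj">Entry whose $DATA fields are filled in.</param>
 /// <param name="data">One two-character hex string per byte, starting at the attribute header.</param>
 /// <remarks>
 /// Failures (attribute shorter than its header, unparsable hex) are reported with a message box
 /// and leave whatever was assigned before the failure in place; the caller continues with the
 /// next attribute.
 /// </remarks>
 public static void GetDataAttributes(MFTAttributeHeaderEntries attributeHeader, MFTParameters mftEntryObj, string[] data)
 {
     try
     {
         // Byte 8 of the attribute header is the non-resident flag (0 = resident). The previous
         // check compared an enumerator's ToString() with "00", which can never match, so every
         // $DATA attribute was handled as non-resident.
         bool isResident = data.Length > 8 && data[8] == "00";
         attributeHeader.NonResidentFlag = isResident ? "Resident" : "Non - Resident";

         if (isResident)
         {
             // Resident layout: content length at 0x10 (4 bytes) and content offset at 0x14
             // (2 bytes), both little-endian, hence the Reverse() before joining the hex digits.
             attributeHeader.SizeOfContent   = int.Parse(string.Join("", data.Skip(16).Take(4).Reverse()), NumberStyles.HexNumber);
             attributeHeader.OffsetToContent = int.Parse(string.Join("", data.Skip(20).Take(2).Reverse()), NumberStyles.HexNumber);

             // Take() stops at the end of the attribute, so a size or offset that points past it
             // yields a truncated (possibly empty) string rather than an exception.
             // NOTE(review): ASCII decoding is kept from the original; non-text resident content
             // will not survive this conversion intact.
             mftEntryObj.Resident_Data = Encoding.ASCII.GetString(Utility.StringToByteArray(string.Join("", data.Skip(attributeHeader.OffsetToContent).Take(attributeHeader.SizeOfContent))));
         }
         else
         {
             // Non-resident layout: these fields sit at fixed offsets inside the attribute header
             // (0x10 .. 0x3F). They do not depend on a content offset, which a non-resident
             // header does not carry.
             mftEntryObj.Starting_Virtual_Cluster_Number = long.Parse(string.Join("", data.Skip(16).Take(8).Reverse()), NumberStyles.HexNumber);
             mftEntryObj.Ending_Virtual_Cluster_Number   = long.Parse(string.Join("", data.Skip(24).Take(8).Reverse()), NumberStyles.HexNumber);
             mftEntryObj.Offset_to_Runlist           = int.Parse(string.Join("", data.Skip(32).Take(2).Reverse()), NumberStyles.HexNumber);
             mftEntryObj.Allocated_Size_of_Content   = long.Parse(string.Join("", data.Skip(40).Take(8).Reverse()), NumberStyles.HexNumber);
             mftEntryObj.Actual_Size_of_Content      = long.Parse(string.Join("", data.Skip(48).Take(8).Reverse()), NumberStyles.HexNumber);
             mftEntryObj.Initialised_Size_of_Content = long.Parse(string.Join("", data.Skip(56).Take(8).Reverse()), NumberStyles.HexNumber);
         }
     }
     catch (Exception)
     {
         // Best-effort parsing: the caller walks the remaining attributes regardless.
         string title = "Error";
         MessageBox.Show("Error while parsing Data attribute", title);
     }
 }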
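        /// <summary>
        /// Parses a $FILE_NAME (type 0x30) attribute: the parent directory reference, the four
        /// $FILE_NAME timestamps, the name namespace and the file name itself.
        /// </summary>
        /// <param name="attributeHeader">Receives the resident flag plus the content size and offset.</param>
        /// <param name="mftEntryObj">Entry whose <c>*_FN</c> fields, namespace and name are filled in.</param>
        /// <param name="data">One two-character hex string per byte, starting at the attribute header.</param>
        /// <remarks>
        /// Any failure (short attribute, unparsable hex, a FILETIME value that
        /// <see cref="DateTime.FromFileTimeUtc"/> rejects) is reported with a message box; fields
        /// assigned before the failure keep their values.
        /// </remarks>
        public static void GetFileNameAttributes(MFTAttributeHeaderEntries attributeHeader, MFTParameters mftEntryObj, string[] data)
        {
            try
            {
                // Byte 8 is the non-resident flag. The previous check compared an enumerator's
                // ToString() with "00", which never matched, so the flag always read "Non - Resident".
                attributeHeader.NonResidentFlag = (data.Length > 8 && data[8] == "00") ? "Resident" : "Non - Resident";

                // Little-endian fields, hence Reverse() before joining the hex digits.
                attributeHeader.SizeOfContent   = int.Parse(string.Join("", data.Skip(16).Take(4).Reverse()), NumberStyles.HexNumber);
                attributeHeader.OffsetToContent = int.Parse(string.Join("", data.Skip(20).Take(2).Reverse()), NumberStyles.HexNumber);

                int content = attributeHeader.OffsetToContent;

                // Parent reference: 8 bytes; after byte-reversal the first two hex bytes are the
                // sequence number and the remaining six the MFT record number.
                mftEntryObj.Parent_MFT_File_Record = long.Parse(string.Join("", data.Skip(content).Take(8).Reverse().Skip(2).Take(6)), NumberStyles.HexNumber);
                mftEntryObj.Parent_Sequence_Number = int.Parse(string.Join("", data.Skip(content).Take(8).Reverse().Take(2)), NumberStyles.HexNumber);

                // FILETIME stamps at content offsets 8, 16, 24 and 32.
                mftEntryObj.File_Creation_Time_FN = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 8).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
                mftEntryObj.File_Altered_Time_FN  = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 16).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
                mftEntryObj.MFT_Altered_Time_FN   = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 24).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
                mftEntryObj.File_Accessed_Time_FN = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 32).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));

                // Name length (in characters) at content offset 64, namespace byte at 65.
                mftEntryObj.File_Name_Length_in_Characters = int.Parse(data.Skip(content + 64).Take(1).First(), NumberStyles.HexNumber);

                switch (data.Skip(content + 65).Take(1).First())
                {
                case "00": mftEntryObj.Namespace = "POSIX"; break;

                case "01": mftEntryObj.Namespace = "Win32"; break;

                case "02": mftEntryObj.Namespace = "DOS"; break;

                case "03": mftEntryObj.Namespace = "Win32 & DOS"; break;

                default: mftEntryObj.Namespace = "unknown"; break;
                }

                // The name is stored as UTF-16LE (two bytes per character, which is why twice the
                // character count is taken). Decoding those bytes as ASCII, as before, interleaved
                // a NUL after every character of every file name.
                mftEntryObj.File_Name = Encoding.Unicode.GetString(Utility.StringToByteArray(string.Join("", data.Skip(content + 66).Take(mftEntryObj.File_Name_Length_in_Characters * 2))));
            }
            catch (Exception)
            {
                // Best-effort parsing: the caller walks the remaining attributes regardless.
                string title = "Error";
                MessageBox.Show("Error while parsing FN attribute", title);
            }
        }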
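        /// <summary>
        /// Parses an extracted $MFT file into a <see cref="DataTable"/>, one row per MFT record.
        /// </summary>
        /// <param name="path">Path of the raw $MFT image.</param>
        /// <param name="recordSize">Size of one MFT record in bytes; 1024 on typical volumes.</param>
        /// <returns>The table produced by <c>Utility.ToDataTable</c>, or <c>null</c> when reading or parsing fails.</returns>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="recordSize"/> is not positive.</exception>
        /// <remarks>
        /// Records are decoded in parallel from their own slice of the file (the previous version
        /// read every field from the start of the whole file, so every row described record 0, and
        /// collected results in a non-thread-safe list). Fix-ups are applied before the attributes
        /// are walked, so fields that straddle a sector boundary are read with their original
        /// bytes rather than the update sequence number. A trailing partial record is ignored.
        /// </remarks>
        public static DataTable ParseMFT(string path, int recordSize = 1024)
        {
            if (recordSize <= 0)
            {
                throw new ArgumentOutOfRangeException("recordSize", "MFT record size must be positive.");
            }

            try
            {
                string[] hex = Utility.ReadBinaryFile(path);

                int entries = hex.Length / recordSize;

                // One slot per record: each index is written by exactly one worker, so the array
                // needs no lock and the output keeps file order.
                MFTParameters[] records = new MFTParameters[entries];

                Parallel.For(0, entries, index =>
                {
                    // Copy the record so each worker decodes its own bytes and the fix-up
                    // patching never touches the shared buffer.
                    string[] entry = new string[recordSize];
                    Array.Copy(hex, index * recordSize, entry, 0, recordSize);

                    try
                    {
                        records[index] = ParseMftRecord(entry);
                    }
                    catch (Exception ex)
                    {
                        // Name the offending record so the message box is actionable.
                        throw new InvalidOperationException("Record " + index + ": " + ex.Message, ex);
                    }
                });

                List<MFTParameters> mftDetails = new List<MFTParameters>(records);

                DataTable dataTable = Utility.ToDataTable(mftDetails);
                return(dataTable);
            }
            catch (Exception ex)
            {
                // Parallel.For wraps worker exceptions in an AggregateException; surface the
                // first real message instead of "One or more errors occurred."
                AggregateException aggregate = ex as AggregateException;
                string message = (aggregate != null && aggregate.InnerException != null) ? aggregate.InnerException.Message : ex.Message;
                string title = "Error";
                MessageBox.Show(message, title);
                return(null);
            }
        }

        /// <summary>
        /// Parses one MFT record (the record header followed by its attributes) into a new
        /// <see cref="MFTParameters"/>. Fix-ups are applied to <paramref name="entry"/> in place first.
        /// </summary>
        /// <param name="entry">Exactly one record: one two-character hex string per byte.</param>
        /// <returns>The populated entry object.</returns>
        /// <exception cref="FormatException">A header field is not valid hexadecimal.</exception>
        private static MFTParameters ParseMftRecord(string[] entry)
        {
            MFTParameters mftEntryObj                    = new MFTParameters();
            mftEntryObj.Starting_Signature               = Encoding.ASCII.GetString(Utility.StringToByteArray(string.Join("", entry.Take(4))));
            mftEntryObj.Offset_to_Fixup_Array            = int.Parse(string.Join("", entry.Skip(4).Take(2).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Number_of_Entries_in_Fixup_Array = int.Parse(string.Join("", entry.Skip(6).Take(2).Reverse()), NumberStyles.HexNumber);

            // Restore the sector-end bytes before anything past the first sector is decoded.
            ApplyMftFixups(entry, mftEntryObj.Offset_to_Fixup_Array, mftEntryObj.Number_of_Entries_in_Fixup_Array);

            // Remaining header fields, all little-endian (hence Reverse() before joining).
            mftEntryObj.LogFile_Sequence_Number   = long.Parse(string.Join("", entry.Skip(8).Take(8).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Sequence_Number           = int.Parse(string.Join("", entry.Skip(16).Take(2).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Hard_Link_Count           = int.Parse(string.Join("", entry.Skip(18).Take(2).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Offset_to_First_Attribute = int.Parse(string.Join("", entry.Skip(20).Take(2).Reverse()), NumberStyles.HexNumber);

            string attributeFlag = string.Join("", entry.Skip(22).Take(2).Reverse());
            switch (attributeFlag)
            {
            case "0000": mftEntryObj.Attribute_Flags = "Record is a file and deleted"; break;

            case "0001": mftEntryObj.Attribute_Flags = "Record is a file and allocated"; break;

            case "0002": mftEntryObj.Attribute_Flags = "Record is a directory and deleted"; break;

            case "0003": mftEntryObj.Attribute_Flags = "Record is a directory and allocated"; break;

            default: mftEntryObj.Attribute_Flags = attributeFlag + " ;Unknown"; break;
            }

            mftEntryObj.Real_Size_of_MFT_Record               = int.Parse(string.Join("", entry.Skip(24).Take(4).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Allocated_Size_of_MFT_Record          = int.Parse(string.Join("", entry.Skip(28).Take(4).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.File_Reference_to_the_Base_MFT_Record = long.Parse(string.Join("", entry.Skip(32).Take(8).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.Next_Attribute_Id                     = int.Parse(string.Join("", entry.Skip(40).Take(2).Reverse()), NumberStyles.HexNumber);
            mftEntryObj.MFT_Record_Number                     = int.Parse(string.Join("", entry.Skip(44).Take(4).Reverse()), NumberStyles.HexNumber);

            int attributeCount    = 0;
            int offsetToAttribute = mftEntryObj.Offset_to_First_Attribute;

            // Next_Attribute_Id is the next id to be handed out, so it only bounds the attribute
            // count from above; the 0xFFFFFFFF type marker is the real terminator. Every value here
            // comes from the image, so the walk also stops on offsets or sizes that leave the record.
            while (attributeCount < mftEntryObj.Next_Attribute_Id)
            {
                // The type and size fields need 8 bytes inside the record.
                if (offsetToAttribute < 0 || offsetToAttribute + 8 > entry.Length)
                {
                    break;
                }

                MFTAttributeHeaderEntries attributeHeader = new MFTAttributeHeaderEntries();
                attributeHeader.AttributeIdentifier       = string.Join("", entry.Skip(offsetToAttribute).Take(4));

                if (string.Equals(attributeHeader.AttributeIdentifier, "FFFFFFFF", StringComparison.OrdinalIgnoreCase))
                {
                    break;
                }

                attributeHeader.AttributeSize = int.Parse(string.Join("", entry.Skip(offsetToAttribute + 4).Take(4).Reverse()), NumberStyles.HexNumber);

                // A zero size would stall the walk at the same offset; a negative one (0x80000000
                // and above parse as negative) would step backwards.
                if (attributeHeader.AttributeSize <= 0)
                {
                    break;
                }

                string[] attribute = entry.Skip(offsetToAttribute).Take(attributeHeader.AttributeSize).ToArray();

                switch (attributeHeader.AttributeIdentifier)
                {
                case "10000000": GetStandardInformationAttributes(attributeHeader, mftEntryObj, attribute); break;

                case "30000000": GetFileNameAttributes(attributeHeader, mftEntryObj, attribute); break;

                case "80000000": GetDataAttributes(attributeHeader, mftEntryObj, attribute); break;

                default: break;
                }

                offsetToAttribute += attributeHeader.AttributeSize;
                attributeCount++;
            }

            return mftEntryObj;
        }

        /// <summary>
        /// Applies the NTFS update sequence (fix-up) array to <paramref name="entry"/> in place.
        /// On disk the last two bytes of every sector hold the update sequence number; their
        /// original values are stored in the array that follows the number.
        /// </summary>
        /// <param name="entry">One record, one two-character hex string per byte.</param>
        /// <param name="fixupOffset">Byte offset of the update sequence number inside the record.</param>
        /// <param name="fixupCount">Number of 2-byte entries in the array, the sequence number included.</param>
        /// <remarks>
        /// The sector stride is derived from the record length and the entry count, so 1024-byte
        /// records with 512-byte sectors and 4096-byte records are both handled. A sector whose
        /// end bytes do not carry the sequence number (torn write, zeroed or non-FILE record) is
        /// left as read; an out-of-range offset or count disables the fix-up for the record.
        /// </remarks>
        private static void ApplyMftFixups(string[] entry, int fixupOffset, int fixupCount)
        {
            // Entry 0 is the sequence number itself; one entry per sector follows.
            int sectors = fixupCount - 1;
            if (sectors < 1 || fixupOffset < 0 || fixupOffset + fixupCount * 2 > entry.Length || entry.Length % sectors != 0)
            {
                return;
            }

            int stride     = entry.Length / sectors;
            string usnLow  = entry[fixupOffset];
            string usnHigh = entry[fixupOffset + 1];

            for (int k = 1; k <= sectors; k++)
            {
                int sectorEnd = k * stride - 2;

                if (!string.Equals(entry[sectorEnd], usnLow, StringComparison.OrdinalIgnoreCase)
                    || !string.Equals(entry[sectorEnd + 1], usnHigh, StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                entry[sectorEnd]     = entry[fixupOffset + k * 2];
                entry[sectorEnd + 1] = entry[fixupOffset + k * 2 + 1];
            }
        }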
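 /// <summary>
 /// Parses a $STANDARD_INFORMATION (type 0x10) attribute: the four $SI FILETIME stamps
 /// (created, altered, MFT altered, accessed) at content offsets 0, 8, 16 and 24.
 /// </summary>
 /// <param name="attributeHeader">Receives the resident flag plus the content size and offset.</param>
 /// <param name="mftEntryObj">Entry whose <c>*_SI</c> timestamp fields are filled in.</param>
 /// <param name="data">One two-character hex string per byte, starting at the attribute header.</param>
 /// <remarks>
 /// Any failure (short attribute, unparsable hex, a FILETIME value that
 /// <see cref="DateTime.FromFileTimeUtc"/> rejects) is reported with a message box; fields
 /// assigned before the failure keep their values.
 /// </remarks>
 public static void GetStandardInformationAttributes(MFTAttributeHeaderEntries attributeHeader, MFTParameters mftEntryObj, string[] data)
 {
     try
     {
         // Byte 8 is the non-resident flag. The previous check compared an enumerator's
         // ToString() with "00", which never matched, so the flag always read "Non - Resident".
         attributeHeader.NonResidentFlag = (data.Length > 8 && data[8] == "00") ? "Resident" : "Non - Resident";

         // Little-endian fields, hence Reverse() before joining the hex digits.
         attributeHeader.SizeOfContent   = int.Parse(string.Join("", data.Skip(16).Take(4).Reverse()), NumberStyles.HexNumber);
         attributeHeader.OffsetToContent = int.Parse(string.Join("", data.Skip(20).Take(2).Reverse()), NumberStyles.HexNumber);

         int content = attributeHeader.OffsetToContent;

         mftEntryObj.File_Creation_Time_SI = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
         mftEntryObj.File_Altered_Time_SI  = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 8).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
         mftEntryObj.MFT_Altered_Time_SI   = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 16).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
         mftEntryObj.File_Accessed_Time_SI = DateTime.FromFileTimeUtc(long.Parse(string.Join("", data.Skip(content + 24).Take(8).Reverse()), NumberStyles.AllowHexSpecifier));
     }
     catch (Exception)
     {
         // Best-effort parsing: the caller walks the remaining attributes regardless.
         string title = "Error";
         MessageBox.Show("Error while parsing SI attribute", title);
     }
 }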