Esempio n. 1
        /// <summary>
        /// Builds the path of an item by walking its parent chain up to the root directory.
        /// </summary>
        /// <param name="itemId">ID of the item whose path is wanted.</param>
        /// <returns>
        /// The names of the item and its ancestors, each prefixed with
        /// <see cref="Path.DirectorySeparatorChar"/>, ordered from the top-most ancestor down
        /// to the item. The root directory contributes nothing, so the result is an empty
        /// string when <paramref name="itemId"/> is the root itself.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the names presumably come from the examined volume, so they are not
        /// trusted input. Treat the result as a display string; validate it before using it
        /// as a real file-system path (confirm against callers).
        /// NOTE(review): the walk ends only when a negative parent ID is returned; nothing
        /// here bounds the depth of the chain.
        /// </remarks>
        public static string GetFullPath(Int32 itemId)
        {
            var path = new StringBuilder();
            var current = itemId;

            // From the docs: XWF_GetItemParent returns the ID of the parent of the
            // specified item, or -1 if the item is the root directory.
            var parent = ImportedMethods.XWFGetItemParent(current);

            // A negative parent means 'current' is the root directory. XWFGetItemName would
            // return the text "(Root directory)" for it, which has no place in a path, so
            // the walk stops before the root's name is ever requested.
            while (parent >= 0)
            {
                // Prepend the name first and the separator second, so that the separator
                // ends up in front of the name.
                path.Insert(0, ImportedMethods.XWFGetItemName(current));
                path.Insert(0, Path.DirectorySeparatorChar);

                current = parent;
                parent = ImportedMethods.XWFGetItemParent(current);
            }

            return path.ToString();
        }
Esempio n. 2
        /// <summary>
        /// Per-item callback: writes the item's name, full path, comment and report table
        /// associations to the message output, then tries to read the item's contents.
        /// </summary>
        /// <param name="nItemID">ID of the item being processed.</param>
        /// <param name="hItem">Handle of the item, passed on to <c>HelperMethods.ReadItem</c>.</param>
        /// <param name="lpReserved">Not used by this method.</param>
        /// <returns>
        /// Always 0. From the docs: return -1 if you want X-Ways Forensics to stop the current
        /// operation (e.g. volume snapshot refinement), otherwise 0.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the name, path, comment and associations are written out verbatim.
        /// They presumably originate from the examined evidence or the case file, so anything
        /// that later parses this message output should not trust their content.
        /// </remarks>
        public static Int32 XT_ProcessItemEx(Int32 nItemID, IntPtr hItem, IntPtr lpReserved)
        {
            var banner = string.Format(
                "C# Dll: XT_ProcessItemEx called, nItemID = {0}, hItem = {1}",
                nItemID,
                hItem);
            ImportedMethods.XWFOutputMessage(banner);

            // The item name is kept in a local so that it stays available for later use.
            var itemName = ImportedMethods.XWFGetItemName(nItemID);
            ImportedMethods.XWFOutputMessage("XWF_GetItemName: Item name = " + itemName);

            var fullPath = HelperMethods.GetFullPath(nItemID);
            ImportedMethods.XWFOutputMessage("Full Path: " + fullPath);

            var comment = ImportedMethods.XWFGetComment(nItemID);
            ImportedMethods.XWFOutputMessage("XWF_GetComment: " + comment);

            // The call returns the number of associations and hands back their text through
            // the out parameter.
            string associations;
            var associationCount = ImportedMethods.XWFGetReportTableAssocs(nItemID, out associations);
            ImportedMethods.XWFOutputMessage(
                "XWF_GetReportTableAssocs: total number of associations of the file = " + associationCount);

            // This message is sent with the NoLineBreak flag, unlike the others.
            ImportedMethods.XWFOutputMessage(", associations = " + associations, XWFOutputMessageFlags.NoLineBreak);

            // Read the item contents; a null result is reported as a failed read.
            var contents = HelperMethods.ReadItem(hItem);
            var readStatus = contents == null
                ? "Failed to read item contents"
                : "Item contents read successfully.";
            ImportedMethods.XWFOutputMessage(readStatus);

            // When the read succeeded, this is where the item contents can be analyzed.

            // 0 tells X-Ways Forensics to carry on; -1 would stop the current operation.
            return 0;
        }