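/// <summary>
/// Read the Shim Cache Windows 7/2k8-R2 entry format, return a list of last modified dates/paths.
/// </summary>
/// <param name="data">Raw Shim Cache blob; the entry count is read as a little-endian-host UInt32 from bytes 4..8.</param>
/// <param name="is32Bit">Selects the 32-bit entry size and layout when true, the 64-bit one when false.</param>
/// <returns>One <see cref="Hit"/> per entry that lies completely inside <paramref name="data"/>.</returns>
private static List<Hit> ReadNt6Entries(byte[] data, bool is32Bit)
{
    List<Hit> hits = new List<Hit>();

    UInt32 entrySize = is32Bit ? Global.NT6_1_ENTRY_SIZE32 : Global.NT6_1_ENTRY_SIZE64;
    UInt32 numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

    // The entry table starts right after the header, so it ends at
    // header + count * size. The previous bound (count * size) left out the
    // header and stopped before the last entries of the table were visited.
    // 64-bit arithmetic keeps a large count read from the blob from wrapping.
    ulong tableEnd = (ulong)Global.CACHE_HEADER_SIZE_NT6_1 + ((ulong)numEntries * entrySize);

    // The count comes from the data being examined, so never walk past the
    // buffer: a truncated or corrupted blob ends the walk at its last whole entry.
    ulong dataEnd = (ulong)data.Length;
    ulong limit = tableEnd < dataEnd ? tableEnd : dataEnd;

    for (UInt32 index = Global.CACHE_HEADER_SIZE_NT6_1; (ulong)index + entrySize <= limit; index += entrySize)
    {
        byte[] raw = data.Slice(index, index + entrySize);

        CacheEntryNt6 ce = new CacheEntryNt6(is32Bit);
        ce.Update(raw);

        // NOTE(review): ce.Offset and ce.Length are taken from the parsed entry and are
        // not range-checked against data.Length here; how Slice reacts to an
        // out-of-range request is not visible from this method - confirm.
        string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));

        // Drop the NT object-manager prefix so the path reads as a normal file path.
        path = path.Replace("\\??\\", string.Empty);

        hits.Add(new Hit(Global.CacheType.CacheEntryNt6, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
    }

    return hits;
}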
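/// <summary>
/// Read the Shim Cache Windows 7/2k8-R2 entry format, return a list of last modified dates/paths.
/// </summary>
/// <param name="data">Raw Shim Cache blob; the entry count is read as a UInt32 from bytes 4..8.</param>
/// <param name="is32Bit">True to use the 32-bit entry size and layout, false for the 64-bit one.</param>
/// <returns>One <see cref="Hit"/> per entry that lies completely inside <paramref name="data"/>.</returns>
private static List<Hit> ReadNt6Entries(byte[] data, bool is32Bit)
{
    List<Hit> hits = new List<Hit>();

    UInt32 entrySize = is32Bit ? Global.NT6_1_ENTRY_SIZE32 : Global.NT6_1_ENTRY_SIZE64;
    UInt32 numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

    // Entries follow the header, so the table spans
    // [header, header + count * size). Bounding the walk by count * size alone
    // drops the header-sized tail of the table, i.e. the final entries.
    // Computed in 64 bits so a large count read from the blob cannot wrap.
    ulong tableEnd = (ulong)Global.CACHE_HEADER_SIZE_NT6_1 + ((ulong)numEntries * entrySize);

    // The count is read from the examined data; clamp to the buffer so a
    // truncated or corrupted blob stops the walk at its last whole entry.
    ulong dataEnd = (ulong)data.Length;
    ulong limit = tableEnd < dataEnd ? tableEnd : dataEnd;

    for (UInt32 index = Global.CACHE_HEADER_SIZE_NT6_1; (ulong)index + entrySize <= limit; index += entrySize)
    {
        byte[] raw = data.Slice(index, index + entrySize);

        CacheEntryNt6 ce = new CacheEntryNt6(is32Bit);
        ce.Update(raw);

        // NOTE(review): ce.Offset / ce.Length come from the parsed entry and are not
        // validated against data.Length in this method; Slice's behaviour for an
        // out-of-range request is not visible from here - confirm.
        string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));

        // Strip the NT object-manager prefix from the stored path.
        path = path.Replace("\\??\\", string.Empty);

        hits.Add(new Hit(Global.CacheType.CacheEntryNt6, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
    }

    return hits;
}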