コード例 #1
0
ファイル: Data.cs プロジェクト: l9sk/PowerForensics_Source
        internal Data(byte[] AttrBytes, string attrName)
        {
            ATTR_DATA data = new ATTR_DATA(AttrBytes);

            Name        = Enum.GetName(typeof(ATTR_TYPE), data.header.commonHeader.ATTRType);
            NameString  = attrName;
            NonResident = data.header.commonHeader.NonResident;
            AttributeId = data.header.commonHeader.Id;
            RawData     = data.RawBytes;
        }
コード例 #2
0
        void ParseAttributes(byte[] entry)
        {
            //Program.Log("Debug");
            if (entry.Length == 1024)
            {
                //Program.Log("Debug");
                int   attrFirstType;
                int   firstAttr;
                int   attrFirstLength;
                Int64 residentFirstValues;
                Int64 residentSecondValues;
                try
                {
                    //Program.Log("Debug");
                    DB_Entry dbentry = new DB_Entry();
                    int      lengthleft = 1024;
                    int      fileNameLength = 0;
                    string   fullpath = "";
                    string   filename = "";
                    string   attrname = "";
                    bool     hasSia = false, hasFia = false;
                    byte[]   arrMft = new byte[0x30];
                    //Program.Log("Debug");
                    Array.Copy(entry, 0, arrMft, 0, 0x30);
                    //Program.Log("Debug");
                    MFT mft = ByteArrayToStructure <MFT>(arrMft);
                    //Program.Log("Debug");
                    firstAttr = BitConverter.ToInt16(new byte[] { entry[0x14], entry[0x15] }, 0);
                    if (firstAttr >= entry.Length || firstAttr < 0)
                    {
                        //return;
                    }
                    attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                      entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                    attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                        entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                    residentFirstValues = BitConverter.ToInt64(new byte[] { entry[firstAttr + 8],
                                                                            entry[firstAttr + 9], entry[firstAttr + 10], entry[firstAttr + 11], entry[firstAttr + 12],
                                                                            entry[firstAttr + 13], entry[firstAttr + 14], entry[firstAttr + 15] }, 0);
                    residentSecondValues = BitConverter.ToInt64(new byte[] { entry[firstAttr + 16],
                                                                             entry[firstAttr + 17], entry[firstAttr + 18], entry[firstAttr + 19], entry[firstAttr + 20],
                                                                             entry[firstAttr + 21], entry[firstAttr + 22], entry[firstAttr + 23] }, 0);
                    lengthleft -= firstAttr;
                    while (lengthleft > 0)
                    {
                        byte[] buffer = new byte[0x400];
                        try
                        {
                            if (firstAttr + 24 <= entry.Length && attrFirstLength - 24 <= entry.Length && firstAttr > 0 && attrFirstLength - 24 > 0)
                            {
                                Array.Copy(entry, firstAttr + 24, buffer, 0, attrFirstLength - 24);
                            }
                            else
                            {
                                lengthleft = 0;
                                break;
                            }
                            //Program.Log("Debug");

                            //Program.Log("Debug");
                        }
                        catch (Exception ex)
                        {
                            lengthleft = 0;
                        }
                        switch (attrFirstType)
                        {
                        //SIA
                        case 0x10:
                            //Program.Log("Debug");
                            ATTR_SIA sia = ByteArrayToStructure <ATTR_SIA>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            //Debug.Print(sia.ToString());
                            dbentry.sia = sia;
                            hasSia      = true;
                            break;

                        //ATTR LIST
                        case 0x20:
                            //Program.Log("Debug");
                            ATTR_LIST list        = ByteArrayToStructure <ATTR_LIST>(buffer);
                            byte[]    arrFileName = new byte[list.attrLength];
                            Array.Copy(buffer, 26, arrFileName, 0, arrFileName.Length);
                            attrname = System.Text.UnicodeEncoding.Unicode.GetString(arrFileName);
                            //Debug.Print(attrname);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //FIA
                        case 0x30:
                            //Program.Log("Debug");
                            ATTR_FIA fia = ByteArrayToStructure <ATTR_FIA>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            fileNameLength = fia.filenameLength * 2;
                            byte[] arrFileName2 = new byte[fileNameLength];
                            Array.Copy(buffer, 0x42, arrFileName2, 0, arrFileName2.Length);
                            filename = System.Text.UnicodeEncoding.Unicode.GetString(arrFileName2);
                            //Program.Log("Debug");
                            long temp = (fia.fiaReferenceParentDir << 48);
                            temp = temp >> 48;
                            int mftReferenceToHashTable = (int)temp;

                            if ((string)paths[mftReferenceToHashTable] != null)
                            {
                                fullpath = (string)paths[mftReferenceToHashTable];
                            }
                            fullpath   += "\\" + filename;
                            dbentry.fia = fia;
                            hasFia      = true;
                            if ((fia.flags & FLAGS.Directory) == FLAGS.Directory)
                            {
                                //Program.Log("Debug");
                                if (!paths.Contains(mft.mftRecordNumber))
                                {
                                    paths.Add(mft.mftRecordNumber, fullpath);
                                }
                                break;
                            }
                            else
                            {
                                //Program.Log("Debug");
                                //Debug.Print(fia.ToString());
                                //Debug.Print("filename: " + fullpath);
                                //Debug.Print(mft.ToString());
                                break;
                            }

                        //OBJ ID
                        case 0x40:
                            //Program.Log("Debug");
                            ATTR_OBJID objid = ByteArrayToStructure <ATTR_OBJID>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //SEC DESC
                        case 0x50:
                            //Program.Log("Debug");
                            byte[]       arrSids = new byte[attrFirstLength - 16];
                            ATTR_SECDESC secdesc = ByteArrayToStructure <ATTR_SECDESC>(buffer);
                            Array.Copy(buffer, 16, arrSids, 0, arrSids.Length);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);

                            break;

                        //VOL NAME
                        case 0x60:
                            //Program.Log("Debug");
                            System.Text.UnicodeEncoding enc = new UnicodeEncoding();
                            ATTR_VOLNAME volname            = new ATTR_VOLNAME(enc.GetString(buffer));
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //VOL INFO
                        case 0x70:
                            //Program.Log("Debug");
                            ATTR_VOLINFO volinfo = ByteArrayToStructure <ATTR_VOLINFO>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //DATA
                        case 0x80:
                            //Program.Log("Debug");
                            ATTR_DATA data = new ATTR_DATA();
                            data.data     = buffer;
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //INDX ROOT
                        case 0x90:
                            //Program.Log("Debug");
                            ATTR_INDXROOT indxroot = ByteArrayToStructure <ATTR_INDXROOT>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //INDX ALLOC
                        case 0xA0:
                            //Program.Log("Debug");
                            ATTR_INDXALLOC indxalloc = new ATTR_INDXALLOC();
                            indxalloc.entries = buffer;
                            firstAttr        += attrFirstLength;
                            attrFirstType     = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                                  entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //BITMAP
                        case 0xB0:
                            //Program.Log("Debug");
                            ATTR_BITMAP bitmap = ByteArrayToStructure <ATTR_BITMAP>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //REPARSE
                        case 0xC0:
                            //Program.Log("Debug");
                            ATTR_REPARSE reparse = new ATTR_REPARSE(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //EA INFO
                        case 0xD0:
                            //Program.Log("Debug");
                            ATTR_EAINFO eainfo = ByteArrayToStructure <ATTR_EAINFO>(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        //EA
                        case 0xE0:
                            //Program.Log("Debug");
                            ATTR_EA ea = new ATTR_EA(buffer);
                            firstAttr    += attrFirstLength;
                            attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr],
                                                                              entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0);
                            attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4],
                                                                                entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0);
                            break;

                        default:
                            //Program.Log("Debug");
                            lengthleft = 0;
                            break;
                        }
                        lengthleft -= firstAttr;
                    }
                    if (hasFia != false && hasSia != false)
                    {
                        //Program.Log("Debug");
                        //dbEntries.Add(new Tuple<string, string[]>("nav", new string[] {"NULL", fullpath, filename, DateTime.FromFileTime(dbentry.sia.siaCreate).ToString(),
                        //DateTime.FromFileTime(dbentry.sia.siaAccess).ToString(),DateTime.FromFileTime(dbentry.sia.siaAlter).ToString(),
                        //DateTime.FromFileTime(dbentry.sia.siaMod).ToString(),DateTime.FromFileTime(dbentry.fia.fiaCreate).ToString(),
                        //DateTime.FromFileTime(dbentry.fia.fiaMod).ToString(),DateTime.FromFileTime(dbentry.fia.fiaAccess).ToString(),
                        //DateTime.FromFileTime(dbentry.fia.fiaAlter).ToString(),dbentry.fia.fiaAllocSize.ToString()}));

                        conn.Insert("mft", new string[] { "NULL", fullpath, filename, DateTime.FromFileTime(dbentry.sia.siaCreate).ToString(),
                                                          DateTime.FromFileTime(dbentry.sia.siaAccess).ToString(), DateTime.FromFileTime(dbentry.sia.siaAlter).ToString(),
                                                          DateTime.FromFileTime(dbentry.sia.siaMod).ToString(), DateTime.FromFileTime(dbentry.fia.fiaCreate).ToString(),
                                                          DateTime.FromFileTime(dbentry.fia.fiaMod).ToString(), DateTime.FromFileTime(dbentry.fia.fiaAccess).ToString(),
                                                          DateTime.FromFileTime(dbentry.fia.fiaAlter).ToString(), dbentry.fia.fiaAllocSize.ToString() });
                    }
                }
                catch (Exception ex)
                {
                    //Program.Log("Debug");
                }
            }
            else
            {
                //Program.Log("Debug");
                return;
                //throw new ArgumentOutOfRangeException();
            }
        }