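/// <summary>
/// Parses the raw contents of a Windows Prefetch (.pf) file and fills in the
/// version, path hash, last-run times, executable name and path, dependency
/// list, device count and run count.
/// </summary>
/// <param name="bytes">Complete contents of the .pf file, as read from disk.</param>
/// <exception cref="ArgumentOutOfRangeException">
/// Thrown when an offset or length taken from the file points outside
/// <paramref name="bytes"/>, or when a stored FILETIME is not representable.
/// </exception>
private Prefetch(byte[] bytes) {
    // Prefetch files carry the ASCII signature "SCCA" at offset 0x04..0x07;
    // anything else is left unparsed and every property keeps its default.
    if (Encoding.ASCII.GetString(bytes, 0x04, 0x04) != PREFETCH_MAGIC) {
        return;
    }

    // Format version byte at offset 0 (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP).
    // The cast does not validate the value: an unrecognised version yields no
    // access times and leaves RunCount at its default.
    Version = (PREFETCH_VERSION)bytes[0];

    #region PathHash
    // The 32-bit path hash at 0x4C is stored little-endian; reverse it so the
    // hex string reads in the order used in the .pf file name.
    byte[] pfHashBytes = NativeMethods.GetSubArray(bytes, 0x4C, 0x04);
    Array.Reverse(pfHashBytes);
    PathHash = BitConverter.ToString(pfHashBytes).Replace("-", "");
    #endregion PathHash

    #region PrefetchAccessTime
    // Last-run FILETIME array: Win 8 keeps up to eight 8-byte entries at 0x80,
    // Win 7 a single entry at 0x80, Win XP a single entry at 0x78.
    byte[] pfAccessTimeBytes = null;
    int accessTimeLength = 0;
    switch (Version) {
        case PREFETCH_VERSION.WINDOWS_8:
            pfAccessTimeBytes = NativeMethods.GetSubArray(bytes, 0x80, 0x40);
            accessTimeLength = 0x40;
            break;
        case PREFETCH_VERSION.WINDOWS_7:
            pfAccessTimeBytes = NativeMethods.GetSubArray(bytes, 0x80, 0x08);
            accessTimeLength = 0x08;
            break;
        case PREFETCH_VERSION.WINDOWS_XP:
            pfAccessTimeBytes = NativeMethods.GetSubArray(bytes, 0x78, 0x08);
            accessTimeLength = 0x08;
            break;
    }

    List<DateTime> pfAccessTimeList = new List<DateTime>();
    for (int i = 0; i < accessTimeLength; i += 8) {
        long winFileTime = BitConverter.ToInt64(pfAccessTimeBytes, i);
        // Unused Win 8 slots hold a zero FILETIME (1601-01-01). Compare the raw
        // value instead of a culture-formatted date string so the sentinel is
        // recognised under every locale.
        if (Version == PREFETCH_VERSION.WINDOWS_8 && winFileTime == 0) {
            break;
        }
        // FromFileTimeUtc throws ArgumentOutOfRangeException for a negative or
        // oversized value, i.e. for a corrupt or crafted file.
        pfAccessTimeList.Add(DateTime.FromFileTimeUtc(winFileTime));
    }
    PrefetchAccessTime = pfAccessTimeList.ToArray();
    #endregion PrefetchAccessTime

    // Executable name: fixed 0x3C-byte UTF-16 field at 0x10. Keep only the text
    // up to the first NUL so residual bytes after the terminator are ignored.
    Name = Encoding.Unicode.GetString(bytes, 0x10, 0x3C).Split('\0')[0];

    #region DependencyFiles
    // Offset and length of the file-name strings section come from the file
    // itself; reject values outside the buffer before trusting them.
    int dependencyOffset = BitConverter.ToInt32(bytes, 0x64);
    int dependencyLength = BitConverter.ToInt32(bytes, 0x68);
    if (dependencyOffset < 0 || dependencyLength < 0 || dependencyOffset > bytes.Length - dependencyLength) {
        throw new ArgumentOutOfRangeException(nameof(bytes), "Prefetch file-name strings section lies outside the file.");
    }
    string dependencyString = Encoding.Unicode.GetString(bytes, dependencyOffset, dependencyLength);

    // The section is a run of NUL-terminated UTF-16 device paths. Splitting on
    // the terminator keeps each path intact (including its \DEVICE\ prefix)
    // whichever volume it lives on, instead of re-attaching the prefix only for
    // HARDDISKVOLUME1.
    string[] dependencyArray = dependencyString.Split(new char[] { '\0' }, StringSplitOptions.RemoveEmptyEntries);
    foreach (string dependency in dependencyArray) {
        // The executable's own path is the entry that carries its name, ignoring
        // the localized-resource (.MUI) companion. The last match wins.
        if (dependency.Contains(Name) && !dependency.Contains(".MUI")) {
            Path = dependency;
        }
    }
    DependencyFiles = dependencyArray;
    #endregion DependencyFiles

    DependencyCount = dependencyArray.Length;
    DeviceCount = BitConverter.ToInt32(bytes, 0x70);

    #region RunCount
    // The run counter lives at a version-specific offset.
    switch (Version) {
        case PREFETCH_VERSION.WINDOWS_8:
            RunCount = BitConverter.ToInt32(bytes, 0xD0);
            break;
        case PREFETCH_VERSION.WINDOWS_7:
            RunCount = BitConverter.ToInt32(bytes, 0x98);
            break;
        case PREFETCH_VERSION.WINDOWS_XP:
            RunCount = BitConverter.ToInt32(bytes, 0x90);
            break;
    }
    #endregion RunCount
}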
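/// <summary>
/// Parses the raw contents of a Windows Prefetch (.pf) file and fills in the
/// version, path hash, last-run times, executable name and path, dependency
/// list, device count and run count.
/// </summary>
/// <param name="bytes">Complete contents of the .pf file, as read from disk.</param>
/// <exception cref="ArgumentOutOfRangeException">
/// Thrown when an offset or length taken from the file points outside
/// <paramref name="bytes"/>, or when a stored FILETIME is not representable.
/// </exception>
private Prefetch(byte[] bytes) {
    // Prefetch files carry the ASCII signature "SCCA" at offset 0x04..0x07;
    // anything else is left unparsed and every property keeps its default.
    if (Encoding.ASCII.GetString(bytes, 0x04, 0x04) != PREFETCH_MAGIC) {
        return;
    }

    // Format version byte at offset 0 (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP).
    // The cast does not validate the value: an unrecognised version yields no
    // access times and leaves RunCount at its default.
    Version = (PREFETCH_VERSION)bytes[0];

    #region PathHash
    // The 32-bit path hash at 0x4C is stored little-endian; reverse it so the
    // hex string reads in the order used in the .pf file name.
    byte[] pfHashBytes = Helper.GetSubArray(bytes, 0x4C, 0x04);
    Array.Reverse(pfHashBytes);
    PathHash = BitConverter.ToString(pfHashBytes).Replace("-", "");
    #endregion PathHash

    #region PrefetchAccessTime
    // Last-run FILETIME array: Win 8 keeps up to eight 8-byte entries at 0x80,
    // Win 7 a single entry at 0x80, Win XP a single entry at 0x78.
    byte[] pfAccessTimeBytes = null;
    int accessTimeLength = 0;
    switch (Version) {
        case PREFETCH_VERSION.WINDOWS_8:
            pfAccessTimeBytes = Helper.GetSubArray(bytes, 0x80, 0x40);
            accessTimeLength = 0x40;
            break;
        case PREFETCH_VERSION.WINDOWS_7:
            pfAccessTimeBytes = Helper.GetSubArray(bytes, 0x80, 0x08);
            accessTimeLength = 0x08;
            break;
        case PREFETCH_VERSION.WINDOWS_XP:
            pfAccessTimeBytes = Helper.GetSubArray(bytes, 0x78, 0x08);
            accessTimeLength = 0x08;
            break;
    }

    List<DateTime> pfAccessTimeList = new List<DateTime>();
    for (int i = 0; i < accessTimeLength; i += 8) {
        long winFileTime = BitConverter.ToInt64(pfAccessTimeBytes, i);
        // Unused Win 8 slots hold a zero FILETIME (1601-01-01). Compare the raw
        // value instead of a culture-formatted date string so the sentinel is
        // recognised under every locale.
        if (Version == PREFETCH_VERSION.WINDOWS_8 && winFileTime == 0) {
            break;
        }
        // FromFileTimeUtc throws ArgumentOutOfRangeException for a negative or
        // oversized value, i.e. for a corrupt or crafted file.
        pfAccessTimeList.Add(DateTime.FromFileTimeUtc(winFileTime));
    }
    PrefetchAccessTime = pfAccessTimeList.ToArray();
    #endregion PrefetchAccessTime

    // Executable name: fixed 0x3C-byte UTF-16 field at 0x10. Keep only the text
    // up to the first NUL so residual bytes after the terminator are ignored.
    Name = Encoding.Unicode.GetString(bytes, 0x10, 0x3C).Split('\0')[0];

    #region DependencyFiles
    // Offset and length of the file-name strings section come from the file
    // itself; reject values outside the buffer before trusting them.
    int dependencyOffset = BitConverter.ToInt32(bytes, 0x64);
    int dependencyLength = BitConverter.ToInt32(bytes, 0x68);
    if (dependencyOffset < 0 || dependencyLength < 0 || dependencyOffset > bytes.Length - dependencyLength) {
        throw new ArgumentOutOfRangeException(nameof(bytes), "Prefetch file-name strings section lies outside the file.");
    }
    string dependencyString = Encoding.Unicode.GetString(bytes, dependencyOffset, dependencyLength);

    // The section is a run of NUL-terminated UTF-16 device paths. Splitting on
    // the terminator keeps each path intact (including its \DEVICE\ prefix)
    // whichever volume it lives on, instead of re-attaching the prefix only for
    // HARDDISKVOLUME1.
    string[] dependencyArray = dependencyString.Split(new char[] { '\0' }, StringSplitOptions.RemoveEmptyEntries);
    foreach (string dependency in dependencyArray) {
        // The executable's own path is the entry that carries its name, ignoring
        // the localized-resource (.MUI) companion. The last match wins.
        if (dependency.Contains(Name) && !dependency.Contains(".MUI")) {
            Path = dependency;
        }
    }
    DependencyFiles = dependencyArray;
    #endregion DependencyFiles

    DependencyCount = dependencyArray.Length;
    DeviceCount = BitConverter.ToInt32(bytes, 0x70);

    #region RunCount
    // The run counter lives at a version-specific offset.
    switch (Version) {
        case PREFETCH_VERSION.WINDOWS_8:
            RunCount = BitConverter.ToInt32(bytes, 0xD0);
            break;
        case PREFETCH_VERSION.WINDOWS_7:
            RunCount = BitConverter.ToInt32(bytes, 0x98);
            break;
        case PREFETCH_VERSION.WINDOWS_XP:
            RunCount = BitConverter.ToInt32(bytes, 0x90);
            break;
    }
    #endregion RunCount
}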