/// <summary>
/// Creates the API object and gives <c>jns</c> a fresh, empty
/// USN_JOURNAL_DATA instance.
/// </summary>
public ForensicApi()
{
    this.jns = new UsnJournal.Win32Api.USN_JOURNAL_DATA();
}
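/// <summary>
/// Thread entry point: polls the NTFS USN change journal of the first drive
/// returned by <see cref="DriveInfo.GetDrives"/> and records path and size for
/// every file reported with USN_REASON_CLOSE. Results are kept in
/// <c>finfo</c>, bounded by <c>ConstantVariables.MAX_USN_QUEUE</c> through the
/// FIFO <c>frefQueue</c>. The loop ends once <c>terminate</c> is set.
/// </summary>
/// <remarks>
/// Any exception ends the monitoring loop. The failure is written to the trace
/// listeners so that a stopped monitor (a gap in file-activity coverage) is
/// visible instead of passing unnoticed.
/// </remarks>
public void UsnHandler()
{
    try
    {
        frefQueue = new Queue<UInt64>();
        finfo = new ConcurrentDictionary<UInt64, FileInfo>();
        jns = new UsnJournal.Win32Api.USN_JOURNAL_DATA();

        // NOTE(review): only the first enumerated drive is monitored; activity on
        // other volumes is not observed. If no drive is returned, the indexer throws
        // and the handler exits through the catch block below.
        DriveInfo[] allDrives = DriveInfo.GetDrives();
        UsnJournal.NtfsUsnJournal nsf = new UsnJournal.NtfsUsnJournal(allDrives[0]);
        String volumename = nsf.VolumeName;

        // Only entries carrying the CLOSE reason are requested from the journal.
        UInt32 reason = (uint)UsnJournal.NtfsUsnJournal.UsnReasonCode.USN_REASON_CLOSE;

        while (!terminate)
        {
            // Keep querying the journal state until one query succeeds.
            if (!jsint &&
                nsf.GetUsnJournalState(ref jns) == UsnJournal.NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
            {
                jsint = true;
            }

            if (jsint)
            {
                List<UsnJournal.Win32Api.UsnEntry> ue;

                // NOTE(review): the return value of this call is ignored, so a read
                // that fails (for example after the journal was deleted or recreated)
                // looks the same as "no new entries", and jns is overwritten either
                // way. Confirm the library's failure behavior and consider clearing
                // jsint on failure so the state is queried again.
                nsf.GetUsnJournalEntries(jns, reason, out ue, out jns);

                foreach (UsnJournal.Win32Api.UsnEntry entry in ue)
                {
                    UInt64 fileRef = entry.FileReferenceNumber;

                    // A file reference that is still queued is not recorded again,
                    // so its stored size reflects the first close seen for it.
                    if (frefQueue.Contains(fileRef))
                    {
                        continue;
                    }

                    frefQueue.Enqueue(fileRef);

                    uint filesize = 0;
                    string filename = string.Empty;
                    string fullfilename;

                    // The lookup result is not checked; when the path cannot be
                    // resolved, filename may be null and only the volume name is stored.
                    nsf.GetPathFromFileReference(fileRef, out filename);

                    bool hasLeadingSeparator = filename != null
                        && filename.Length > 1
                        && (filename[0] == '\\' || filename[0] == '/');

                    // Drop one leading separator before prefixing the volume name.
                    fullfilename = hasLeadingSeparator
                        ? volumename + filename.Substring(1)
                        : volumename + filename;

                    nsf.GetSizeFromFileReference(fileRef, out filesize);

                    FileInfo fi = new FileInfo();
                    fi.filepath = fullfilename;
                    fi.filesizelow = filesize;
                    finfo.TryAdd(fileRef, fi);

                    // Evict the oldest tracked file once the queue exceeds its bound.
                    if (frefQueue.Count > ConstantVariables.MAX_USN_QUEUE)
                    {
                        UInt64 lkey = frefQueue.Dequeue();
                        FileInfo fn;
                        finfo.TryRemove(lkey, out fn);
                    }
                }
            }

            // Wait about five seconds between polls, checking terminate every second
            // so that shutdown is not delayed by the full interval.
            for (int i = 0; i < 5; i++)
            {
                Thread.Sleep(1000);
                if (terminate)
                {
                    break;
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Still best-effort (nothing is rethrown on this worker thread), but the
        // reason the monitor stopped is recorded instead of being discarded.
        System.Diagnostics.Trace.TraceError("UsnHandler stopped: " + ex);
    }
}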