internal static byte[] getFile(string volume, int index) { byte[] mftBytes = MasterFileTable.GetBytes(volume); // Get the FileRecord (MFT Record Entry) for the given inode on the specified volume MFTRecord MFTRecord = MFTRecord.Get(mftBytes, index, null, null); if (!(MFTRecord.Directory)) { foreach (Attr attr in MFTRecord.Attribute) { if (attr.Name == "DATA") { if (attr.NonResident == true) { NonResident nonResAttr = (NonResident)attr; return(NonResident.GetContent(volume, nonResAttr).ToArray()); } else { Data dataAttr = (Data)attr; return(dataAttr.RawData); } } } } return(null); }
// I think these belong elsewhere #region getFile internal static List <byte> getFile(string volume, FileStream streamToRead, byte[] MFT, string fileName) { string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\'; int inode = IndexNumber.Get(streamToRead, MFT, fileName); // Get the FileRecord (MFT Record Entry) for the given inode on the specified volume MFTRecord MFTRecord = MFTRecord.Get(MFT, inode, volLetter, fileName); if (!(MFTRecord.Directory)) { foreach (Attr attr in MFTRecord.Attribute) { if (attr.Name == "DATA") { if (attr.NonResident == true) { NonResident nonResAttr = (NonResident)attr; return(NonResident.GetContent(volume, nonResAttr)); } else { Data dataAttr = (Data)attr; return(null); //return dataAttr.RawData; } } } } return(null); }
internal static List <byte> GetContent(FileStream streamToRead, NonResident nonResAttr) { List <byte> DataBytes = new List <byte>(); for (int i = 0; i < nonResAttr.StartCluster.Length; i++) { ulong offset = (nonResAttr.StartCluster[i] * 4096); ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096; DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length)); } DataBytes.Take((int)nonResAttr.RealSize); return(DataBytes); }
internal static byte[] GetContent(FileStream streamToRead, NonResident nonResAttr) { List <byte> DataBytes = new List <byte>(); for (int i = 0; i < nonResAttr.StartCluster.Length; i++) { ulong offset = (nonResAttr.StartCluster[i] * 4096); ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096; DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length)); } byte[] contentBytes = new byte[nonResAttr.RealSize]; Array.Copy(DataBytes.ToArray(), 0, contentBytes, 0, contentBytes.Length); return(contentBytes); }
public static List <byte> GetContent(string volume, NonResident nonResAttr) { List <byte> DataBytes = new List <byte>(); IntPtr hVolume = NativeMethods.getHandle(volume); FileStream streamToRead = NativeMethods.getFileStream(hVolume); for (int i = 0; i < nonResAttr.StartCluster.Length; i++) { ulong offset = nonResAttr.StartCluster[i] * 4096; ulong length = (nonResAttr.EndCluster[i] - nonResAttr.StartCluster[i]) * 4096; DataBytes.AddRange(NativeMethods.readDrive(streamToRead, offset, length)); } DataBytes.Take((int)nonResAttr.RealSize); return(DataBytes); }
public static byte[] getBytes(string volume) { byte[] mftBytes = MasterFileTable.GetBytes(volume); MFTRecord logFileRecord = MFTRecord.Get(mftBytes, 2, null, null); NonResident data = null; foreach (Attr attr in logFileRecord.Attribute) { if (attr.Name == "DATA") { data = attr as NonResident; break; } } return((NonResident.GetContent(volume, data)).ToArray()); }
internal static byte[] getFile(FileStream streamToRead, MFTRecord mftRecord) { if (!(mftRecord.Directory)) { foreach (Attr attr in mftRecord.Attribute) { if (attr.Name == "DATA") { if (attr.NonResident == true) { NonResident nonResAttr = attr as NonResident; return(NonResident.GetContent(streamToRead, nonResAttr)); } else { Data dataAttr = attr as Data; return(dataAttr.RawData); } } } } return(null); }
internal static Attr Get(byte[] Bytes, int offset, out int offsetToATTR) { // This needs to be looked at... if (BitConverter.ToUInt32(Bytes.Skip(offset).Take(4).ToArray(), 0) != 0xD0) { AttrHeader.ATTR_HEADER_COMMON commonAttributeHeader = new AttrHeader.ATTR_HEADER_COMMON(Bytes.Skip(offset).Take(16).ToArray()); // Get byte[] representing the current attribute byte[] AttrBytes = Bytes.Skip(offset).Take((int)commonAttributeHeader.TotalSize).ToArray(); // Get byte[] representing the Attribute Name byte[] NameBytes = AttrBytes.Skip(commonAttributeHeader.NameOffset).Take(commonAttributeHeader.NameLength * 2).ToArray(); // Decode byte[] into Unicode String string AttrName = Encoding.Unicode.GetString(NameBytes); // Update offset value offset += (int)commonAttributeHeader.TotalSize; // Set offset return offsetToATTR = offset; // If attribute is non-resident if (commonAttributeHeader.NonResident) { return(NonResident.Get(AttrBytes, AttrName)); } // If attribute is resident else { #region ATTRSwitch switch (commonAttributeHeader.ATTRType) { case (Int32)Attr.ATTR_TYPE.STANDARD_INFORMATION: return(new StandardInformation(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.FILE_NAME: return(new FileName(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.OBJECT_ID: return(new ObjectId(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.VOLUME_NAME: return(new VolumeName(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.VOLUME_INFORMATION: return(new VolumeInformation(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.DATA: return(new Data(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.INDEX_ROOT: //IndexRoot indxRootAttr = IndexRoot.Get(AttrBytes, commonAttributeHeader, AttrHeaderResident, AttrName); break; case (Int32)Attr.ATTR_TYPE.EA_INFORMATION: return(new EAInformation(AttrBytes, AttrName)); case (Int32)Attr.ATTR_TYPE.EA: // //Console.WriteLine("Attr: EA {0}", commonAttributeHeader.Id); break; default: break; } #endregion ATTRSwitch } return(null); } else { offsetToATTR = 1025; return(null); } }
internal static List<IndexEntry> Get(FileStream streamToRead, byte[] MFT, int index) { MFTRecord fileRecord = MFTRecord.Get(MFT, index, null, null); NonResident INDX = null; Console.WriteLine("Count: {0}", fileRecord.Attribute.Length); foreach (Attr attr in fileRecord.Attribute) { if (attr.Name == "INDEX_ALLOCATION") { if (attr.NonResident) { INDX = (NonResident)attr; } } } byte[] nonResBytes = NonResident.GetContent(streamToRead, INDX); List<IndexEntry> indxEntryList = new List<IndexEntry>(); for (int offset = 0; offset < nonResBytes.Length; offset += 4096) { byte[] indxBytes = nonResBytes.Skip(offset).Take(4096).ToArray(); INDEX_BLOCK indxBlock = new INDEX_BLOCK(indxBytes.Take(40).ToArray()); byte[] IndexAllocEntryBytes = indxBytes.Skip(64).ToArray(); int offsetIndx = 0; int offsetIndxPrev = 1; while ((offsetIndx < IndexAllocEntryBytes.Length) && (offsetIndx != offsetIndxPrev)) { INDEX_ENTRY indxEntryStruct = new INDEX_ENTRY(IndexAllocEntryBytes.Skip(offsetIndx).ToArray()); offsetIndxPrev = offsetIndx; offsetIndx += indxEntryStruct.Size; if (indxEntryStruct.Stream.Length > 66) { FileName.ATTR_FILE_NAME fileNameStruct = new FileName.ATTR_FILE_NAME(indxEntryStruct.Stream); #region indxFlags StringBuilder indxFlags = new StringBuilder(); if (indxEntryStruct.Flags != 0) { if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.SUBNODE) == (int)INDEX_ENTRY_FLAG.SUBNODE) { indxFlags.Append("Subnode, "); } if ((indxEntryStruct.Flags & (int)INDEX_ENTRY_FLAG.LAST) == (int)INDEX_ENTRY_FLAG.LAST) { indxFlags.Append("Last Entry, "); } indxFlags.Length -= 2; } #endregion indxFlags string Name = System.Text.Encoding.Unicode.GetString(fileNameStruct.Name); IndexEntry indxEntry = new IndexEntry(indxEntryStruct, indxFlags.ToString(), Name); indxEntryList.Add(indxEntry); } } } return indxEntryList; }