public static RunKey[] GetInstances(string volume)
{
List<RunKey> list = new List<RunKey>();
try
{
list.AddRange(Get(Util.GetVolumeLetter(volume) + @"\Windows\system32\config\SOFTWARE"));
}
catch
{
}
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static UserAssist[] GetInstances(string hivePath)
{
List<UserAssist> uaList = new List<UserAssist>();
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
if (nk.NumberOfValues != 0)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
uaList.Add(new UserAssist(vk, bytes));
}
}
}
}
return uaList.ToArray();
}
public static NetworkList[] GetInstances(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
{
string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);
List<NetworkList> nlList = new List<NetworkList>();
foreach (NamedKey key in SignatureKey)
{
if (key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
nlList.Add(new NetworkList(nk, bytes));
}
}
}
return nlList.ToArray();
}
else
{
throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
}
}
internal static List Factory(byte[] bytes, byte[] subKeyListBytes, string type)
{
if (type == "lf")
{
return new Leaf(subKeyListBytes);
}
else if (type == "lh")
{
return new HashedLeaf(subKeyListBytes);
}
else if (type == "li")
{
return new LeafItem(subKeyListBytes);
}
else if (type == "ri")
{
List ri = new ReferenceItem(subKeyListBytes);
List[] listArray = new List[ri.Count];
for (int i = 0; i < ri.Offset.Length; i++)
{
byte[] sublistBytes = NativeMethods.GetSubArray(bytes, ri.Offset[i], (uint)Math.Abs(BitConverter.ToInt32(bytes, (int)ri.Offset[i])));
string subtype = Encoding.ASCII.GetString(sublistBytes, 0x04, 0x02);
listArray[i] = List.Factory(bytes, sublistBytes, subtype);
}
ushort aggCount = 0;
foreach (List l in listArray)
{
aggCount += l.Count;
}
uint[] aggOffset = new uint[aggCount];
int j = 0;
foreach (List l in listArray)
{
for (int k = 0; (k < l.Count) && (j < aggCount); k++)
{
aggOffset[j] = l.Offset[k];
j++;
}
}
return new ReferenceItem(aggCount, aggOffset);
}
else
{
return null;
}
}
public static RunKey[] Get(string hivePath)
{
List<string> Keys = new List<string>();
string AutoRunLocation = null;
if(RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
{
Keys.AddRange(new string[] { @"Microsoft\Windows\CurrentVersion\Run", @"Microsoft\Windows\CurrentVersion\RunOnce", @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run" });
AutoRunLocation = @"HKLM\SOFTWARE\";
}
else if(RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
Keys.AddRange(new string[] { @"Software\Microsoft\Windows\CurrentVersion\Run", @"Software\Microsoft\Windows\CurrentVersion\RunOnce" });
AutoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
}
else
{
throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
}
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
List<RunKey> runList = new List<RunKey>();
foreach(string key in Keys)
{
try
{
NamedKey run = NamedKey.Get(bytes, hivePath, key);
if (run.NumberOfValues > 0)
{
foreach (ValueKey vk in run.GetValues(bytes))
{
runList.Add(new RunKey(AutoRunLocation + key, vk));
}
}
}
catch
{
}
}
return runList.ToArray();
}
public static OutlookCatalog[] GetInstances(string volume)
{
List<OutlookCatalog> list = new List<OutlookCatalog>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static TrustRecord[] GetInstances(string volume)
{
List<TrustRecord> list = new List<TrustRecord>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static RunMRU[] GetInstances(string volume)
{
Helper.getVolumeName(ref volume);
List<RunMRU> list = new List<RunMRU>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static NetworkList[] GetInstances(string hivePath)
{
string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);
List<NetworkList> nlList = new List<NetworkList>();
foreach (NamedKey key in SignatureKey)
{
if (key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
nlList.Add(new NetworkList(nk, bytes));
}
}
}
return nlList.ToArray();
}
public static OutlookCatalog[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
byte[] hiveBytes = RegistryHelper.GetHiveBytes(hivePath);
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string OfficeVersion = RegistryHelper.GetOfficeVersion(hiveBytes, hivePath);
List<OutlookCatalog> list = new List<OutlookCatalog>();
NamedKey CatalogKey = null;
if (OfficeVersion == "12.0")
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Catalog");
}
else
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Search\Catalog");
}
if (CatalogKey.NumberOfValues > 0)
{
foreach (ValueKey vk in CatalogKey.GetValues())
{
list.Add(new OutlookCatalog(user, vk));
}
}
return list.ToArray();
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static TrustRecord[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
List<TrustRecord> trList = new List<TrustRecord>();
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
string OfficeVersion = RegistryHelper.GetOfficeVersion(bytes, hivePath);
string[] applications = new string[] { "Word", "Excel", "PowerPoint"};
for(int i = 0; i < applications.Length; i++)
{
try
{
StringBuilder sb = new StringBuilder();
sb.Append(@"Software\Microsoft\Office\").Append(OfficeVersion).Append("\\").Append(applications[i]).Append(@"\Security\Trusted Documents\TrustRecords");
NamedKey nk = NamedKey.Get(bytes, hivePath, sb.ToString());
foreach(ValueKey vk in nk.GetValues(bytes))
{
trList.Add(new TrustRecord(bytes, user, vk));
}
}
catch
{
}
}
return trList.ToArray();
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
internal static string[] GetUserHiveInstances(string volume)
{
List<string> userHiveList = new List<string>();
IndexEntry[] entries = null;
try
{
entries = IndexEntry.GetInstances(Util.GetVolumeLetter(volume) + @"\Users");
}
catch
{
try
{
entries = IndexEntry.GetInstances(Util.GetVolumeLetter(volume) + @"\Documents and Settings");
}
catch
{
throw new Exception("Could not locate User Registry Hives.");
}
}
foreach (IndexEntry e in entries)
{
try
{
userHiveList.Add(IndexEntry.Get(e.FullName + @"\NTUSER.DAT").FullName);
}
catch
{
}
}
return userHiveList.ToArray();
}
public static FileMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
List<FileMRU> fileList = new List<FileMRU>();
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
NamedKey OfficeKey = RegistryHelper.GetOfficeKey(bytes, hivePath);
foreach (NamedKey nk in OfficeKey.GetSubKeys(bytes))
{
if (nk.Name == "Word" || nk.Name == "Excel" || nk.Name == "PowerPoint")
{
foreach (NamedKey k in nk.GetSubKeys(bytes))
{
if (k.Name == "File MRU")
{
foreach (ValueKey vk in k.GetValues(bytes))
{
if (vk.Name != "Max Display")
{
fileList.Add(new FileMRU(user, (string)vk.GetData(bytes)));
}
}
}
}
}
}
return fileList.ToArray();
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static ForensicTimeline[] GetInstances(Amcache[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (Amcache a in input)
{
list.Add(Get(a));
}
return list.ToArray();
}
public static ForensicTimeline[] Get(FileRecord input)
{
List<ForensicTimeline> macs = new List<ForensicTimeline>();
if (input.SequenceNumber != 0)
{
#region DetermineTime
Dictionary<DateTime, ACTIVITY_TYPE> dictionary = new Dictionary<DateTime, ACTIVITY_TYPE>();
// Modified Time
dictionary[input.ModifiedTime] = ACTIVITY_TYPE.m;
// Access Time
if (dictionary.ContainsKey(input.AccessedTime))
{
dictionary[input.AccessedTime] = dictionary[input.AccessedTime] | ACTIVITY_TYPE.a;
}
else
{
dictionary.Add(input.AccessedTime, ACTIVITY_TYPE.a);
}
// MFT Changed Time
if (dictionary.ContainsKey(input.ChangedTime))
{
dictionary[input.ChangedTime] = dictionary[input.ChangedTime] | ACTIVITY_TYPE.c;
}
else
{
dictionary.Add(input.ChangedTime, ACTIVITY_TYPE.c);
}
// Born Time
if (dictionary.ContainsKey(input.BornTime))
{
dictionary[input.BornTime] = dictionary[input.BornTime] | ACTIVITY_TYPE.b;
}
else
{
dictionary.Add(input.BornTime, ACTIVITY_TYPE.b);
}
#endregion DetermineTime
foreach (var time in dictionary)
{
string activity = ToFriendlyString(time.Value);
macs.Add(new ForensicTimeline(time.Key, activity, "MFT", "", input.FullName, input.ToString()));
}
return macs.ToArray();
}
else
{
macs.Add(new ForensicTimeline(new DateTime(1), "MACB", "MFT", "", "", ""));
return macs.ToArray();
}
}
public static ForensicTimeline[] GetInstances(Prefetch[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (Prefetch pf in input)
{
foreach (ForensicTimeline t in Get(pf))
{
list.Add(t);
}
}
return list.ToArray();
}
public static ForensicTimeline[] Get(Prefetch input)
{
List<ForensicTimeline> mactimeList = new List<ForensicTimeline>();
foreach (DateTime time in input.PrefetchAccessTime)
{
mactimeList.Add(new ForensicTimeline(time, "MACB", "PREFETCH", "", input.Path, input.ToString()));
}
return mactimeList.ToArray();
}
public static ForensicTimeline[] Get(ShellLink input)
{
List<ForensicTimeline> macs = new List<ForensicTimeline>();
#region DetermineTime
Dictionary<DateTime, ACTIVITY_TYPE> dictionary = new Dictionary<DateTime, ACTIVITY_TYPE>();
// Creation Time
dictionary[input.CreationTime] = ACTIVITY_TYPE.b;
// Access Time
if (dictionary.ContainsKey(input.AccessTime))
{
dictionary[input.AccessTime] = dictionary[input.AccessTime] | ACTIVITY_TYPE.a;
}
else
{
dictionary.Add(input.AccessTime, ACTIVITY_TYPE.a);
}
// Modified Time
if (dictionary.ContainsKey(input.WriteTime))
{
dictionary[input.WriteTime] = dictionary[input.WriteTime] | ACTIVITY_TYPE.m;
}
else
{
dictionary.Add(input.WriteTime, ACTIVITY_TYPE.m);
}
#endregion DetermineTime
foreach (var time in dictionary)
{
string activity = ToFriendlyString(time.Value);
macs.Add(new ForensicTimeline(time.Key, activity, "ShellLink", "", input.LocalBasePath, input.ToString()));
}
return macs.ToArray();
}
public static ForensicTimeline[] GetInstances(ScheduledJob[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (ScheduledJob s in input)
{
list.Add(Get(s));
}
return list.ToArray();
}
public static UserAssist[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
List<UserAssist> uaList = new List<UserAssist>();
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
if (nk.NumberOfValues != 0)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
uaList.Add(new UserAssist(RegistryHelper.GetUserHiveOwner(hivePath), vk, bytes));
}
}
}
}
return uaList.ToArray();
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static Amcache[] GetInstancesByPath(string hivePath)
{
string Key = @"Root\File";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
List<Amcache> amcacheList = new List<Amcache>();
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
amcacheList.Add(new Amcache(nk, bytes));
}
}
return amcacheList.ToArray();
}
internal static byte[] Get(byte[] bytes, ValueKey vk)
{
List<byte> contents = new List<byte>();
byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));
short offsetCount = BitConverter.ToInt16(dataBytes, 0x06);
uint offsetOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;
byte[] offsetBytes = Helper.GetSubArray(bytes, (int)offsetOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)offsetOffset)));
for (short i = 1; i <= offsetCount; i++)
{
uint segmentOffset = BitConverter.ToUInt32(offsetBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset)) - 0x08));
}
byte[] b = contents.ToArray();
return Helper.GetSubArray(b, 0x00, b.Length);
}
public static ForensicTimeline[] GetInstances(NamedKey[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (NamedKey nk in input)
{
list.Add(Get(nk));
}
return list.ToArray();
}
public static ForensicTimeline[] GetInstances(ShellLink[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (ShellLink s in input)
{
foreach (ForensicTimeline t in Get(s))
{
list.Add(t);
}
}
return list.ToArray();
}
public static ForensicTimeline[] GetInstances(EventRecord[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (EventRecord er in input)
{
list.Add(Get(er));
}
return list.ToArray();
}
public static Amcache[] GetInstancesByPath(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve"))
{
string Key = @"Root\File";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
List<Amcache> amcacheList = new List<Amcache>();
foreach (NamedKey key in FileSubKey)
{
if(key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
amcacheList.Add(new Amcache(nk, bytes));
}
}
}
return amcacheList.ToArray();
}
else
{
throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
}
}
private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
{
List<NamedKey> keyList = new List<NamedKey>();
foreach(NamedKey subkey in nk.GetSubKeys(bytes, nk.FullName))
{
keyList.Add(subkey);
if (subkey.NumberOfSubKeys > 0)
{
keyList.AddRange(GetInstances(bytes, subkey, true));
}
}
return keyList.ToArray();
}
public static ForensicTimeline[] GetInstances(FileRecord[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (FileRecord r in input)
{
foreach (ForensicTimeline t in Get(r))
{
list.Add(t);
}
}
return list.ToArray();
}
private static Shimcache[] Get00000030(byte[] bytes)
{
int offset = BitConverter.ToInt32(bytes, 0x00);
List<Shimcache> shimList = new List<Shimcache>();
while (offset < bytes.Length)
{
if (Encoding.ASCII.GetString(bytes, offset, 0x04) == "10ts")
{
int pathoffset = offset + 0x0E;
int pathlength = BitConverter.ToInt16(bytes, offset + 0x0C);
string path = Encoding.Unicode.GetString(bytes, pathoffset, pathlength);
DateTime lastModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, pathoffset + pathlength));
shimList.Add(new Shimcache(path, lastModifiedTime, 0, new DateTime(0)));
offset += (BitConverter.ToInt32(bytes, offset + 0x08) + 0x0C);
}
else
{
break;
}
}
return shimList.ToArray();
}
public static ForensicTimeline[] GetInstances(UsnJrnl[] input)
{
List<ForensicTimeline> list = new List<ForensicTimeline>();
foreach (UsnJrnl u in input)
{
list.Add(Get(u));
}
return list.ToArray();
}