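/// <summary>
/// Emits USN journal records for the active parameter set. "ByVolume" derives the
/// journal path from the <c>volume</c> field; "ByPath" uses the <c>path</c> field as
/// given. When the Usn parameter was bound, the single matching record is written;
/// otherwise every record at that path is enumerated onto the pipeline.
/// </summary>
protected override void ProcessRecord()
{
    // One record (Usn bound) or the whole journal.
    bool singleRecord = MyInvocation.BoundParameters.ContainsKey("Usn");

    switch (ParameterSetName)
    {
        case "ByVolume":
            {
                // The drive part is taken from the fourth backslash-separated element
                // (presumably "\\.\C:" -> "C:" — confirm against the Volume parameter's
                // documentation). Guard the index so a malformed volume string fails
                // with a clear message instead of an IndexOutOfRangeException.
                string[] parts = volume.Split('\\');
                if (parts.Length < 4)
                {
                    throw new ArgumentException("Volume must be of the form \\\\.\\<drive>: (for example \\\\.\\C:).");
                }

                string journalPath = parts[3] + "\\$Extend\\$UsnJrnl";
                if (singleRecord)
                {
                    WriteObject(UsnJrnl.Get(journalPath, usn));
                }
                else
                {
                    WriteObject(UsnJrnl.GetInstancesByPath(journalPath), true);
                }
                break;
            }

        case "ByPath":
            if (singleRecord)
            {
                WriteObject(UsnJrnl.Get(path, usn));
            }
            else
            {
                WriteObject(UsnJrnl.GetInstancesByPath(path), true);
            }
            break;
    }
}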
/// <summary>
/// Streams ForensicTimeline entries for each artifact source this cmdlet covers
/// (scheduled jobs, shell links, MFT file records, the USN journal, event records and
/// the DRIVERS/SAM/SECURITY/SOFTWARE/SYSTEM hives under system32\config). Each batch is
/// written as soon as it is gathered, with a verbose message announcing the source.
/// Prefetch collection is disabled, as in the original.
/// </summary>
protected override void ProcessRecord()
{
    // Prefetch is not collected by this cmdlet (disabled line kept for reference):
    //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

    WriteVerbose("Getting ScheduledJob Instances");
    WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);

    WriteVerbose("Getting ShellLink Instances");
    WriteObject(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)), true);

    WriteVerbose("Getting FileRecord Instances");
    WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);

    WriteVerbose("Getting UsnJrnl Instances");
    WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

    WriteVerbose("Getting EventRecord Instances");
    WriteObject(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)), true);

    // All hives live in the same directory, so walk them by name; the verbose text and
    // hive path produced here are identical to the per-hive statements they replace.
    string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
    string[] hiveNames = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hiveName in hiveNames)
    {
        WriteVerbose("Getting " + hiveName + " Hive Keys");
        WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hiveName)), true);
    }
}
/// <summary>
/// Streams ForensicTimeline entries for scheduled jobs, MFT file records, the USN
/// journal and the DRIVERS/SAM/SECURITY/SOFTWARE/SYSTEM hives under system32\config,
/// writing each batch to the pipeline as it is gathered. Prefetch collection is
/// disabled, as in the original.
/// </summary>
protected override void ProcessRecord()
{
    // Prefetch is not collected by this cmdlet (disabled line kept for reference):
    //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

    WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);
    WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);
    WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

    // All hives live in the same directory, so walk them by name; the hive path built
    // here is identical to the per-hive statements it replaces.
    string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
    string[] hiveNames = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hiveName in hiveNames)
    {
        WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hiveName)), true);
    }
}
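/// <summary>
/// Writes either the single USN journal record identified by the bound USN parameter,
/// or every record in the volume's journal when no USN was bound.
/// </summary>
protected override void ProcessRecord()
{
    // NOTE(review): the key checked here is "USN", while the sibling cmdlets on this
    // page check "Usn". BoundParameters is keyed by the declared parameter name —
    // confirm the declared name (or a case-insensitive comparer) makes this match.
    if (this.MyInvocation.BoundParameters.ContainsKey("USN"))
    {
        WriteObject(UsnJrnl.Get(volume, usn));
    }
    else
    {
        // Named 'records' rather than 'usn' so the local no longer shadows the usn
        // field that the branch above reads.
        UsnJrnl[] records = UsnJrnl.GetInstances(volume);

        // Enumerate so each record is placed on the pipeline individually.
        WriteObject(records, true);
    }
} // ProcessRecord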
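/// <summary>
/// Emits USN journal records for the active parameter set. The "ByVolume*" sets derive
/// the journal path from the <c>volume</c> field; the "ByPath*" sets use the
/// <c>path</c> field as given. The "*Usn" variants write the single record for the
/// bound USN, the others enumerate every record at that path.
/// </summary>
protected override void ProcessRecord()
{
    switch (ParameterSetName)
    {
        case "ByVolume":
        case "ByVolumeUsn":
            {
                // The drive part is taken from the fourth backslash-separated element
                // (presumably "\\.\C:" -> "C:" — confirm against the Volume parameter's
                // documentation). Guard the index so a malformed volume string fails
                // with a clear message instead of an IndexOutOfRangeException.
                string[] parts = volume.Split('\\');
                if (parts.Length < 4)
                {
                    throw new ArgumentException("Volume must be of the form \\\\.\\<drive>: (for example \\\\.\\C:).");
                }

                string journalPath = parts[3] + "\\$Extend\\$UsnJrnl";
                if (ParameterSetName == "ByVolumeUsn")
                {
                    WriteObject(UsnJrnl.Get(journalPath, usn));
                }
                else
                {
                    WriteObject(UsnJrnl.GetInstances(journalPath), true);
                }
                break;
            }

        case "ByPath":
            WriteObject(UsnJrnl.GetInstances(path), true);
            break;

        case "ByPathUsn":
            WriteObject(UsnJrnl.Get(path, usn));
            break;
    }
}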
/// <summary>
/// Builds the complete forensic timeline for a volume by converting every supported
/// artifact type (MFT file records, Amcache, Prefetch, scheduled jobs, UserAssist,
/// shell links, the USN journal, event logs and the DRIVERS/SAM/SECURITY/SOFTWARE/SYSTEM
/// registry hives) into <see cref="ForensicTimeline"/> entries.
/// </summary>
/// <param name="volume">
/// Volume to read. It is passed unchanged to each artifact parser and through
/// <c>Helper.GetVolumeLetter</c> to locate the registry hives under system32\config.
/// </param>
/// <returns>Every timeline entry, in collection order, as a single array.</returns>
public static ForensicTimeline[] GetInstances(string volume)
{
    string volLetter = Helper.GetVolumeLetter(volume);
    List<ForensicTimeline> timeline = new List<ForensicTimeline>();

    timeline.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));   // File System
    timeline.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));      // Amcache
    timeline.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));     // Prefetch
    timeline.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume))); // ScheduledJob
    timeline.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));   // UserAssist
    timeline.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));    // ShellLink
    timeline.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));      // UsnJrnl
    timeline.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));  // EventLog

    // Registry: all hives live in the same directory, so walk them by name. The path
    // built here is identical to the per-hive statements it replaces.
    string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
    string[] hiveNames = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hiveName in hiveNames)
    {
        timeline.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hiveName)));
    }

    return timeline.ToArray();
}
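/// <summary>
/// Reads the $Max data attribute of the volume's $UsnJrnl file (the attribute that
/// carries the journal's details) and writes it to the pipeline, either as the raw
/// bytes when <c>asBytes</c> is set or wrapped in a <c>UsnJrnlDetail</c> otherwise.
/// </summary>
protected override void ProcessRecord()
{
    // Validate / normalise the volume name in place.
    NativeMethods.getVolumeName(ref volume);

    // The original opened this handle and stream and never closed them, so every
    // invocation leaked a volume handle until finalisation. The stream is now disposed
    // when the method exits; it is assumed to own hVolume — confirm in
    // NativeMethods.getFileStream and close the handle separately if it does not.
    IntPtr hVolume = NativeMethods.getHandle(volume);
    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        // The boot record is not used below. The read is kept because the original
        // performed it and it may validate the volume — confirm before removing.
        VolumeBootRecord.Get(streamToRead);

        // $Max is resolved from the $UsnJrnl file record, not from streamToRead.
        Data maxStream = UsnJrnl.GetMaxStream(UsnJrnl.GetFileRecord(volume));
        if (asBytes)
        {
            // Written as one object (not enumerated) so the byte[] stays intact.
            WriteObject(maxStream.RawData);
        }
        else
        {
            WriteObject(new UsnJrnlDetail(maxStream.RawData));
        }
    }
} // ProcessRecord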
/// <summary>
/// Converts one USN journal record into a timeline entry. The activity column is always
/// "MACB" and the source is "USNJRNL"; the fourth constructor argument is left empty.
/// </summary>
/// <param name="input">The journal record to convert.</param>
/// <returns>
/// A <see cref="ForensicTimeline"/> built from the record's timestamp, full name and
/// <c>ToString()</c> text.
/// </returns>
public static ForensicTimeline Get(UsnJrnl input)
{
    // Read the record's fields in the same order the constructor call did.
    var timestamp = input.TimeStamp;
    var fullName = input.FullName;
    var description = input.ToString();

    return new ForensicTimeline(timestamp, "MACB", "USNJRNL", "", fullName, description);
}
/// <summary>
/// Converts one USN journal record into a timeline entry. The activity column is always
/// "MACB" and the source is "USNJRNL"; the two string arguments after the source are
/// left empty, and the record number is narrowed to <c>uint</c> for the constructor.
/// </summary>
/// <param name="input">The journal record to convert.</param>
/// <returns>
/// A <see cref="ForensicTimeline"/> built from the record's timestamp, file name,
/// record number and <c>ToString()</c> text.
/// </returns>
public static ForensicTimeline Get(UsnJrnl input)
{
    // Read the record's fields in the same order the constructor call did.
    var timestamp = input.TimeStamp;
    var fileName = input.FileName;
    uint recordNumber = (uint)input.RecordNumber;
    var description = input.ToString();

    return new ForensicTimeline(timestamp, "MACB", "USNJRNL", "", "", fileName, recordNumber, description);
}