예제 #1
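        /// <summary>
        /// Emits USN journal records for the active parameter set: every record found
        /// at the journal path (enumerated onto the pipeline one object at a time) or,
        /// when the <c>Usn</c> parameter was bound, only the record with that USN.
        /// </summary>
        /// <remarks>
        /// "ByVolume" derives the journal path from the <c>volume</c> field
        /// (fourth backslash-separated segment + <c>\$Extend\$UsnJrnl</c>);
        /// "ByPath" uses the <c>path</c> field as given. Any other parameter set
        /// emits nothing. The volume-segment lookup is now bounds-checked so a
        /// malformed volume string yields an ArgumentException instead of an
        /// IndexOutOfRangeException.
        /// </remarks>
        protected override void ProcessRecord()
        {
            // Presence in BoundParameters, not the field value, selects the single-record branch.
            bool usnBound = MyInvocation.BoundParameters.ContainsKey("Usn");

            switch (ParameterSetName)
            {
            case "ByVolume":
                EmitJournal(UsnJrnlPathFromVolume(volume), usnBound);
                break;

            case "ByPath":
                EmitJournal(path, usnBound);
                break;
            }
        }

        /// <summary>
        /// Writes either the single record identified by the <c>usn</c> field or all
        /// records found at <paramref name="journalPath"/> to the pipeline.
        /// </summary>
        /// <param name="journalPath">Path of the $UsnJrnl file to read.</param>
        /// <param name="usnBound">True when the Usn parameter was explicitly bound.</param>
        private void EmitJournal(string journalPath, bool usnBound)
        {
            if (usnBound)
            {
                WriteObject(UsnJrnl.Get(journalPath, usn));
            }
            else
            {
                // enumerateCollection: true streams the array element by element.
                WriteObject(UsnJrnl.GetInstancesByPath(journalPath), true);
            }
        }

        /// <summary>
        /// Builds the $UsnJrnl path from a volume string, taking the fourth
        /// backslash-separated segment exactly as the original <c>Split('\\')[3]</c> did
        /// (e.g. the <c>C:</c> segment of <c>\\.\C:</c>).
        /// </summary>
        /// <param name="volumeName">Volume string supplied to the cmdlet.</param>
        /// <returns>The journal path for that volume.</returns>
        /// <exception cref="System.ArgumentException">
        /// Thrown when <paramref name="volumeName"/> has fewer than four
        /// backslash-separated segments.
        /// </exception>
        private static string UsnJrnlPathFromVolume(string volumeName)
        {
            string[] parts = (volumeName ?? string.Empty).Split('\\');
            if (parts.Length < 4)
            {
                // Fully qualified so no new using directive is required by this file.
                throw new System.ArgumentException("Expected a volume name such as \\\\.\\C:", "volumeName");
            }
            return parts[3] + "\\$Extend\\$UsnJrnl";
        }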
예제 #2
        /// <summary>
        /// Streams timeline entries for each artefact source on the volume, one source
        /// at a time, announcing every stage with a verbose message. Each result array is
        /// enumerated onto the pipeline element by element. Prefetch collection stays
        /// disabled, as in the original.
        /// </summary>
        protected override void ProcessRecord()
        {
            //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);

            WriteVerbose("Getting ScheduledJob Instances");
            WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);

            WriteVerbose("Getting ShellLink Instances");
            WriteObject(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)), true);

            WriteVerbose("Getting FileRecord Instances");
            WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);

            WriteVerbose("Getting UsnJrnl Instances");
            WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

            WriteVerbose("Getting EventRecord Instances");
            WriteObject(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)), true);

            // Registry hives are processed in the same fixed order as before; each hive is
            // walked recursively and written before the next one is read.
            string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
            string[] hives = new[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };

            foreach (string hive in hives)
            {
                WriteVerbose("Getting " + hive + " Hive Keys");
                WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hive)), true);
            }
        }
예제 #3
 /// <summary>
 /// Streams timeline entries for each artefact source on the volume, one source at a
 /// time, enumerating every result array onto the pipeline. Prefetch collection stays
 /// disabled, as in the original.
 /// </summary>
 protected override void ProcessRecord()
 {
     //WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);
     WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);
     WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);
     WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);

     // Registry hives, walked recursively in the same fixed order as before.
     string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
     foreach (string hive in new[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" })
     {
         WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hive)), true);
     }
 }
예제 #4
        /// <summary>
        /// Emits USN journal records for <c>volume</c>: the single record matching the
        /// <c>usn</c> field when the USN parameter was bound, otherwise every record,
        /// enumerated onto the pipeline one at a time.
        /// </summary>
        protected override void ProcessRecord()
        {
            bool usnBound = this.MyInvocation.BoundParameters.ContainsKey("USN");

            if (usnBound)
            {
                WriteObject(UsnJrnl.Get(volume, usn));
                return;
            }

            // Named `records` rather than `usn` so the local no longer shadows the field read above.
            UsnJrnl[] records = UsnJrnl.GetInstances(volume);

            WriteObject(records, true);
        } // ProcessRecord
예제 #5
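        /// <summary>
        /// Emits USN journal records according to the active parameter set:
        /// all records (enumerated one at a time) or a single record selected by
        /// <c>usn</c>, read either from a journal path derived from <c>volume</c>
        /// or from the explicit <c>path</c> field.
        /// </summary>
        /// <remarks>
        /// The volume-derived path takes the fourth backslash-separated segment of
        /// <c>volume</c>, as before, but is now bounds-checked so a malformed volume
        /// string raises an ArgumentException instead of an IndexOutOfRangeException.
        /// Parameter sets other than the four handled here emit nothing.
        /// </remarks>
        protected override void ProcessRecord()
        {
            switch (ParameterSetName)
            {
            case "ByVolume":
                WriteObject(UsnJrnl.GetInstances(UsnJrnlPathFromVolume(volume)), true);
                break;

            case "ByVolumeUsn":
                WriteObject(UsnJrnl.Get(UsnJrnlPathFromVolume(volume), usn));
                break;

            case "ByPath":
                WriteObject(UsnJrnl.GetInstances(path), true);
                break;

            case "ByPathUsn":
                WriteObject(UsnJrnl.Get(path, usn));
                break;
            }
        }

        /// <summary>
        /// Builds the $UsnJrnl path from a volume string, taking the fourth
        /// backslash-separated segment exactly as the original <c>Split('\\')[3]</c> did
        /// (e.g. the <c>C:</c> segment of <c>\\.\C:</c>).
        /// </summary>
        /// <param name="volumeName">Volume string supplied to the cmdlet.</param>
        /// <returns>The journal path for that volume.</returns>
        /// <exception cref="System.ArgumentException">
        /// Thrown when <paramref name="volumeName"/> has fewer than four
        /// backslash-separated segments.
        /// </exception>
        private static string UsnJrnlPathFromVolume(string volumeName)
        {
            string[] parts = (volumeName ?? string.Empty).Split('\\');
            if (parts.Length < 4)
            {
                // Fully qualified so no new using directive is required by this file.
                throw new System.ArgumentException("Expected a volume name such as \\\\.\\C:", "volumeName");
            }
            return parts[3] + "\\$Extend\\$UsnJrnl";
        }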
예제 #6
        /// <summary>
        /// Collects timeline entries from every supported artefact source on a volume
        /// into a single array. Sources are queried in a fixed order: file records,
        /// Amcache, Prefetch, scheduled jobs, UserAssist, shell links, the USN journal,
        /// event records, and finally the DRIVERS, SAM, SECURITY, SOFTWARE and SYSTEM
        /// registry hives (walked recursively).
        /// </summary>
        /// <param name="volume">Volume identifier passed through to each artefact parser.</param>
        /// <returns>All entries gathered, in source order.</returns>
        public static ForensicTimeline[] GetInstances(string volume)
        {
            List<ForensicTimeline> entries = new List<ForensicTimeline>();

            // The hive paths are built from the drive letter, not the raw volume string.
            string volLetter = Helper.GetVolumeLetter(volume);

            entries.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));      // File system
            entries.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));         // Amcache
            entries.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));        // Prefetch
            entries.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));    // ScheduledJob
            entries.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));      // UserAssist
            entries.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));       // ShellLink
            entries.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));         // UsnJrnl
            entries.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));     // EventLog

            // Registry hives, in the same order as before.
            string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
            foreach (string hive in new[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" })
            {
                entries.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hive)));
            }

            return entries.ToArray();
        }
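        /// <summary>
        /// Emits the $UsnJrnl:$Max attribute of <c>volume</c>, either as raw bytes when
        /// <c>asBytes</c> is set or parsed into a <c>UsnJrnlDetail</c>.
        /// </summary>
        /// <remarks>
        /// The original opened a volume handle and FileStream, parsed a
        /// VolumeBootRecord from it that was never used, and disposed neither.
        /// The $Max data itself comes from <c>UsnJrnl.GetFileRecord(volume)</c>, not
        /// from the stream. The stream is kept so the open-volume side effects (e.g.
        /// failing early when the volume cannot be opened) are unchanged, but it is now
        /// disposed, and the unused VBR parse is dropped.
        /// </remarks>
        protected override void ProcessRecord()
        {
            // Check for valid Volume name (normalised in place)
            NativeMethods.getVolumeName(ref volume);

            // Open the volume; NOTE(review): whether disposing the FileStream also closes
            // hVolume depends on NativeMethods.getFileStream — confirm it owns the handle.
            IntPtr hVolume = NativeMethods.getHandle(volume);

            using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
            {
                // Get the $Max Data attribute (contains UsnJrnl details)
                Data Max = UsnJrnl.GetMaxStream(UsnJrnl.GetFileRecord(volume));

                if (asBytes)
                {
                    WriteObject(Max.RawData);
                }
                else
                {
                    WriteObject(new UsnJrnlDetail(Max.RawData));
                }
            }
        } // ProcessRecord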
예제 #8
 /// <summary>
 /// Converts a single USN journal record into a timeline entry.
 /// </summary>
 /// <param name="input">The USN journal record to convert.</param>
 /// <returns>
 /// A <c>ForensicTimeline</c> carrying the record's TimeStamp, the activity tag
 /// "MACB", the source tag "USNJRNL", an empty fourth field, the record's FullName
 /// and its ToString() text.
 /// </returns>
 public static ForensicTimeline Get(UsnJrnl input)
 {
     const string activity = "MACB";
     const string source = "USNJRNL";

     // Read the record members in the same order the original argument list did.
     var timeStamp = input.TimeStamp;
     string fullName = input.FullName;
     string description = input.ToString();

     return new ForensicTimeline(timeStamp, activity, source, "", fullName, description);
 }
 /// <summary>
 /// Converts a single USN journal record into a timeline entry (variant carrying the
 /// record number).
 /// </summary>
 /// <param name="input">The USN journal record to convert.</param>
 /// <returns>
 /// A <c>ForensicTimeline</c> carrying the record's TimeStamp, the activity tag
 /// "MACB", the source tag "USNJRNL", two empty fields, the record's FileName, its
 /// RecordNumber cast to uint, and its ToString() text.
 /// </returns>
 public static ForensicTimeline Get(UsnJrnl input)
 {
     const string activity = "MACB";
     const string source = "USNJRNL";

     // Read the record members in the same order the original argument list did.
     var timeStamp = input.TimeStamp;
     string fileName = input.FileName;
     uint recordNumber = (uint)input.RecordNumber;
     string description = input.ToString();

     return new ForensicTimeline(timeStamp, activity, source, "", "", fileName, recordNumber, description);
 }