private static void DumpToJson(LnkFile lnk, bool pretty, string outFile)
{
if (pretty)
{
File.WriteAllText(outFile, lnk.Dump());
}
else
{
File.WriteAllText(outFile, lnk.ToJson());
}
}
private static void SaveJson(LnkFile lnk, bool pretty, string outDir)
{
try
{
if (Directory.Exists(outDir) == false)
{
Directory.CreateDirectory(outDir);
}
var outName =
$"{DateTimeOffset.UtcNow.ToString("yyyyMMddHHmmss")}_{Path.GetFileName(lnk.SourceFile)}.json";
var outFile = Path.Combine(outDir, outName);
DumpToJson(lnk, pretty, outFile);
}
catch (Exception ex)
{
_logger.Error($"Error exporting json for '{lnk.SourceFile}'. Error: {ex.Message}");
}
}
private static CsvOut GetCsvFormat(LnkFile lnk)
{
var csOut = new CsvOut
{
SourceFile = lnk.SourceFile,
SourceCreated = lnk.SourceCreated?.ToString(_fluentCommandLineParser.Object.DateTimeFormat) ?? string.Empty,
SourceModified = lnk.SourceModified?.ToString(_fluentCommandLineParser.Object.DateTimeFormat) ?? string.Empty,
SourceAccessed = lnk.SourceAccessed?.ToString(_fluentCommandLineParser.Object.DateTimeFormat) ?? string.Empty,
TargetCreated = lnk.Header.TargetCreationDate.Year == 1601 ? string.Empty:lnk.Header.TargetCreationDate.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
TargetModified = lnk.Header.TargetModificationDate.Year == 1601 ? string.Empty : lnk.Header.TargetModificationDate.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
TargetAccessed = lnk.Header.TargetLastAccessedDate.Year == 1601 ? string.Empty : lnk.Header.TargetLastAccessedDate.ToString(_fluentCommandLineParser.Object.DateTimeFormat),
CommonPath = lnk.CommonPath,
DriveLabel = lnk.VolumeInfo?.VolumeLabel,
DriveSerialNumber = lnk.VolumeInfo?.DriveSerialNumber,
DriveType = lnk.VolumeInfo == null ? "(None)" : GetDescriptionFromEnumValue(lnk.VolumeInfo.DriveType),
FileAttributes = lnk.Header.FileAttributes.ToString(),
FileSize = lnk.Header.FileSize,
HeaderFlags = lnk.Header.DataFlags.ToString(),
LocalPath = lnk.LocalPath,
RelativePath = lnk.RelativePath,
Arguments = lnk.Arguments
};
if (lnk.TargetIDs?.Count > 0)
{
csOut.TargetIDAbsolutePath = GetAbsolutePathFromTargetIDs(lnk.TargetIDs);
}
csOut.WorkingDirectory = lnk.WorkingDirectory;
var ebPresent = string.Empty;
if (lnk.ExtraBlocks.Count > 0)
{
var names = new List<string>();
foreach (var extraDataBase in lnk.ExtraBlocks)
{
names.Add(extraDataBase.GetType().Name);
}
ebPresent = string.Join(", ", names);
}
csOut.ExtraBlocksPresent = ebPresent;
var tnb = lnk.ExtraBlocks.SingleOrDefault(t => t.GetType().Name.ToUpper() == "TRACKERDATABASEBLOCK");
if (tnb != null)
{
var tnbBlock = tnb as TrackerDataBaseBlock;
csOut.TrackerCreatedOn = tnbBlock?.CreationTime.ToString(_fluentCommandLineParser.Object.DateTimeFormat);
csOut.MachineID = tnbBlock?.MachineId;
csOut.MachineMACAddress = tnbBlock?.MacAddress;
csOut.MACVendor = GetVendorFromMac(tnbBlock?.MacAddress);
}
if (lnk.TargetIDs?.Count > 0)
{
var si = lnk.TargetIDs.Last();
if (si.ExtensionBlocks?.Count > 0)
{
var eb = si.ExtensionBlocks.LastOrDefault(t => t is Beef0004);
if (eb is Beef0004)
{
var eb4 = eb as Beef0004;
if (eb4.MFTInformation.MFTEntryNumber != null)
{
csOut.TargetMFTEntryNumber = $"0x{eb4.MFTInformation.MFTEntryNumber.Value.ToString("X")}";
}
if (eb4.MFTInformation.MFTSequenceNumber != null)
{
csOut.TargetMFTSequenceNumber =
$"0x{eb4.MFTInformation.MFTSequenceNumber.Value.ToString("X")}";
}
}
}
}
return csOut;
}