internal byte[] GetContent(NtfsVolumeBootRecord VBR)
{
foreach (FileRecordAttribute attr in this.Attribute)
{
if (attr.Name == FileRecordAttribute.ATTR_TYPE.DATA)
{
if (attr.NonResident)
{
return((attr as NonResident).GetBytes(VBR));
}
else
{
return((attr as Data).RawData);
}
}
else if (attr.Name == FileRecordAttribute.ATTR_TYPE.ATTRIBUTE_LIST)
{
AttributeList attrlist = attr as AttributeList;
foreach (AttrRef ar in attrlist.AttributeReference)
{
if (ar.Name == "DATA")
{
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(this.VolumePath, (int)ar.RecordNumber), this.VolumePath, (int)VBR.BytesPerFileRecord, true);
return(record.GetContent());
}
}
}
}
throw new Exception("Could not locate file contents");
}
internal static FileRecord Get(string volume, int index, bool fast)
{
NtfsVolumeBootRecord vbr = VolumeBootRecord.Get(volume) as NtfsVolumeBootRecord;
byte[] bytes = GetRecordBytes(volume, index);
return(Get(bytes, volume, (int)vbr.BytesPerFileRecord, fast));
}
private static FileRecord[] GetInstances(byte[] bytes, string volume, bool fast)
{
NtfsVolumeBootRecord vbr = VolumeBootRecord.Get(volume) as NtfsVolumeBootRecord;
// Determine the size of an MFT File Record
int bytesPerFileRecord = (int)vbr.BytesPerFileRecord;
// Calulate the number of entries in the MFT
int fileCount = bytes.Length / bytesPerFileRecord;
// Instantiate an array of FileRecord objects
FileRecord[] recordArray = new FileRecord[fileCount];
// Apply fixup values across MFT Bytes
ApplyFixup(ref bytes, bytesPerFileRecord);
// Now we need to iterate through all possible index values
for (int index = 0x00; index < fileCount; index++)
{
// Check if current record has been instantiated
if (recordArray[index] == null)
{
// Instantiate FileRecord object
recordArray[index] = new FileRecord(ref recordArray, bytes, index * bytesPerFileRecord, bytesPerFileRecord, volume, fast);
}
}
return(recordArray);
}
private static byte[] GetRecordBytesPrivate(string volume, int index)
{
// Get filestream based on hVolume
using (FileStream streamToRead = Helper.getFileStream(volume))
{
// Get Volume Boot Record
NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord;
// Determine start of MFT
long mftStartOffset = VBR.MftStartIndex * VBR.BytesPerCluster;
// Get FileRecord for $MFT
FileRecord mftRecord = MasterFileTable.GetRecord(streamToRead, volume);
// Get $MFT Data Attribute
NonResident data = null;
foreach (FileRecordAttribute attr in mftRecord.Attribute)
{
if (attr.Name == FileRecordAttribute.ATTR_TYPE.DATA)
{
data = attr as NonResident;
break;
}
}
// Iterate through fragments of the MFT
foreach (DataRun dr in data.DataRun)
{
long DataRunRecords = (dr.ClusterLength * VBR.BytesPerCluster) / VBR.BytesPerFileRecord;
// Check if index can be found in current DataRun
if (index < (int)DataRunRecords)
{
long recordOffset = (dr.StartCluster * VBR.BytesPerCluster) + (index * VBR.BytesPerFileRecord);
byte[] recordBytesRaw = Helper.readDrive(streamToRead, recordOffset, VBR.BytesPerFileRecord);
ApplyFixup(ref recordBytesRaw, (int)VBR.BytesPerFileRecord);
return(recordBytesRaw);
}
// Decrement index for the number of FileRecords in the current DataRun
else
{
index -= ((int)dr.ClusterLength * VBR.BytesPerCluster) / (int)VBR.BytesPerFileRecord;
}
}
throw new Exception("Could not find the FileRecord requested...");
}
}
/// <summary>
///
/// </summary>
/// <param name="streamToRead"></param>
/// <param name="volume"></param>
/// <returns></returns>
internal static FileRecord GetRecord(FileStream streamToRead, string volume)
{
// Instantiate VolumeBootRecord object
NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord;
// Calculate byte offset to the Master File Table (MFT)
long mftOffset = (VBR.BytesPerCluster * VBR.MftStartIndex);
// Read bytes belonging to specified MFT Record
byte[] recordBytes = Helper.readDrive(streamToRead, mftOffset, VBR.BytesPerFileRecord);
// Instantiate a FileRecord object for the $MFT file
return(FileRecord.Get(recordBytes, volume, (int)VBR.BytesPerFileRecord, true));
}
