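/// <summary>
/// Builds a <c>Prefetch</c> object for every *.pf file in the Windows\Prefetch
/// directory of the volume that holds the process working directory. Each file
/// is read through the regular file API (<c>File.ReadAllBytes</c>).
/// </summary>
/// <param name="fast">Not read anywhere in this method body.</param>
/// <returns>
/// One element per *.pf file found, or <c>null</c> when the Prefetch directory
/// does not exist. Callers must handle the <c>null</c> case.
/// </returns>
/// <exception cref="ArgumentException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="PathTooLongException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="DirectoryNotFoundException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="IOException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="UnauthorizedAccessException">Rethrown from the file read, original kept as InnerException.</exception>
public static Prefetch[] GetInstances(bool fast)
{
    // First component of the working directory (the text before the first backslash).
    // This is the volume the process was started on, which is not necessarily the system volume.
    string volLetter = Directory.GetCurrentDirectory().Split('\\')[0];

    // Verbatim literal: every "\\" below is two backslash characters in the resulting path.
    string prefetchPath = volLetter + @"\\Windows\\Prefetch";

    if (!Directory.Exists(prefetchPath))
    {
        return null;
    }

    // Only files matching the *.pf pattern are considered.
    string[] pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
    Prefetch[] pfArray = new Prefetch[pfFiles.Length];

    for (int i = 0; i < pfFiles.Length; i++)
    {
        byte[] fileBytes = null;

        // NOTE(review): this read goes through the OS file API, so it is subject to
        // ACLs and sharing locks on the artifact and, depending on system settings,
        // may touch last-access metadata. Confirm that is acceptable for the
        // collection scenario this overload is used in.
        try
        {
            fileBytes = File.ReadAllBytes(pfFiles[i]);
        }
        // Each handler keeps the exception type and message callers already see, and
        // attaches the original exception so the failing path and stack are not lost.
        catch (ArgumentException ex)
        {
            throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()", ex);
        }
        catch (PathTooLongException ex)
        {
            throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()", ex);
        }
        catch (DirectoryNotFoundException ex)
        {
            throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()", ex);
        }
        catch (IOException ex)
        {
            throw new IOException("IOException thrown by Prefetch.GetInstance()", ex);
        }
        catch (UnauthorizedAccessException ex)
        {
            throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()", ex);
        }

        pfArray[i] = new Prefetch(fileBytes);
    }

    return pfArray;
}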
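/// <summary>
/// Builds a <c>Prefetch</c> object for each index entry of the volume's
/// Windows\Prefetch directory whose file name contains ".pf". The file content
/// is taken from the Master File Table bytes read off the volume handle rather
/// than from <c>File.ReadAllBytes</c>.
/// </summary>
/// <param name="volume">Volume name; passed by reference to <c>NativeMethods.getVolumeName</c> before use.</param>
/// <returns>One element per matching index entry (the array is empty when none match).</returns>
/// <exception cref="Exception">The Prefetch directory does not exist.</exception>
public static Prefetch[] GetInstances(string volume)
{
    NativeMethods.getVolumeName(ref volume);

    // Index 3 assumes the name has the form \\.\X: after getVolumeName - TODO confirm.
    // Any other shape makes this indexer throw IndexOutOfRangeException.
    string volLetter = volume.Split('\\')[3];

    IntPtr hVolume = NativeMethods.getHandle(volume);

    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);

        string pfPath = volLetter + @"\Windows\Prefetch";

        if (!Directory.Exists(pfPath))
        {
            throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
        }

        IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);

        // The result used to be a fixed array sized by Directory.GetFiles(pfPath, "*.pf")
        // but filled from the index entries below. The two counts are produced by
        // different filters, so a mismatch either overran the array or left null
        // elements at its end. Collecting into a list sizes the result by what is
        // actually parsed.
        var parsed = new System.Collections.Generic.List<Prefetch>();

        foreach (IndexEntry entry in pfEntries)
        {
            // NOTE(review): Contains(".pf") is case-sensitive and also matches names
            // that merely contain ".pf"; it is looser than a "*.pf" glob.
            if (entry.Filename.Contains(".pf"))
            {
                // 0x400 is used as a fixed record size. The offset is computed in
                // 32-bit unsigned arithmetic, so it wraps for very large record
                // numbers - NOTE(review): confirm the range of RecordNumber.
                parsed.Add(new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes()));
            }
        }

        return parsed.ToArray();
    }
}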
/// <summary>
/// Builds a <c>Prefetch</c> object for every *.pf file in the Windows\Prefetch
/// directory of the volume that holds the process working directory. File
/// content is obtained through <c>MFTRecord.getFile</c> using the Master File
/// Table bytes read off the raw volume handle.
/// </summary>
/// <returns>
/// One element per *.pf file found, or <c>null</c> when the Prefetch directory
/// does not exist. Callers must handle the <c>null</c> case.
/// </returns>
public static Prefetch[] GetInstances()
{
    // Text before the first backslash of the working directory; the raw device
    // name is that value prefixed with \\.\
    string driveLetter = Directory.GetCurrentDirectory().Split('\\')[0];
    string volume = @"\\.\" + driveLetter;

    IntPtr hVolume = NativeMethods.getHandle(volume);

    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        // The MFT is read before the directory check, so a failure here surfaces
        // even when the Prefetch directory is missing.
        byte[] mftBytes = MasterFileTable.GetBytes(hVolume, streamToRead);

        // Verbatim literal: every "\\" below is two backslash characters.
        // NOTE(review): the doubled separators carry into each path handed to
        // MFTRecord.getFile - confirm that helper tolerates them.
        string prefetchPath = driveLetter + @"\\Windows\\Prefetch";

        if (!Directory.Exists(prefetchPath))
        {
            return null;
        }

        string[] pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
        Prefetch[] parsed = new Prefetch[pfFiles.Length];

        int slot = 0;
        foreach (string pfFile in pfFiles)
        {
            byte[] content = MFTRecord.getFile(volume, streamToRead, mftBytes, pfFile).ToArray();
            parsed[slot] = new Prefetch(content);
            slot++;
        }

        return parsed;
    }
}
/// <summary>
/// Reads one Prefetch file through <c>MFTRecord.getFile</c> and parses it into a
/// <c>Prefetch</c> object.
/// </summary>
/// <param name="volume">Volume name forwarded to <c>MFTRecord.getFile</c>.</param>
/// <param name="streamToRead">Stream forwarded to <c>MFTRecord.getFile</c>.</param>
/// <param name="MFT">Master File Table bytes forwarded to <c>MFTRecord.getFile</c>.</param>
/// <param name="prefetchPath">Path of the Prefetch file to parse.</param>
/// <returns>The parsed object, or <c>null</c> when <c>checkPfMagic</c> rejects the bytes.</returns>
public static Prefetch Get(string volume, FileStream streamToRead, byte[] MFT, string prefetchPath)
{
    byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, prefetchPath).ToArray();

    // Magic value "SCCA" is expected at offsets 0x04 - 0x07; anything else is not parsed.
    if (!checkPfMagic(fileBytes))
    {
        return null;
    }

    // Format version byte (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP).
    // NOTE(review): this index is not bounds-checked here; it relies on
    // checkPfMagic having rejected buffers that are too short - verify.
    byte pfVersion = fileBytes[0];

    // Application name: 0x3C bytes of UTF-16 starting at offset 0x10. Only
    // trailing NUL characters are removed, so anything after an embedded NUL
    // stays in the string.
    byte[] nameField = fileBytes.Skip(0x10).Take(0x3C).ToArray();
    string appName = System.Text.Encoding.Unicode.GetString(nameField).TrimEnd('\0');

    string[] dependencyArray = getPfDependencies(getPfDependencySection(fileBytes));

    // Enum.GetName yields null for a version byte that PREFETCH_VERSION does not define.
    return new Prefetch(
        Enum.GetName(typeof(PREFETCH_VERSION), pfVersion),
        appName,
        getPfPathHash(fileBytes),
        getPfAccessTime(pfVersion, fileBytes),
        dependencyArray,
        dependencyArray.Length,
        getPfPath(appName, dependencyArray),
        getPfDeviceCount(fileBytes),
        getPfRunCount(pfVersion, fileBytes)
    );
}
/// <summary>
/// Stub: accepts a <c>Prefetch</c> and declares a <c>Mactime[]</c> result, but
/// performs no conversion.
/// </summary>
/// <param name="pf">Ignored by the current body.</param>
/// <returns>Always <c>null</c>; callers must not assume an array comes back.</returns>
public static Mactime[] Get(Prefetch pf)
{
    // Unconditional null: no timeline entries are produced from the argument.
    return null;
}
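/// <summary>
/// Builds a <c>Prefetch</c> object for every *.pf file in the Windows\Prefetch
/// directory of the given volume. Each file is read through the regular file
/// API (<c>File.ReadAllBytes</c>).
/// </summary>
/// <param name="volume">Volume name; passed by reference to <c>NativeMethods.getVolumeName</c> before use.</param>
/// <param name="fast">Not read anywhere in this method body.</param>
/// <returns>
/// One element per *.pf file found, or <c>null</c> when the Prefetch directory
/// does not exist. Callers must handle the <c>null</c> case.
/// </returns>
/// <exception cref="ArgumentException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="PathTooLongException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="DirectoryNotFoundException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="IOException">Rethrown from the file read, original kept as InnerException.</exception>
/// <exception cref="UnauthorizedAccessException">Rethrown from the file read, original kept as InnerException.</exception>
public static Prefetch[] GetInstances(string volume, bool fast)
{
    NativeMethods.getVolumeName(ref volume);

    // Index 3 assumes the name has the form \\.\X: after getVolumeName - TODO confirm.
    // Any other shape makes this indexer throw IndexOutOfRangeException.
    string volLetter = volume.Split('\\')[3];

    // Verbatim literal: every "\\" below is two backslash characters in the resulting path.
    string prefetchPath = volLetter + @"\\Windows\\Prefetch";

    if (!Directory.Exists(prefetchPath))
    {
        return null;
    }

    // Only files matching the *.pf pattern are considered.
    string[] pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
    Prefetch[] pfArray = new Prefetch[pfFiles.Length];

    for (int i = 0; i < pfFiles.Length; i++)
    {
        byte[] fileBytes = null;

        // NOTE(review): this read goes through the OS file API, so it is subject to
        // ACLs and sharing locks on the artifact and, depending on system settings,
        // may touch last-access metadata. Confirm that is acceptable for the
        // collection scenario this overload is used in.
        try
        {
            fileBytes = File.ReadAllBytes(pfFiles[i]);
        }
        // Each handler keeps the exception type and message callers already see, and
        // attaches the original exception so the failing path and stack are not lost.
        catch (ArgumentException ex)
        {
            throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()", ex);
        }
        catch (PathTooLongException ex)
        {
            throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()", ex);
        }
        catch (DirectoryNotFoundException ex)
        {
            throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()", ex);
        }
        catch (IOException ex)
        {
            throw new IOException("IOException thrown by Prefetch.GetInstance()", ex);
        }
        catch (UnauthorizedAccessException ex)
        {
            throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()", ex);
        }

        pfArray[i] = new Prefetch(fileBytes);
    }

    return pfArray;
}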
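/// <summary>
/// Builds a <c>Prefetch</c> object for each index entry of the volume's
/// Windows\Prefetch directory whose file name contains ".pf". The file content
/// is taken from the Master File Table bytes read off the volume handle rather
/// than from <c>File.ReadAllBytes</c>.
/// </summary>
/// <param name="volume">Volume name; passed by reference to <c>NativeMethods.getVolumeName</c> before use.</param>
/// <returns>One element per matching index entry (the array is empty when none match).</returns>
/// <exception cref="Exception">The Prefetch directory does not exist.</exception>
public static Prefetch[] GetInstances(string volume)
{
    NativeMethods.getVolumeName(ref volume);

    // Index 3 assumes the name has the form \\.\X: after getVolumeName - TODO confirm.
    // Any other shape makes this indexer throw IndexOutOfRangeException.
    string volLetter = volume.Split('\\')[3];

    IntPtr hVolume = NativeMethods.getHandle(volume);

    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);

        string pfPath = volLetter + @"\Windows\Prefetch";

        if (!Directory.Exists(pfPath))
        {
            throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
        }

        IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);

        // Result size follows the entries actually parsed. Sizing a fixed array
        // from Directory.GetFiles(pfPath, "*.pf") while filling it from the index
        // entries could overrun the array or leave null elements at its end,
        // because the two filters do not have to agree on the count.
        var parsed = new System.Collections.Generic.List<Prefetch>();

        foreach (IndexEntry entry in pfEntries)
        {
            // NOTE(review): Contains(".pf") is case-sensitive and also matches names
            // that merely contain ".pf"; it is looser than a "*.pf" glob.
            if (!entry.Filename.Contains(".pf"))
            {
                continue;
            }

            // 0x400 is used as a fixed record size. The offset is computed in
            // 32-bit unsigned arithmetic, so it wraps for very large record
            // numbers - NOTE(review): confirm the range of RecordNumber.
            parsed.Add(new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes()));
        }

        return parsed.ToArray();
    }
}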