/// <summary>
///
/// </summary>
/// <param name="volume"></param>
/// <param name="recordNumber"></param>
/// <returns></returns>
internal static ScheduledJob Get(string volume, int recordNumber)
{
Helper.getVolumeName(ref volume);
FileRecord record = FileRecord.Get(volume, recordNumber, true);
return(new ScheduledJob(record.GetContent()));
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
// Determine Volume Name
string volume = @"\\.\" + path.Split('\\')[0];
int indexNumber = 0;
if (ParameterSetName == "Path")
{
IndexEntry indexEntry = IndexEntry.Get(path);
indexNumber = (int)indexEntry.RecordNumber;
}
else
{
indexNumber = index;
}
FileRecord record = FileRecord.Get(volume, indexNumber, true);
byte[] fileBytes = record.GetBytes();
// Open file for writing
FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write);
// Writes a block of bytes to this stream using data from a byte array.
streamToWrite.Write(fileBytes, 0, fileBytes.Length);
// Close file stream
streamToWrite.Close();
}
public static JetHeader Get(string path)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetContent();
return(new JetHeader(bytes));
}
public static Page[] GetInstances(string path)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetContent();
return(GetInstances(bytes));
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
switch (ParameterSetName)
{
case "ByIndex":
if (MyInvocation.BoundParameters.ContainsKey("Index"))
{
if (asbytes)
{
WriteObject(FileRecord.GetRecordBytes(volume, indexNumber));
}
else
{
WriteObject(FileRecord.Get(volume, indexNumber, false));
}
}
else
{
WriteObject(FileRecord.GetInstances(volume), true);
}
break;
case "ByPath":
if (asbytes)
{
WriteObject(FileRecord.GetRecordBytes(path));
}
else
{
WriteObject(FileRecord.Get(path, false));
}
break;
/*case "MFTPathByIndex":
* if (asbytes)
* {
* //WriteObject(FileRecord.Get)
* }
* else
* {
*
* }
* break;
* case "MFTPathByPath":
* if (asbytes)
* {
*
* }
* else
* {
*
* }
* break;*/
case "MFTPath":
WriteObject(FileRecord.GetInstancesByPath(mftpath), true);
break;
}
}
public static byte[] GetBytes(string path)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetContent();
// Registry Header
return(Helper.GetSubArray(bytes, 0x00, 0x200));
}
public static byte[] GetBytes(string path)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetBytes();
// Registry Header
return(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
}
/// <summary>
///
/// </summary>
/// <param name="Path"></param>
/// <returns></returns>
public static ApacheAccessLog[] GetInstances(string Path)
{
List <ApacheAccessLog> logList = new List <ApacheAccessLog>();
foreach (string e in (Encoding.ASCII.GetString(FileRecord.Get(Path).GetContent()).Split('\n')))
{
logList.Add(Get(e));
}
return(logList.ToArray());
}
public static Page Get(string path, uint pagenumber)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetContent();
JetHeader header = new JetHeader(bytes);
uint offset = GetPageOffset(pagenumber, header.PageSize);
return(Get(bytes, (int)offset));
}
public static Prefetch Get(string filePath)
{
if (File.Exists(filePath))
{
// Get bytes for specific Prefetch file
byte[] fileBytes = FileRecord.Get(filePath, true).GetBytes();
// Return a Prefetch object for the Prefetch file stored at filePath
return(new Prefetch(fileBytes));
}
else
{
throw new FileNotFoundException((filePath + " does not exist. Please enter a valid file path."));
}
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
switch (ParameterSetName)
{
case "ByPath":
FileRecord record = FileRecord.Get(path, true);
record.CopyFile(destination);
break;
case "ByVolume":
FileRecord rec = FileRecord.Get(volume, index, true);
rec.CopyFile(destination);
break;
}
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
public static FileSystemEntry Get(string path)
{
switch (Helper.GetFileSystemType(Helper.GetVolumeFromPath(path)))
{
case Helper.FILE_SYSTEM_TYPE.EXFAT:
return(null);
case Helper.FILE_SYSTEM_TYPE.FAT:
return(DirectoryEntry.Get(path));
case Helper.FILE_SYSTEM_TYPE.NTFS:
return(FileRecord.Get(path));
default:
return(null);
}
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
if (ParameterSetName == "ByPath")
{
FileRecord record = FileRecord.Get(filePath, false);
if (record.Attribute != null)
{
foreach (Attr attr in record.Attribute)
{
if (attr.Name == Attr.ATTR_TYPE.DATA)
{
//if (attr.NameString != "")
if (attr.NameString.Length > 0)
{
WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
}
}
}
}
}
else
{
FileRecord[] records = FileRecord.GetInstances(volume);
foreach (FileRecord record in records)
{
if (record.Attribute != null)
{
foreach (Attr attr in record.Attribute)
{
if (attr.Name == Attr.ATTR_TYPE.DATA)
{
//if (attr.NameString != "")
if (attr.NameString.Length > 0)
{
WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
}
}
}
}
}
}
}
/// <summary>
///
/// </summary>
/// <param name="volume"></param>
/// <returns></returns>
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
Helper.getVolumeName(ref volume);
using (FileStream streamToRead = Helper.getFileStream(volume))
{
NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord;
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch";
/*if(CheckStatus(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED)
* {*/
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
Prefetch[] pfArray = new Prefetch[pfEntries.Length];
int i = 0;
foreach (IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(FileRecord.Get(volume, (int)entry.RecordNumber, true).GetContent(VBR));
i++;
}
}
return(pfArray);
/*}
* else
* {
* throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled.");
* }*/
}
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
public static EventRecord[] Get(string path)
{
List <EventRecord> recordList = new List <EventRecord>();
// Get Content of EventLog
FileRecord fileRecord = FileRecord.Get(path, true);
byte[] bytes = fileRecord.GetContent();
// Get EventLog Header
EventLogHeader evtxHeader = new EventLogHeader(bytes);
int chunkOffset = 0x1000;
// Iterate through chunks
for (int i = 0; i < evtxHeader.NumberOfChunks; i++)
{
// Get Chunk Header
ChunkHeader chunkHeader = new ChunkHeader(bytes, chunkOffset);
if (chunkHeader.LastEventRecordNumber == -1)
{
break;
}
int recordOffset = chunkOffset + 0x200;
// Iterate through EventRecords
for (long j = chunkHeader.FirstEventRecordNumber; j <= chunkHeader.LastEventRecordNumber; j++)
{
EventRecord eventRecord = new EventRecord(bytes, chunkOffset, recordOffset, path);
recordList.Add(eventRecord);
recordOffset += (int)eventRecord.Size;
}
// Increment Chunk Offset to point to next chunk
chunkOffset += 0x10000;
}
return(recordList.ToArray());
}
public static HiveBinHeader[] GetInstances(string path)
{
FileRecord record = FileRecord.Get(path, true);
byte[] bytes = record.GetContent();
// Registry Header
RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
// Hive Bin Headers
HiveBinHeader[] headerArray = new HiveBinHeader[header.HiveBinsDataSize / 0x1000];
byte[] hbinHeaderBytes = new byte[0x20];
uint i = 0x1000;
while (i < header.HiveBinsDataSize + 0x1000)
{
HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20));
headerArray[((i / 0x1000) - 1)] = hbinHeader;
i += hbinHeader.hBinSize;
}
return(headerArray);
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
switch (ParameterSetName)
{
case "ByIndex":
if (MyInvocation.BoundParameters.ContainsKey("Index"))
{
WriteObject(FileRecord.Get(volume, indexNumber, true).GetSlack());
}
else
{
foreach (FileRecord record in FileRecord.GetInstances(volume))
{
WriteObject(record.GetSlack());
}
}
break;
case "ByPath":
WriteObject(FileRecord.Get(path, true).GetSlack());
break;
}
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
FileRecord record = null;
switch (ParameterSetName)
{
case "ByPath":
record = FileRecord.Get(path, true);
break;
case "ByVolume":
record = FileRecord.Get(volume, index, true);
break;
}
// If user specifies the name of a stream then copy just that stream
// Else check for multiple DATA attributes
// If multiple DATA attributes, then copy them all
// Else copy just the main DATA attribute
record.CopyFile(destination);
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
switch (ParameterSetName)
{
case "ByIndex":
if (MyInvocation.BoundParameters.ContainsKey("Index"))
{
WriteObject(FileRecord.Get(volume, indexNumber, true).GetMftSlack());
}
else
{
WriteObject(MasterFileTable.GetSlack(volume));
}
break;
case "ByPath":
WriteObject(FileRecord.Get(path, true).GetMftSlack());
break;
case "MFTPath":
WriteObject(MasterFileTable.GetSlackByPath(mftpath));
break;
}
}
internal static ScheduledJob Get(string volume, int recordNumber)
{
FileRecord record = FileRecord.Get(volume, recordNumber, true);
return(new ScheduledJob(record.GetBytes()));
}
public static ScheduledJob Get(string path)
{
FileRecord record = FileRecord.Get(path, true);
return(new ScheduledJob(record.GetBytes()));
}
/// <summary>
/// The ProcessRecord outputs the raw bytes of the specified File
/// </summary>
protected override void ProcessRecord()
{
int indexNo = 0;
byte[] contentArray = null;
#region Encoding
System.Text.Encoding contentEncoding = System.Text.Encoding.Default;
bool asBytes = false;
if (this.MyInvocation.BoundParameters.ContainsKey("Encoding"))
{
if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii)
{
contentEncoding = System.Text.Encoding.ASCII;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode)
{
contentEncoding = System.Text.Encoding.BigEndianUnicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7)
{
contentEncoding = System.Text.Encoding.UTF7;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8)
{
contentEncoding = System.Text.Encoding.UTF8;
}
}
#endregion Encoding
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
contentArray = FileRecord.Get(filePath, true).GetContent();
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Index"))
{
Util.getVolumeName(ref volume);
contentArray = FileRecord.Get(volume, index, true).GetContent();
}
if (asBytes)
{
WriteObject(contentArray);
}
else
{
string[] outputArray = contentEncoding.GetString(contentArray).Split('\n');
if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter.");
}
else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount"))
{
for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++)
{
WriteObject(outputArray[i]);
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
for (long i = tail; (i > 0); i--)
{
if (i > outputArray.Length)
{
i = outputArray.Length;
}
WriteObject(outputArray[outputArray.Length - i]);
}
}
else
{
WriteObject(outputArray);
}
}
}
public static ScheduledTask Get(string path)
{
return(Get(FileRecord.Get(path, true).GetContent()));
}
public static ShellLink Get(string filePath)
{
FileRecord record = FileRecord.Get(filePath, true);
return(new ShellLink(record.GetContent(), record));
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
public static JavaCache Get(string path)
{
byte[] bytes = FileRecord.Get(path, true).GetContent();
return(new JavaCache(bytes));
}
public static InternetExplorerHistory[] GetByPath(string path)
{
return(Get(FileRecord.Get(path, true).GetContent()));
}
public static AlternateDataStream[] GetInstancesByPath(string path)
{
FileRecord record = FileRecord.Get(path, false);
return(GetInstances(record));
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
public static byte[] GetHiveBytes(string path)
{
FileRecord record = FileRecord.Get(path, true);
return(record.GetContent());
}