public static ulong GetFileSize(this FileRecord record)
{
if (record.IsDirectory())
{
return(0);
}
var fn = record.Attributes.FirstOrDefault(t => t.AttributeType == AttributeType.FileName);
var datas = record.Attributes.Where(t => t.AttributeType == AttributeType.Data).ToList();
if (datas.Count >= 1)
{
var data = (Data)datas.First();
if (data.IsResident)
{
return((ulong)data.ResidentData.Data.LongLength);
}
return(data.NonResidentData.ActualSize);
}
if (datas.Count != 0)
{
return(0);
}
if (fn != null)
{
var fna = (FileName)fn;
return(fna.FileInfo.LogicalSize);
}
return(0);
}
public static MFTRecordOut GetCsvData(FileRecord fr, FileName fn, AdsInfo adsinfo)
{
var mftr = new MFTRecordOut
{
EntryNumber = fr.EntryNumber,
FileName = fn.FileInfo.FileName,
InUse = fr.IsDeleted() == false,
ParentPath = _mft.GetFullParentPath(fn.FileInfo.ParentMftRecord.GetKey()),
SequenceNumber = fr.SequenceNumber,
IsDirectory = fr.IsDirectory(),
ParentEntryNumber = fn.FileInfo.ParentMftRecord.MftEntryNumber,
ParentSequenceNumber = fn.FileInfo.ParentMftRecord.MftSequenceNumber,
NameType = fn.FileInfo.NameType,
FnAttributeId = fn.AttributeNumber
};
if (mftr.IsDirectory == false)
{
mftr.Extension = Path.GetExtension(mftr.FileName);
var data = fr.Attributes.FirstOrDefault(t => t.AttributeType == AttributeType.Data);
if (data != null)
{
mftr.OtherAttributeId = data.AttributeNumber;
}
}
mftr.FileSize = fr.GetFileSize();
if (adsinfo != null)
{
mftr.FileName = $"{mftr.FileName}:{adsinfo.Name}";
mftr.FileSize = adsinfo.Size;
try
{
mftr.Extension = Path.GetExtension(adsinfo.Name);
}
catch (Exception)
{
//sometimes bad chars show up
}
if (adsinfo.Name == "Zone.Identifier")
{
if (adsinfo.ResidentData != null)
{
mftr.ZoneIdContents = Encoding.GetEncoding(1252).GetString(adsinfo.ResidentData.Data);
}
else
{
mftr.ZoneIdContents = "(Zone.Identifier data is non-resident)";
}
}
}
mftr.ReferenceCount = fr.GetReferenceCount();
mftr.LogfileSequenceNumber = fr.LogSequenceNumber;
var oid = (ObjectId)fr.Attributes.SingleOrDefault(t =>
t.AttributeType == AttributeType.VolumeVersionObjectId);
if (oid != null)
{
mftr.ObjectIdFileDroid = oid.FileDroid.ToString();
}
var lus = (LoggedUtilityStream)fr.Attributes.FirstOrDefault(t =>
t.AttributeType == AttributeType.LoggedUtilityStream);
if (lus != null)
{
mftr.LoggedUtilStream = lus.Name;
}
var rp = fr.GetReparsePoint();
if (rp != null)
{
mftr.ReparseTarget = rp.SubstituteName.Replace(@"\??\", "");
}
var si = (StandardInfo)fr.Attributes.SingleOrDefault(t =>
t.AttributeType == AttributeType.StandardInformation);
if (si != null)
{
mftr.UpdateSequenceNumber = si.UpdateSequenceNumber;
mftr.Created0x10 = si.CreatedOn;
mftr.LastModified0x10 = si.ContentModifiedOn;
mftr.LastRecordChange0x10 = si.RecordModifiedOn;
mftr.LastAccess0x10 = si.LastAccessedOn;
mftr.Copied = si.ContentModifiedOn < si.CreatedOn;
if (_fluentCommandLineParser.Object.AllTimeStampsAllTime || fn.FileInfo.CreatedOn != si.CreatedOn)
{
mftr.Created0x30 = fn.FileInfo.CreatedOn;
}
if (_fluentCommandLineParser.Object.AllTimeStampsAllTime || fn.FileInfo.ContentModifiedOn != si.ContentModifiedOn)
{
mftr.LastModified0x30 = fn.FileInfo.ContentModifiedOn;
}
if (_fluentCommandLineParser.Object.AllTimeStampsAllTime || fn.FileInfo.RecordModifiedOn != si.RecordModifiedOn)
{
mftr.LastRecordChange0x30 = fn.FileInfo.RecordModifiedOn;
}
if (_fluentCommandLineParser.Object.AllTimeStampsAllTime || fn.FileInfo.LastAccessedOn != si.LastAccessedOn)
{
mftr.LastAccess0x30 = fn.FileInfo.LastAccessedOn;
}
mftr.SecurityId = si.SecurityId;
mftr.SiFlags = si.Flags;
if (mftr.Created0x30.HasValue && mftr.Created0x10?.UtcTicks < mftr.Created0x30.Value.UtcTicks)
{
mftr.Timestomped = true;
}
if (mftr.Created0x10?.Millisecond == 0 || mftr.LastModified0x10?.Millisecond == 0)
{
mftr.uSecZeros = true;
}
}
else
{
//no si, so update FN timestamps
mftr.Created0x30 = fn.FileInfo.CreatedOn;
mftr.LastModified0x10 = fn.FileInfo.ContentModifiedOn;
mftr.LastRecordChange0x10 = fn.FileInfo.RecordModifiedOn;
mftr.LastAccess0x10 = fn.FileInfo.LastAccessedOn;
}
return(mftr);
}