public LightweightMFTRecord(MFTRecord record)
{
FileName = record.FileName;
IsDirectory = record.IsDirectory;
RecordNumber = record.RecordNum;
ParentRecord = record.ParentDirectory;
}
/// <summary>
/// The ProcessRecord instantiates a NTFSVolumeData objects that
/// corresponds to the VolumeName that is specified.
/// </summary>
protected override void ProcessRecord()
{
Regex lettersOnly = new Regex("^[a-zA-Z]{1}$");
if (lettersOnly.IsMatch(volume))
{
volume = @"\\.\" + volume + ":";
}
string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';
WriteDebug("VolumeName: " + volume);
byte[] mftBytes = MasterFileTable.GetBytes(volume);
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
int index = IndexNumber.Get(volume, filePath);
if (asbytes)
{
WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, index));
}
else
{
WriteObject(MFTRecord.Get(mftBytes, index, volLetter, filePath));
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Index"))
{
if (asbytes)
{
WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber));
}
else
{
WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null));
}
}
else
{
MFTRecord[] records = MFTRecord.GetInstances(mftBytes, volLetter);
foreach (MFTRecord record in records)
{
WriteObject(record);
}
}
} // ProcessRecord
/// <summary>
/// The ProcessRecord outputs the raw bytes of the specified File
/// </summary>
protected override void ProcessRecord()
{
string volume = @"\\.\" + directory.Split('\\')[0];
string volLetter = directory.Split('\\')[0] + '\\';
byte[] mftBytes = MasterFileTable.GetBytes(volume);
string[] files = System.IO.Directory.GetFiles(directory);
foreach (string file in files)
{
WriteObject(MFTRecord.Get(mftBytes, IndexNumber.Get(volume, file), volLetter, file));
}
} // ProcessRecord
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
Regex lettersOnly = new Regex("^[a-zA-Z]{1}$");
if (lettersOnly.IsMatch(volume))
{
volume = @"\\.\" + volume + ":";
}
IntPtr hVolume = NativeMethods.getHandle(volume);
FileStream streamToRead = NativeMethods.getFileStream(hVolume);
VolumeData volData = new VolumeData(hVolume);
MFTRecord record = MFTRecord.Get(MasterFileTable.GetBytes(volume), 4, null, null);
List <byte> bytes = new List <byte>();
foreach (Attr attr in record.Attribute)
{
if (attr.Name == "DATA")
{
if (attr.NonResident)
{
NonResident data = attr as NonResident;
for (int i = 0; i < data.StartCluster.Length; i++)
{
ulong offset = data.StartCluster[i] * (ulong)volData.BytesPerCluster;
ulong length = (data.EndCluster[i] - data.StartCluster[i]) * (ulong)volData.BytesPerCluster;
byte[] byteRange = Win32.NativeMethods.readDrive(streamToRead, offset, length);
bytes.AddRange(byteRange);
}
}
else
{
Data data = attr as Data;
bytes.AddRange(data.RawData);
}
}
}
for (int i = 0; (i < bytes.ToArray().Length) && (bytes.ToArray()[i] != 0); i += 160)
{
byte[] attrDefBytes = bytes.Skip(i).Take(160).ToArray();
WriteObject(new AttrDef(attrDefBytes));
}
streamToRead.Close();
} // ProcessRecord
public static Mactime[] Get(MFTRecord record)
{
#region DetermineTime
Dictionary <DateTime, ACTIVITY_TYPE> dictionary = new Dictionary <DateTime, ACTIVITY_TYPE>();
// Modified Time
dictionary[record.ModifiedTime] = ACTIVITY_TYPE.m;
// Access Time
if (dictionary.ContainsKey(record.AccessedTime))
{
dictionary[record.AccessedTime] = dictionary[record.AccessedTime] | ACTIVITY_TYPE.a;
}
else
{
dictionary.Add(record.AccessedTime, ACTIVITY_TYPE.a);
}
// MFT Changed Time
if (dictionary.ContainsKey(record.ChangedTime))
{
dictionary[record.ChangedTime] = dictionary[record.ChangedTime] | ACTIVITY_TYPE.c;
}
else
{
dictionary.Add(record.ChangedTime, ACTIVITY_TYPE.c);
}
// Born Time
if (dictionary.ContainsKey(record.BornTime))
{
dictionary[record.BornTime] = dictionary[record.BornTime] | ACTIVITY_TYPE.b;
}
else
{
dictionary.Add(record.BornTime, ACTIVITY_TYPE.b);
}
#endregion DetermineTime
List <Mactime> macs = new List <Mactime>();
foreach (var time in dictionary)
{
macs.Add(new Mactime(time.Key, record.Size, (ushort)time.Value, record.RecordNumber, record.FullPath, record.Deleted));
}
return(macs.ToArray());
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
// Determine Volume Name
string volume = @"\\.\" + path.Split('\\')[0];
//
byte[] fileBytes = MFTRecord.getFile(volume, path);
// Open file for writing
FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write);
// Writes a block of bytes to this stream using data from a byte array.
streamToWrite.Write(fileBytes, 0, fileBytes.Length);
// Close file stream
streamToWrite.Close();
} // ProcessRecord
public static Prefetch[] GetInstances()
{
// Get current volume
string volLetter = Directory.GetCurrentDirectory().Split('\\')[0];
string volume = @"\\.\" + volLetter;
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead);
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, pfFiles[i]).ToArray();
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return(pfArray);
}
else
{
return(null);
}
}
}
/// <summary>
/// The ProcessRecord instantiates a NTFSVolumeData objects that
/// corresponds to the VolumeName that is specified.
/// </summary>
protected override void ProcessRecord()
{
NativeMethods.getVolumeName(ref volume);
string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';
byte[] mftBytes = MasterFileTable.GetBytes(volume);
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
int index = IndexNumber.Get(volume, filePath);
if (asbytes)
{
WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, index));
}
else
{
WriteObject(MFTRecord.Get(mftBytes, index, volLetter, filePath));
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Index"))
{
if (asbytes)
{
WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber));
}
else
{
WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null));
}
}
else
{
MFTRecord[] records = MFTRecord.GetInstances(mftBytes, volLetter);
foreach (MFTRecord record in records)
{
WriteObject(record);
}
}
} // ProcessRecord
public static Prefetch Get(string filePath)
{
// Get volume path from filePath
string volume = @"\\.\" + filePath.Split('\\')[0];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead);
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, filePath).ToArray();
// Return a Prefetch object for the Prefetch file stored at filePath
return(new Prefetch(fileBytes));
}
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
Regex lettersOnly = new Regex("^[a-zA-Z]{1}$");
if (lettersOnly.IsMatch(volume))
{
volume = @"\\.\" + volume + ":";
}
WriteDebug("VolumeName: " + volume);
byte[] recordBytes = MFTRecord.getMFTRecordBytes(volume, indexNumber);
if (asbytes)
{
WriteObject(Attr.GetBytes(recordBytes, attribute));
}
else
{
WriteObject(Attr.Get(recordBytes, attribute));
}
} // ProcessRecord
public static Prefetch Get(string volume, FileStream streamToRead, byte[] MFT, string prefetchPath)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, prefetchPath).ToArray();
// Check for Prefetch Magic Number (Value) SCCA at offset 0x04 - 0x07
if (checkPfMagic(fileBytes))
{
// Check Prefetch file for version (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP)
byte pfVersion = fileBytes[0];
string appName = null;
string[] dependencyArray = null;
appName = System.Text.Encoding.Unicode.GetString((fileBytes.Skip(0x10).Take(0x3C).ToArray())).TrimEnd('\0');
dependencyArray = getPfDependencies(getPfDependencySection(fileBytes));
Prefetch prefetch = new Prefetch(
Enum.GetName(typeof(PREFETCH_VERSION), pfVersion),
appName,
getPfPathHash(fileBytes),
getPfAccessTime(pfVersion, fileBytes),
dependencyArray,
dependencyArray.Length,
getPfPath(appName, dependencyArray),
getPfDeviceCount(fileBytes),
getPfRunCount(pfVersion, fileBytes)
);
return(prefetch);
}
else
{
return(null);
}
}
/// <summary>
/// The ProcessRecord outputs the raw bytes of the specified File
/// </summary>
protected override void ProcessRecord()
{
int indexNo = 0;
byte[] contentArray = null;
#region Encoding
System.Text.Encoding contentEncoding = System.Text.Encoding.Default;
bool asBytes = false;
if (this.MyInvocation.BoundParameters.ContainsKey("Encoding"))
{
if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii)
{
contentEncoding = System.Text.Encoding.ASCII;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode)
{
contentEncoding = System.Text.Encoding.BigEndianUnicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7)
{
contentEncoding = System.Text.Encoding.UTF7;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8)
{
contentEncoding = System.Text.Encoding.UTF8;
}
}
#endregion Encoding
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
string volLetter = filePath.Split('\\')[0];
string volume = @"\\.\" + volLetter;
indexNo = NTFS.IndexNumber.Get(volume, filePath);
contentArray = MFTRecord.getFile(volume, indexNo);
}
else if (this.MyInvocation.BoundParameters.ContainsKey("IndexNumber"))
{
Regex lettersOnly = new Regex("^[a-zA-Z]{1}$");
if (lettersOnly.IsMatch(volume))
{
volume = @"\\.\" + volume + ":";
}
indexNo = index;
contentArray = MFTRecord.getFile(volume, indexNo);
}
if (asBytes)
{
WriteObject(contentArray);
}
else
{
string[] outputArray = contentEncoding.GetString(contentArray).Split('\n');
if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter.");
}
else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount"))
{
for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++)
{
WriteObject(outputArray[i]);
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
for (long i = tail; (i > 0); i--)
{
if (i > outputArray.Length)
{
i = outputArray.Length;
}
WriteObject(outputArray[outputArray.Length - i]);
}
}
else
{
WriteObject(outputArray);
}
}
} // ProcessRecord
