Пример #1
        /// <summary>
        /// Writes Master File Table (MFT) record data for the requested volume to the
        /// pipeline: one record located by file path, one record located by index, or
        /// every record when neither the Path nor the Index parameter was bound.
        /// With <c>asbytes</c> set, a single-record lookup returns the raw record bytes
        /// instead of a parsed MFTRecord.
        /// </summary>
        protected override void ProcessRecord()
        {
            // A bare drive letter is expanded to the \\.\X: device-path form. Any other
            // value is passed on unchanged.
            // NOTE(review): nothing here validates a non-letter value - confirm that
            // MasterFileTable.GetBytes rejects unexpected device paths.
            if (Regex.IsMatch(volume, "^[a-zA-Z]{1}$"))
            {
                volume = string.Concat(@"\\.\", volume, ":");
            }

            // Drop the leading backslashes and dot, then append a trailing backslash.
            string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';

            WriteDebug(string.Concat("VolumeName: ", volume));

            // The MFT bytes are fetched before the parameter set is known, so the
            // single-record lookups pay for this call as well.
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            var boundParameters = this.MyInvocation.BoundParameters;

            // Lookup by file path: resolve the path to its MFT index first.
            if (boundParameters.ContainsKey("Path"))
            {
                int pathIndex = IndexNumber.Get(volume, filePath);

                if (!asbytes)
                {
                    WriteObject(MFTRecord.Get(mftBytes, pathIndex, volLetter, filePath));
                    return;
                }

                WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, pathIndex));
                return;
            }

            // Lookup by explicit index: no path is known, so null is passed for it.
            if (boundParameters.ContainsKey("Index"))
            {
                if (!asbytes)
                {
                    WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null));
                    return;
                }

                WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber));
                return;
            }

            // Neither parameter bound: emit every record, one pipeline object each.
            foreach (MFTRecord mftRecord in MFTRecord.GetInstances(mftBytes, volLetter))
            {
                WriteObject(mftRecord);
            }
        } // ProcessRecord
Пример #2
        /// <summary>
        /// Writes one MFTRecord to the pipeline for each file returned by
        /// Directory.GetFiles for the <c>directory</c> field.
        /// </summary>
        protected override void ProcessRecord()
        {
            // Everything before the first backslash is taken as the drive part.
            // NOTE(review): this assumes a fully qualified local path such as C:\dir;
            // a relative or UNC path would produce a non-volume device path - confirm
            // what callers pass.
            string drive = directory.Split('\\')[0];

            string volume    = string.Concat(@"\\.\", drive);
            string volLetter = string.Concat(drive, "\\");

            // Fetched once and reused for every file in the directory.
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            foreach (string file in System.IO.Directory.GetFiles(directory))
            {
                // Resolve the file path to its MFT index, then build the record from it.
                var recordIndex = IndexNumber.Get(volume, file);
                WriteObject(MFTRecord.Get(mftBytes, recordIndex, volLetter, file));
            }
        } // ProcessRecord
Пример #3
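        /// <summary>
        /// Reads the DATA attribute of MFT record 4 (the NTFS $AttrDef metadata file)
        /// on the specified volume and writes one AttrDef object to the pipeline for
        /// each 160-byte entry, stopping at the first entry that begins with a zero byte.
        /// </summary>
        protected override void ProcessRecord()
        {
            const int attrDefRecordIndex = 4;  // MFT record read by this cmdlet ($AttrDef)
            const int attrDefEntrySize = 160;  // bytes handed to each AttrDef constructor

            // A bare drive letter is expanded to the \\.\X: device-path form.
            if (Regex.IsMatch(volume, "^[a-zA-Z]{1}$"))
            {
                volume = @"\\.\" + volume + ":";
            }

            IntPtr hVolume = NativeMethods.getHandle(volume);

            List<byte> bytes = new List<byte>();

            // The using block releases the volume stream even when record parsing or a
            // cluster read throws. Previously Close() was reached only on success.
            using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
            {
                VolumeData volData = new VolumeData(hVolume);

                MFTRecord record = MFTRecord.Get(MasterFileTable.GetBytes(volume), attrDefRecordIndex, null, null);

                foreach (Attr attr in record.Attribute)
                {
                    if (attr.Name != "DATA")
                    {
                        continue;
                    }

                    if (attr.NonResident)
                    {
                        // Non-resident data lives in cluster runs and is read from the volume.
                        // NOTE(review): the run boundaries come from on-disk metadata; an
                        // EndCluster below its StartCluster would wrap the unsigned
                        // subtraction into a very large length - confirm readDrive bounds it.
                        NonResident data = attr as NonResident;
                        ulong bytesPerCluster = (ulong)volData.BytesPerCluster;

                        for (int i = 0; i < data.StartCluster.Length; i++)
                        {
                            ulong  offset    = data.StartCluster[i] * bytesPerCluster;
                            ulong  length    = (data.EndCluster[i] - data.StartCluster[i]) * bytesPerCluster;
                            byte[] byteRange = Win32.NativeMethods.readDrive(streamToRead, offset, length);
                            bytes.AddRange(byteRange);
                        }
                    }
                    else
                    {
                        // Resident data is stored inside the MFT record itself.
                        Data data = attr as Data;
                        bytes.AddRange(data.RawData);
                    }
                }
            }

            // Materialize the buffer once. The original loop condition called
            // bytes.ToArray() twice per iteration, copying the whole list each time.
            byte[] attrDefData = bytes.ToArray();

            for (int i = 0; (i < attrDefData.Length) && (attrDefData[i] != 0); i += attrDefEntrySize)
            {
                // As before, a trailing partial entry is passed through with its shorter length.
                int count = Math.Min(attrDefEntrySize, attrDefData.Length - i);
                byte[] attrDefBytes = new byte[count];
                Array.Copy(attrDefData, i, attrDefBytes, 0, count);
                WriteObject(new AttrDef(attrDefBytes));
            }
        } // ProcessRecord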
Пример #4
        /// <summary>
        /// Writes Master File Table (MFT) record data for the requested volume to the
        /// pipeline. A bound Path parameter selects the record for that file, a bound
        /// Index parameter selects the record at that index, and with neither bound
        /// every record is written. With <c>asbytes</c> set, the single-record lookups
        /// return the raw record bytes rather than a parsed MFTRecord.
        /// </summary>
        protected override void ProcessRecord()
        {
            // volume is passed by reference, so the helper may replace its value.
            // NOTE(review): presumably this normalizes the name to \\.\X: form - confirm
            // how it treats values that are not a valid volume.
            NativeMethods.getVolumeName(ref volume);

            // Drop the leading backslashes and dot, then append a trailing backslash.
            string volLetter = volume.TrimStart('\\').TrimStart('.').TrimStart('\\') + '\\';

            // Fetched before the parameter set is inspected, so every mode pays for it.
            byte[] mftBytes = MasterFileTable.GetBytes(volume);

            bool pathBound  = this.MyInvocation.BoundParameters.ContainsKey("Path");
            bool indexBound = !pathBound && this.MyInvocation.BoundParameters.ContainsKey("Index");

            if (pathBound)
            {
                // Resolve the file path to its MFT index before reading the record.
                int resolvedIndex = IndexNumber.Get(volume, filePath);

                if (!asbytes)
                {
                    WriteObject(MFTRecord.Get(mftBytes, resolvedIndex, volLetter, filePath));
                }
                else
                {
                    WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, resolvedIndex));
                }
            }
            else if (indexBound)
            {
                // No path is known for an index lookup, so null is passed for it.
                if (!asbytes)
                {
                    WriteObject(MFTRecord.Get(mftBytes, indexNumber, volLetter, null));
                }
                else
                {
                    WriteObject(MFTRecord.getMFTRecordBytes(mftBytes, indexNumber));
                }
            }
            else
            {
                // Neither parameter bound: emit every record as its own pipeline object.
                foreach (MFTRecord mftRecord in MFTRecord.GetInstances(mftBytes, volLetter))
                {
                    WriteObject(mftRecord);
                }
            }
        } // ProcessRecord