/// <summary>
///
/// </summary>
protected override void ProcessRecord()
{
//WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);
WriteVerbose("Getting ScheduledJob Instances");
WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);
WriteVerbose("Getting ShellLink Instances");
WriteObject(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)), true);
WriteVerbose("Getting FileRecord Instances");
WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);
WriteVerbose("Getting UsnJrnl Instances");
WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);
WriteVerbose("Getting EventRecord Instances");
WriteObject(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)), true);
WriteVerbose("Getting DRIVERS Hive Keys");
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\DRIVERS")), true);
WriteVerbose("Getting SAM Hive Keys");
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SAM")), true);
WriteVerbose("Getting SECURITY Hive Keys");
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SECURITY")), true);
WriteVerbose("Getting SOFTWARE Hive Keys");
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SOFTWARE")), true);
WriteVerbose("Getting SYSTEM Hive Keys");
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SYSTEM")), true);
}
public static Amcache[] GetInstancesByPath(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve"))
{
string Key = @"Root\File";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
List <Amcache> amcacheList = new List <Amcache>();
foreach (NamedKey key in FileSubKey)
{
if (key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
amcacheList.Add(new Amcache(nk, bytes));
}
}
}
return(amcacheList.ToArray());
}
else
{
throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static NetworkList[] GetInstancesByPath(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
{
string Key = @"Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);
List <NetworkList> nlList = new List <NetworkList>();
foreach (NamedKey key in SignatureKey)
{
if (key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
nlList.Add(new NetworkList(nk, bytes));
}
}
}
return(nlList.ToArray());
}
else
{
throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
}
}
public static TypedPaths[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, Key);
TypedPaths[] paths = new TypedPaths[nk.NumberOfValues];
int i = 0;
foreach (ValueKey vk in nk.GetValues(bytes))
{
paths[i] = new TypedPaths(RegistryHelper.GetUserHiveOwner(hivePath), (string)vk.GetData(bytes));
i++;
}
return(paths);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static UserAssist[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
List <UserAssist> uaList = new List <UserAssist>();
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
if (nk.NumberOfValues != 0)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
uaList.Add(new UserAssist(RegistryHelper.GetUserHiveOwner(hivePath), vk, bytes));
}
}
}
}
return(uaList.ToArray());
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RecentDocs[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs";
NamedKey RecentDocsKey = NamedKey.Get(bytes, hivePath, @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs");
ValueKey MRUListEx = ValueKey.Get(bytes, hivePath, key, "MRUListEx");
byte[] MRUListBytes = (byte[])MRUListEx.GetData(bytes);
RecentDocs[] docs = new RecentDocs[MRUListBytes.Length / 4];
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
if (i == 0)
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0], RecentDocsKey.WriteTime);
}
else
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0]);
}
}
return(docs);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to the -HivePath parameter.");
}
}
public static UserAssist[] GetInstances(string hivePath)
{
List <UserAssist> uaList = new List <UserAssist>();
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
if (nk.NumberOfValues != 0)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
uaList.Add(new UserAssist(vk, bytes));
}
}
}
}
return(uaList.ToArray());
}
public static TypedUrls[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Internet Explorer\TypedUrls";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, Key);
TypedUrls[] urls = new TypedUrls[nk.NumberOfValues];
foreach (ValueKey vk in nk.GetValues(bytes))
{
for (int i = 0; i < urls.Length; i++)
{
urls[i] = new TypedUrls(RegistryHelper.GetUserHiveOwner(hivePath), (string)vk.GetData(bytes));
}
}
return(urls);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
internal Amcache(NamedKey nk, byte[] bytes)
{
/*
* Console.WriteLine(nk.Name);
* ulong FileReference = ulong.Parse(nk.Name, System.Globalization.NumberStyles.AllowHexSpecifier);
* byte[] filerefbytes = BitConverter.GetBytes(FileReference);
* SequenceNumber = (BitConverter.ToUInt16(filerefbytes, 0x06));
* RecordNumber = (BitConverter.ToUInt64(filerefbytes, 0x00) & 0x0000FFFFFFFFFFFF);
*/
foreach (ValueKey vk in nk.GetValues(bytes))
{
switch (vk.Name)
{
case "0":
ProductName = (string)vk.GetData(bytes);
break;
case "1":
CompanyName = (string)vk.GetData(bytes);
break;
case "6":
FileSize = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
break;
case "c":
Description = (string)vk.GetData(bytes);
break;
case "f":
CompileTime = Util.FromUnixTime(BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00));
break;
case "11":
ModifiedTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
break;
case "12":
BornTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
break;
case "15":
Path = (string)vk.GetData(bytes);
break;
case "17":
ModifiedTime2Utc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
break;
case "101":
string hash = (string)vk.GetData(bytes);
Hash = hash.TrimStart('0');
break;
default:
break;
}
}
}
private UserDetail(byte[] bytes, NamedKey nk)
{
ValueKey[] values = nk.GetValues(bytes);
foreach (ValueKey vk in values)
{
}
}
public static string[] GetInstances(string hivePath)
{
string Key = @"Software\Microsoft\Internet Explorer";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] keys = NamedKey.GetInstances(bytes, hivePath, Key);
string[] urls = new string[0];
foreach (NamedKey nk in keys)
{
if (nk.Name == "TypedURLs")
{
urls = new string[nk.NumberOfValues];
ValueKey[] vkArray = nk.GetValues(bytes);
for (int i = 0; i < vkArray.Length; i++)
{
urls[i] = Encoding.Unicode.GetString(vkArray[i].GetData(bytes));
}
}
}
return(urls);
}
public override void NowPrimaried(object request)
{
m_keystroke = (NamedKey)request;
m_gameInstance.SendPaintersRequest(new DisableAllOverlays());
ListItemShouldBeEnabled magicSpellEnabledDelegate = s => m_engine.Player.CouldCastSpell((ISpell)s);
m_gameInstance.SendPaintersRequest(new ShowListSelectionWindow(true, m_engine.Player.Spells.OfType<INamedItem>().ToList(), true, "Spellbook", magicSpellEnabledDelegate));
m_gameInstance.UpdatePainters();
}
public TargettingKeystrokeRequest(List<EffectivePoint> targetablePoints, OnTargetSelection selectionDelegate, NamedKey alternateSelectionKey, TargettingKeystrokeHandler.TargettingType targettingType, PlayerTargettingHaloDelegate haloDelegate)
{
TargetablePoints = targetablePoints;
TargettingType = targettingType;
SelectionDelegate = selectionDelegate;
AlternateSelectionKey = alternateSelectionKey;
HaloDelegate = haloDelegate;
}
public override void HandleKeystroke(NamedKey keystroke)
{
if (keystroke.Code != TCODKeyCode.NoKey)
{
m_gameInstance.SendPaintersRequest(new EnableWelcome(false));
m_gameInstance.UpdatePainters();
m_gameInstance.ResetHandlerName();
}
}
internal UserDetail(byte[] bytes, NamedKey nk)
{
ValueKey[] values = nk.GetValues(bytes);
foreach (ValueKey vk in values)
{
switch (vk.Name)
{
}
}
}
/// <summary>
///
/// </summary>
protected override void ProcessRecord()
{
//WriteObject(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)), true);
WriteObject(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)), true);
WriteObject(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)), true);
WriteObject(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)), true);
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\DRIVERS")), true);
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SAM")), true);
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SECURITY")), true);
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SOFTWARE")), true);
WriteObject(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SYSTEM")), true);
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
if (ParameterSetName == "Path")
{
if (!(MyInvocation.BoundParameters.ContainsKey("Key")))
{
key = null;
}
WriteObject(NamedKey.GetInstances(path, key));
}
}
public static WindowsVersion Get(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
{
byte[] bytes = Helper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, @"Micosoft\Windows NT\CurrentVersion");
return(new WindowsVersion(nk));
}
else
{
throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
}
}
public KeystrokeResult HandleKeystroke(NamedKey keystroke)
{
MethodInfo action;
m_keyMappings.TryGetValue(keystroke, out action);
if (action != null)
{
return (KeystrokeResult)action.Invoke(this, null);
}
else
{
return KeystrokeResult.None;
}
}
public override void HandleKeystroke(NamedKey keystroke)
{
MethodInfo action;
m_keyMappings.TryGetValue(keystroke, out action);
if (action != null)
{
action.Invoke(this, null);
}
else if (keystroke.Code == TCODKeyCode.Char)
{
m_gameInstance.SendPaintersRequest(new ListSelectionItemSelectedByChar(keystroke.Character, new ListItemSelected(ItemSelectedDelegate)));
}
}
internal AppCompat(NamedKey nk, byte[] bytes)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
switch (vk.Name)
{
case "0":
ProductName = Encoding.Unicode.GetString(vk.GetData(bytes));
break;
case "1":
CompanyName = Encoding.Unicode.GetString(vk.GetData(bytes));
break;
case "6":
FileSize = BitConverter.ToUInt32(vk.GetData(bytes), 0x00);
break;
case "c":
Description = Encoding.Unicode.GetString(vk.GetData(bytes));
break;
case "f":
CompileTime = new DateTime(1970, 1, 1).AddSeconds(BitConverter.ToInt32(vk.GetData(bytes), 0x00));
break;
case "11":
ModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
break;
case "12":
BornTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
break;
case "15":
Path = Encoding.Unicode.GetString(vk.GetData(bytes));
break;
case "17":
ModifiedTime2 = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
break;
case "101":
Hash = Encoding.Unicode.GetString(vk.GetData(bytes)).TrimStart('0');
break;
default:
break;
}
}
}
/// <summary>
/// The ProcessRecord instantiates a FileRecord objects that
/// corresponds to the file(s) that is/are specified.
/// </summary>
protected override void ProcessRecord()
{
if (recurse)
{
WriteObject(NamedKey.GetInstancesRecurse(path));
}
else
{
if (!(MyInvocation.BoundParameters.ContainsKey("Key")))
{
key = null;
}
WriteObject(NamedKey.GetInstances(path, key), true);
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RunMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey RunMRUKey = null;
ValueKey MRUList = null;
try
{
RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
try
{
MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
}
catch
{
return(null);
}
RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i <= MRUListBytes.Length - 4; i += 4)
{
string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(RunMRUStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static WordWheelQuery[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
WordWheelQuery[] dataStrings = new WordWheelQuery[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
string SearchString = null;
try
{
SearchString = (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes);
}
catch
{
SearchString = Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
dataStrings[i / 4] = new WordWheelQuery(RegistryHelper.GetUserHiveOwner(hivePath), SearchString);
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static LastVisitedMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
try
{
Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU";
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
LastVisitedMRU[] dataStrings = new LastVisitedMRU[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
dataStrings[i / 4] = new LastVisitedMRU(RegistryHelper.GetUserHiveOwner(hivePath), (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static RunKey[] Get(string hivePath)
{
List <string> Keys = new List <string>();
string AutoRunLocation = null;
if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
{
Keys.AddRange(new string[] { @"Microsoft\Windows\CurrentVersion\Run", @"Microsoft\Windows\CurrentVersion\RunOnce", @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run" });
AutoRunLocation = @"HKLM\SOFTWARE\";
}
else if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
Keys.AddRange(new string[] { @"Software\Microsoft\Windows\CurrentVersion\Run", @"Software\Microsoft\Windows\CurrentVersion\RunOnce" });
AutoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
}
else
{
throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
}
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
List <RunKey> runList = new List <RunKey>();
foreach (string key in Keys)
{
try
{
NamedKey run = NamedKey.Get(bytes, hivePath, key);
if (run.NumberOfValues > 0)
{
foreach (ValueKey vk in run.GetValues(bytes))
{
runList.Add(new RunKey(AutoRunLocation + key, vk));
}
}
}
catch
{
}
}
return(runList.ToArray());
}
public static Amcache[] GetInstancesByPath(string hivePath)
{
string Key = @"Root\File";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
List <Amcache> amcacheList = new List <Amcache>();
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
amcacheList.Add(new Amcache(nk, bytes));
}
}
return(amcacheList.ToArray());
}
private WindowsVersion(byte[] bytes, NamedKey nk)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
switch (vk.Name)
{
case "ProductName":
ProductName = (string)vk.GetData(bytes);
break;
case "CurrentMajorVersionNumber":
CurrentMajorVersion = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
break;
case "CurrentMinorVersionNumber":
CurrentMinorVersion = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
break;
case "CurrentVersion":
CurrentVersion = new Version((string)vk.GetData(bytes));
break;
case "InstallTime":
InstallTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
break;
case "RegisteredOwner":
RegisteredOwner = (string)vk.GetData(bytes);
break;
case "SystemRoot":
SystemRoot = (string)vk.GetData(bytes);
break;
default:
break;
}
}
//ProductName = ;
//CurrentVersion = ;
}
/// <summary>
/// The ProcessRecord method reads the raw contents of the Amcache.hve into memory and parses its
/// values to create/output AppCompat Objects.
/// </summary>
protected override void ProcessRecord()
{
if (!(this.MyInvocation.BoundParameters.ContainsKey("Path")))
{
hivePath = @"C:\Windows\AppCompat\Programs\Amcache.hve";
}
string Key = @"Root\File";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
WriteObject(new AppCompat(nk, bytes));
}
}
} // ProcessRecord
/// <summary>
///
/// </summary>
/// <param name="volume"></param>
/// <returns></returns>
public static ForensicTimeline[] GetInstances(string volume)
{
List <ForensicTimeline> list = new List <ForensicTimeline>();
string volLetter = Helper.GetVolumeLetter(volume);
// File System
list.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
// Amcache
list.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));
// Prefetch
list.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));
// ScheduledJob
list.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
// UserAssist
list.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));
// ShellLink
list.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));
// UsnJnrl
list.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));
// EventLog
list.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));
// Registry
list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\DRIVERS")));
list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SAM")));
list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SECURITY")));
list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SOFTWARE")));
list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SYSTEM")));
return(list.ToArray());
}
/// <summary>
///
/// </summary>
protected override void ProcessRecord()
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);
foreach (NamedKey key in FileSubKey)
{
foreach (NamedKey nk in key.GetSubKeys(bytes))
{
if (nk.NumberOfValues != 0)
{
foreach (ValueKey vk in nk.GetValues(bytes))
{
WriteObject(new UserAssist(vk, bytes));
}
}
}
}
} // ProcessRecord
public void TestAllFieldsExpression()
{
List <IFieldDefinition> fieldsList = new List <IFieldDefinition>()
{
Mock.Of <IFieldDefinition>(),
Mock.Of <IFieldDefinition>(),
Mock.Of <IFieldDefinition>(),
Mock.Of <IFieldDefinition>(),
};
IEntityKey entityKey = new NamedKey("test");
var moqEntityDefinition = new Mock <IEntityDefinition>();
moqEntityDefinition.SetupGet(definition => definition.FieldDefinitions).Returns(fieldsList);
var moqEntityProvider = new Mock <IEntityDefinitionProvider>();
moqEntityProvider.Setup(provider => provider.GetEntityDefinition(It.IsAny <IEntityKey>()))
.Returns(moqEntityDefinition.Object);
var fetchExpression = EntityFetchExpression.AllFieldsExpression(entityKey);
Assert.AreSame(entityKey, fetchExpression.EntityKey);
CollectionAssert.AreEqual(fieldsList, fetchExpression.Fields(moqEntityProvider.Object));
}
public static NetworkList[] GetInstances(string hivePath)
{
string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);
NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);
List <NetworkList> nlList = new List <NetworkList>();
foreach (NamedKey key in SignatureKey)
{
if (key.NumberOfSubKeys != 0)
{
foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
{
nlList.Add(new NetworkList(nk, bytes));
}
}
}
return(nlList.ToArray());
}
public static OutlookCatalog[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
byte[] hiveBytes = RegistryHelper.GetHiveBytes(hivePath);
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string OfficeVersion = RegistryHelper.GetOfficeVersion(hiveBytes, hivePath);
List <OutlookCatalog> list = new List <OutlookCatalog>();
NamedKey CatalogKey = null;
if (OfficeVersion == "12.0")
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Catalog");
}
else
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Search\Catalog");
}
if (CatalogKey.NumberOfValues > 0)
{
foreach (ValueKey vk in CatalogKey.GetValues())
{
list.Add(new OutlookCatalog(user, vk));
}
}
return(list.ToArray());
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
private NetworkList(NamedKey nk, byte[] bytes)
{
WriteTimeUtc = nk.WriteTime;
foreach (ValueKey vk in nk.GetValues(bytes))
{
switch (vk.Name)
{
case "ProfileGuid":
ProfileGuid = (string)vk.GetData(bytes);
break;
case "Description":
Description = (string)vk.GetData(bytes);
break;
case "Source":
Source = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
break;
case "DnsSuffix":
DnsSuffix = (string)vk.GetData(bytes);
break;
case "FirstNetwork":
FirstNetwork = (string)vk.GetData(bytes);
break;
case "DefaultGatewayMac":
DefaultGatewayMac = (byte[])vk.GetData(bytes);
break;
default:
break;
}
}
}
public TargettingKeystrokeRequest(List<EffectivePoint> targetablePoints, OnTargetSelection selectionDelegate, NamedKey alternateSelectionKey, TargettingKeystrokeHandler.TargettingType targettingType)
: this(targetablePoints, selectionDelegate, alternateSelectionKey, targettingType, null)
{
}