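/// <summary>
/// Parses every event record out of the EVTX file at <paramref name="path"/>.
/// </summary>
/// <remarks>
/// The file content is read through <see cref="FileRecord"/> and walked chunk by chunk using the
/// layout this loop relies on: the first chunk starts at 0x1000, chunks are laid out 0x10000 bytes
/// apart, records start 0x200 bytes into each chunk, and each record's own size field locates the
/// next one. Every count, record number and size that steers the walk is read from the file itself,
/// so it is treated as untrusted input: each offset is checked against the buffer before it is
/// dereferenced rather than trusting the on-disk headers. A corrupt or deliberately malformed log is
/// reported with a descriptive exception instead of being read past its end.
/// </remarks>
/// <param name="path">Path of the EVTX file to parse; must not be null.</param>
/// <returns>All records found, in file order. Empty when the header declares no usable chunk.</returns>
/// <exception cref="System.ArgumentNullException"><paramref name="path"/> is null.</exception>
/// <exception cref="System.IO.InvalidDataException">
/// A chunk or record declared by the file does not fit inside the file content, or a record declares
/// a non-positive size (which would otherwise keep re-reading the same bytes).
/// </exception>
public static EventRecord[] Get(string path)
{
    if (path == null)
    {
        throw new System.ArgumentNullException("path");
    }

    // Read the whole log into memory; every offset below indexes into this buffer.
    FileRecord fileRecord = FileRecord.Get(path, true);
    byte[] bytes = fileRecord.GetContent();
    EventLogHeader evtxHeader = new EventLogHeader(bytes);

    const int FirstChunkOffset = 0x1000;  // the first chunk follows the file header
    const int RecordsStartOffset = 0x200;  // records begin this far into each chunk
    const int ChunkStride = 0x10000;       // distance between consecutive chunks

    List<EventRecord> records = new List<EventRecord>();
    int chunkOffset = FirstChunkOffset;

    for (int chunk = 0; chunk < evtxHeader.NumberOfChunks; chunk++)
    {
        // NumberOfChunks comes from the file; confirm the chunk header is actually present before
        // ChunkHeader reads it. (ChunkHeader's exact read length is not visible here; the record start
        // offset is the bound this walk relies on. Written as a subtraction so it cannot overflow.)
        if (chunkOffset < 0 || chunkOffset > bytes.Length - RecordsStartOffset)
        {
            throw new System.IO.InvalidDataException(
                "EVTX header declares " + evtxHeader.NumberOfChunks + " chunks but chunk " + chunk +
                " at offset 0x" + chunkOffset.ToString("X") + " lies outside the file (" +
                bytes.Length + " bytes).");
        }

        ChunkHeader chunkHeader = new ChunkHeader(bytes, chunkOffset);

        // A last record number of -1 marks the end of the populated chunks.
        if (chunkHeader.LastEventRecordNumber == -1)
        {
            break;
        }

        int recordOffset = chunkOffset + RecordsStartOffset;

        for (long recordNumber = chunkHeader.FirstEventRecordNumber;
             recordNumber <= chunkHeader.LastEventRecordNumber;
             recordNumber++)
        {
            // The record range also comes from the chunk header; stop before reading past the buffer.
            if (recordOffset >= bytes.Length)
            {
                throw new System.IO.InvalidDataException(
                    "Record " + recordNumber + " is expected at offset 0x" + recordOffset.ToString("X") +
                    " but the file is only " + bytes.Length + " bytes.");
            }

            EventRecord eventRecord = new EventRecord(bytes, chunkOffset, recordOffset, path);
            records.Add(eventRecord);

            // The record's own size field drives the walk. A zero or negative size would pin the loop on
            // the same bytes; an oversized one would push the next read past the end of the buffer.
            long size = (long)eventRecord.Size;
            if (size <= 0 || size > bytes.Length - recordOffset)
            {
                throw new System.IO.InvalidDataException(
                    "Record " + recordNumber + " at offset 0x" + recordOffset.ToString("X") +
                    " declares an invalid size of " + size + " bytes.");
            }

            recordOffset += (int)size;
        }

        chunkOffset += ChunkStride;
    }

    return records.ToArray();
}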
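/// <summary>
/// Converts each parsed <see cref="EventRecord"/> into a timeline entry via <see cref="Get(EventRecord)"/>.
/// </summary>
/// <param name="input">Records to convert; must not be null. An empty array yields an empty result.</param>
/// <returns>One <see cref="ForensicTimeline"/> per record, in the same order as <paramref name="input"/>.</returns>
/// <exception cref="System.ArgumentNullException"><paramref name="input"/> is null.</exception>
public static ForensicTimeline[] GetInstances(EventRecord[] input)
{
    if (input == null)
    {
        throw new System.ArgumentNullException("input");
    }

    // Exactly one entry per record, so the list can be presized to the input length.
    List<ForensicTimeline> timeline = new List<ForensicTimeline>(input.Length);
    foreach (EventRecord record in input)
    {
        timeline.Add(Get(record));
    }

    return timeline.ToArray();
}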
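/// <summary>
/// Builds a timeline entry for a single event log record.
/// </summary>
/// <remarks>
/// The entry carries the record's write time, the literal tags "MACB" and "EVENTLOG", an empty
/// fourth field, the path of the log the record came from, and the record's <c>ToString()</c>
/// output. What each positional argument means is defined by the <see cref="ForensicTimeline"/>
/// constructor, which is not visible here.
/// </remarks>
/// <param name="input">The record to convert; must not be null.</param>
/// <returns>A new <see cref="ForensicTimeline"/> describing <paramref name="input"/>.</returns>
/// <exception cref="System.ArgumentNullException"><paramref name="input"/> is null.</exception>
public static ForensicTimeline Get(EventRecord input)
{
    if (input == null)
    {
        throw new System.ArgumentNullException("input");
    }

    return new ForensicTimeline(
        input.WriteTime,
        "MACB",
        "EVENTLOG",
        "",
        input.LogPath,
        input.ToString());
}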