internal static FileRecord GetFileRecord(string volume) { Helper.getVolumeName(ref volume); return(FileRecord.Get(volume, MftIndex.BADCLUS_INDEX, true)); }
internal static byte[] GetBytes(FileStream streamToRead, string volume) { FileRecord mftRecord = GetRecord(streamToRead, volume); return(mftRecord.GetContent()); }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <param name="streamName"></param> /// <returns></returns> public static byte[] GetContentBytes(string path, string streamName) { FileRecord record = Get(path, true); return(record.GetContent(streamName)); }
/// <summary> /// /// </summary> /// <returns></returns> public byte[] GetMftSlack() { byte[] bytes = FileRecord.GetRecordBytes(this.VolumePath, (int)this.RecordNumber); return(Helper.GetSubArray(bytes, this.RealSize - 1, this.AllocatedSize - this.RealSize)); }
private FileRecord(byte[] recordBytes, string volume, int bytesPerFileRecord, bool fast) { if (Encoding.ASCII.GetString(recordBytes, 0x00, 0x04) == "FILE") { VolumePath = volume; OffsetOfUS = BitConverter.ToUInt16(recordBytes, 0x04); SizeOfUS = BitConverter.ToUInt16(recordBytes, 0x06); LogFileSequenceNumber = BitConverter.ToUInt64(recordBytes, 0x08); SequenceNumber = BitConverter.ToUInt16(recordBytes, 0x10); Hardlinks = BitConverter.ToUInt16(recordBytes, 0x12); OffsetOfAttribute = BitConverter.ToUInt16(recordBytes, 0x14); Flags = (FILE_RECORD_FLAG)BitConverter.ToUInt16(recordBytes, 0x16); Deleted = isDeleted(Flags); Directory = isDirectory(Flags); RealSize = BitConverter.ToInt32(recordBytes, 0x18); AllocatedSize = BitConverter.ToInt32(recordBytes, 0x1C); ReferenceToBase = BitConverter.ToUInt64(recordBytes, 0x20); NextAttrId = BitConverter.ToUInt16(recordBytes, 40); RecordNumber = BitConverter.ToUInt32(recordBytes, 44); Attribute = FileRecordAttribute.GetInstances(recordBytes, OffsetOfAttribute, bytesPerFileRecord, volume); #region AttributeProperties foreach (FileRecordAttribute attr in Attribute) { if (attr.Name == FileRecordAttribute.ATTR_TYPE.STANDARD_INFORMATION) { StandardInformation stdInfo = attr as StandardInformation; ModifiedTime = stdInfo.ModifiedTime; AccessedTime = stdInfo.AccessedTime; ChangedTime = stdInfo.ChangedTime; BornTime = stdInfo.BornTime; Permission = stdInfo.Permission; } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.ATTRIBUTE_LIST) { if (!(Deleted)) { AttributeList attrList = null; List <FileRecordAttribute> list = new List <FileRecordAttribute>(); list.AddRange(Attribute); if (attr.NonResident) { attrList = new AttributeList(attr as NonResident); } else { attrList = attr as AttributeList; } foreach (AttrRef attribute in attrList.AttributeReference) { if (attribute.RecordNumber != RecordNumber) { FileRecord record = FileRecord.Get(volume, (int)attribute.RecordNumber); list.AddRange(record.Attribute); list.Remove(attr); } } Attribute = list.ToArray(); } } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.FILE_NAME) { FileName fN = attr as FileName; if (!(fN.Namespace == 2)) { Name = fN.Filename; ParentSequenceNumber = fN.ParentSequenceNumber; ParentRecordNumber = fN.ParentRecordNumber; FNModifiedTime = fN.ModifiedTime; FNAccessedTime = fN.AccessedTime; FNChangedTime = fN.ChangedTime; FNBornTime = fN.BornTime; } } } #endregion AttributeProperties #region FullName if (fast) { FullName = Name; } else { StringBuilder sb = new StringBuilder(); string volLetter = Helper.GetVolumeLetter(volume); if (RecordNumber == 0) { sb.Append(volLetter); sb.Append('\\'); sb.Append(Name); FullName = sb.ToString(); } else if (RecordNumber == 5) { FullName = volLetter; } else { FileRecord parent = new FileRecord(GetRecordBytes(volume, (int)ParentRecordNumber), volume, bytesPerFileRecord, false); if (parent.SequenceNumber == this.ParentSequenceNumber) { sb.Append(parent.FullName); } else { sb.Append(@"$OrphanFiles"); } if (Name != null) { sb.Append('\\'); FullName = sb.Append(Name).ToString(); } else { FullName = sb.ToString(); } } } #endregion FullName } }
private FileRecord(ref FileRecord[] recordArray, byte[] bytes, int offset, int bytesPerFileRecord, string volume, bool fast) { if (Encoding.ASCII.GetString(bytes, 0x00 + offset, 0x04) == "FILE") { OffsetOfUS = BitConverter.ToUInt16(bytes, 0x04 + offset); SizeOfUS = BitConverter.ToUInt16(bytes, 0x06 + offset); LogFileSequenceNumber = BitConverter.ToUInt64(bytes, 0x08 + offset); SequenceNumber = BitConverter.ToUInt16(bytes, 0x10 + offset); Hardlinks = BitConverter.ToUInt16(bytes, 0x12 + offset); OffsetOfAttribute = BitConverter.ToUInt16(bytes, 0x14 + offset); Flags = (FILE_RECORD_FLAG)BitConverter.ToUInt16(bytes, 0x16 + offset); Deleted = isDeleted(Flags); Directory = isDirectory(Flags); RealSize = BitConverter.ToInt32(bytes, 0x18 + offset); AllocatedSize = BitConverter.ToInt32(bytes, 0x1C + offset); ReferenceToBase = BitConverter.ToUInt64(bytes, 0x20 + offset); NextAttrId = BitConverter.ToUInt16(bytes, 0x28 + offset); RecordNumber = BitConverter.ToUInt32(bytes, 0x2C + offset); Attribute = FileRecordAttribute.GetInstances(bytes, OffsetOfAttribute + offset, bytesPerFileRecord, volume); #region AttributeProperties foreach (FileRecordAttribute attr in Attribute) { if (attr.Name == FileRecordAttribute.ATTR_TYPE.STANDARD_INFORMATION) { StandardInformation stdInfo = attr as StandardInformation; ModifiedTime = stdInfo.ModifiedTime; AccessedTime = stdInfo.AccessedTime; ChangedTime = stdInfo.ChangedTime; BornTime = stdInfo.BornTime; Permission = stdInfo.Permission; } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.ATTRIBUTE_LIST) { if (!(Deleted)) { AttributeList attrList = null; List <FileRecordAttribute> list = new List <FileRecordAttribute>(); list.AddRange(Attribute); if (attr.NonResident) { attrList = new AttributeList(attr as NonResident); } else { attrList = attr as AttributeList; } foreach (AttrRef attribute in attrList.AttributeReference) { if (attribute.RecordNumber != RecordNumber) { FileRecord record = null; // Test if we have already parse the record if (recordArray[attribute.RecordNumber] != null) { record = recordArray[attribute.RecordNumber]; } else { // If not parse it and add it to the array record = new FileRecord(ref recordArray, bytes, bytesPerFileRecord * (int)attribute.RecordNumber, bytesPerFileRecord, volume, fast); recordArray[attribute.RecordNumber] = record; } // Add the attributes to the attribute array list.AddRange(record.Attribute); list.Remove(attr); } } Attribute = list.ToArray(); } } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.FILE_NAME) { FileName fN = attr as FileName; if (!(fN.Namespace == 2)) { Name = fN.Filename; ParentSequenceNumber = fN.ParentSequenceNumber; ParentRecordNumber = fN.ParentRecordNumber; FNModifiedTime = fN.ModifiedTime; FNAccessedTime = fN.AccessedTime; FNChangedTime = fN.ChangedTime; FNBornTime = fN.BornTime; } } } #endregion AttributeProperties #region FullName if (fast) { FullName = Name; } else { StringBuilder sb = new StringBuilder(); string volLetter = Helper.GetVolumeLetter(volume); if (RecordNumber == 0) { sb.Append(volLetter); sb.Append('\\'); sb.Append(Name); FullName = sb.ToString(); } else if (RecordNumber == 5) { FullName = volLetter; } else { FileRecord parent = null; if (recordArray[this.ParentRecordNumber] != null) { parent = recordArray[this.ParentRecordNumber]; } else { parent = new FileRecord(ref recordArray, bytes, bytesPerFileRecord * (int)this.ParentRecordNumber, bytesPerFileRecord, volume, fast); recordArray[this.ParentRecordNumber] = parent; } if (parent.SequenceNumber == this.ParentSequenceNumber) { sb.Append(parent.FullName); } else { sb.Append(@"$OrphanFiles"); } if (Name != null) { sb.Append('\\'); FullName = sb.Append(Name).ToString(); } else { FullName = sb.ToString(); } } } #endregion FullName } }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> public static IndexEntry Get(string path) { string[] paths = path.TrimEnd('\\').Split('\\'); // Determine Volume Name string volume = Helper.GetVolumeFromPath(path); // Test volume path Helper.getVolumeName(ref volume); int index = -1; List <IndexEntry> indexEntryList = new List <IndexEntry>(); for (int i = 0; i < paths.Length; i++) { if (index == -1) { index = 5; } else { bool match = false; foreach (IndexEntry entry in indexEntryList) { if (entry.Entry.Filename.ToUpper() == paths[i].ToUpper()) { index = (int)entry.RecordNumber; match = true; } } if (!(match)) { throw new Exception("Path " + path + " not found."); } } FileRecord record = FileRecord.Get(volume, index, false); indexEntryList.Clear(); if (i < paths.Length - 1) { foreach (FileRecordAttribute attr in record.Attribute) { if (attr.Name == FileRecordAttribute.ATTR_TYPE.INDEX_ROOT) { foreach (IndexEntry entry in (attr as IndexRoot).Entries) { if (entry.Entry.Namespace != 0x02) { indexEntryList.Add(entry); } } } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.INDEX_ALLOCATION) { // Get INDEX_ALLOCATION bytes IndexAllocation IA = new IndexAllocation(attr as NonResident, volume); foreach (IndexEntry entry in IA.Entries) { if (entry.Entry.Namespace != 0x02) { indexEntryList.Add(entry); } } } } } else { return(new IndexEntry(record)); } } throw new Exception("The IndexEntry object for the specified path could not be found."); }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> public static AttrDef[] GetInstancesByPath(string path) { FileRecord record = FileRecord.Get(path, true); return(AttrDef.GetInstances(record.GetContent())); }
private IndexEntry(FileRecord record) { RecordNumber = record.RecordNumber; Filename = record.Name; FullName = record.FullName; }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> public static IndexEntry[] GetInstances(string path) { string[] paths = path.TrimEnd('\\').Split('\\'); // Determine Volume Name string volume = Helper.GetVolumeFromPath(path); // Test volume path Helper.getVolumeName(ref volume); int index = -1; List <IndexEntry> indexEntryList = new List <IndexEntry>(); for (int i = 0; i < paths.Length; i++) { if (index == -1) { index = 5; } else { bool match = false; foreach (IndexEntry entry in indexEntryList) { if (entry.Entry.Filename.ToUpper() == paths[i].ToUpper()) { index = (int)entry.RecordNumber; match = true; } } if (!(match)) { throw new Exception("Path " + path + " not found."); } } FileRecord record = FileRecord.Get(volume, index, true); indexEntryList.Clear(); if (record.Directory) { foreach (FileRecordAttribute attr in record.Attribute) { if (attr.Name == FileRecordAttribute.ATTR_TYPE.INDEX_ROOT) { try { foreach (IndexEntry entry in (attr as IndexRoot).Entries) { if (entry.Entry.Namespace != 0x02) { StringBuilder sb = new StringBuilder(); sb.Append(path.TrimEnd('\\')); sb.Append("\\"); sb.Append(entry.Filename); entry.FullName = sb.ToString(); indexEntryList.Add(entry); } } } catch { return(null); } } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.INDEX_ALLOCATION) { // Get INDEX_ALLOCATION bytes IndexAllocation IA = new IndexAllocation(attr as NonResident, volume); foreach (IndexEntry entry in IA.Entries) { if (entry.Entry.Namespace != 0x02) { StringBuilder sb = new StringBuilder(); sb.Append(path.TrimEnd('\\')); sb.Append("\\"); sb.Append(entry.Filename); entry.FullName = sb.ToString(); indexEntryList.Add(entry); } } } } } else { IndexEntry[] indexArray = new IndexEntry[1]; indexArray[0] = new IndexEntry(record); return(indexArray); } } return(indexEntryList.ToArray()); }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> public static byte[] GetBytesByPath(string path) { FileRecord record = FileRecord.Get(path, true); return(record.GetContent(@"$Max")); }
/// <summary> /// /// </summary> /// <param name="path"></param> /// <returns></returns> public static UsnJrnlInformation GetByPath(string path) { FileRecord record = FileRecord.Get(path, true); return(new UsnJrnlInformation(record.GetContent(@"$Max"))); }
private static UsnJrnl Get(string volume, int recordnumber, long usn) { // Check for valid Volume name Helper.getVolumeName(ref volume); // Set up FileStream to read volume FileStream streamToRead = Helper.getFileStream(volume); // Get VolumeBootRecord object for logical addressing VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead); FileRecord record = FileRecord.Get(volume, recordnumber, true); // Get the $J Data attribute (contains UsnJrnl details NonResident J = UsnJrnl.GetJStream(record); // Determine the length of the initial sparse pages long SparseLength = J.DataRun[0].ClusterLength * VBR.BytesPerCluster; if (usn > SparseLength) { // Subtract length of sparse data from desired usn offset long usnOffset = usn - SparseLength; // Iterate through each data run for (int i = 1; i < J.DataRun.Length; i++) { // Determine length of current DataRun long dataRunLength = J.DataRun[i].ClusterLength * VBR.BytesPerCluster; // Check if usnOffset resides in current DataRun if (dataRunLength <= usnOffset) { // If not, subtract length of DataRun from usnOffset usnOffset -= dataRunLength; } // If usnOffset resides within DataRun, parse associated UsnJrnl Entry else { // Read DataRun from disk byte[] fragmentBytes = Helper.readDrive(streamToRead, (J.DataRun[i].StartCluster * VBR.BytesPerCluster), (J.DataRun[i].ClusterLength * VBR.BytesPerCluster)); // Instatiate a byte array that is the size of a single cluster byte[] clusterBytes = new byte[VBR.BytesPerCluster]; // Iterate through the clusters in the DataRun for (int j = 0; j < J.DataRun[i].ClusterLength; j++) { // If usnOffset is not in current cluster, then subtract cluster size from offset and iterate if (VBR.BytesPerCluster <= usnOffset) { usnOffset -= VBR.BytesPerCluster; } // Else if usnOffset is in current cluster else { // Copy current cluster bytes to clusterBytes variable Array.Copy(fragmentBytes, (int)(j * VBR.BytesPerCluster), clusterBytes, 0, clusterBytes.Length); // Parse desired UsnJrnl entry from cluster int offset = (int)usnOffset; return(new UsnJrnl(clusterBytes, volume, ref offset)); } } } } return(null); } else { throw new Exception("UsnJrnl entry has has been overwritten"); } }