Пример #1
        /// <summary>
        /// Renders one timeline entry as a pipe-delimited line:
        /// <c>unixtime|source|type|filename</c>.
        /// </summary>
        /// <param name="input">The timeline entry to render. A null <paramref name="input"/>
        /// or a null <c>ActivityType</c> fails with a <see cref="NullReferenceException"/>.</param>
        /// <returns>The formatted line with every backslash replaced by a forward slash.</returns>
        /// <remarks>
        /// The type column is "A" when <c>ActivityType</c> contains "B" and "M" otherwise
        /// (presumably a MACB-style activity code being folded; confirm against the consumer
        /// of this format). Fields are not escaped: a <c>FileName</c> or <c>Source</c> that
        /// contains '|' or a line break yields a malformed record for downstream parsers.
        /// </remarks>
        public static string Get(ForensicTimeline input)
        {
            string activity = input.ActivityType.Contains("B") ? "A" : "M";

            string line = string.Format(
                "{0}|{1}|{2}|{3}",
                Helper.ToUnixTime(input.Date),
                input.Source,
                activity,
                input.FileName);

            // The slash normalisation is applied to the whole line, not only to the file name.
            return line.Replace(@"\", "/");
        }
Пример #2
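        /// <summary>
        /// Builds a combined forensic timeline for a volume by collecting the timeline
        /// entries of every supported artifact source on that volume.
        /// </summary>
        /// <param name="volume">Volume identifier handed to each artifact parser and to
        /// <c>Helper.GetVolumeLetter</c>; its expected form is defined by those helpers.</param>
        /// <returns>All entries gathered, in source order: file system, Amcache, Prefetch,
        /// scheduled jobs, UserAssist, shell links, USN journal, event log, then the system
        /// registry hives (DRIVERS, SAM, SECURITY, SOFTWARE, SYSTEM).</returns>
        /// <remarks>
        /// Only the system hives under <c>\Windows\system32\config</c> are walked; per-user
        /// hives (NTUSER.DAT etc.) are not collected by this method. The hive paths assume
        /// the Windows directory sits at the volume root as <c>\Windows</c>.
        /// </remarks>
        public static ForensicTimeline[] GetInstances(string volume)
        {
            List<ForensicTimeline> list = new List<ForensicTimeline>();

            string volLetter = Helper.GetVolumeLetter(volume);

            // Artifact sources parsed directly from the volume, emitted in this order.
            list.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));   // File System
            list.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));      // Amcache
            list.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));     // Prefetch
            list.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume))); // ScheduledJob
            list.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));   // UserAssist
            list.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));    // ShellLink
            list.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));      // UsnJnrl
            list.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));  // EventLog

            // Registry: the system hives, walked recursively from the default config directory.
            // The hive name is the only part that varies, so the path is built once per hive
            // rather than repeated per line; order is preserved from the original listing.
            string[] systemHives = { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
            foreach (string hive in systemHives)
            {
                string hivePath = volLetter + "\\Windows\\system32\\config\\" + hive;
                list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hivePath)));
            }

            return list.ToArray();
        }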