Пример #1
0
        internal NetworkList(NamedKey nk, byte[] bytes)
        {
            WriteTime = nk.WriteTime;

            foreach (ValueKey vk in nk.GetValues(bytes))
            {
                switch (vk.Name)
                {
                    case "ProfileGuid":
                        ProfileGuid = Encoding.Unicode.GetString(vk.GetData(bytes));
                        break;
                    case "Description":
                        Description = Encoding.Unicode.GetString(vk.GetData(bytes));
                        break;
                    case "Source":
                        Source = BitConverter.ToUInt32(vk.GetData(bytes), 0x00);
                        break;
                    case "DnsSuffix":
                        DnsSuffix = Encoding.Unicode.GetString(vk.GetData(bytes));
                        break;
                    case "FirstNetwork":
                        FirstNetwork = Encoding.Unicode.GetString(vk.GetData(bytes));
                        break;
                    case "DefaultGatewayMac":
                        DefaultGatewayMac = new PhysicalAddress(vk.GetData(bytes));
                        break;
                    default:
                        break;
                }
            }
        }
Пример #2
0
        internal static NamedKey[] GetInstances(byte[] bytes, string path, string key)
        {
            NamedKey hiveroot = RegistryHelper.GetRootKey(bytes, path);

            NamedKey nk = hiveroot;

            if (key != null)
            {
                foreach (string k in key.Split('\\'))
                {
                    NamedKey startingkey = nk;
                    foreach (NamedKey n in nk.GetSubKeys(bytes))
                    {
                        if (n.Name.ToUpper() == k.ToUpper())
                        {
                            nk = n;
                        }
                    }
                    if (nk == startingkey)
                    {
                        throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
                    }
                }
                if (nk == hiveroot)
                {
                    throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
                }
            }

            return(nk.GetSubKeys(bytes));
        }
Пример #3
0
        internal static ValueKey Get(byte[] bytes, string path, string key, string val)
        {
            NamedKey hiveroot = RegistryHelper.GetRootKey(bytes, path);

            NamedKey nk = hiveroot;

            if (key != null)
            {
                foreach (string k in key.Split('\\'))
                {
                    foreach (NamedKey n in nk.GetSubKeys(bytes))
                    {
                        if (n.Name.ToUpper() == k.ToUpper())
                        {
                            nk = n;
                        }
                    }
                }
            }

            ValueKey[] values = nk.GetValues(bytes);

            foreach (ValueKey v in values)
            {
                if (v.Name.ToUpper() == val.ToUpper())
                {
                    return(v);
                }
            }

            return(null);
        }
Пример #4
0
        internal static NamedKey GetOfficeKey(byte[] bytes, string path)
        {
            string key = @"Software\Microsoft\Office";

            NamedKey OfficeKey = null;

            try
            {
                OfficeKey = NamedKey.Get(bytes, path, key);
            }
            catch
            {
                throw new Exception(String.Format("Microsoft Office is not installed on this system"));
            }

            foreach (NamedKey nk in OfficeKey.GetSubKeys(bytes))
            {
                if (nk.Name.Contains(@".0"))
                {
                    if (nk.Name != "8.0")
                    {
                        return(nk);
                    }
                }
            }

            throw new Exception("Could not locate the Microsoft Office registry key");
        }
Пример #5
0
        internal static string GetOfficeVersion(byte[] bytes, string hivePath)
        {
            NamedKey OfficeKey = null;

            try
            {
                OfficeKey = NamedKey.Get(bytes, hivePath, @"Software\Microsoft\Office");
            }
            catch
            {
                throw new Exception(String.Format("Microsoft Office is not installed on this system"));
            }

            foreach (NamedKey nk in OfficeKey.GetSubKeys(bytes))
            {
                if (nk.Name.Contains(@".0"))
                {
                    if (nk.Name != "8.0")
                    {
                        return(nk.FullName.Split('\\')[4]);
                    }
                }
            }

            throw new Exception("Could not locate the Microsoft Office registry key");
        }
Пример #6
0
        private WindowsVersion(byte[] bytes, NamedKey nk)
        {
            foreach (ValueKey vk in nk.GetValues(bytes))
            {
                switch (vk.Name)
                {
                    case "ProductName":
                        ProductName = (string)vk.GetData(bytes);
                        break;
                    case "CurrentMajorVersionNumber":
                        CurrentMajorVersion = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                        break;
                    case "CurrentMinorVersionNumber":
                        CurrentMinorVersion = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                        break;
                    case "CurrentVersion":
                        CurrentVersion = new Version((string)vk.GetData(bytes));
                        break;
                    case "InstallTime":
                        InstallTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                        break;
                    case "RegisteredOwner":
                        RegisteredOwner = (string)vk.GetData(bytes);
                        break;
                    case "SystemRoot":
                        SystemRoot = (string)vk.GetData(bytes);
                        break;
                    default:
                        break;
                }
            }

            //ProductName = ;
            //CurrentVersion = ;
        }
Пример #7
0
        private NetworkList(NamedKey nk, byte[] bytes)
        {
            WriteTimeUtc = nk.WriteTime;

            foreach (ValueKey vk in nk.GetValues(bytes))
            {
                switch (vk.Name)
                {
                    case "ProfileGuid":
                        ProfileGuid = (string)vk.GetData(bytes);
                        break;
                    case "Description":
                        Description = (string)vk.GetData(bytes);
                        break;
                    case "Source":
                        Source = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                        break;
                    case "DnsSuffix":
                        DnsSuffix = (string)vk.GetData(bytes);
                        break;
                    case "FirstNetwork":
                        FirstNetwork = (string)vk.GetData(bytes);
                        break;
                    case "DefaultGatewayMac":
                        DefaultGatewayMac = (byte[])vk.GetData(bytes);
                        break;
                    default:
                        break;
                }
            }
        }
Пример #8
0
        public static NamedKey[] GetInstancesRecurse(string path)
        {
            byte[] bytes = RegistryHelper.GetHiveBytes(path);

            NamedKey hiveroot = RegistryHelper.GetRootKey(path);

            return(GetInstances(bytes, hiveroot, true));
        }
Пример #9
0
        private UserDetail(byte[] bytes, NamedKey nk)
        {
            ValueKey[] values = nk.GetValues(bytes);
            foreach (ValueKey vk in values)
            {

            }
        }
Пример #10
0
 public static NamedKey[] GetInstances(string path, string key)
 {
     if (key == null)
     {
         return(NamedKey.GetInstances(RegistryHelper.GetHiveBytes(path), path));
     }
     else
     {
         return(NamedKey.GetInstances(RegistryHelper.GetHiveBytes(path), path, key.TrimEnd('\\')));
     }
 }
Пример #11
0
        internal UserDetail(byte[] bytes, NamedKey nk)
        {
            ValueKey[] values = nk.GetValues(bytes);
            foreach (ValueKey vk in values)
            {
                switch (vk.Name)
                {

                }
            }
        }
Пример #12
0
        internal Amcache(NamedKey nk, byte[] bytes)
        {
            /*
            Console.WriteLine(nk.Name);
            ulong FileReference = ulong.Parse(nk.Name, System.Globalization.NumberStyles.AllowHexSpecifier);
            byte[] filerefbytes = BitConverter.GetBytes(FileReference);
            SequenceNumber = (BitConverter.ToUInt16(filerefbytes, 0x06));
            RecordNumber = (BitConverter.ToUInt64(filerefbytes, 0x00) & 0x0000FFFFFFFFFFFF);
            */

            foreach (ValueKey vk in nk.GetValues(bytes))
            {
                switch (vk.Name)
                {
                    case "0":
                        ProductName = (string)vk.GetData(bytes);
                        break;
                    case "1":
                        CompanyName = (string)vk.GetData(bytes);
                        break;
                    case "6":
                        FileSize = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                        break;
                    case "c":
                        Description = (string)vk.GetData(bytes);
                        break;
                    case "f":
                        CompileTime = Util.FromUnixTime(BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00));
                        break;
                    case "11":
                        ModifiedTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                        break;
                    case "12":
                        BornTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[]) vk.GetData(bytes), 0x00));
                        break;
                    case "15":
                        Path = (string)vk.GetData(bytes);
                        break;
                    case "17":
                        ModifiedTime2Utc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                        break;
                    case "101":
                        string hash = (string)vk.GetData(bytes);
                        Hash = hash.TrimStart('0');
                        break;
                    default:
                        break;
                }
            }
        }
Пример #13
0
        private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
        {
            List <NamedKey> keyList = new List <NamedKey>();

            foreach (NamedKey subkey in nk.GetSubKeys(bytes))
            {
                keyList.Add(subkey);

                if (subkey.NumberOfSubKeys > 0)
                {
                    keyList.AddRange(GetInstances(bytes, subkey, true));
                }
            }

            return(keyList.ToArray());
        }
Пример #14
0
 internal Amcache(NamedKey nk, byte[] bytes)
 {
     foreach(ValueKey vk in nk.GetValues(bytes))
     {
         switch(vk.Name)
         {
             case "0":
                 ProductName = Encoding.Unicode.GetString(vk.GetData(bytes));
                 break;
             case "1":
                 CompanyName = Encoding.Unicode.GetString(vk.GetData(bytes));
                 break;
             case "6":
                 FileSize = BitConverter.ToUInt32(vk.GetData(bytes), 0x00);
                 break;
             case "c":
                 Description = Encoding.Unicode.GetString(vk.GetData(bytes));
                 break;
             case "f":
                 CompileTime = new DateTime(1970, 1, 1).AddSeconds(BitConverter.ToInt32(vk.GetData(bytes), 0x00));
                 break;
             case "11":
                 ModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                 break;
             case "12":
                 BornTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                 break;
             case "15":
                 Path = Encoding.Unicode.GetString(vk.GetData(bytes));
                 break;
             case "17":
                 ModifiedTime2 = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                 break;
             case "101":
                 Hash = Encoding.Unicode.GetString(vk.GetData(bytes)).TrimStart('0');
                 break;
             default:
                 break;
         }
     }
 }
Пример #15
0
        internal static ValueKey[] GetInstances(byte[] bytes, string path, string key)
        {
            NamedKey hiveroot = RegistryHelper.GetRootKey(bytes, path);

            NamedKey nk = hiveroot;

            if (key != null)
            {
                foreach (string k in key.Split('\\'))
                {
                    foreach (NamedKey n in nk.GetSubKeys(bytes))
                    {
                        if (n.Name.ToUpper() == k.ToUpper())
                        {
                            nk = n;
                        }
                    }
                }
            }

            return(nk.GetValues(bytes));
        }
Пример #16
0
        public static ValueKey Get(string path, string key, string val)
        {
            byte[] bytes = RegistryHelper.GetHiveBytes(path);

            NamedKey hiveroot = RegistryHelper.GetRootKey(bytes, path);

            NamedKey nk = hiveroot;

            if (key != null)
            {
                foreach (string k in key.Split('\\'))
                {
                    foreach (NamedKey n in nk.GetSubKeys(bytes))
                    {
                        if (n.Name.ToUpper() == k.ToUpper())
                        {
                            nk = n;
                        }
                    }
                }
                if (nk == hiveroot)
                {
                    throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
                }
            }

            ValueKey[] values = nk.GetValues(bytes);

            foreach (ValueKey v in values)
            {
                if (v.Name.ToUpper() == val.ToUpper())
                {
                    return(v);
                }
            }

            throw new Exception(string.Format("Cannot find value '{0}' as a value of '{1}' in the '{2}' hive because it does not exist.", val, key, path));
        }
Пример #17
0
        internal NamedKey[] GetSubKeys(byte[] bytes)
        {
            if (NumberOfSubKeys > 0)
            {
                byte[] subKeyListBytes = Util.GetSubArray(bytes, (uint)SubKeysListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, this.SubKeysListOffset)));
                string type            = Encoding.ASCII.GetString(subKeyListBytes, 0x04, 0x02);

                List list = List.Factory(bytes, subKeyListBytes, type);

                NamedKey[] nkArray = new NamedKey[list.Count];

                for (int i = 0; i < list.Count; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    nkArray[i] = new NamedKey(Util.GetSubArray(bytes, list.Offset[i], (uint)size), HivePath, this.FullName);
                }

                return(nkArray);
            }
            else
            {
                return(null);
            }
        }
Пример #18
0
        public static NamedKey[] GetInstances(string path, string key)
        {
            byte[] bytes = Helper.GetHiveBytes(path);

            NamedKey hiveroot = Helper.GetRootKey(bytes, path);

            NamedKey nk = hiveroot;

            if (key != null)
            {
                foreach (string k in key.Split('\\'))
                {
                    foreach (NamedKey n in nk.GetSubKeys(bytes))
                    {
                        if (n.Name.ToUpper() == k.ToUpper())
                        {
                            nk = n;
                        }
                    }
                }
            }

            return(nk.GetSubKeys(bytes));
        }
Пример #19
0
 internal WindowsVersion(NamedKey nk)
 {
     //ProductName = ;
     //CurrentVersion = ;
 }
Пример #20
0
 public static ForensicTimeline Get(NamedKey input)
 {
     return new ForensicTimeline(input.WriteTime, "MACB", "REGISTRY", "", input.FullName, input.ToString());
 }
Пример #21
0
 public static ForensicTimeline[] GetInstances(NamedKey[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (NamedKey nk in input)
     {
         list.Add(Get(nk));
     }
     return list.ToArray();
 }
Пример #22
0
 public static NamedKey[] GetInstances(string path, string key)
 {
     return(NamedKey.GetInstances(Helper.GetHiveBytes(path), path, key));
 }
Пример #23
0
        private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
        {
            List<NamedKey> keyList = new List<NamedKey>();

            foreach(NamedKey subkey in nk.GetSubKeys(bytes, nk.FullName))
            {
                keyList.Add(subkey);

                if (subkey.NumberOfSubKeys > 0)
                {
                    keyList.AddRange(GetInstances(bytes, subkey, true));
                }
            }

            return keyList.ToArray();
        }
Пример #24
0
 public static NamedKey Get(string path, string key)
 {
     return(NamedKey.Get(RegistryHelper.GetHiveBytes(path), path, key.TrimEnd('\\')));
 }
Пример #25
0
        internal NamedKey[] GetSubKeys(byte[] bytes)
        {
            if (this.NumberOfSubKeys > 0)
            {
                byte[] subKeyListBytes = NativeMethods.GetSubArray(bytes, (uint)this.SubKeysListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, this.SubKeysListOffset)));
                string type = Encoding.ASCII.GetString(subKeyListBytes, 0x04, 0x02);

                List list = List.Factory(bytes, subKeyListBytes, type);

                NamedKey[] nkArray = new NamedKey[list.Count];

                for (int i = 0; i < list.Count; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    nkArray[i] = new NamedKey(NativeMethods.GetSubArray(bytes, (uint)list.Offset[i], (uint)size), this.HivePath);
                }

                return nkArray;
            }
            else
            {
                return null;
            }
        }
Пример #26
0
        internal static NamedKey[] GetInstances(byte[] bytes, string path)
        {
            NamedKey hiveroot = RegistryHelper.GetRootKey(bytes, path);

            return(hiveroot.GetSubKeys());
        }