static void Main(string[] args) { string[] fExt = new string[1]; fExt[0] = "exe"; Dictionary <ulong, FileNameAndParentFrn> mDict = new Dictionary <ulong, FileNameAndParentFrn>(); EnumerateVolume.PInvokeWin32 mft = new EnumerateVolume.PInvokeWin32(); mft.Drive = "C:"; mft.EnumerateVolume(out mDict, new string[] { "*" }); foreach (KeyValuePair <UInt64, FileNameAndParentFrn> entry in mDict) { FileNameAndParentFrn file = (FileNameAndParentFrn)entry.Value; Console.WriteLine(file.Name + " " + file.ParentFrn); } Console.WriteLine("DONE"); Console.ReadKey(); }
static void Main(string[] args) { try { Console.WriteLine("### " + Constants.APP_SIGNATURE + " ###"); Console.WriteLine("### " + Constants.APP_URL + " ###\n"); Console.Write("Processing...\r"); Int32 unixTimestampInit = (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds; string driveLetter = Properties.Settings.Default.search_volume; string fileNamePath = Properties.Settings.Default.report_folder; string fileExtension = Properties.Settings.Default.search_extensions; bool calcMd5 = Properties.Settings.Default.calc_md5; string fileNamePathRecommendation = "report_folder (" + fileNamePath + ") must be a valid folder, and the current user must have write access in it. The valid slash must be / and NOT \\."; if (!Directory.Exists(fileNamePath)) { Utils.Instance.ThrowErr(fileNamePathRecommendation); } else if (fileNamePath[fileNamePath.Length - 1] == '/') { fileNamePath = fileNamePath.Substring(0, fileNamePath.Length - 1); } if (driveLetter.Length > 1 || driveLetter.Contains(":") || fileNamePath.Contains("\\") || !fileExtension.Contains(".") || fileExtension.Contains("*")) { Utils.Instance.ThrowErr("\n\nCheck the config file:\n\n1. search_volume (" + driveLetter + ") must be JUST a NTFS volume/drive letter WITHOUT ':', like C, D, F, G, etc. The current user must have administration rights over this volume.\n\n" + "2. " + fileNamePathRecommendation + "\n\n" + "3. search_extensions (" + fileExtension + ") is the representation of a file extension, like .txt, .pdf, .doc, etc, WITH dot (.) WITHOUT asterisk (*)."); } nameLst = new List <string>(); Dictionary <ulong, FileNameAndParentFrn> mDict = new Dictionary <ulong, FileNameAndParentFrn>(); long totalBytes = 0l; EnumerateVolume.PInvokeWin32 mft = new EnumerateVolume.PInvokeWin32(); mft.Drive = driveLetter; mft.Drive = mft.Drive + ":"; mft.EnumerateVolume(out mDict); StringBuilder sb = new StringBuilder(); StringBuilder pathSb = null; String jsonFileNamePath = fileNamePath + "/" + driveLetter + "." + unixTimestampInit + ".json"; Console.Write("Volume: " + driveLetter + "\t\t\n"); Console.WriteLine("Report folder: " + fileNamePath); Console.WriteLine("Extension: " + fileExtension); long totalDriveSize = 0; try { totalDriveSize = Utils.Instance.GetDriveTotalSize(driveLetter); } catch (Exception e) { Utils.Instance.LogException(e); } if (File.Exists(jsonFileNamePath)) { File.Delete(jsonFileNamePath); Console.WriteLine("Old file deleted: " + jsonFileNamePath); } finalNameLst = new List <string>(); Console.WriteLine("MFT items: " + mDict.Count); foreach (KeyValuePair <UInt64, FileNameAndParentFrn> entry in mDict) { FileNameAndParentFrn file = (FileNameAndParentFrn)entry.Value; pathSb = new StringBuilder(); string extractedExtension = Utils.Instance.ExtractExtension(file.Name); if (extractedExtension != null && fileExtension.ToLower().Contains(extractedExtension.ToLower())) { pathSb.Append(driveLetter + ":\\"); Utils.Instance.SearchId(file.ParentFrn, mDict); nameLst.Reverse(); foreach (var item in nameLst) { pathSb.Append(item + "\\"); } pathSb.Append(file.Name); finalNameLst.Add(pathSb.ToString()); Console.Write("File references found: " + finalNameLst.Count + "\r"); nameLst.Clear(); } } Console.WriteLine(); sb.AppendLine("{\"initTime\": " + unixTimestampInit + ", \"search_volume\": \"" + driveLetter + "\", \"report_folder\": \"" + fileNamePath + "\", \"search_extensions\": \"" + fileExtension + "\", \"totalDriveSize\": " + totalDriveSize + ", \"objectLst\": ["); String comma = ", "; int notFoundCount = 0; int ownerExceptionCount = 0; int machineNameExceptionCount = 0; int fqdnExceptionCount = 0; int md5ExceptionCount = 0; for (int i = 0; i < finalNameLst.Count; i++) { String item = finalNameLst[i]; if (File.Exists(item)) { if (i + 1 == finalNameLst.Count) { comma = ""; } long fileSize = new FileInfo(item).Length; DateTime fileCreationDate = File.GetCreationTime(item); DateTime fileUpdateDate = File.GetLastWriteTime(item); string owner = "n/a"; string machineName = "n/a"; string fqdn = "n/a"; string md5Hash = ""; if (calcMd5) { try { byte[] byteArray = File.ReadAllBytes(item); string strMd5 = Utils.Instance.ByteArrayToMd5HashString(byteArray); md5Hash = ", \"md5\": \"" + strMd5 + "\""; } catch (Exception e) { md5ExceptionCount++; md5Hash = ", \"md5\": \"n/a\""; Utils.Instance.LogException(e); } } try { owner = Utils.Instance.GetOwnerName(item); } catch (Exception e) { ownerExceptionCount++; Utils.Instance.LogException(e); } finally { owner = Uri.EscapeDataString(owner); } try { machineName = Environment.MachineName; } catch (Exception e) { machineNameExceptionCount++; Utils.Instance.LogException(e); } finally { machineName = Uri.EscapeDataString(machineName); } try { fqdn = Utils.Instance.GetFQDN(); } catch (Exception e) { fqdnExceptionCount++; Utils.Instance.LogException(e); } finally { fqdn = Uri.EscapeDataString(fqdn); } sb.AppendLine("{ \"fileName\": \"" + Uri.EscapeDataString(item) + "\", \"fileSize\": " + fileSize + ", \"fileCreationDate\": \"" + fileCreationDate + "\", \"fileUpdateDate\": \"" + fileUpdateDate + "\", \"fileAuthor\": \"" + owner + "\", \"fqdn\": \"" + fqdn + "\" " + md5Hash + "}" + comma); totalBytes = fileSize + totalBytes; } else { notFoundCount++; } Console.Write("Inspecting file: " + (i + 1) + "/" + finalNameLst.Count + "\r"); } Int32 unixTimestampEnd = (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds; sb.AppendLine("], \"endTime\": " + unixTimestampEnd + " }"); Utils.Instance.WriteToFile(sb.ToString(), jsonFileNamePath); Console.WriteLine("\nFile references not found: " + notFoundCount); Console.WriteLine("FQDN resolution errors: " + fqdnExceptionCount); Console.WriteLine("Machine Name resolution errors: " + machineNameExceptionCount); Console.WriteLine("File ownership resolution errors: " + ownerExceptionCount); Console.WriteLine("MD5 hash errors: " + md5ExceptionCount); Console.WriteLine("\nTotal bytes: " + Utils.Instance.FormatBytesLength(totalBytes)); Console.WriteLine("Process ended. Check the results in: " + jsonFileNamePath); Console.WriteLine("\n[PRESS ENTER]"); Console.ReadLine(); } catch (Exception e) { Utils.Instance.ThrowErr(e.Message); Utils.Instance.LogException(e); } }