/// <summary>
/// Writes Prefetch data to the pipeline according to the active parameter set.
/// "ByPath" emits the Prefetch object for the file named by filePath;
/// "ByVolume" emits the array returned by Prefetch.GetInstances for the volume.
/// When the fast flag is set it is handed to the Prefetch overload that accepts it.
/// </summary>
/// <remarks>
/// Any other parameter set name falls through and writes nothing. Unlike a variant
/// that tests File.Exists first, this method passes filePath to Prefetch.Get as-is,
/// so a missing or unreadable file is reported by whatever Prefetch.Get does
/// (not visible here).
/// </remarks>
protected override void ProcessRecord()
{
    string activeSet = ParameterSetName;

    if (activeSet == "ByPath")
    {
        // Single file: parse only the Prefetch file the caller pointed at.
        if (fast)
        {
            WriteObject(Prefetch.Get(filePath, fast));
        }
        else
        {
            WriteObject(Prefetch.Get(filePath));
        }
    }
    else if (activeSet == "ByVolume")
    {
        // Whole volume: emit every Prefetch instance the parser returns.
        if (fast)
        {
            WriteObject(Prefetch.GetInstances(volume, fast));
        }
        else
        {
            WriteObject(Prefetch.GetInstances(volume));
        }
    }
}
/// <summary>
/// Builds a combined timeline for one volume by converting the output of each
/// artifact parser (file records, Amcache, Prefetch, scheduled jobs, UserAssist,
/// shell links, the USN journal, event records and five registry hives) into
/// ForensicTimeline entries and concatenating them.
/// </summary>
/// <param name="volume">
/// Volume to examine. It is passed unchanged to every artifact parser and to
/// Helper.GetVolumeLetter, which supplies the prefix for the registry hive paths.
/// </param>
/// <returns>
/// All collected entries as an array, grouped by source in the order gathered.
/// No sorting by time happens in this method.
/// </returns>
/// <remarks>
/// Nothing here catches exceptions, so a failure in any single parser aborts the
/// whole collection. The SAM and SECURITY hives are among the inputs; what reaches
/// the timeline from them is decided by ForensicTimeline.GetInstances (not shown).
/// </remarks>
public static ForensicTimeline[] GetInstances(string volume)
{
    var timeline = new List<ForensicTimeline>();
    string volLetter = Helper.GetVolumeLetter(volume);

    // File system records
    timeline.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));

    // Program-execution and user-activity artifacts
    timeline.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));
    timeline.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));

    // USN change journal
    timeline.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));

    // Event logs
    timeline.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

    // Registry hives, walked recursively in this fixed order
    string hiveDirectory = volLetter + "\\Windows\\system32\\config\\";
    string[] hiveNames = new string[] { "DRIVERS", "SAM", "SECURITY", "SOFTWARE", "SYSTEM" };
    foreach (string hiveName in hiveNames)
    {
        timeline.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(hiveDirectory + hiveName)));
    }

    return timeline.ToArray();
}
/// <summary>
/// Writes Prefetch data to the pipeline. When the Path parameter was bound, the
/// file named by filePath is parsed after confirming it exists. Otherwise the
/// array returned by Prefetch.GetInstances for the volume is emitted.
/// When the fast flag is set it is handed to the Prefetch overload that accepts it.
/// </summary>
/// <exception cref="FileNotFoundException">
/// Thrown when Path was bound but File.Exists reports no file at filePath.
/// </exception>
protected override void ProcessRecord()
{
    bool pathSupplied = this.MyInvocation.BoundParameters.ContainsKey("Path");

    // No explicit path: return every Prefetch instance for the volume.
    if (!pathSupplied)
    {
        if (fast)
        {
            WriteObject(Prefetch.GetInstances(volume, fast));
        }
        else
        {
            WriteObject(Prefetch.GetInstances(volume));
        }

        return;
    }

    // Reject a missing file up front so the caller gets a clear message.
    // The check is advisory only: the file can still change or vanish
    // before Prefetch.Get reads it.
    if (!File.Exists(filePath))
    {
        throw new FileNotFoundException((filePath + " does not exist. Please enter a valid file path."));
    }

    // Output the Prefetch object for the requested file.
    if (fast)
    {
        WriteObject(Prefetch.Get(filePath, fast));
    }
    else
    {
        WriteObject(Prefetch.Get(filePath));
    }
} // ProcessRecord