/// <summary>
        /// The ProcessRecord method returns a Prefetch object for the File specified
        /// by the Path property, or iterates through all .pf files in the
        /// C:\Windows\Prefetch directory to output an array of Prefetch objects.
        /// </summary>
        protected override void ProcessRecord()
        {
            switch (ParameterSetName)
            {
            case "ByVolume":
                if (fast)
                {
                    WriteObject(Prefetch.GetInstances(volume, fast));
                }
                else
                {
                    WriteObject(Prefetch.GetInstances(volume));
                }
                break;

            case "ByPath":
                if (fast)
                {
                    // Output the Prefetch object for the corresponding file
                    WriteObject(Prefetch.Get(filePath, fast));
                }
                else
                {
                    // Output the Prefetch object for the corresponding file
                    WriteObject(Prefetch.Get(filePath));
                }
                break;
            }
        }
示例#2
0
        /// <summary>
        ///
        /// </summary>
        /// <param name="volume"></param>
        /// <returns></returns>
        public static ForensicTimeline[] GetInstances(string volume)
        {
            List <ForensicTimeline> list = new List <ForensicTimeline>();

            string volLetter = Helper.GetVolumeLetter(volume);

            // File System
            list.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));

            // Amcache
            list.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));

            // Prefetch
            list.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));

            // ScheduledJob
            list.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));

            // UserAssist
            list.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));

            // ShellLink
            list.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));

            // UsnJnrl
            list.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));

            // EventLog
            list.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

            // Registry

            list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\DRIVERS")));
            list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SAM")));
            list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SECURITY")));
            list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SOFTWARE")));
            list.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + "\\Windows\\system32\\config\\SYSTEM")));

            return(list.ToArray());
        }
        protected override void ProcessRecord()
        {
            // If the FilePath parameter is used
            if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
            {
                //Test that FilePath exists
                if (File.Exists(filePath))
                {
                    if (fast)
                    {
                        // Output the Prefetch object for the corresponding file
                        WriteObject(Prefetch.Get(filePath, fast));
                    }
                    else
                    {
                        // Output the Prefetch object for the corresponding file
                        WriteObject(Prefetch.Get(filePath));
                    }
                }

                // If file doesnt exist, throw error
                else
                {
                    throw new FileNotFoundException((filePath + " does not exist.  Please enter a valid file path."));
                }
            }

            // If no FilePath is provided, return all Prefetch files
            else
            {
                if (fast)
                {
                    WriteObject(Prefetch.GetInstances(volume, fast));
                }
                else
                {
                    WriteObject(Prefetch.GetInstances(volume));
                }
            }
        } // ProcessRecord