public static Prefetch[] GetInstances(string volume) { // Get current volume NativeMethods.getVolumeName(ref volume); // Get volume letter string volLetter = volume.Split('\\')[3]; // Get a handle to the volume IntPtr hVolume = NativeMethods.getHandle(volume); // Create a FileStream to read from the volume handle using (FileStream streamToRead = NativeMethods.getFileStream(hVolume)) { VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead); // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume); // Build Prefetch directory path string pfPath = volLetter + @"\Windows\Prefetch"; if (Directory.Exists(pfPath)) { var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf"); Prefetch[] pfArray = new Prefetch[pfFiles.Length]; // Get IndexEntry IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath); int i = 0; foreach (IndexEntry entry in pfEntries) { if (entry.Filename.Contains(".pf")) { pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes(VBR)); i++; } } return(pfArray); } else { throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled."); } } }
public static Prefetch[] GetInstances(string volume) { // Get current volume Util.getVolumeName(ref volume); // Get a handle to the volume IntPtr hVolume = Util.getHandle(volume); // Create a FileStream to read from the volume handle using (FileStream streamToRead = Util.getFileStream(hVolume)) { VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead); // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume); // Build Prefetch directory path string pfPath = volume.Split('\\')[3] + @"\Windows\Prefetch"; /*if(CheckStatus(volume.Split('\\')[3] + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED) * {*/ // Get IndexEntry IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath); Prefetch[] pfArray = new Prefetch[pfEntries.Length]; int i = 0; foreach (IndexEntry entry in pfEntries) { if (entry.Filename.Contains(".pf")) { pfArray[i] = new Prefetch(new FileRecord(Util.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetContent(VBR)); i++; } } return(pfArray); /*} * else * { * throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled."); * }*/ } }
/// <summary> /// /// </summary> /// <param name="volume"></param> /// <returns></returns> public static Prefetch[] GetInstances(string volume) { // Get current volume Helper.getVolumeName(ref volume); using (FileStream streamToRead = Helper.getFileStream(volume)) { NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord; // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume); // Build Prefetch directory path string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch"; /*if(CheckStatus(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED) * {*/ // Get IndexEntry IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath); Prefetch[] pfArray = new Prefetch[pfEntries.Length]; int i = 0; foreach (IndexEntry entry in pfEntries) { if (entry.Filename.Contains(".pf")) { pfArray[i] = new Prefetch(FileRecord.Get(volume, (int)entry.RecordNumber, true).GetContent(VBR)); i++; } } return(pfArray); /*} * else * { * throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled."); * }*/ } }
public static Prefetch[] GetInstances(string volume, bool fast) { // Get current volume NativeMethods.getVolumeName(ref volume); // Get volume letter string volLetter = volume.Split('\\')[3]; // Build Prefetch directory path string prefetchPath = volLetter + @"\\Windows\\Prefetch"; // Check prefetchPath exists if (Directory.Exists(prefetchPath)) { // Get list of file in the Prefetch directory that end in the .pf extension var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf"); // Instantiate an array of Prefetch objects Prefetch[] pfArray = new Prefetch[pfFiles.Length]; // Iterate through Prefetch Files for (int i = 0; i < pfFiles.Length; i++) { // Get bytes for specific Prefetch file byte[] fileBytes = null; try { fileBytes = File.ReadAllBytes(pfFiles[i]); } catch (ArgumentException) { throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()"); } catch (PathTooLongException) { throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()"); } catch (DirectoryNotFoundException) { throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()"); } catch (IOException) { throw new IOException("IOException thrown by Prefetch.GetInstance()"); } catch (UnauthorizedAccessException) { throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()"); } // Output the Prefetch object for the corresponding file pfArray[i] = (new Prefetch(fileBytes)); } // Return array or Prefetch objects return(pfArray); } else { return(null); } }
public static Prefetch[] GetInstances(string volume, bool fast) { // Get current volume Helper.getVolumeName(ref volume); // Get volume letter string volLetter = Helper.GetVolumeLetter(volume); // Build Prefetch directory path string prefetchPath = volLetter + @"\Windows\Prefetch"; // Check prefetchPath exists if (Directory.Exists(prefetchPath)) { // Get list of file in the Prefetch directory that end in the .pf extension var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf"); // Instantiate an array of Prefetch objects Prefetch[] pfArray = new Prefetch[pfFiles.Length]; // Iterate through Prefetch Files for (int i = 0; i < pfFiles.Length; i++) { // Get bytes for specific Prefetch file byte[] fileBytes = null; try { fileBytes = File.ReadAllBytes(pfFiles[i]); } catch (ArgumentException) { throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()"); } catch(PathTooLongException) { throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()"); } catch (DirectoryNotFoundException) { throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()"); } catch (IOException) { throw new IOException("IOException thrown by Prefetch.GetInstance()"); } catch (UnauthorizedAccessException) { throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()"); } // Output the Prefetch object for the corresponding file pfArray[i] = (new Prefetch(fileBytes)); } // Return array or Prefetch objects return pfArray; } else { return null; } }
public static Prefetch[] GetInstances(string volume) { // Get current volume Helper.getVolumeName(ref volume); using (FileStream streamToRead = Helper.getFileStream(volume)) { VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead); // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume); // Build Prefetch directory path string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch"; /*if(CheckStatus(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SAM") != PREFETCH_ENABLED.DISABLED) {*/ // Get IndexEntry IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath); Prefetch[] pfArray = new Prefetch[pfEntries.Length]; int i = 0; foreach(IndexEntry entry in pfEntries) { if (entry.Filename.Contains(".pf")) { pfArray[i] = new Prefetch(new FileRecord(Helper.GetSubArray(MFT, (int)entry.RecordNumber * 0x400, 0x400), volume, true).GetContent(VBR)); i++; } } return pfArray; /*} else { throw new Exception("Prefetching is disabled. Check registry to ensure Prefetching is enabled."); }*/ } }
public static ForensicTimeline[] GetInstances(Prefetch[] input) { List<ForensicTimeline> list = new List<ForensicTimeline>(); foreach (Prefetch pf in input) { foreach (ForensicTimeline t in Get(pf)) { list.Add(t); } } return list.ToArray(); }
public static ForensicTimeline[] Get(Prefetch input) { List<ForensicTimeline> mactimeList = new List<ForensicTimeline>(); foreach (DateTime time in input.PrefetchAccessTime) { mactimeList.Add(new ForensicTimeline(time, "MACB", "PREFETCH", "", input.Path, input.ToString())); } return mactimeList.ToArray(); }
public static Mactime[] Get(Prefetch pf) { return null; }
public static Prefetch[] GetInstances(string volume) { // Get current volume NativeMethods.getVolumeName(ref volume); // Get volume letter string volLetter = volume.Split('\\')[3]; // Get a handle to the volume IntPtr hVolume = NativeMethods.getHandle(volume); // Create a FileStream to read from the volume handle using (FileStream streamToRead = NativeMethods.getFileStream(hVolume)) { VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead); // Get a byte array representing the Master File Table byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume); // Build Prefetch directory path string pfPath = volLetter + @"\Windows\Prefetch"; if (Directory.Exists(pfPath)) { var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf"); Prefetch[] pfArray = new Prefetch[pfFiles.Length]; // Get IndexEntry IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath); int i = 0; foreach(IndexEntry entry in pfEntries) { if (entry.Filename.Contains(".pf")) { pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes(VBR)); i++; } } return pfArray; } else { throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled."); } } }