internal byte[] GetBytes(VolumeBootRecord VBR) { foreach (Attr attr in this.Attribute) { if (attr.Name == Attr.ATTR_TYPE.DATA) { if (attr.NonResident) { return((attr as NonResident).GetBytes(this.VolumePath, VBR)); } else { return((attr as Data).RawData); } } else if (attr.Name == Attr.ATTR_TYPE.ATTRIBUTE_LIST) { AttributeList attrlist = attr as AttributeList; foreach (AttrRef ar in attrlist.AttributeReference) { if (ar.Name == "DATA") { FileRecord record = new FileRecord(FileRecord.GetRecordBytes(this.VolumePath, (int)ar.RecordNumber), this.VolumePath, true); return(record.GetBytes()); } } } } throw new Exception("Could not locate file contents"); }
public static FileRecord[] GetInstances(string volume) { FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, 0), volume, true); byte[] mftBytes = record.GetBytes(); return(GetInstances(mftBytes, volume)); }
public static FileRecord Get(string path, bool fast) { string volume = NativeMethods.GetVolumeFromPath(path); IndexEntry entry = IndexEntry.Get(path); return(new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume, fast)); }
public byte[] GetTestContent(string streamName) { foreach (Attr attr in this.Attribute) { if (attr.Name == Attr.ATTR_TYPE.DATA) { if (attr.NameString.ToUpper() == streamName.ToUpper()) { if (attr.NonResident) { return((attr as NonResident).GetBytes(this.VolumePath)); } else { return((attr as Data).RawData); } } } AttributeList attrList = attr as AttributeList; if (attrList != null) { foreach (AttrRef ar in attrList.AttributeReference) { if (ar.Name == "DATA") { FileRecord record = new FileRecord(FileRecord.GetRecordBytes(this.VolumePath, (int)ar.RecordNumber), this.VolumePath, true); return(record.GetTestContent(streamName)); } } } } throw new Exception("Could not locate desired stream"); }
public static Bitmap[] GetInstances(string volume) { // Get the proper data stream from the FileRecord NonResident dataStream = Bitmap.GetDataStream(new FileRecord(FileRecord.GetRecordBytes(volume, MftIndex.BITMAP_INDEX), volume, true)); // Call GetInstances to return all associated Bitmap Values return(GetInstances(dataStream.GetBytes(volume))); }
public static FileRecord[] GetInstancesByPath(string path) { string volume = NativeMethods.GetVolumeFromPath(path); FileRecord record = new FileRecord(FileRecord.GetRecordBytes(path), volume, true); byte[] mftBytes = record.GetBytes(); return(GetInstances(mftBytes, volume)); }
public static Bitmap[] GetInstancesByPath(string path) { // Get Volume string from specified path string volume = Helper.GetVolumeFromPath(path); // Determine Record Number for specified file IndexEntry entry = IndexEntry.Get(path); // Get the proper data stream from the FileRecord NonResident dataStream = Bitmap.GetDataStream(new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume, true)); // Call GetInstances to return all associated Bitmap Values return(GetInstances(dataStream.GetBytes(volume))); }
// TODO: Add Encoding parameter // TODO: Add DataStream parameter #region GetContentMethods public byte[] GetContent() { foreach (FileRecordAttribute attr in this.Attribute) { if (attr.Name == FileRecordAttribute.ATTR_TYPE.DATA) { if (attr.NameString == "") { if (attr.NonResident) { return((attr as NonResident).GetBytes(this.VolumePath)); } else { return((attr as Data).RawData); } } } else if (attr.Name == FileRecordAttribute.ATTR_TYPE.ATTRIBUTE_LIST) { VolumeBootRecord vbr = VolumeBootRecord.Get(this.VolumePath); AttributeList attrlist = attr as AttributeList; foreach (AttrRef ar in attrlist.AttributeReference) { if (ar.Name == "DATA") { if (ar.NameString == "") { FileRecord record = new FileRecord(FileRecord.GetRecordBytes(this.VolumePath, (int)ar.RecordNumber), this.VolumePath, (int)vbr.BytesPerFileRecord, true); return(record.GetContent()); } } } } } throw new Exception("Could not locate file contents"); }
internal static NonResident GetJStream(FileRecord fileRecord) { foreach (FileRecordAttribute attr in fileRecord.Attribute) { if (attr.NameString == "$J") { return(attr as NonResident); } AttributeList attrList = attr as AttributeList; if (attrList != null) { foreach (AttrRef ar in attrList.AttributeReference) { if (ar.NameString == "$J") { FileRecord record = new FileRecord(FileRecord.GetRecordBytes(fileRecord.VolumePath, (int)ar.RecordNumber), fileRecord.VolumePath, true); return(GetJStream(record)); } } } } throw new Exception("No $J attribute found."); }
internal FileRecord(byte[] recordBytes, string volume, bool fast) { VolumePath = volume; Signature = Encoding.ASCII.GetString(recordBytes, 0x00, 0x04); if (Signature == "FILE") { // Parse File Record Header OffsetOfUS = BitConverter.ToUInt16(recordBytes, 4); SizeOfUS = BitConverter.ToUInt16(recordBytes, 6); UpdateSequenceNumber = BitConverter.ToUInt16(recordBytes, OffsetOfUS); #region UpdateSequenceArray UpdateSequenceArray = new byte[(2 * SizeOfUS) - 2]; Array.Copy(recordBytes, (OffsetOfUS + 2), UpdateSequenceArray, 0, UpdateSequenceArray.Length); #endregion UpdateSequenceArray LogFileSequenceNumber = BitConverter.ToUInt64(recordBytes, 8); SequenceNumber = BitConverter.ToUInt16(recordBytes, 16); Hardlinks = BitConverter.ToUInt16(recordBytes, 18); OffsetOfAttribute = BitConverter.ToUInt16(recordBytes, 20); Flags = BitConverter.ToUInt16(recordBytes, 22); #region Deleted if ((Flags & (ushort)FILE_RECORD_FLAG.INUSE) == (ushort)FILE_RECORD_FLAG.INUSE) { Deleted = false; } else { Deleted = true; } #endregion Deleted #region Directory if ((Flags & (ushort)FILE_RECORD_FLAG.DIR) == (ushort)FILE_RECORD_FLAG.DIR) { Directory = true; } else { Directory = false; } #endregion Directory RealSize = BitConverter.ToUInt32(recordBytes, 24); AllocatedSize = BitConverter.ToUInt32(recordBytes, 28); ReferenceToBase = BitConverter.ToUInt64(recordBytes, 32); NextAttrId = BitConverter.ToUInt16(recordBytes, 40); RecordNumber = BitConverter.ToUInt32(recordBytes, 44); #region Attribute // Create a byte array representing the attribute array byte[] attrArrayBytes = new byte[RealSize - OffsetOfAttribute]; Array.Copy(recordBytes, OffsetOfAttribute, attrArrayBytes, 0, attrArrayBytes.Length); // Instantiate an empty list of Attr Objects (We don't know how many attributes the record contains) List <Attr> AttributeList = new List <Attr>(); // Initialize the offset value to 0 int currentOffset = 0; if (currentOffset < (attrArrayBytes.Length - 8)) { do { // Get attribute size int attrSizeOffset = currentOffset + 4; int attrSize = BitConverter.ToInt32(attrArrayBytes, attrSizeOffset); // Create new byte array with just current attribute's bytes byte[] currentAttrBytes = new byte[attrSize]; Array.Copy(attrArrayBytes, currentOffset, currentAttrBytes, 0, currentAttrBytes.Length); // Increment currentOffset currentOffset += attrSize; Attr attr = AttributeFactory.Get(currentAttrBytes, volume); if (attr != null) { if (attr.Name == Attr.ATTR_TYPE.STANDARD_INFORMATION) { StandardInformation stdInfo = attr as StandardInformation; ModifiedTime = stdInfo.ModifiedTime; AccessedTime = stdInfo.AccessedTime; ChangedTime = stdInfo.ChangedTime; BornTime = stdInfo.BornTime; Permission = stdInfo.Permission; } else if (attr.Name == Attr.ATTR_TYPE.FILE_NAME) { FileName fN = attr as FileName; if (!(fN.Namespace == 2)) { Name = fN.Filename; ParentSequenceNumber = fN.ParentSequenceNumber; ParentRecordNumber = fN.ParentRecordNumber; FNModifiedTime = fN.ModifiedTime; FNAccessedTime = fN.AccessedTime; FNChangedTime = fN.ChangedTime; FNBornTime = fN.BornTime; } } AttributeList.Add(attr); } } while (currentOffset < (attrArrayBytes.Length - 8)); } Attribute = AttributeList.ToArray(); #endregion Attribute #region FullName if (fast) { FullName = Name; } else { StringBuilder sb = new StringBuilder(); if (RecordNumber == 0) { sb.Append(volume.Split('\\')[3]); sb.Append('\\'); sb.Append(Name); FullName = sb.ToString(); } else if (RecordNumber == 5) { FullName = volume.Split('\\')[3]; } else { FileRecord parent = new FileRecord(FileRecord.GetRecordBytes(volume, (int)ParentRecordNumber), volume, false); if (parent.SequenceNumber == this.ParentSequenceNumber) { sb.Append(parent.FullName); } else { sb.Append(@"$OrphanFiles"); } if (Name != null) { sb.Append('\\'); FullName = sb.Append(Name).ToString(); } else { FullName = sb.ToString(); } } } #endregion FullName } }
public static FileRecord Get(string volume, int index, bool fast) { return(new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, fast)); }
/// <summary> /// /// </summary> /// <returns></returns> public byte[] GetMftSlack() { byte[] bytes = FileRecord.GetRecordBytes(this.VolumePath, (int)this.RecordNumber); return(Helper.GetSubArray(bytes, this.RealSize - 1, this.AllocatedSize - this.RealSize)); }
public static IndexEntry[] GetInstances(string path) { string[] paths = path.TrimEnd('\\').Split('\\'); // Determine Volume Name string volume = Util.GetVolumeFromPath(path); // Test volume path Util.getVolumeName(ref volume); int index = -1; List <IndexEntry> indexEntryList = new List <IndexEntry>(); for (int i = 0; i < paths.Length; i++) { if (index == -1) { index = 5; } else { bool match = false; foreach (IndexEntry entry in indexEntryList) { if (entry.Entry.Filename.ToUpper() == paths[i].ToUpper()) { index = (int)entry.RecordNumber; match = true; } } if (!(match)) { throw new Exception("Path " + path + " not found."); } } FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true); indexEntryList.Clear(); if (record.Directory) { foreach (Attr attr in record.Attribute) { if (attr.Name == Attr.ATTR_TYPE.INDEX_ROOT) { try { foreach (IndexEntry entry in (attr as IndexRoot).Entries) { if (entry.Entry.Namespace != 0x02) { StringBuilder sb = new StringBuilder(); sb.Append(path.TrimEnd('\\')); sb.Append("\\"); sb.Append(entry.Filename); entry.FullName = sb.ToString(); indexEntryList.Add(entry); } } } catch { return(null); } } else if (attr.Name == Attr.ATTR_TYPE.INDEX_ALLOCATION) { // Get INDEX_ALLOCATION bytes IndexAllocation IA = new IndexAllocation(attr as NonResident, volume); foreach (IndexEntry entry in IA.Entries) { if (entry.Entry.Namespace != 0x02) { StringBuilder sb = new StringBuilder(); sb.Append(path.TrimEnd('\\')); sb.Append("\\"); sb.Append(entry.Filename); entry.FullName = sb.ToString(); indexEntryList.Add(entry); } } } } } else { IndexEntry[] indexArray = new IndexEntry[1]; indexArray[0] = new IndexEntry(record); return(indexArray); } } return(indexEntryList.ToArray()); }