public string FindPhysicalPath(string filepath, ref PrefetchInfoClass pf) { int pos = FindLastDash(Path.GetFileName(filepath)); if (pos > 0){ string[] szName = Path.GetFileName(filepath).Split('-'); pf.NameWithoutHash = szName[0]; int hoho = pf.FilesAccessed.Count(); for (int g = 0; g<pf.FilesAccessed.Length; g++){ if (pf.FilesAccessed[g].IndexOf(pf.NameWithoutHash) > 0) { return pf.FilesAccessed[g]; } } } return ""; }
private void parsepf(string[] j) { ClearScreen(); tabControl1.TabPages[0].Text = "File Accessed"; tabControl1.TabPages[1].Text = "Volume Information"; Stopwatch stopwatch = new Stopwatch(); stopwatch.Start(); DataTable dtPrefetchInfo = new DataTable("pfinfo"); DataTable dtPrefetchSubInfo = new DataTable("pfinfosub"); DataTable dtPrefetchVolInfo = new DataTable("pvolfosub"); dtPrefetchInfo.Columns.Add("FileName", typeof(string)); dtPrefetchInfo.Columns.Add("Boot Process Name", typeof(string)); dtPrefetchInfo.Columns.Add("Hash Value", typeof(string)); dtPrefetchInfo.Columns.Add("Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("2nd Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("3rd Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("4th Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("5th Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("6th Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("7th Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("8th Last Run Time (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("Run Count", typeof(int)); dtPrefetchInfo.Columns.Add("Volume Serial", typeof(string)); dtPrefetchInfo.Columns.Add("Volume Created Date (UTC)", typeof(DateTime)); dtPrefetchInfo.Columns.Add("MD5 Hash", typeof(string)); dtPrefetchSubInfo.Columns.Add("FileName", typeof(string)); dtPrefetchSubInfo.Columns.Add("Path", typeof(string)); dtPrefetchVolInfo.Columns.Add("FileName", typeof(string)); dtPrefetchVolInfo.Columns.Add("Path", typeof(string)); PrefetchProcessingClass pfProcessing = new PrefetchProcessingClass(); PrefetchInfoClass pf = new PrefetchInfoClass(); bool isVista = false, isWin8 = false; foreach (string filepath in j) { if (pfProcessing.IsPrefetchFile(filepath)) { try { if (pfProcessing.CheckHeader(filepath, ref isVista, ref isWin8)) { pf.IsVista = isVista; pf.IsWin8 = isWin8; pf.FilePath = filepath; pfProcessing.ParsePfFile(filepath, ref pf); string mD5HashFromFile = GetMD5HashFromFile(pf.FilePath); DateTime? myTime = null; if (!isWin8) { dtPrefetchInfo.Rows.Add(new object[]{ Path.GetFileName(pf.FilePath), pf.NameWithoutHash, pf.PathHash, pf.LastRun, myTime, myTime, myTime, myTime, myTime, myTime, myTime, pf.NumTimesExecuted, pf.VolumeInfo[0].Serial, pf.VolumeInfo[0].CreatedDate, mD5HashFromFile }); } else { dtPrefetchInfo.Rows.Add(new object[]{ Path.GetFileName(pf.FilePath), pf.NameWithoutHash, pf.PathHash, pf.LastRun, pf.LastRun2, pf.LastRun3, pf.LastRun4, pf.LastRun5, pf.LastRun6, pf.LastRun7, pf.LastRun8, pf.NumTimesExecuted, pf.VolumeInfo[0].Serial, pf.VolumeInfo[0].CreatedDate, mD5HashFromFile }); } int iVolInfoCount = pf.VolumeInfo.Count(); for (int k = 0; k < iVolInfoCount; k++) { if (pf.VolumeInfo[k] != null) { int iFolderCount = pf.VolumeInfo[k].FolderPaths.Count(); for (int m = 0; m < iFolderCount; m++) { dtPrefetchVolInfo.Rows.Add(new object[] { Path.GetFileName(pf.FilePath), pf.VolumeInfo[k].FolderPaths[m] }); } } } int iFileInfoCount = pf.FilesAccessed.Count(); for (int f = 0; f < iFileInfoCount; f++) { dtPrefetchSubInfo.Rows.Add(new object[] { Path.GetFileName(pf.FilePath), pf.FilesAccessed[f] }); } dataGridView.DataSource = dtPrefetchInfo; dataGridView.Visible = true; dataGridView.Enabled = true; dataGridpfFile.DataSource = dtPrefetchSubInfo; dataGridpfFile.Visible = true; dataGridpfFile.Enabled = true; dataGridpfVolume.DataSource = dtPrefetchVolInfo; dataGridpfVolume.Visible = true; dataGridpfVolume.Enabled = true; exportToToolStripMenuItem.Visible = true; xMLToolStripMenuItem.Visible = true; cSVToolStripMenuItem.Visible = true; dataGridView.Columns["Last Run Time (UTC)"].DefaultCellStyle.Format = "dd/MM/yyyy HH:mm:ss"; dataGridView.Columns["Volume Created Date (UTC)"].DefaultCellStyle.Format = "dd/MM/yyyy HH:mm:ss"; if (!isWin8) { dataGridView.Columns["2nd Last Run Time (UTC)"].Visible = false; dataGridView.Columns["3rd Last Run Time (UTC)"].Visible = false; dataGridView.Columns["4th Last Run Time (UTC)"].Visible = false; dataGridView.Columns["5th Last Run Time (UTC)"].Visible = false; dataGridView.Columns["6th Last Run Time (UTC)"].Visible = false; dataGridView.Columns["7th Last Run Time (UTC)"].Visible = false; dataGridView.Columns["8th Last Run Time (UTC)"].Visible = false; } stopwatch.Stop(); // TSSLabel.Text = iNum + " files parsed."; string str = stopwatch.Elapsed.TotalSeconds.ToString(); TSSLabel2.Text = "Take taken: " + str + " seconds."; } } finally { } } } }
public void ReadPaths(string filepath, int iOffset, int size, ref PrefetchInfoClass pf) { int sizeread = 0; List<string> szFileAccessed = new List<string>(); List<string> szActualFileAccessed = new List<string>(); byte[] buffer = new byte[260]; string szTemp = ""; Stream s = new FileStream(filepath, FileMode.Open, FileAccess.ReadWrite, FileShare.Read); while (new FileInfo(filepath).Length != 0 && sizeread<size){ s.Seek(iOffset, SeekOrigin.Begin); s.Read(buffer, 0, 260); sizeread += buffer.Length; szTemp += Encoding.Unicode.GetString(buffer).TrimEnd('\0'); iOffset += 260; } szFileAccessed = szTemp.Split(new char[] {'\0'}, StringSplitOptions.RemoveEmptyEntries).ToList(); int i = szFileAccessed.Count; for(int j=0; j<i-1; j++){ if (szFileAccessed[j].Length>27) { szActualFileAccessed.Add(szFileAccessed[j]); } } pf.FilesAccessed = szActualFileAccessed.ToArray(); s.Close(); }
public void ParsePfFile(string filepath, ref PrefetchInfoClass pf) { byte[] array = new byte[4]; byte[] timearray = new byte[8]; BinaryReader binaryReader = new BinaryReader(File.Open(filepath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)); binaryReader.BaseStream.Position = 0x4C; binaryReader.Read(array, 0, 4); pf.PathHash = bytestostring_littleendian(array); binaryReader.BaseStream.Position = 0x64; binaryReader.Read(array, 0, 4); int pathoffsets = BitConverter.ToInt32(array, 0); binaryReader.BaseStream.Position = 0x68; binaryReader.Read(array, 0, 4); int size = BitConverter.ToInt32(array, 0); binaryReader.BaseStream.Position = 0x6C; binaryReader.Read(array, 0, 4); int volInfoOffset = BitConverter.ToInt32(array, 0); if( pf.IsWin8 ){ binaryReader.BaseStream.Position = 0xD0; }else if (pf.IsVista){ binaryReader.BaseStream.Position = 0x98; }else{ binaryReader.BaseStream.Position = 0x90; } binaryReader.Read(array, 0, 4); int iNumExecuted = BitConverter.ToInt32(array, 0); pf.NumTimesExecuted = iNumExecuted; if (pf.IsVista || pf.IsWin8){ binaryReader.BaseStream.Position = 0x80; }else{ binaryReader.BaseStream.Position = 0x78; } binaryReader.Read(timearray, 0, 8); DateTime dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun = dateTime; if (pf.IsWin8){ // Now checking for for the last 8 timestamps! binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun2 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun3 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun4 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun5 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun6 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun7 = dateTime; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); pf.LastRun8 = dateTime; } binaryReader.BaseStream.Position = pathoffsets; ReadPaths(filepath, pathoffsets, size, ref pf); binaryReader.BaseStream.Position = volInfoOffset; binaryReader.Read(array, 0, 4); int iLen = BitConverter.ToInt32(array, 0); long endpos = volInfoOffset + iLen; int iBug = 0; int iPosition = volInfoOffset + 4; while (iLen > 0 && endpos > iPosition){ // Jump backwards 4 bytes iPosition -= 0x4; binaryReader.BaseStream.Position -= 0x4; PrefetchVolInfoClass vi = new PrefetchVolInfoClass(); binaryReader.Read(array, 0, 4); int iVolTemp = BitConverter.ToInt32(array, 0); vi.VolumePathOffset = iVolTemp; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.VolumePathLength = iVolTemp; binaryReader.Read(timearray, 0, 8); dateTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(timearray, 0)); vi.CreatedDate = dateTime; binaryReader.Read(array, 0, 4); string szSerial = bytestostring_littleendian(array); vi.Serial = szSerial; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.Blob1Offset = iVolTemp; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.Blob1Length = iVolTemp; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.FolderPathOffset = iVolTemp; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.NumFolderPaths = iVolTemp; binaryReader.Read(array, 0, 4); iVolTemp = BitConverter.ToInt32(array, 0); vi.Unknown = iVolTemp; pf.VolumeInfo[iBug] = vi; if (pf.IsVista || pf.IsWin8){ binaryReader.BaseStream.Position += 64; } binaryReader.Read(array, 0, 4); iLen = BitConverter.ToInt32(array, 0); if (++iBug >= 16){ //break while, may happen for invalid file!! break; } iPosition = (int)binaryReader.BaseStream.Position; } binaryReader.Close(); int gg = pf.VolumeInfo.Length; for(int j=0; j<pf.VolumeInfo.Count(); j++){ if(pf.VolumeInfo[j]!=null) pf.VolumeInfo[j].ParseInfo(volInfoOffset, filepath); } pf.PhysicalPath = FindPhysicalPath(filepath, ref pf); if (pf.PhysicalPath!=null){ if (pf.Equals("NTOSBOOT-B00DFAAD.pf")) { pf.CalcHash = 0xB00DFAAD; } else { pf.CalcHash = (pf.IsVista || pf.IsWin8) ? GenerateVistaHash(pf.PhysicalPath) : GenerateXpHash(pf.PhysicalPath); } } binaryReader.Close(); }