├── .gitattributes ├── .gitignore ├── Indx2Csv.au3 ├── Indx2Csv.exe ├── Indx2Csv64.exe ├── LICENSE.md ├── changelog.txt ├── db-schema-INDX-I30.sql ├── db-schema-INDX-ObjIdO.sql ├── db-schema-INDX-ReparseR.sql ├── db-schema-bodyfile.sql ├── db-schema-log2timeline.sql ├── import-sql ├── import-csv-INDX-I30.sql ├── import-csv-INDX-objido.sql ├── import-csv-INDX-reparser.sql ├── import-csv-bodyfile-INDX.sql └── import-csv-l2t-INDX.sql └── readme.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear on external disk 35 | .Spotlight-V100 36 | .Trashes 37 | 38 | # Directories potentially created on remote AFP share 39 | .AppleDB 40 | .AppleDesktop 41 | Network Trash Folder 42 | Temporary Items 43 | .apdisk 44 | 
-------------------------------------------------------------------------------- /Indx2Csv.au3: -------------------------------------------------------------------------------- 1 | #Region ;**** Directives created by AutoIt3Wrapper_GUI **** 2 | #AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\au3.ico 3 | #AutoIt3Wrapper_Outfile=Indx2Csv.exe 4 | #AutoIt3Wrapper_Outfile_x64=Indx2Csv64.exe 5 | #AutoIt3Wrapper_Compile_Both=y 6 | #AutoIt3Wrapper_UseX64=y 7 | #AutoIt3Wrapper_Change2CUI=y 8 | #AutoIt3Wrapper_Res_Comment=Decode INDX records 9 | #AutoIt3Wrapper_Res_Description=Decode INDX records 10 | #AutoIt3Wrapper_Res_Fileversion=1.0.0.14 11 | #AutoIt3Wrapper_Res_LegalCopyright=Joakim Schicht 12 | #AutoIt3Wrapper_AU3Check_Parameters=-w 3 -w 5 13 | #AutoIt3Wrapper_Run_Au3Stripper=y 14 | #Au3Stripper_Parameters=/sf /sv /rm /pe 15 | #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** 16 | ;Program assumes input file like IndxCarver creates. 17 | #Include 18 | #Include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #Include 25 | Global $de="|", $PrecisionSeparator=".", $PrecisionSeparator2="",$DateTimeFormat, $TimestampPrecision,$IndxEntriesI30CsvFile,$IndxEntriesI30Csv,$CurrentFileOffset,$UTCconfig,$myctredit,$SeparatorInput 26 | Global $TimestampErrorVal = "0000-00-00 00:00:00",$ExampleTimestampVal = "01CD74B3150770B8", $IndxEntriesObjIdOCsvFile, $IndxEntriesObjIdOCsv, $IndxEntriesReparseRCsvFile, $IndxEntriesReparseRCsv 27 | Global $DoDefaultAll, $Dol2t, $DoBodyfile, $hDebugOutFile, $MaxRecords, $CurrentRecord, $WithQuotes, $EncodingWhenOpen = 2, $DoParseSlack=1, $DoFixups=1 28 | Global $CheckSlack,$CheckFixups,$CheckUnicode,$checkquotes 29 | Global $begin, $ElapsedTime, $EntryCounter, $ScanMode, $SectorSize=512, $ExtendedNameCheckChar=1, $ExtendedNameCheckWindows=1, $ExtendedNameCheckAll=1, $ExtendedTimestampCheck=1, $StrictNameCheck=1 30 | Global $ProgressStatus, $ProgressIndx, $IsNotLeafNode, $IndxCurrentVcn 31 | Global 
$RecordOffset,$IndxLastLsn,$FromIndxSlack,$MFTReference,$MFTReferenceSeqNo,$IndexFlags,$MFTReferenceOfParent,$MFTReferenceOfParentSeqNo 32 | Global $Indx_CTime,$Indx_ATime,$Indx_MTime,$Indx_RTime,$Indx_AllocSize,$Indx_RealSize,$Indx_File_Flags,$Indx_ReparseTag,$Indx_FileName,$Indx_NameSpace,$SubNodeVCN,$TextInformation 33 | Global $SkipUnicodeNames = 1 ;Will improve recovery of entries from slack 34 | Global $_COMMON_KERNEL32DLL=DllOpen("kernel32.dll"),$outputpath=@ScriptDir,$ParserOutDir 35 | Global $INDXsig = "494E4458", $INDX_Size = 4096, $BinaryFragment, $RegExPatternHexNotNull = "[1-9a-fA-F]", $CleanUp=0, $VerifyFragment=0, $OutFragmentName="OutFragment.bin", $RebuiltFragment 36 | Global $tDelta = _WinTime_GetUTCToLocalFileTimeDelta() 37 | Global $TimeDiff = 5748192000000000 38 | Global $TSCheckLow = 112589990684262400 ;1957-10-14 39 | Global $TSCheckHigh = 139611588448485376 ;2043-05-31 40 | Global $CharsToGrabDate, $CharStartTime, $CharsToGrabTime 41 | 42 | $Progversion = "Indx2Csv 1.0.0.14" 43 | If $cmdline[0] > 0 Then 44 | $CommandlineMode = 1 45 | ConsoleWrite($Progversion & @CRLF) 46 | _GetInputParams() 47 | _Main() 48 | Else 49 | DllCall("kernel32.dll", "bool", "FreeConsole") 50 | $CommandlineMode = 0 51 | 52 | $Form = GUICreate($Progversion, 540, 350, -1, -1) 53 | 54 | $LabelTimestampFormat = GUICtrlCreateLabel("Timestamp format:",20,20,90,20) 55 | $ComboTimestampFormat = GUICtrlCreateCombo("", 110, 20, 30, 25) 56 | $LabelTimestampPrecision = GUICtrlCreateLabel("Precision:",150,20,50,20) 57 | $ComboTimestampPrecision = GUICtrlCreateCombo("", 200, 20, 70, 25) 58 | 59 | $LabelPrecisionSeparator = GUICtrlCreateLabel("Precision separator:",280,20,100,20) 60 | $PrecisionSeparatorInput = GUICtrlCreateInput($PrecisionSeparator,380,20,15,20) 61 | $LabelPrecisionSeparator2 = GUICtrlCreateLabel("Precision separator2:",400,20,100,20) 62 | $PrecisionSeparatorInput2 = GUICtrlCreateInput($PrecisionSeparator2,505,20,15,20) 63 | 64 | $InputExampleTimestamp = 
GUICtrlCreateInput("",340,45,190,20) 65 | GUICtrlSetState($InputExampleTimestamp, $GUI_DISABLE) 66 | 67 | $Label1 = GUICtrlCreateLabel("Set decoded timestamps to specific region:",20,45,230,20) 68 | $Combo2 = GUICtrlCreateCombo("", 230, 45, 85, 25) 69 | 70 | $LabelSeparator = GUICtrlCreateLabel("Set separator:",20,70,70,20) 71 | $SeparatorInput = GUICtrlCreateInput($de,90,70,20,20) 72 | $SeparatorInput2 = GUICtrlCreateInput($de,120,70,30,20) 73 | GUICtrlSetState($SeparatorInput2, $GUI_DISABLE) 74 | $checkquotes = GUICtrlCreateCheckbox("Quotation mark", 160, 70, 90, 20) 75 | GUICtrlSetState($checkquotes, $GUI_UNCHECKED) 76 | $CheckUnicode = GUICtrlCreateCheckbox("Unicode", 255, 70, 60, 20) 77 | GUICtrlSetState($CheckUnicode, $GUI_UNCHECKED) 78 | $CheckSlack = GUICtrlCreateCheckbox("Slack", 320, 70, 60, 20) 79 | GUICtrlSetState($CheckSlack, $GUI_CHECKED) 80 | GUICtrlSetState($CheckSlack, $GUI_DISABLE) 81 | $CheckFixups = GUICtrlCreateCheckbox("Apply fixups", 320, 95, 75, 20) 82 | GUICtrlSetState($CheckFixups, $GUI_CHECKED) 83 | ;$CheckCleanUp = GUICtrlCreateCheckbox("CleanUp", 320, 120, 75, 20) 84 | ;GUICtrlSetState($CheckCleanUp, $GUI_UNCHECKED) 85 | 86 | $checkl2t = GUICtrlCreateRadio("log2timeline", 20, 100, 110, 20) 87 | ;$checkl2t = GUICtrlCreateCheckbox("log2timeline", 20, 100, 130, 20) 88 | ;GUICtrlSetState($checkl2t, $GUI_UNCHECKED) 89 | ;GUICtrlSetState($checkl2t, $GUI_DISABLE) 90 | $checkbodyfile = GUICtrlCreateRadio("bodyfile", 20, 120, 100, 20) 91 | ;$checkbodyfile = GUICtrlCreateCheckbox("bodyfile", 20, 120, 130, 20) 92 | ;GUICtrlSetState($checkbodyfile, $GUI_UNCHECKED) 93 | ;GUICtrlSetState($checkbodyfile, $GUI_DISABLE) 94 | $checkdefaultall = GUICtrlCreateRadio("dump everything", 20, 140, 110, 20) 95 | ;$checkdefaultall = GUICtrlCreateCheckbox("dump everything", 20, 140, 130, 20) 96 | ;GUICtrlSetState($checkdefaultall, $GUI_CHECKED) 97 | ;GUICtrlSetState($checkdefaultall, $GUI_DISABLE) 98 | 99 | $ComboScanMode = GUICtrlCreateCombo("", 200, 100, 35, 20) 
100 | $LabelScanMode = GUICtrlCreateLabel("Scan mode:",130,100,60,20) 101 | 102 | $LabelUsnPageSize = GUICtrlCreateLabel("INDX Size:",130,145,70,20) 103 | $IndxSizeInput = GUICtrlCreateInput($INDX_Size,200,145,40,20) 104 | 105 | $LabelTimestampError = GUICtrlCreateLabel("Timestamp ErrorVal:",290,145,100,20) 106 | $TimestampErrorInput = GUICtrlCreateInput($TimestampErrorVal,390,145,130,20) 107 | 108 | $ButtonOutput = GUICtrlCreateButton("Change Output", 420, 70, 100, 20) 109 | $ButtonInput = GUICtrlCreateButton("Browse INDX", 420, 95, 100, 20) 110 | $ButtonStart = GUICtrlCreateButton("Start Parsing", 420, 120, 100, 20) 111 | $myctredit = GUICtrlCreateEdit("", 0, 170, 540, 100, BitOR($ES_AUTOVSCROLL,$WS_VSCROLL)) 112 | _GUICtrlEdit_SetLimitText($myctredit, 128000) 113 | 114 | _InjectTimeZoneInfo() 115 | _InjectTimestampFormat() 116 | _InjectTimestampPrecision() 117 | _InjectScanMode() 118 | $PrecisionSeparator = GUICtrlRead($PrecisionSeparatorInput) 119 | $PrecisionSeparator2 = GUICtrlRead($PrecisionSeparatorInput2) 120 | _TranslateTimestamp() 121 | 122 | GUISetState(@SW_SHOW) 123 | 124 | While 1 125 | $nMsg = GUIGetMsg() 126 | Sleep(50) 127 | _TranslateSeparator() 128 | $PrecisionSeparator = GUICtrlRead($PrecisionSeparatorInput) 129 | $PrecisionSeparator2 = GUICtrlRead($PrecisionSeparatorInput2) 130 | _TranslateTimestamp() 131 | Select 132 | Case $nMsg = $ButtonOutput 133 | $newoutputpath = FileSelectFolder("Select output folder.", "",7,$outputpath) 134 | If Not @error then 135 | _DisplayInfo("New output folder: " & $newoutputpath & @CRLF) 136 | $ParserOutDir = $newoutputpath 137 | EndIf 138 | Case $nMsg = $ButtonInput 139 | $BinaryFragment = FileOpenDialog("Select INDX extracted chunk",@ScriptDir,"All (*.*)") 140 | If Not @error Then _DisplayInfo("Input: " & $BinaryFragment & @CRLF) 141 | Case $nMsg = $ButtonStart 142 | _Main() 143 | GUICtrlSetState($checkl2t, $GUI_UNCHECKED) 144 | GUICtrlSetState($checkbodyfile, $GUI_UNCHECKED) 145 | 
GUICtrlSetState($checkdefaultall, $GUI_UNCHECKED) 146 | Case $nMsg = $GUI_EVENT_CLOSE 147 | Exit 148 | EndSelect 149 | WEnd 150 | EndIf 151 | 152 | Func _Main() 153 | Local $nBytes 154 | If Not FileExists($BinaryFragment) Then 155 | ConsoleWrite("Error could not locate input" & @CRLF) 156 | EndIf 157 | $hFile = _WinAPI_CreateFile("\\.\" & $BinaryFragment,2,2,7) 158 | If $hFile = 0 Then 159 | ConsoleWrite("CreateFile: " & _WinAPI_GetLastErrorMessage() & @CRLF) 160 | Exit 161 | EndIf 162 | 163 | If $CommandlineMode Then 164 | $TestUnicode = $CheckUnicode 165 | Else 166 | $TestUnicode = GUICtrlRead($CheckUnicode) 167 | EndIf 168 | ConsoleWrite("$TestUnicode: " & $TestUnicode & @CRLF) 169 | If $TestUnicode = 1 Then 170 | ;$EncodingWhenOpen = 2+32 ;ucs2 171 | $EncodingWhenOpen = 2+128 ;utf8 w/bom 172 | ; If Not $CommandlineMode Then _DisplayInfo("UNICODE configured" & @CRLF) 173 | _DumpOutput("UNICODE configured" & @CRLF) 174 | $SkipUnicodeNames=0 175 | Else 176 | $EncodingWhenOpen = 2 177 | ; If Not $CommandlineMode Then _DisplayInfo("ANSI configured" & @CRLF) 178 | _DumpOutput("ANSI configured" & @CRLF) 179 | $SkipUnicodeNames=1 180 | EndIf 181 | 182 | $TimestampStart = @YEAR & "-" & @MON & "-" & @MDAY & "_" & @HOUR & "-" & @MIN & "-" & @SEC 183 | 184 | If Not FileExists($ParserOutDir) Then 185 | $ParserOutDir = @ScriptDir 186 | EndIf 187 | 188 | $DebugOutFile = $ParserOutDir & "\Indx_" & $TimestampStart & ".log" 189 | $hDebugOutFile = FileOpen($DebugOutFile, $EncodingWhenOpen) 190 | If @error Then 191 | ConsoleWrite("Error: Could not create log file" & @CRLF) 192 | MsgBox(0,"Error","Could not create log file") 193 | Exit 194 | EndIf 195 | 196 | ;$I30 197 | $IndxEntriesI30CsvFile = $ParserOutDir & "\Indx_I30_Entries_" & $TimestampStart & ".csv" 198 | $IndxEntriesI30Csv = FileOpen($IndxEntriesI30CsvFile, $EncodingWhenOpen) 199 | If @error Then 200 | ConsoleWrite("Error creating: " & $IndxEntriesI30CsvFile & @CRLF) 201 | If Not $CommandlineMode Then _DisplayInfo("Error 
creating: " & $IndxEntriesI30CsvFile & @CRLF) 202 | Return 203 | EndIf 204 | 205 | ;$ObjId:$O 206 | $IndxEntriesObjIdOCsvFile = $ParserOutDir & "\Indx_ObjIdO_Entries_" & $TimestampStart & ".csv" 207 | $IndxEntriesObjIdOCsv = FileOpen($IndxEntriesObjIdOCsvFile, $EncodingWhenOpen) 208 | If @error Then 209 | ConsoleWrite("Error creating: " & $IndxEntriesObjIdOCsvFile & @CRLF) 210 | If Not $CommandlineMode Then _DisplayInfo("Error creating: " & $IndxEntriesObjIdOCsvFile & @CRLF) 211 | Return 212 | EndIf 213 | 214 | ;$Reparse:$R 215 | $IndxEntriesReparseRCsvFile = $ParserOutDir & "\Indx_ReparseR_Entries_" & $TimestampStart & ".csv" 216 | $IndxEntriesObjIdOCsv = FileOpen($IndxEntriesReparseRCsvFile, $EncodingWhenOpen) 217 | If @error Then 218 | ConsoleWrite("Error creating: " & $IndxEntriesReparseRCsvFile & @CRLF) 219 | If Not $CommandlineMode Then _DisplayInfo("Error creating: " & $IndxEntriesReparseRCsvFile & @CRLF) 220 | Return 221 | EndIf 222 | 223 | _DumpOutput("Input file: " & $BinaryFragment & @CRLF) 224 | _DumpOutput("Output directory: " & $ParserOutDir & @CRLF) 225 | _DumpOutput("Csv: " & $IndxEntriesI30CsvFile & @CRLF) 226 | _DumpOutput("Csv: " & $IndxEntriesObjIdOCsvFile & @CRLF) 227 | _DumpOutput("Csv: " & $IndxEntriesReparseRCsvFile & @CRLF) 228 | _DumpOutput("StrictNameCheck: " & $StrictNameCheck & @CRLF) 229 | 230 | ;--------------------- 231 | 232 | If Not $CommandlineMode Then 233 | If Int(GUICtrlRead($checkl2t) + GUICtrlRead($checkbodyfile) + GUICtrlRead($checkdefaultall)) <> 9 Then 234 | _DisplayInfo("Error: Output format must be set to 1 of the 3 options." 
& @CRLF) 235 | Return 236 | EndIf 237 | $Dol2t = False 238 | $DoBodyfile = False 239 | $DoDefaultAll = False 240 | If GUICtrlRead($checkl2t) = 1 Then 241 | $Dol2t = True 242 | ElseIf GUICtrlRead($checkbodyfile) = 1 Then 243 | $DoBodyfile = True 244 | ElseIf GUICtrlRead($checkdefaultall) = 1 Then 245 | $DoDefaultAll = True 246 | EndIf 247 | EndIf 248 | 249 | If Not $CommandlineMode Then 250 | If ($DateTimeFormat = 4 Or $DateTimeFormat = 5) And ($Dol2t Or $DoBodyfile) Then 251 | _DisplayInfo("Error: Timestamp format can't be 4 or 5 in combination with OutputFormat log2timeline and bodyfile" & @CRLF) 252 | Return 253 | EndIf 254 | EndIf 255 | 256 | If Not $CommandlineMode Then 257 | $de = GUICtrlRead($SeparatorInput) 258 | Else 259 | $de = $SeparatorInput 260 | EndIf 261 | 262 | If Not $CommandlineMode Then 263 | $TimestampErrorVal = GUICtrlRead($TimestampErrorInput) 264 | Else 265 | $TimestampErrorVal = $TimestampErrorVal 266 | EndIf 267 | 268 | If Not $CommandlineMode Then 269 | $INDX_Size = GUICtrlRead($IndxSizeInput) 270 | EndIf 271 | If Mod($INDX_Size,512) Then 272 | If Not $CommandlineMode Then 273 | _DisplayInfo("Error: INDX size must be a multiple of 512" & @CRLF) 274 | _DumpOutput("Error: INDX size must be a multiple of 512" & @CRLF) 275 | Return 276 | Else 277 | _DumpOutput("Error: INDX size must be a multiple of 512" & @CRLF) 278 | Exit 279 | EndIf 280 | EndIf 281 | 282 | If Not $CommandlineMode Then 283 | $tDelta = _GetUTCRegion(GUICtrlRead($Combo2))-$tDelta 284 | If @error Then 285 | _DisplayInfo("Error: Timezone configuration failed." 
& @CRLF) 286 | Return 287 | EndIf 288 | $tDelta = $tDelta*-1 ;Since delta is substracted from timestamp later on 289 | EndIf 290 | 291 | If $CommandlineMode Then 292 | $DoParseSlack = $CheckSlack 293 | Else 294 | $DoParseSlack = GUICtrlRead($CheckSlack) 295 | EndIf 296 | If $DoParseSlack = 1 Then 297 | $DoParseSlack = 1 298 | Else 299 | $DoParseSlack = 0 300 | EndIf 301 | _DumpOutput("Scanning slack: " & $DoParseSlack & @CRLF) 302 | 303 | If $CommandlineMode Then 304 | $DoFixups = $CheckFixups 305 | Else 306 | $DoFixups = GUICtrlRead($CheckFixups) 307 | EndIf 308 | If $DoFixups = 1 Then 309 | $DoFixups = 1 310 | Else 311 | $DoFixups = 0 312 | EndIf 313 | _DumpOutput("Apply fixups: " & $DoFixups & @CRLF) 314 | 315 | If $CommandlineMode Then 316 | $PrecisionSeparator = $PrecisionSeparator 317 | $PrecisionSeparator2 = $PrecisionSeparator2 318 | Else 319 | $PrecisionSeparator = GUICtrlRead($PrecisionSeparatorInput) 320 | $PrecisionSeparator2 = GUICtrlRead($PrecisionSeparatorInput2) 321 | EndIf 322 | If StringLen($PrecisionSeparator) <> 1 Then 323 | If Not $CommandlineMode Then _DisplayInfo("Error: Precision separator not set properly" & @crlf) 324 | _DumpOutput("Error: Precision separator not set properly" & @crlf) 325 | Return 326 | EndIf 327 | 328 | If $CommandlineMode Then 329 | $WithQuotes = $checkquotes 330 | Else 331 | $WithQuotes = GUICtrlRead($checkquotes) 332 | EndIf 333 | 334 | If $WithQuotes = 1 Then 335 | $WithQuotes=1 336 | Else 337 | $WithQuotes=0 338 | EndIf 339 | 340 | If Not FileExists($BinaryFragment) Then 341 | If Not $CommandlineMode Then _DisplayInfo("Error: No INDX chunk chosen for input" & @CRLF) 342 | _DumpOutput("Error: No INDX chunk chosen for input" & @CRLF) 343 | Return 344 | EndIf 345 | 346 | If Not $CommandlineMode Then 347 | $ScanMode = GUICtrlRead($ComboScanMode) 348 | EndIf 349 | ;---------------------------------------- 350 | Select 351 | Case $DoDefaultAll 352 | _DumpOutput("OutputFormat: all" & @CRLF) 353 | $IndxI30SqlFile = 
$ParserOutDir & "\Indx_I30_Entries_"&$TimestampStart&".sql" 354 | $IndxObjectIdSqlFile = $OutputPath & "\Indx_ObjIdO_Entries_"&$TimestampStart&".sql" 355 | $IndxReparseRSqlFile = $OutputPath & "\Indx_ReparseR_Entries_"&$TimestampStart&".sql" 356 | Case $Dol2t 357 | _DumpOutput("OutputFormat: log2timeline" & @CRLF) 358 | $IndxI30SqlFile = $ParserOutDir & "\Indx_I30_Entries_l2t_"&$TimestampStart&".sql" 359 | $IndxObjectIdSqlFile = $OutputPath & "\Indx_ObjIdO_Entries_l2t_"&$TimestampStart&".sql" 360 | $IndxReparseRSqlFile = $OutputPath & "\Indx_ReparseR_Entries_l2t_"&$TimestampStart&".sql" 361 | Case $DoBodyfile 362 | _DumpOutput("OutputFormat: bodyfile" & @CRLF) 363 | $IndxI30SqlFile = $ParserOutDir & "\Indx_I30_Entries_bodyfile_"&$TimestampStart&".sql" 364 | $IndxObjectIdSqlFile = $OutputPath & "\Indx_ObjIdO_Entries_bodyfile_"&$TimestampStart&".sql" 365 | $IndxReparseRSqlFile = $OutputPath & "\Indx_ReparseR_Entries_bodyfile_"&$TimestampStart&".sql" 366 | EndSelect 367 | 368 | Select 369 | Case $DoDefaultAll 370 | FileInstall(".\import-sql\import-csv-INDX-I30.sql", $IndxI30SqlFile) 371 | FileInstall(".\import-sql\import-csv-INDX-objido.sql", $IndxObjectIdSqlFile) 372 | FileInstall(".\import-sql\import-csv-INDX-reparser.sql", $IndxReparseRSqlFile) 373 | Case $Dol2t 374 | FileInstall(".\import-sql\import-csv-l2t-INDX.sql", $IndxI30SqlFile) 375 | Case $DoBodyfile 376 | FileInstall(".\import-sql\import-csv-bodyfile-INDX.sql", $IndxI30SqlFile) 377 | EndSelect 378 | 379 | $FixedPath = StringReplace($IndxEntriesI30CsvFile, "\","\\") 380 | Sleep(500) 381 | _ReplaceStringInFile($IndxI30SqlFile, "__PathToCsv__", $FixedPath) 382 | If $TestUnicode = 1 Then _ReplaceStringInFile($IndxI30SqlFile, "latin1", "utf8") 383 | _ReplaceStringInFile($IndxI30SqlFile, "__Separator__", $de) 384 | 385 | $FixedPath = StringReplace($IndxEntriesObjIdOCsvFile,"\","\\") 386 | Sleep(500) 387 | _ReplaceStringInFile($IndxObjectIdSqlFile,"__PathToCsv__",$FixedPath) 388 | If $CheckUnicode = 1 Then 
_ReplaceStringInFile($IndxObjectIdSqlFile,"latin1", "utf8") 389 | _ReplaceStringInFile($IndxObjectIdSqlFile, "__Separator__", $de) 390 | 391 | $FixedPath = StringReplace($IndxEntriesReparseRCsvFile,"\","\\") 392 | Sleep(500) 393 | _ReplaceStringInFile($IndxReparseRSqlFile,"__PathToCsv__",$FixedPath) 394 | If $CheckUnicode = 1 Then _ReplaceStringInFile($IndxReparseRSqlFile,"latin1", "utf8") 395 | _ReplaceStringInFile($IndxReparseRSqlFile, "__Separator__", $de) 396 | 397 | _SetDateTimeFormats() 398 | 399 | Local $TSPrecisionFormatTransform = "" 400 | If $TimestampPrecision > 1 Then 401 | $TSPrecisionFormatTransform = $PrecisionSeparator & "%f" 402 | EndIf 403 | 404 | Local $TimestampFormatTransform 405 | If $DoDefaultAll Or $DoBodyfile Then 406 | ;INDX or bodyfile table 407 | 408 | 409 | Select 410 | Case $DateTimeFormat = 1 411 | $TimestampFormatTransform = "%Y%m%d%H%i%s" & $TSPrecisionFormatTransform 412 | Case $DateTimeFormat = 2 413 | $TimestampFormatTransform = "%m/%d/%Y %H:%i:%s" & $TSPrecisionFormatTransform 414 | Case $DateTimeFormat = 3 415 | $TimestampFormatTransform = "%d/%m/%Y %H:%i:%s" & $TSPrecisionFormatTransform 416 | Case $DateTimeFormat = 4 Or $DateTimeFormat = 5 417 | If $CommandlineMode Then 418 | ConsoleWrite("WARNING: Loading of sql into database with TSFormat 4 or 5 is not yet supported." & @CRLF) 419 | Else 420 | _DumpOutput("WARNING: Loading of sql into database with TSFormat 4 or 5 is not yet supported." 
& @CRLF) 421 | EndIf 422 | Case $DateTimeFormat = 6 423 | $TimestampFormatTransform = "%Y-%m-%d %H:%i:%s" & $TSPrecisionFormatTransform 424 | EndSelect 425 | _ReplaceStringInFile($IndxI30SqlFile, "__TimestampTransformationSyntax__", $TimestampFormatTransform) 426 | _ReplaceStringInFile($IndxObjectIdSqlFile, "__TimestampTransformationSyntax__", $TimestampFormatTransform) 427 | _ReplaceStringInFile($IndxReparseRSqlFile, "__TimestampTransformationSyntax__", $TimestampFormatTransform) 428 | EndIf 429 | 430 | Local $DateFormatTransform, $TimeFormatTransform 431 | If $Dol2t Then 432 | ;log2timeline table 433 | Select 434 | Case $DateTimeFormat = 1 435 | $DateFormatTransform = "%Y%m%d" 436 | $TimeFormatTransform = "%H%i%s" 437 | Case $DateTimeFormat = 2 438 | $DateFormatTransform = "%m/%d/%Y" 439 | $TimeFormatTransform = "%H:%i:%s" 440 | Case $DateTimeFormat = 3 441 | $DateFormatTransform = "%d/%m/%Y" 442 | $TimeFormatTransform = "%H:%i:%s" 443 | Case $DateTimeFormat = 4 Or $DateTimeFormat = 5 444 | If $CommandlineMode Then 445 | ConsoleWrite("WARNING: Loading of sql into database with TSFormat 4 or 5 is not yet supported." & @CRLF) 446 | Else 447 | _DumpOutput("WARNING: Loading of sql into database with TSFormat 4 or 5 is not yet supported." 
& @CRLF) 448 | EndIf 449 | Case $DateTimeFormat = 6 450 | $DateFormatTransform = "%Y-%m-%d" 451 | $TimeFormatTransform = "%H:%i:%s" 452 | EndSelect 453 | _ReplaceStringInFile($IndxI30SqlFile, "__DateTransformationSyntax__", $DateFormatTransform) 454 | _ReplaceStringInFile($IndxI30SqlFile, "__TimeTransformationSyntax__", $TimeFormatTransform) 455 | _ReplaceStringInFile($IndxObjectIdSqlFile, "__DateTransformationSyntax__", $DateFormatTransform) 456 | _ReplaceStringInFile($IndxObjectIdSqlFile, "__TimeTransformationSyntax__", $TimeFormatTransform) 457 | _ReplaceStringInFile($IndxReparseRSqlFile, "__DateTransformationSyntax__", $DateFormatTransform) 458 | _ReplaceStringInFile($IndxReparseRSqlFile, "__TimeTransformationSyntax__", $TimeFormatTransform) 459 | EndIf 460 | ;-------------------------- 461 | #cs 462 | $IndxI30SqlFile = $ParserOutDir & "\Indx_I30_Entries_" & $TimestampStart & ".sql" 463 | FileInstall(".\import-sql\import-csv-INDX-I30.sql", $IndxI30SqlFile) 464 | $FixedPath = StringReplace($IndxEntriesI30CsvFile,"\","\\") 465 | Sleep(500) 466 | _ReplaceStringInFile($IndxI30SqlFile,"__PathToCsv__",$FixedPath) 467 | If $TestUnicode = 1 Then _ReplaceStringInFile($IndxI30SqlFile,"latin1", "utf8") 468 | 469 | $IndxObjectIdSqlFile = $OutputPath & "\Indx_ObjIdO_Entries_"&$TimestampStart&".sql" 470 | FileInstall(".\import-sql\import-csv-INDX-objido.sql", $IndxObjectIdSqlFile) 471 | $FixedPath = StringReplace($IndxEntriesObjIdOCsvFile,"\","\\") 472 | Sleep(500) 473 | _ReplaceStringInFile($IndxObjectIdSqlFile,"__PathToCsv__",$FixedPath) 474 | If $CheckUnicode = 1 Then _ReplaceStringInFile($IndxObjectIdSqlFile,"latin1", "utf8") 475 | 476 | $IndxReparseRSqlFile = $OutputPath & "\Indx_ReparseR_Entries_"&$TimestampStart&".sql" 477 | FileInstall(".\import-sql\import-csv-INDX-reparser.sql", $IndxReparseRSqlFile) 478 | $FixedPath = StringReplace($IndxEntriesReparseRCsvFile,"\","\\") 479 | Sleep(500) 480 | _ReplaceStringInFile($IndxReparseRSqlFile,"__PathToCsv__",$FixedPath) 481 
| If $CheckUnicode = 1 Then _ReplaceStringInFile($IndxReparseRSqlFile,"latin1", "utf8") 482 | #ce 483 | _DumpOutput("Scan mode: " & $ScanMode & @CRLF) 484 | ;---------------------------- 485 | 486 | _WriteCSVHeaderIndxEntries() 487 | _WriteIndxObjIdOModuleCsvHeader() 488 | _WriteIndxReparseRModuleCsvHeader() 489 | 490 | $InputFileSize = _WinAPI_GetFileSizeEx($hFile) 491 | $MaxRecords = Ceiling($InputFileSize/$INDX_Size) 492 | If $ScanMode=0 And Mod($InputFileSize,$INDX_Size) Then 493 | ConsoleWrite("Error: File size not a multiple of INDX size. Last page must have special buffer created." & @CRLF) 494 | EndIf 495 | 496 | $Progress = GUICtrlCreateLabel("Decoding INDX data and writing to csv", 10, 280,540,20) 497 | GUICtrlSetFont($Progress, 12) 498 | $ProgressStatus = GUICtrlCreateLabel("", 10, 275, 520, 20) 499 | $ElapsedTime = GUICtrlCreateLabel("", 10, 290, 520, 20) 500 | $ProgressIndx = GUICtrlCreateProgress(0, 315, 540, 30) 501 | $begin = TimerInit() 502 | 503 | AdlibRegister("_IndxProgress", 500) 504 | ConsoleWrite("Parsing input.." 
& @CRLF) 505 | 506 | Select 507 | Case $ScanMode = 0 508 | $tBuffer = DllStructCreate("byte["&$INDX_Size&"]") 509 | For $i = 0 To $MaxRecords-1 510 | $CurrentRecord = $i 511 | _WinAPI_SetFilePointerEx($hFile, $i*$INDX_Size, $FILE_BEGIN) 512 | _WinAPI_ReadFile($hFile, DllStructGetPtr($tBuffer), $INDX_Size, $nBytes) 513 | $IndxRecord = DllStructGetData($tBuffer, 1) 514 | $CurrentFileOffset = DllCall('kernel32.dll', 'int', 'SetFilePointerEx', 'ptr', $hFile, 'int64', 0, 'int64*', 0, 'dword', 1) 515 | $CurrentFileOffset = $CurrentFileOffset[3]-$INDX_Size 516 | $RecordOffset = "0x" & Hex(Int($CurrentFileOffset)) 517 | $EntryCounter += _ParseIndx($IndxRecord) 518 | _ClearVar() 519 | Next 520 | Case $ScanMode > 0 521 | $ChunkSize = $SectorSize*100 522 | $tBuffer = DllStructCreate("byte[" & ($ChunkSize)+$SectorSize & "]") 523 | $MaxPages = Ceiling($InputFileSize/($ChunkSize)) 524 | For $i = 0 To $MaxPages-1 525 | ; ConsoleWrite("$i: " & $i & @CRLF) 526 | ;$CurrentPage=$i 527 | _WinAPI_SetFilePointerEx($hFile, $i*($ChunkSize), $FILE_BEGIN) 528 | If $i = $MaxPages-1 Then $tBuffer = DllStructCreate("byte[" & ($ChunkSize)+$SectorSize & "]") 529 | _WinAPI_ReadFile($hFile, DllStructGetPtr($tBuffer), ($ChunkSize)+$SectorSize, $nBytes) 530 | $RawPage = DllStructGetData($tBuffer, 1) 531 | $CurrentFileOffset = DllCall('kernel32.dll', 'int', 'SetFilePointerEx', 'ptr', $hFile, 'int64', 0, 'int64*', 0, 'dword', 1) 532 | $CurrentFileOffset = $CurrentFileOffset[3]-$ChunkSize 533 | ;$RecordOffset = "0x" & Hex(Int($CurrentFileOffset)) 534 | $EntryCounter += _ScanModeI30ProcessPage(StringMid($RawPage,3),$i*($ChunkSize),0,$ChunkSize) 535 | If Not Mod($i,1000) Then 536 | FileFlush($IndxEntriesI30CsvFile) 537 | EndIf 538 | Next 539 | EndSelect 540 | 541 | AdlibUnRegister("_IndxProgress") 542 | $MaxRecords = $CurrentRecord+1 543 | _IndxProgress() 544 | ProgressOff() 545 | 546 | If $EntryCounter < 1 Then 547 | _DumpOutput("Error: No valid $I30 entries could be decoded." 
& @CRLF) 548 | If $CleanUp Then 549 | FileFlush($hDebugOutFile) 550 | FileClose($hDebugOutFile) 551 | FileDelete($IndxEntriesI30CsvFile) 552 | FileDelete($IndxEntriesObjIdOCsvFile) 553 | FileDelete($IndxI30SqlFile) 554 | FileDelete($IndxObjectIdSqlFile) 555 | FileDelete($DebugOutFile) 556 | Else 557 | FileMove($IndxEntriesI30CsvFile,$IndxEntriesI30CsvFile&".empty",1) 558 | _DumpOutput("Empty output: " & $IndxEntriesI30CsvFile & " is postfixed with .empty" & @CRLF) 559 | FileMove($IndxEntriesObjIdOCsvFile,$IndxEntriesObjIdOCsvFile&".empty",1) 560 | _DumpOutput("Empty output: " & $IndxEntriesObjIdOCsvFile & " is postfixed with .empty" & @CRLF) 561 | FileMove($IndxEntriesReparseRCsvFile,$IndxEntriesReparseRCsvFile&".empty",1) 562 | _DumpOutput("Empty output: " & $IndxEntriesReparseRCsvFile & " is postfixed with .empty" & @CRLF) 563 | ; If (_FileCountLines($IndxEntriesObjIdOCsvFile) < 2) Then 564 | ; FileMove($IndxEntriesObjIdOCsvFile,$IndxEntriesObjIdOCsvFile&".empty",1) 565 | ; _DumpOutput("Empty output: " & $IndxEntriesObjIdOCsvFile & " is postfixed with .empty") 566 | ; EndIf 567 | EndIf 568 | If Not $CommandlineMode Then 569 | _DisplayInfo("Error: No valid $I30 or $O entries could be decoded." 
& @CRLF) 570 | Return 571 | Else 572 | Exit(1) 573 | EndIf 574 | EndIf 575 | 576 | If Not $CommandlineMode Then _DisplayInfo("Entries found and decoded: " & $EntryCounter & @CRLF) 577 | _DumpOutput("Pages processed: " & $MaxRecords & @CRLF) 578 | _DumpOutput("Entries found and decoded: " & $EntryCounter & @CRLF) 579 | If Not $CommandlineMode Then _DisplayInfo("Parsing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF) 580 | _DumpOutput("Parsing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF) 581 | _WinAPI_CloseHandle($hFile) 582 | FileFlush($hDebugOutFile) 583 | FileClose($hDebugOutFile) 584 | FileFlush($IndxEntriesI30Csv) 585 | FileClose($IndxEntriesI30Csv) 586 | FileFlush($IndxEntriesObjIdOCsv) 587 | FileClose($IndxEntriesObjIdOCsv) 588 | FileFlush($IndxEntriesReparseRCsv) 589 | FileClose($IndxEntriesReparseRCsv) 590 | 591 | If $CleanUp Then 592 | FileDelete($IndxEntriesI30CsvFile) 593 | FileDelete($IndxEntriesObjIdOCsvFile) 594 | FileDelete($IndxI30SqlFile) 595 | FileDelete($IndxObjectIdSqlFile) 596 | FileDelete($DebugOutFile) 597 | Else 598 | If (_FileCountLines($IndxEntriesI30CsvFile) < 2) Then 599 | FileMove($IndxEntriesI30CsvFile,$IndxEntriesI30CsvFile&".empty",1) 600 | _DumpOutput("Empty output: " & $IndxEntriesI30CsvFile & " is postfixed with .empty") 601 | EndIf 602 | If (_FileCountLines($IndxEntriesObjIdOCsvFile) < 2) Then 603 | FileMove($IndxEntriesObjIdOCsvFile,$IndxEntriesObjIdOCsvFile&".empty",1) 604 | _DumpOutput("Empty output: " & $IndxEntriesObjIdOCsvFile & " is postfixed with .empty") 605 | EndIf 606 | If (_FileCountLines($IndxEntriesReparseRCsvFile) < 2) Then 607 | FileMove($IndxEntriesReparseRCsvFile,$IndxEntriesReparseRCsvFile&".empty",1) 608 | _DumpOutput("Empty output: " & $IndxEntriesReparseRCsvFile & " is postfixed with .empty") 609 | EndIf 610 | EndIf 611 | 612 | $ParserOutDir = "" 613 | $EntryCounter = 0 614 | EndFunc 615 | 616 | Func 
_ScanModeI30ProcessPage($TargetPage,$OffsetFile,$OffsetChunk,$EndOffset) 617 | Local $LocalEntryCounter = 0, $NextOffset = 1, $TotalSizeOfPage = StringLen($TargetPage) 618 | Do 619 | ; _DumpOutput("$NextOffset: " & $NextOffset & @CRLF) 620 | ; _DumpOutput("$NextOffset: 0x" & Hex(Int($OffsetFile + ($OffsetChunk + $NextOffset)/2)) & @CRLF) 621 | $SizeOfNextEntry = StringMid($TargetPage,$NextOffset+16,4) 622 | $SizeOfNextEntry = Dec(_SwapEndian($SizeOfNextEntry),2) 623 | $SizeOfNextEntry = $SizeOfNextEntry*2 624 | $SizeOfNextEntryTmp = $SizeOfNextEntry 625 | If $SizeOfNextEntryTmp < 512 Then 626 | ;Pretend the entry is large enough to accomodate for possible longer filename 627 | $SizeOfNextEntryTmp = 512 628 | EndIf 629 | $NextEntry = StringMid($TargetPage,$NextOffset,$SizeOfNextEntryTmp) 630 | If _ScanModeI30DecodeEntry($NextEntry) Then 631 | $OffsetRecord = "0x" & Hex(Int($OffsetFile + ($OffsetChunk + $NextOffset)/2)) 632 | If _NormalModeI30DecodeEntry($NextEntry, $OffsetRecord) Then 633 | $LocalEntryCounter += 1 634 | EndIf 635 | If $SizeOfNextEntryTmp > $SizeOfNextEntry Then 636 | $NextOffset+=2 637 | Else 638 | $NextOffset+=$SizeOfNextEntry 639 | EndIf 640 | Else 641 | If Not StringRegExp(StringMid($TargetPage,$NextOffset),$RegExPatternHexNotNull) Then 642 | _DumpOutput("The data on the rest of this page is just 00. 
Nothing to do here from offset 0x" & Hex(Int($OffsetFile + ($OffsetChunk + $NextOffset)/2)) & @CRLF) 643 | Return $LocalEntryCounter 644 | EndIf 645 | $NextOffset+=2 646 | EndIf 647 | 648 | Until $NextOffset > $TotalSizeOfPage Or $NextOffset/2 > $EndOffset 649 | Return $LocalEntryCounter 650 | EndFunc 651 | 652 | Func _ScanModeI30DecodeEntry($Record) 653 | 654 | $MFTReference = StringMid($Record,1,12) 655 | If $MFTReference = "FFFFFFFFFFFF" Then Return SetError(1,0,0) 656 | $MFTReference = Dec(_SwapEndian($MFTReference),2) 657 | If Not $VerifyFragment And $ScanMode < 1 Then 658 | If $MFTReference = 0 Then Return SetError(1,0,0) 659 | EndIf 660 | $MFTReferenceSeqNo = StringMid($Record,13,4) 661 | $MFTReferenceSeqNo = Dec(_SwapEndian($MFTReferenceSeqNo),2) 662 | If Not $VerifyFragment And $ScanMode < 1 Then 663 | If $MFTReferenceSeqNo = 0 Then Return SetError(2,0,0) 664 | EndIf 665 | $IndexEntryLength = StringMid($Record,17,4) 666 | $IndexEntryLength = Dec(_SwapEndian($IndexEntryLength),2) 667 | If Not $VerifyFragment And $ScanMode < 2 Then 668 | If ($IndexEntryLength = 0) Or ($IndexEntryLength = 0xFFFF) Then Return SetError(3,0,0) 669 | EndIf 670 | ;$OffsetToFileName = StringMid($Record,21,4) 671 | ;$OffsetToFileName = Dec(_SwapEndian($OffsetToFileName),2) 672 | ;If $OffsetToFileName <> 82 Then Return SetError(4,0,0) 673 | $IndexFlags = StringMid($Record,25,4) 674 | $IndexFlags = Dec(_SwapEndian($IndexFlags),2) 675 | If Not $VerifyFragment And $ScanMode < 3 Then 676 | If $IndexFlags > 2 Then Return SetError(5,0,0) 677 | EndIf 678 | 679 | $Padding = StringMid($Record,29,4) 680 | If Not $VerifyFragment And $ScanMode < 4 Then 681 | If $Padding <> "0000" Then Return SetError(6,0,0) 682 | EndIf 683 | $MFTReferenceOfParent = StringMid($Record,33,12) 684 | $MFTReferenceOfParent = Dec(_SwapEndian($MFTReferenceOfParent),2) 685 | If Not $VerifyFragment And $ScanMode < 5 Then 686 | If $MFTReferenceOfParent < 5 Then Return SetError(7,0,0) 687 | EndIf 688 | 
	$MFTReferenceOfParentSeqNo = StringMid($Record,45,4)
	$MFTReferenceOfParentSeqNo = Dec(_SwapEndian($MFTReferenceOfParentSeqNo),2)
	If Not $VerifyFragment And $ScanMode < 5 Then
		If $MFTReferenceOfParentSeqNo = 0 Then Return SetError(8,0,0)
	EndIf
	; Timestamps: each raw FILETIME is first range-checked against
	; $TSCheckLow/$TSCheckHigh (only when $ExtendedTimestampCheck is set), then
	; decoded; a decode failure is detected by comparing with $TimestampErrorVal.
	$CTime_Timestamp = StringMid($Record,49,16)
	If $ExtendedTimestampCheck Then
		$CTime_TimestampTmp = Dec(_SwapEndian($CTime_Timestamp),2)
		If $CTime_TimestampTmp < $TSCheckLow Or $CTime_TimestampTmp > $TSCheckHigh Then Return SetError(9,0,0) ;14 October 1957 - 31 May 2043
	EndIf
	$CTime_Timestamp = _DecodeTimestamp($CTime_Timestamp)
	If $CTime_Timestamp = $TimestampErrorVal Then Return SetError(10,0,0)
	$ATime_Timestamp = StringMid($Record,65,16)
	If $ExtendedTimestampCheck Then
		$ATime_TimestampTmp = Dec(_SwapEndian($ATime_Timestamp),2)
		If $ATime_TimestampTmp < $TSCheckLow Or $ATime_TimestampTmp > $TSCheckHigh Then Return SetError(11,0,0) ;14 October 1957 - 31 May 2043
	EndIf
	$ATime_Timestamp = _DecodeTimestamp($ATime_Timestamp)
	If $ATime_Timestamp = $TimestampErrorVal Then Return SetError(12,0,0)
	; MTime is decoded but deliberately not validated (both the range check and
	; the error-value check are commented out), so a bad MTime alone never
	; rejects an entry; codes 13 and 14 are therefore never returned.
	$MTime_Timestamp = StringMid($Record,81,16)
	If $ExtendedTimestampCheck Then
		;$MTime_TimestampTmp = Dec(_SwapEndian($MTime_Timestamp),2)
		;If $MTime_TimestampTmp < $TSCheckLow Or $MTime_TimestampTmp > $TSCheckHigh Then Return SetError(13,0,0) ;14 October 1957 - 31 May 2043
	EndIf
	$MTime_Timestamp = _DecodeTimestamp($MTime_Timestamp)
	;-----------------------
	;If $MTime_Timestamp = $TimestampErrorVal Then Return SetError(14,0,0)
	;--------------------------
	$RTime_Timestamp = StringMid($Record,97,16)
	If $ExtendedTimestampCheck Then
		$RTime_TimestampTmp = Dec(_SwapEndian($RTime_Timestamp),2)
		If $RTime_TimestampTmp < $TSCheckLow Or $RTime_TimestampTmp > $TSCheckHigh Then Return SetError(15,0,0) ;14 October 1957 - 31 May 2043
	EndIf
	$RTime_Timestamp = _DecodeTimestamp($RTime_Timestamp)
	If $RTime_Timestamp = $TimestampErrorVal Then Return SetError(16,0,0)
	; Sizes: both are 8-byte values but anything above 48 bits is treated as
	; corrupt; the allocated size must also be a multiple of 8 and the real size
	; may not exceed it. Both size checks share one error code each (17 / 18).
	$Indx_AllocSize = StringMid($Record,113,16)
	$Indx_AllocSize = Dec(_SwapEndian($Indx_AllocSize),2)
	If $Indx_AllocSize > 281474976710655 Then ;0xFFFFFFFFFFFF
		Return SetError(17,0,0)
	EndIf
	If $Indx_AllocSize > 0 And Mod($Indx_AllocSize,8) Then
		Return SetError(17,0,0)
	EndIf
	$Indx_RealSize = StringMid($Record,129,16)
	$Indx_RealSize = Dec(_SwapEndian($Indx_RealSize),2)
	If $Indx_RealSize > 281474976710655 Then ;0xFFFFFFFFFFFF
		Return SetError(18,0,0)
	EndIf
	If $Indx_RealSize > $Indx_AllocSize Then Return SetError(18,0,0)

	$Indx_File_Flags = StringMid($Record,145,8)
	$Indx_File_Flags = _SwapEndian($Indx_File_Flags)

	; The 4 bytes at position 153 are interpreted as the EA size when flag
	; 0x40000 is set (presumably FILE_ATTRIBUTE_EA - confirm) and as the
	; reparse tag otherwise; only one of the two Select branches below runs.
	If BitAND("0x" & $Indx_File_Flags, 0x40000) Then
		$DoReparseTag=0
		$DoEaSize=1
	Else
		$DoReparseTag=1
		$DoEaSize=0
	EndIf
	$Indx_File_Flags = _File_Attributes("0x" & $Indx_File_Flags)

	Select
		Case $DoReparseTag
			$Indx_EaSize = ""
			$Indx_ReparseTag = StringMid($Record,153,8)
			$Indx_ReparseTag = _SwapEndian($Indx_ReparseTag)
			$Indx_ReparseTag = _GetReparseType("0x"&$Indx_ReparseTag)
			; A tag _GetReparseType cannot name is treated as corruption.
			If StringInStr($Indx_ReparseTag,"UNKNOWN") Then Return SetError(19,0,0)
		Case $DoEaSize
			$Indx_ReparseTag = ""
			$Indx_EaSize = StringMid($Record,153,8)
			$Indx_EaSize = Dec(_SwapEndian($Indx_EaSize),2)
			If $Indx_EaSize < 8 Then Return SetError(19,0,0)
	EndSelect

	; Name length is a single byte counting UTF-16 characters.
	$Indx_NameLength = StringMid($Record,161,2)
	$Indx_NameLength = Dec($Indx_NameLength)
	If $Indx_NameLength = 0 Then Return SetError(20,0,0)
	$Indx_NameSpace = StringMid($Record,163,2)
	Select
		Case $Indx_NameSpace = "00" ;POSIX
			$Indx_NameSpace = "POSIX"
		Case $Indx_NameSpace = "01" ;WIN32
			$Indx_NameSpace = "WIN32"
		Case $Indx_NameSpace = "02" ;DOS
			$Indx_NameSpace = "DOS"
		Case $Indx_NameSpace = "03" ;DOS+WIN32
			$Indx_NameSpace = "DOS+WIN32"
		Case Else
			$Indx_NameSpace = "Unknown"
	EndSelect
	If $Indx_NameSpace = "Unknown" Then Return SetError(21,0,0)
	; The name is UTF-16LE: 4 hex characters per character, starting at
	; position 165 (byte 82).
	$Indx_FileName = StringMid($Record,165,$Indx_NameLength*4)
	$NameTest = 1
	; Only the first true Case runs, so $ExtendedNameCheckAll takes precedence
	; over the two narrower checks; with none of the flags set the name is
	; accepted unchecked ($NameTest stays 1).
	Select
		Case $ExtendedNameCheckAll
			; _DumpOutput("$ExtendedNameCheckAll: " & $ExtendedNameCheckAll & @CRLF)
			$NameTest = _ValidateCharacterAndWindowsFileName($Indx_FileName)
		Case $ExtendedNameCheckChar
			; _DumpOutput("$ExtendedNameCheckChar: " & $ExtendedNameCheckChar & @CRLF)
			$NameTest = _ValidateCharacter($Indx_FileName)
		Case $ExtendedNameCheckWindows
			; _DumpOutput("$ExtendedNameCheckWindows: " & $ExtendedNameCheckWindows & @CRLF)
			$NameTest = _ValidateWindowsFileName($Indx_FileName)
	EndSelect
	If Not $NameTest Then Return SetError(22,0,0)
	; Flag 2 = UTF-16 little endian.
	$Indx_FileName = BinaryToString("0x"&$Indx_FileName,2)

	; An empty decoded name is treated the same as a decode failure.
	If @error Or $Indx_FileName = "" Then Return SetError(23,0,0)
	Return 1
EndFunc

; Formats a 16-hex-digit little-endian FILETIME ($StampDecode) for output.
; Returns $TimestampErrorVal when _WinTime_UTCFileTimeFormat sets @error, so
; callers compare against that value to detect a bad timestamp.
; $tDelta is subtracted from the raw value before formatting (presumably the
; configured UTC offset in FILETIME units - confirm where it is set).
; With $TimestampPrecision = 3 the last four characters of the local-time
; conversion are appended after $PrecisionSeparator2, padded by _FillZero
; (assumed to be the sub-millisecond remainder - TODO confirm).
; Globals read: $tDelta, $DateTimeFormat, $TimestampPrecision,
; $PrecisionSeparator2, $TimestampErrorVal.
Func _DecodeTimestamp($StampDecode)
	$StampDecode = _SwapEndian($StampDecode)
	$StampDecode_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $StampDecode)
	$StampDecode = _WinTime_UTCFileTimeFormat(Dec($StampDecode,2) - $tDelta, $DateTimeFormat, $TimestampPrecision)
	If @error Then
		$StampDecode = $TimestampErrorVal
	ElseIf $TimestampPrecision = 3 Then
		$StampDecode = $StampDecode & $PrecisionSeparator2 & _FillZero(StringRight($StampDecode_tmp, 4))
	EndIf
	Return $StampDecode
EndFunc

; Decodes one $I30 index entry and writes it to $IndxEntriesI30CsvFile.
; $InputData    : hex-encoded entry, same field layout as _ScanModeI30DecodeEntry.
; $OffsetRecord : offset text for the Offset column, computed by the caller.
; Runs the same field checks as _ScanModeI30DecodeEntry, but a failed check
; only rejects the entry (return 0, @error = check number) when $ScanMode is
; below that check's threshold (1 for the MFT reference up to 15 for the file
; name); otherwise the field name is appended to $TextInformation, which is
; emitted in the CorruptEntries column.
; Output depends on the format flags: one line for $DoDefaultAll, four
; log2timeline lines (C, A, M, R) for $Dol2t, one bodyfile line for
; $DoBodyfile; with $WithQuotes every field is wrapped in double quotes.
; The FromIndxSlack column is always written as 1 from here.
; When $VerifyFragment is set the first 164+4*namelength hex characters are
; also written out via _WriteOutputFragment(); a write failure exits the
; process with code 4 in command-line mode and returns with @error = 1 otherwise.
; Note: field values are written unescaped. A name containing $de or a double
; quote (possible for POSIX-namespace names, and for corrupt names that are
; accepted once $ScanMode >= 15) shifts or breaks columns for the CSV
; importers; escape or strip those characters before relying on the layout.
; Returns 1 after the record has been written.
Func _NormalModeI30DecodeEntry($InputData, $OffsetRecord)
	; Hex-string index of the entry's first byte (1-based, 2 hex chars per byte).
	; All field reads below are relative to it.
	$LocalOffset=1
	; Accumulates ";Field" names of tolerated check failures.
	$TextInformation=""
	;$RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($LocalOffset-1)/2)))
	$RecordOffset = $OffsetRecord
	$MFTReference = StringMid($InputData,$LocalOffset,12)
	If $MFTReference = "FFFFFFFFFFFF" Then
820 | If $ScanMode < 1 Then Return SetError(1,0,0) 821 | $TextInformation &= ";MftRef" 822 | EndIf 823 | $MFTReference = Dec(_SwapEndian($MFTReference),2) 824 | If $MFTReference = 0 Then 825 | If $ScanMode < 1 Then Return SetError(1,0,0) 826 | $TextInformation &= ";MftRef" 827 | EndIf 828 | $MFTReferenceSeqNo = StringMid($InputData,$LocalOffset+12,4) 829 | $MFTReferenceSeqNo = Dec(_SwapEndian($MFTReferenceSeqNo),2) 830 | If $MFTReferenceSeqNo = 0 Then 831 | If $ScanMode < 1 Then Return SetError(2,0,0) 832 | If $TextInformation = "" Then $TextInformation &= ";MftRef" 833 | $TextInformation &= ";MftRefSeqNo" 834 | EndIf 835 | If $TextInformation = ";MftRef" Then $TextInformation &= ";MftRefSeqNo" 836 | $IndexEntryLength = StringMid($InputData,$LocalOffset+16,4) 837 | $IndexEntryLength = Dec(_SwapEndian($IndexEntryLength),2) 838 | If ($IndexEntryLength = 0) Or ($IndexEntryLength = 0xFFFF) Then 839 | If $ScanMode < 2 Then Return SetError(3,0,0) 840 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo" 841 | $TextInformation &= ";IndexEntryLength" 842 | EndIf 843 | $OffsetToFileName = StringMid($InputData,$LocalOffset+20,4) 844 | $OffsetToFileName = Dec(_SwapEndian($OffsetToFileName),2) 845 | If ($OffsetToFileName = 0) Or ($OffsetToFileName = 0xFFFF) Then 846 | If $ScanMode < 2 Then Return SetError(4,0,0) 847 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength" 848 | $TextInformation &= ";OffsetToFileName" 849 | EndIf 850 | 851 | $IndexFlags = StringMid($InputData,$LocalOffset+24,4) 852 | $IndexFlags = Dec(_SwapEndian($IndexFlags),2) 853 | If $IndexFlags > 2 Then 854 | If $ScanMode < 3 Then Return SetError(5,0,0) 855 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName" 856 | $TextInformation &= ";IndexFlags" 857 | EndIf 858 | 859 | $Padding = StringMid($InputData,$LocalOffset+28,4) 860 | If $Padding <> "0000" Then 861 | If $ScanMode < 4 Then Return 
SetError(6,0,0) 862 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags" 863 | $TextInformation &= ";Padding" 864 | EndIf 865 | $MFTReferenceOfParent = StringMid($InputData,$LocalOffset+32,12) 866 | $MFTReferenceOfParent = Dec(_SwapEndian($MFTReferenceOfParent),2) 867 | If $MFTReferenceOfParent < 5 Then 868 | If $ScanMode < 5 Then Return SetError(7,0,0) 869 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding" 870 | $TextInformation &= ";MFTReferenceOfParent" 871 | EndIf 872 | $MFTReferenceOfParentSeqNo = StringMid($InputData,$LocalOffset+44,4) 873 | $MFTReferenceOfParentSeqNo = Dec(_SwapEndian($MFTReferenceOfParentSeqNo),2) 874 | If $MFTReferenceOfParentSeqNo = 0 Then 875 | If $ScanMode < 5 Then Return SetError(8,0,0) 876 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding" 877 | $TextInformation &= ";MFTReferenceOfParentSeqNo" 878 | EndIf 879 | ;CTime 880 | $Indx_CTime = StringMid($InputData, $LocalOffset + 48, 16) 881 | $Indx_CTime = _SwapEndian($Indx_CTime) 882 | If $ExtendedTimestampCheck Then 883 | $CTime_TimestampTmp = Dec($Indx_CTime,2) 884 | If $CTime_TimestampTmp < $TSCheckLow Or $CTime_TimestampTmp > $TSCheckHigh Then ;14 oktober 1957 - 31 mai 2043 885 | If $ScanMode < 6 Then Return SetError(9,0,0) 886 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding;MFTReferenceOfParent;MFTReferenceOfParentSeqNo" 887 | $TextInformation &= ";CTime" 888 | EndIf 889 | EndIf 890 | $Indx_CTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_CTime) 891 | $Indx_CTime = _WinTime_UTCFileTimeFormat(Dec($Indx_CTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 892 | If @error Then 893 | $Indx_CTime = $TimestampErrorVal 894 | ElseIf $TimestampPrecision = 2 Then 895 | ;$Indx_CTime_Core 
= StringMid($Indx_CTime,1,StringLen($Indx_CTime)-4) 896 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,3) 897 | ElseIf $TimestampPrecision = 3 Then 898 | $Indx_CTime = $Indx_CTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_CTime_tmp, 4)) 899 | ;$Indx_CTime_Core = StringMid($Indx_CTime,1,StringLen($Indx_CTime)-9) 900 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,8) 901 | Else 902 | ;$Indx_CTime_Core = $Indx_CTime 903 | EndIf 904 | If $Indx_CTime = $TimestampErrorVal Then 905 | If $ScanMode < 6 Then Return SetError(10,0,0) 906 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding;MFTReferenceOfParent;MFTReferenceOfParentSeqNo" 907 | $TextInformation &= ";CTime" 908 | EndIf 909 | ;ATime 910 | $Indx_ATime = StringMid($InputData, $LocalOffset + 64, 16) 911 | $Indx_ATime = _SwapEndian($Indx_ATime) 912 | If $ExtendedTimestampCheck Then 913 | $ATime_TimestampTmp = Dec($Indx_ATime,2) 914 | If $ATime_TimestampTmp < $TSCheckLow Or $ATime_TimestampTmp > $TSCheckHigh Then ;14 oktober 1957 - 31 mai 2043 915 | If $ScanMode < 7 Then Return SetError(11,0,0) 916 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding;MFTReferenceOfParent;MFTReferenceOfParentSeqNo;CTime" 917 | $TextInformation &= ";ATime" 918 | EndIf 919 | EndIf 920 | $Indx_ATime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_ATime) 921 | $Indx_ATime = _WinTime_UTCFileTimeFormat(Dec($Indx_ATime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 922 | If @error Then 923 | $Indx_ATime = $TimestampErrorVal 924 | ElseIf $TimestampPrecision = 2 Then 925 | ;$Indx_ATime_Core = StringMid($Indx_ATime,1,StringLen($Indx_ATime)-4) 926 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,3) 927 | ElseIf $TimestampPrecision = 3 Then 928 | $Indx_ATime = $Indx_ATime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_ATime_tmp, 4)) 929 | ;$Indx_ATime_Core = 
StringMid($Indx_ATime,1,StringLen($Indx_ATime)-9) 930 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,8) 931 | Else 932 | ;$Indx_ATime_Core = $Indx_ATime 933 | EndIf 934 | If $Indx_ATime = $TimestampErrorVal Then 935 | If $ScanMode < 7 Then Return SetError(12,0,0) 936 | If $TextInformation = "" Then $TextInformation &= ";MftRef;MftRefSeqNo;IndexEntryLength;OffsetToFileName;IndexFlags;Padding;MFTReferenceOfParent;MFTReferenceOfParentSeqNo;CTime" 937 | $TextInformation &= ";ATime" 938 | EndIf 939 | ;MTime 940 | $Indx_MTime = StringMid($InputData, $LocalOffset + 80, 16) 941 | $Indx_MTime = _SwapEndian($Indx_MTime) 942 | If $ExtendedTimestampCheck Then 943 | $MTime_TimestampTmp = Dec($Indx_MTime,2) 944 | If $MTime_TimestampTmp < $TSCheckLow Or $MTime_TimestampTmp > $TSCheckHigh Then ;14 oktober 1957 - 31 mai 2043 945 | If $ScanMode < 8 Then Return SetError(13,0,0) 946 | $TextInformation &= ";MTime" 947 | EndIf 948 | EndIf 949 | $Indx_MTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_MTime) 950 | $Indx_MTime = _WinTime_UTCFileTimeFormat(Dec($Indx_MTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 951 | If @error Then 952 | $Indx_MTime = $TimestampErrorVal 953 | ElseIf $TimestampPrecision = 2 Then 954 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-4) 955 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,3) 956 | ElseIf $TimestampPrecision = 3 Then 957 | $Indx_MTime = $Indx_MTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_MTime_tmp, 4)) 958 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-9) 959 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,8) 960 | Else 961 | ;$Indx_MTime_Core = $Indx_MTime 962 | EndIf 963 | If $Indx_MTime = $TimestampErrorVal Then 964 | If $ScanMode < 8 Then Return SetError(14,0,0) 965 | $TextInformation &= ";MTime" 966 | EndIf 967 | ;RTime 968 | $Indx_RTime = StringMid($InputData, $LocalOffset + 96, 16) 969 | $Indx_RTime = _SwapEndian($Indx_RTime) 970 | If 
$ExtendedTimestampCheck Then 971 | $RTime_TimestampTmp = Dec($Indx_RTime,2) 972 | If $RTime_TimestampTmp < $TSCheckLow Or $RTime_TimestampTmp > $TSCheckHigh Then ;14 oktober 1957 - 31 mai 2043 973 | If $ScanMode < 9 Then Return SetError(15,0,0) 974 | $TextInformation &= ";RTime" 975 | EndIf 976 | EndIf 977 | $Indx_RTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_RTime) 978 | $Indx_RTime = _WinTime_UTCFileTimeFormat(Dec($Indx_RTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 979 | If @error Then 980 | $Indx_RTime = $TimestampErrorVal 981 | ElseIf $TimestampPrecision = 2 Then 982 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-4) 983 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,3) 984 | ElseIf $TimestampPrecision = 3 Then 985 | $Indx_RTime = $Indx_RTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_RTime_tmp, 4)) 986 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-9) 987 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,8) 988 | Else 989 | ;$Indx_RTime_Core = $Indx_RTime 990 | EndIf 991 | If $Indx_RTime = $TimestampErrorVal Then 992 | If $ScanMode < 9 Then Return SetError(16,0,0) 993 | $TextInformation &= ";RTime" 994 | EndIf 995 | ; 996 | $Indx_AllocSize = StringMid($InputData,$LocalOffset+112,16) 997 | $Indx_AllocSize = Dec(_SwapEndian($Indx_AllocSize),2) 998 | If $Indx_AllocSize > 281474976710655 Then ;0xFFFFFFFFFFFF 999 | If $ScanMode < 10 Then Return SetError(17,0,0) 1000 | $TextInformation &= ";AllocSize" 1001 | EndIf 1002 | If $Indx_AllocSize > 0 And Mod($Indx_AllocSize,8) Then 1003 | If $ScanMode < 10 Then Return SetError(17,0,0) 1004 | $TextInformation &= ";AllocSize" 1005 | EndIf 1006 | $Indx_RealSize = StringMid($InputData,$LocalOffset+128,16) 1007 | $Indx_RealSize = Dec(_SwapEndian($Indx_RealSize),2) 1008 | If $Indx_RealSize > 281474976710655 Then ;0xFFFFFFFFFFFF 1009 | If $ScanMode < 11 Then Return SetError(18,0,0) 1010 | $TextInformation &= ";RealSize" 1011 | EndIf 1012 | If 
$Indx_RealSize > $Indx_AllocSize Then 1013 | If $ScanMode < 11 Then Return SetError(18,0,0) 1014 | $TextInformation &= ";RealSize" 1015 | EndIf 1016 | #cs 1017 | $Indx_File_Flags = StringMid($InputData,$LocalOffset+144,8) 1018 | $Indx_File_Flags = _SwapEndian($Indx_File_Flags) 1019 | $Indx_File_Flags = _File_Attributes("0x" & $Indx_File_Flags) 1020 | $Indx_ReparseTag = StringMid($InputData,$LocalOffset+152,8) 1021 | $Indx_ReparseTag = _SwapEndian($Indx_ReparseTag) 1022 | $Indx_ReparseTag = _GetReparseType("0x"&$Indx_ReparseTag) 1023 | If StringInStr($Indx_ReparseTag,"UNKNOWN") Then 1024 | If $ScanMode < 13 Then Return SetError(19,0,0) 1025 | $TextInformation &= ";ReparseTag" 1026 | EndIf 1027 | #ce 1028 | ;----------------------------------------------- 1029 | $Indx_File_Flags = StringMid($InputData,$LocalOffset+144,8) 1030 | $Indx_File_Flags = _SwapEndian($Indx_File_Flags) 1031 | 1032 | If BitAND("0x" & $Indx_File_Flags, 0x40000) Then 1033 | $DoReparseTag=0 1034 | $DoEaSize=1 1035 | Else 1036 | $DoReparseTag=1 1037 | $DoEaSize=0 1038 | EndIf 1039 | $Indx_File_Flags = _File_Attributes("0x" & $Indx_File_Flags) 1040 | 1041 | Select 1042 | Case $DoReparseTag 1043 | $Indx_EaSize = "" 1044 | $Indx_ReparseTag = StringMid($InputData,$LocalOffset+152,8) 1045 | $Indx_ReparseTag = _SwapEndian($Indx_ReparseTag) 1046 | $Indx_ReparseTag = _GetReparseType("0x"&$Indx_ReparseTag) 1047 | If StringInStr($Indx_ReparseTag,"UNKNOWN") Then 1048 | If $ScanMode < 13 Then Return SetError(19,0,0) 1049 | $TextInformation &= ";ReparseTag" 1050 | EndIf 1051 | Case $DoEaSize 1052 | $Indx_ReparseTag = "" 1053 | $Indx_EaSize = StringMid($InputData,$LocalOffset+152,8) 1054 | $Indx_EaSize = Dec(_SwapEndian($Indx_EaSize),2) 1055 | If $Indx_EaSize < 8 Then 1056 | If $ScanMode < 13 Then Return SetError(19,0,0) 1057 | $TextInformation &= ";EaSize" 1058 | EndIf 1059 | EndSelect 1060 | ;-------------------------------------------- 1061 | $Indx_NameLength = StringMid($InputData,$LocalOffset+160,2) 1062 | 
$Indx_NameLength = Dec($Indx_NameLength) 1063 | If $Indx_NameLength = 0 Then 1064 | If $ScanMode < 14 Then Return SetError(20,0,0) 1065 | $TextInformation &= ";NameLength" 1066 | EndIf 1067 | $Indx_NameSpace = StringMid($InputData,$LocalOffset+162,2) 1068 | Select 1069 | Case $Indx_NameSpace = "00" ;POSIX 1070 | $Indx_NameSpace = "POSIX" 1071 | Case $Indx_NameSpace = "01" ;WIN32 1072 | $Indx_NameSpace = "WIN32" 1073 | Case $Indx_NameSpace = "02" ;DOS 1074 | $Indx_NameSpace = "DOS" 1075 | Case $Indx_NameSpace = "03" ;DOS+WIN32 1076 | $Indx_NameSpace = "DOS+WIN32" 1077 | Case Else 1078 | $Indx_NameSpace = "Unknown" 1079 | EndSelect 1080 | If $Indx_NameSpace = "Unknown" Then 1081 | If $ScanMode < 14 Then Return SetError(21,0,0) 1082 | $TextInformation &= ";NameSpace" 1083 | EndIf 1084 | 1085 | $Indx_FileName = StringMid($InputData,165,$Indx_NameLength*4) 1086 | $NameTest = 1 1087 | Select 1088 | Case $ExtendedNameCheckAll 1089 | ; _DumpOutput("$ExtendedNameCheckAll: " & $ExtendedNameCheckAll & @CRLF) 1090 | $NameTest = _ValidateCharacterAndWindowsFileName($Indx_FileName) 1091 | Case $ExtendedNameCheckChar 1092 | ; _DumpOutput("$ExtendedNameCheckChar: " & $ExtendedNameCheckChar & @CRLF) 1093 | $NameTest = _ValidateCharacter($Indx_FileName) 1094 | Case $ExtendedNameCheckWindows 1095 | ; _DumpOutput("$ExtendedNameCheckWindows: " & $ExtendedNameCheckWindows & @CRLF) 1096 | $NameTest = _ValidateWindowsFileName($Indx_FileName) 1097 | EndSelect 1098 | If Not $NameTest Then 1099 | If $ScanMode < 15 Then Return SetError(22,0,0) 1100 | $TextInformation &= ";FileName" 1101 | EndIf 1102 | $Indx_FileName = BinaryToString("0x"&$Indx_FileName,2) 1103 | If @error Or $Indx_FileName = "" Then 1104 | If $ScanMode < 15 Then Return SetError(23,0,0) 1105 | $TextInformation &= ";FileName" 1106 | EndIf 1107 | 1108 | If $VerifyFragment Then 1109 | $RebuiltFragment = "0x" & StringMid($InputData,1,164+($Indx_NameLength*4)) 1110 | ;ConsoleWrite(_HexEncode($RebuiltFragment) & @CRLF) 1111 | 
_WriteOutputFragment() 1112 | If @error Then 1113 | If Not $CommandlineMode Then 1114 | _DisplayInfo("Output fragment was verified but could not be written to: " & $ParserOutDir & "\" & $OutFragmentName & @CRLF) 1115 | Return SetError(1) 1116 | Else 1117 | _DumpOutput("Output fragment was verified but could not be written to: " & $ParserOutDir & "\" & $OutFragmentName & @CRLF) 1118 | Exit(4) 1119 | EndIf 1120 | Else 1121 | ConsoleWrite("Output fragment verified and written to: " & $ParserOutDir & "\" & $OutFragmentName & @CRLF) 1122 | EndIf 1123 | EndIf 1124 | Local $TextString="" 1125 | If Not $DoDefaultAll Then 1126 | $TextString &= " IndxLastLsn:" & $IndxLastLsn 1127 | $TextString &= " IndexFlags:" & $IndexFlags 1128 | $TextString &= " MftRefOfParent:" & $MFTReferenceOfParent 1129 | $TextString &= " MftRefOfParentSeqNo:" & $MFTReferenceOfParentSeqNo 1130 | $TextString &= " AllocSize:" & $Indx_AllocSize 1131 | $TextString &= " RealSize:" & $Indx_RealSize 1132 | $TextString &= " File_Flags:" & $Indx_File_Flags 1133 | $TextString &= " ReparseTag:" & $Indx_ReparseTag 1134 | $TextString &= " EaSize:" & $Indx_EaSize 1135 | If $TextInformation <> "" Then 1136 | $TextString &= " CorruptEntries:" & $TextInformation 1137 | EndIf 1138 | EndIf 1139 | 1140 | If $WithQuotes Then 1141 | Select 1142 | Case $DoDefaultAll 1143 | FileWriteLine($IndxEntriesI30CsvFile, '"'&$RecordOffset&'"' & $de & '"'&$IndxCurrentVcn&'"' & $de & '"'&$IsNotLeafNode&'"' & $de & '"'&$IndxLastLsn&'"' & $de & '"'&1&'"' & $de & '"'&$Indx_FileName&'"' & $de & '"'&$MFTReference&'"' & $de & '"'&$MFTReferenceSeqNo&'"' & $de & '"'&$IndexFlags&'"' & $de & '"'&$MFTReferenceOfParent&'"' & $de & '"'&$MFTReferenceOfParentSeqNo&'"' & $de & '"'&$Indx_CTime&'"' & $de & '"'&$Indx_ATime&'"' & $de & '"'&$Indx_MTime&'"' & $de & '"'&$Indx_RTime&'"' & $de & '"'&$Indx_AllocSize&'"' & $de & '"'&$Indx_RealSize&'"' & $de & '"'&$Indx_File_Flags&'"' & $de & '"'&$Indx_ReparseTag&'"' & $de & '"'&$Indx_EaSize&'"' & $de & 
'"'&$Indx_NameSpace&'"' & $de & '"'&$SubNodeVCN&'"' & $de & '"'&$TextInformation&'"' & @crlf) 1144 | Case $Dol2t 1145 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_CTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"C"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1146 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_ATime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"A"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1147 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_MTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"M"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1148 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_RTime,$CharsToGrabDate) &'"' & $de & '"'& 
StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"R"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1149 | Case $DoBodyfile 1150 | FileWriteLine($IndxEntriesI30CsvFile, '""' & $de & '"'& "I30" &'"' & $de & '"'&$MFTReference&'"' & $de & '"'& "Offset:"&$RecordOffset&" Slack:" & 1 & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_ATime &'"' & $de & '"'& $Indx_MTime &'"' & $de & '"'& $Indx_CTime &'"' & $de & '"'& $Indx_RTime &'"' & @CRLF) 1151 | EndSelect 1152 | Else 1153 | Select 1154 | Case $DoDefaultAll 1155 | FileWriteLine($IndxEntriesI30CsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & 1 & $de & $Indx_FileName & $de & $MFTReference & $de & $MFTReferenceSeqNo & $de & $IndexFlags & $de & $MFTReferenceOfParent & $de & $MFTReferenceOfParentSeqNo & $de & $Indx_CTime & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_RTime & $de & $Indx_AllocSize & $de & $Indx_RealSize & $de & $Indx_File_Flags & $de & $Indx_ReparseTag & $de & $Indx_EaSize & $de & $Indx_NameSpace & $de & $SubNodeVCN & $de & $TextInformation & @crlf) 1156 | Case $Dol2t 1157 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_CTime,$CharsToGrabDate) & $de & StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "C" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" 
MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1158 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_ATime,$CharsToGrabDate) & $de & StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "A" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1159 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_MTime,$CharsToGrabDate) & $de & StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "M" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1160 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_RTime,$CharsToGrabDate) & $de & StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "R" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & 1 & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1161 | Case $DoBodyfile 1162 | FileWriteLine($IndxEntriesI30CsvFile, "" & $de & "I30" & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & 1 & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & $de & "" & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_CTime & $de & $Indx_RTime & @CRLF) 1163 | EndSelect 1164 | EndIf 1165 | 1166 | Return 1 1167 | EndFunc 1168 | 1169 | Func _WriteCSVHeaderIndxEntries() 1170 
	; Writes the column header line for the selected output format to
	; $IndxEntriesI30CsvFile. Column order must match the FileWriteLine calls
	; in _NormalModeI30DecodeEntry (23 columns for the default format, 17 for
	; log2timeline, 11 for bodyfile). $a is the per-field quote character
	; ('"' when $WithQuotes, otherwise empty) and $de the field separator.
	; If none of $DoDefaultAll, $Dol2t or $DoBodyfile is set, $Indx_Csv_Header
	; is never assigned and only an empty line is written (presumably the
	; caller always sets one of them - confirm).
	Local $a
	If $WithQuotes Then
		$a = '"'
	Else
		$a = ""
	EndIf
	If $DoDefaultAll Then
		$Indx_Csv_Header = $a&"Offset"&$a&$de&$a&"Vcn"&$a&$de&$a&"IsNotLeaf"&$a&$de&$a&"LastLsn"&$a&$de&$a&"FromIndxSlack"&$a&$de&$a&"FileName"&$a&$de&$a&"MFTReference"&$a&$de&$a&"MFTReferenceSeqNo"&$a&$de&$a&"IndexFlags"&$a&$de&$a&"MFTParentReference"&$a&$de&$a&"MFTParentReferenceSeqNo"&$a&$de&$a&"CTime"&$a&$de&$a&"ATime"&$a&$de&$a&"MTime"&$a&$de&$a&"RTime"&$a&$de&$a&"AllocSize"&$a&$de&$a&"RealSize"&$a&$de&$a&"FileFlags"&$a&$de&$a&"ReparseTag"&$a&$de&$a&"EaSize"&$a&$de&$a&"NameSpace"&$a&$de&$a&"SubNodeVCN"&$a&$de&$a&"CorruptEntries"&$a
	ElseIf $Dol2t Then
		$Indx_Csv_Header = $a&"Date"&$a&$de&$a&"Time"&$a&$de&$a&"Timezone"&$a&$de&$a&"MACB"&$a&$de&$a&"Source"&$a&$de&$a&"SourceType"&$a&$de&$a&"Type"&$a&$de&$a&"User"&$a&$de&$a&"Host"&$a&$de&$a&"Short"&$a&$de&$a&"Desc"&$a&$de&$a&"Version"&$a&$de&$a&"Filename"&$a&$de&$a&"Inode"&$a&$de&$a&"Notes"&$a&$de&$a&"Format"&$a&$de&$a&"Extra"&$a
	ElseIf $DoBodyfile Then
		; Bodyfile: the writer puts its "Offset:... FileName:..." text into
		; mode_as_string and leaves MD5, UID, GID and size empty.
		$Indx_Csv_Header = $a&"MD5"&$a&$de&$a&"name"&$a&$de&$a&"inode"&$a&$de&$a&"mode_as_string"&$a&$de&$a&"UID"&$a&$de&$a&"GID"&$a&$de&$a&"size"&$a&$de&$a&"atime"&$a&$de&$a&"mtime"&$a&$de&$a&"ctime"&$a&$de&$a&"crtime"&$a
	EndIf
	FileWriteLine($IndxEntriesI30CsvFile, $Indx_Csv_Header & @CRLF)
EndFunc

Func _ParseCoreValidData($InputData,$FirstEntryOffset)
	Local $LocalOffset = 1, $SubNodeVCN, $EntryCounter=0
	$TextInformation=""
	; $IndxLastLsn = -1
	; ConsoleWrite("_ParseCoreData():" & @crlf)
	; ConsoleWrite(_HexEncode("0x"&$InputData) & @crlf)
	$SizeofIndxRecord = StringLen($InputData)
	While 1
		$RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($LocalOffset-1)/2) + $FirstEntryOffset))
		$MFTReference = StringMid($InputData,$LocalOffset,12)
		$MFTReference = Dec(_SwapEndian($MFTReference),2)
		$MFTReferenceSeqNo =
StringMid($InputData,$LocalOffset+12,4) 1198 | $MFTReferenceSeqNo = Dec(_SwapEndian($MFTReferenceSeqNo),2) 1199 | $IndexEntryLength = StringMid($InputData,$LocalOffset+16,4) 1200 | $IndexEntryLength = Dec(_SwapEndian($IndexEntryLength),2) 1201 | $OffsetToFileName = StringMid($InputData,$LocalOffset+20,4) 1202 | $OffsetToFileName = Dec(_SwapEndian($OffsetToFileName),2) 1203 | $IndexFlags = StringMid($InputData,$LocalOffset+24,4) 1204 | $IndexFlags = Dec(_SwapEndian($IndexFlags),2) 1205 | ;$Padding = StringMid($InputData,$LocalOffset+28,4) 1206 | $MFTReferenceOfParent = StringMid($InputData,$LocalOffset+32,12) 1207 | $MFTReferenceOfParent = Dec(_SwapEndian($MFTReferenceOfParent),2) 1208 | $MFTReferenceOfParentSeqNo = StringMid($InputData,$LocalOffset+44,4) 1209 | $MFTReferenceOfParentSeqNo = Dec(_SwapEndian($MFTReferenceOfParentSeqNo),2) 1210 | 1211 | $Indx_CTime = StringMid($InputData, $LocalOffset + 48, 16) 1212 | $Indx_CTime = _SwapEndian($Indx_CTime) 1213 | $Indx_CTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_CTime) 1214 | $Indx_CTime = _WinTime_UTCFileTimeFormat(Dec($Indx_CTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1215 | If @error Then 1216 | $Indx_CTime = $TimestampErrorVal 1217 | ElseIf $TimestampPrecision = 2 Then 1218 | ;$Indx_CTime_Core = StringMid($Indx_CTime,1,StringLen($Indx_CTime)-4) 1219 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,3) 1220 | ElseIf $TimestampPrecision = 3 Then 1221 | $Indx_CTime = $Indx_CTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_CTime_tmp, 4)) 1222 | ;$Indx_CTime_Core = StringMid($Indx_CTime,1,StringLen($Indx_CTime)-9) 1223 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,8) 1224 | Else 1225 | ;$Indx_CTime_Core = $Indx_CTime 1226 | EndIf 1227 | ; 1228 | $Indx_ATime = StringMid($InputData, $LocalOffset + 64, 16) 1229 | $Indx_ATime = _SwapEndian($Indx_ATime) 1230 | $Indx_ATime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_ATime) 1231 | $Indx_ATime = 
_WinTime_UTCFileTimeFormat(Dec($Indx_ATime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1232 | If @error Then 1233 | $Indx_ATime = $TimestampErrorVal 1234 | ElseIf $TimestampPrecision = 2 Then 1235 | ;$Indx_ATime_Core = StringMid($Indx_ATime,1,StringLen($Indx_ATime)-4) 1236 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,3) 1237 | ElseIf $TimestampPrecision = 3 Then 1238 | $Indx_ATime = $Indx_ATime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_ATime_tmp, 4)) 1239 | ;$Indx_ATime_Core = StringMid($Indx_ATime,1,StringLen($Indx_ATime)-9) 1240 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,8) 1241 | Else 1242 | ;$Indx_ATime_Core = $Indx_ATime 1243 | EndIf 1244 | ; 1245 | $Indx_MTime = StringMid($InputData, $LocalOffset + 80, 16) 1246 | $Indx_MTime = _SwapEndian($Indx_MTime) 1247 | $Indx_MTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_MTime) 1248 | $Indx_MTime = _WinTime_UTCFileTimeFormat(Dec($Indx_MTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1249 | If @error Then 1250 | $Indx_MTime = $TimestampErrorVal 1251 | ElseIf $TimestampPrecision = 2 Then 1252 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-4) 1253 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,3) 1254 | ElseIf $TimestampPrecision = 3 Then 1255 | $Indx_MTime = $Indx_MTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_MTime_tmp, 4)) 1256 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-9) 1257 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,8) 1258 | Else 1259 | ;$Indx_MTime_Core = $Indx_MTime 1260 | EndIf 1261 | ; 1262 | $Indx_RTime = StringMid($InputData, $LocalOffset + 96, 16) 1263 | $Indx_RTime = _SwapEndian($Indx_RTime) 1264 | $Indx_RTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_RTime) 1265 | $Indx_RTime = _WinTime_UTCFileTimeFormat(Dec($Indx_RTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1266 | If @error Then 1267 | $Indx_RTime = $TimestampErrorVal 1268 | ElseIf $TimestampPrecision = 
2 Then 1269 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-4) 1270 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,3) 1271 | ElseIf $TimestampPrecision = 3 Then 1272 | $Indx_RTime = $Indx_RTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_RTime_tmp, 4)) 1273 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-9) 1274 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,8) 1275 | Else 1276 | ;$Indx_RTime_Core = $Indx_RTime 1277 | EndIf 1278 | ; 1279 | $Indx_AllocSize = StringMid($InputData,$LocalOffset+112,16) 1280 | $Indx_AllocSize = Dec(_SwapEndian($Indx_AllocSize),2) 1281 | $Indx_RealSize = StringMid($InputData,$LocalOffset+128,16) 1282 | $Indx_RealSize = Dec(_SwapEndian($Indx_RealSize),2) 1283 | $Indx_File_Flags = StringMid($InputData,$LocalOffset+144,8) 1284 | $Indx_File_Flags = _SwapEndian($Indx_File_Flags) 1285 | 1286 | If BitAND("0x" & $Indx_File_Flags, 0x40000) Then 1287 | $DoReparseTag=0 1288 | $DoEaSize=1 1289 | Else 1290 | $DoReparseTag=1 1291 | $DoEaSize=0 1292 | EndIf 1293 | $Indx_File_Flags = _File_Attributes("0x" & $Indx_File_Flags) 1294 | 1295 | Select 1296 | Case $DoReparseTag 1297 | $Indx_EaSize = "" 1298 | $Indx_ReparseTag = StringMid($InputData,$LocalOffset+152,8) 1299 | $Indx_ReparseTag = _SwapEndian($Indx_ReparseTag) 1300 | $Indx_ReparseTag = _GetReparseType("0x"&$Indx_ReparseTag) 1301 | ;If StringInStr($Indx_ReparseTag,"UNKNOWN") Then Return SetError(19,0,0) 1302 | Case $DoEaSize 1303 | $Indx_ReparseTag = "" 1304 | $Indx_EaSize = StringMid($InputData,$LocalOffset+152,8) 1305 | $Indx_EaSize = Dec(_SwapEndian($Indx_EaSize),2) 1306 | ;If $Indx_EaSize < 8 Then Return SetError(19,0,0) 1307 | EndSelect 1308 | $Indx_NameLength = StringMid($InputData,$LocalOffset+160,2) 1309 | $Indx_NameLength = Dec($Indx_NameLength) 1310 | $Indx_NameSpace = StringMid($InputData,$LocalOffset+162,2) 1311 | Select 1312 | Case $Indx_NameSpace = "00" ;POSIX 1313 | $Indx_NameSpace = "POSIX" 1314 | Case $Indx_NameSpace = "01" 
;WIN32 1315 | $Indx_NameSpace = "WIN32" 1316 | Case $Indx_NameSpace = "02" ;DOS 1317 | $Indx_NameSpace = "DOS" 1318 | Case $Indx_NameSpace = "03" ;DOS+WIN32 1319 | $Indx_NameSpace = "DOS+WIN32" 1320 | Case Else 1321 | $Indx_NameSpace = "Unknown" 1322 | EndSelect 1323 | $Indx_FileName = StringMid($InputData,$LocalOffset+164,$Indx_NameLength*4) 1324 | $Indx_FileName = BinaryToString("0x"&$Indx_FileName,2) 1325 | 1326 | If $LocalOffset > 180 And $EntryCounter = 0 Then 1327 | ;This INDX is most likely not $I30. 1328 | Return 0 1329 | EndIf 1330 | 1331 | If $LocalOffset >= $SizeofIndxRecord Then 1332 | Return $EntryCounter 1333 | EndIf 1334 | 1335 | If $MFTReferenceSeqNo > 0 And $MFTReferenceOfParent > 4 And $Indx_NameLength > 0 Then 1336 | If $MFTReference > 11 And ($Indx_CTime=$TimestampErrorVal Or $Indx_ATime=$TimestampErrorVal Or $Indx_MTime=$TimestampErrorVal Or $Indx_RTime=$TimestampErrorVal) Then 1337 | Return $EntryCounter 1338 | EndIf 1339 | 1340 | Local $TextString="" 1341 | If Not $DoDefaultAll Then 1342 | $TextString &= " IndxLastLsn:" & $IndxLastLsn 1343 | $TextString &= " IndexFlags:" & $IndexFlags 1344 | $TextString &= " MftRefOfParent:" & $MFTReferenceOfParent 1345 | $TextString &= " MftRefOfParentSeqNo:" & $MFTReferenceOfParentSeqNo 1346 | $TextString &= " AllocSize:" & $Indx_AllocSize 1347 | $TextString &= " RealSize:" & $Indx_RealSize 1348 | $TextString &= " File_Flags:" & $Indx_File_Flags 1349 | $TextString &= " ReparseTag:" & $Indx_ReparseTag 1350 | $TextString &= " EaSize:" & $Indx_EaSize 1351 | EndIf 1352 | 1353 | If $WithQuotes Then 1354 | Select 1355 | Case $DoDefaultAll 1356 | FileWriteLine($IndxEntriesI30CsvFile, '"'&$RecordOffset&'"' & $de & '"'&$IndxCurrentVcn&'"' & $de & '"'&$IsNotLeafNode&'"' & $de & '"'&$IndxLastLsn&'"' & $de & '"'&$FromIndxSlack&'"' & $de & '"'&$Indx_FileName&'"' & $de & '"'&$MFTReference&'"' & $de & '"'&$MFTReferenceSeqNo&'"' & $de & '"'&$IndexFlags&'"' & $de & '"'&$MFTReferenceOfParent&'"' & $de & 
'"'&$MFTReferenceOfParentSeqNo&'"' & $de & '"'&$Indx_CTime&'"' & $de & '"'&$Indx_ATime&'"' & $de & '"'&$Indx_MTime&'"' & $de & '"'&$Indx_RTime&'"' & $de & '"'&$Indx_AllocSize&'"' & $de & '"'&$Indx_RealSize&'"' & $de & '"'&$Indx_File_Flags&'"' & $de & '"'&$Indx_ReparseTag&'"' & $de & '"'&$Indx_EaSize&'"' & $de & '"'&$Indx_NameSpace&'"' & $de & '"'&$SubNodeVCN&'"' & $de & '"'&$TextInformation&'"' & @crlf) 1357 | Case $Dol2t 1358 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_CTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"C"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1359 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_ATime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"A"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1360 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_MTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"M"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' 
& $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1361 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_RTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"R"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1362 | Case $DoBodyfile 1363 | FileWriteLine($IndxEntriesI30CsvFile, '""' & $de & '"'& "I30" &'"' & $de & '"'&$MFTReference&'"' & $de & '"'& "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_ATime &'"' & $de & '"'& $Indx_MTime &'"' & $de & '"'& $Indx_CTime &'"' & $de & '"'& $Indx_RTime &'"' & @CRLF) 1364 | EndSelect 1365 | Else 1366 | Select 1367 | Case $DoDefaultAll 1368 | FileWriteLine($IndxEntriesI30CsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & $FromIndxSlack & $de & $Indx_FileName & $de & $MFTReference & $de & $MFTReferenceSeqNo & $de & $IndexFlags & $de & $MFTReferenceOfParent & $de & $MFTReferenceOfParentSeqNo & $de & $Indx_CTime & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_RTime & $de & $Indx_AllocSize & $de & $Indx_RealSize & $de & $Indx_File_Flags & $de & $Indx_ReparseTag & $de & $Indx_EaSize & $de & $Indx_NameSpace & $de & $SubNodeVCN & $de & $TextInformation & @crlf) 1369 | Case $Dol2t 1370 | FileWriteLine($IndxEntriesI30CsvFile, 
StringLeft($Indx_CTime,$CharsToGrabDate) & $de & StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "C" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1371 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_ATime,$CharsToGrabDate) & $de & StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "A" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1372 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_MTime,$CharsToGrabDate) & $de & StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "M" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1373 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_RTime,$CharsToGrabDate) & $de & StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "R" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1374 | Case $DoBodyfile 1375 | FileWriteLine($IndxEntriesI30CsvFile, "" & $de & "I30" & $de & 
$MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & $de & "" & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_CTime & $de & $Indx_RTime & @CRLF) 1376 | EndSelect 1377 | EndIf 1378 | $LocalOffset += $IndexEntryLength*2 1379 | $EntryCounter+=1 1380 | _ClearVar() 1381 | ContinueLoop 1382 | Else 1383 | ;ConsoleWrite("Error: Validation of entry failed." & @CRLF) 1384 | Return $EntryCounter 1385 | EndIf 1386 | _ClearVar() 1387 | WEnd 1388 | EndFunc 1389 | 1390 | Func _ParseCoreSlackSpace($InputData,$SkeewedOffset) 1391 | Local $LocalOffset = 1, $SubNodeVCN, $EntryCounter=0, $AllTimestampsValid=1 1392 | $TextInformation="" 1393 | $IndxLastLsn = -1 1394 | ; ConsoleWrite("_ParseCoreSlackSpace():" & @crlf) 1395 | ; ConsoleWrite(_HexEncode("0x"&$InputData) & @crlf) 1396 | $SizeofIndxRecord = StringLen($InputData) 1397 | While 1 1398 | $FileNameHealthy=0 1399 | $RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($SkeewedOffset+$LocalOffset-1)/2))) 1400 | $MFTReference = StringMid($InputData,$LocalOffset,12) 1401 | $MFTReference = Dec(_SwapEndian($MFTReference),2) 1402 | $MFTReferenceSeqNo = StringMid($InputData,$LocalOffset+12,4) 1403 | $MFTReferenceSeqNo = Dec(_SwapEndian($MFTReferenceSeqNo),2) 1404 | $IndexEntryLength = StringMid($InputData,$LocalOffset+16,4) 1405 | $IndexEntryLength = Dec(_SwapEndian($IndexEntryLength),2) 1406 | $OffsetToFileName = StringMid($InputData,$LocalOffset+20,4) 1407 | $OffsetToFileName = Dec(_SwapEndian($OffsetToFileName),2) 1408 | $IndexFlags = StringMid($InputData,$LocalOffset+24,4) 1409 | $IndexFlags = Dec(_SwapEndian($IndexFlags),2) 1410 | $Padding = StringMid($InputData,$LocalOffset+28,4) 1411 | $MFTReferenceOfParent = StringMid($InputData,$LocalOffset+32,12) 1412 | $MFTReferenceOfParent = Dec(_SwapEndian($MFTReferenceOfParent),2) 1413 | $MFTReferenceOfParentSeqNo = 
StringMid($InputData,$LocalOffset+44,4) 1414 | $MFTReferenceOfParentSeqNo = Dec(_SwapEndian($MFTReferenceOfParentSeqNo),2) 1415 | 1416 | $Indx_CTime = StringMid($InputData, $LocalOffset + 48, 16) 1417 | $Indx_CTime = _SwapEndian($Indx_CTime) 1418 | $CTime_TimestampTmp = Dec($Indx_CTime,2) 1419 | $Indx_CTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_CTime) 1420 | $Indx_CTime = _WinTime_UTCFileTimeFormat(Dec($Indx_CTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1421 | If @error Then 1422 | $Indx_CTime = $TimestampErrorVal 1423 | ElseIf $TimestampPrecision = 2 Then 1424 | ;$Indx_CTime_Core = StringMid($Indx_CTime,1,StringLen($Indx_CTime)-4) 1425 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,3) 1426 | ElseIf $TimestampPrecision = 3 Then 1427 | $Indx_CTime = $Indx_CTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_CTime_tmp, 4)) 1428 | ;$Indx_CTime_Core = StringMid($Indx_CTime,1,StringLen($Indx_CTime)-9) 1429 | ;$Indx_CTime_Precision = StringRight($Indx_CTime,8) 1430 | Else 1431 | ;$Indx_CTime_Core = $Indx_CTime 1432 | EndIf 1433 | ; 1434 | $Indx_ATime = StringMid($InputData, $LocalOffset + 64, 16) 1435 | $Indx_ATime = _SwapEndian($Indx_ATime) 1436 | $ATime_TimestampTmp = Dec($Indx_ATime,2) 1437 | $Indx_ATime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_ATime) 1438 | $Indx_ATime = _WinTime_UTCFileTimeFormat(Dec($Indx_ATime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1439 | If @error Then 1440 | $Indx_ATime = $TimestampErrorVal 1441 | ElseIf $TimestampPrecision = 2 Then 1442 | ;$Indx_ATime_Core = StringMid($Indx_ATime,1,StringLen($Indx_ATime)-4) 1443 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,3) 1444 | ElseIf $TimestampPrecision = 3 Then 1445 | $Indx_ATime = $Indx_ATime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_ATime_tmp, 4)) 1446 | ;$Indx_ATime_Core = StringMid($Indx_ATime,1,StringLen($Indx_ATime)-9) 1447 | ;$Indx_ATime_Precision = StringRight($Indx_ATime,8) 1448 | Else 1449 | ;$Indx_ATime_Core = 
$Indx_ATime 1450 | EndIf 1451 | ; 1452 | $Indx_MTime = StringMid($InputData, $LocalOffset + 80, 16) 1453 | $Indx_MTime = _SwapEndian($Indx_MTime) 1454 | $MTime_TimestampTmp = Dec($Indx_MTime,2) 1455 | $Indx_MTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_MTime) 1456 | $Indx_MTime = _WinTime_UTCFileTimeFormat(Dec($Indx_MTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1457 | If @error Then 1458 | $Indx_MTime = $TimestampErrorVal 1459 | ElseIf $TimestampPrecision = 2 Then 1460 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-4) 1461 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,3) 1462 | ElseIf $TimestampPrecision = 3 Then 1463 | $Indx_MTime = $Indx_MTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_MTime_tmp, 4)) 1464 | ;$Indx_MTime_Core = StringMid($Indx_MTime,1,StringLen($Indx_MTime)-9) 1465 | ;$Indx_MTime_Precision = StringRight($Indx_MTime,8) 1466 | Else 1467 | ;$Indx_MTime_Core = $Indx_MTime 1468 | EndIf 1469 | ; 1470 | $Indx_RTime = StringMid($InputData, $LocalOffset + 96, 16) 1471 | $Indx_RTime = _SwapEndian($Indx_RTime) 1472 | $RTime_TimestampTmp = Dec($Indx_RTime,2) 1473 | $Indx_RTime_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $Indx_RTime) 1474 | $Indx_RTime = _WinTime_UTCFileTimeFormat(Dec($Indx_RTime,2) - $tDelta, $DateTimeFormat, $TimestampPrecision) 1475 | If @error Then 1476 | $Indx_RTime = $TimestampErrorVal 1477 | ElseIf $TimestampPrecision = 2 Then 1478 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-4) 1479 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,3) 1480 | ElseIf $TimestampPrecision = 3 Then 1481 | $Indx_RTime = $Indx_RTime & $PrecisionSeparator2 & _FillZero(StringRight($Indx_RTime_tmp, 4)) 1482 | ;$Indx_RTime_Core = StringMid($Indx_RTime,1,StringLen($Indx_RTime)-9) 1483 | ;$Indx_RTime_Precision = StringRight($Indx_RTime,8) 1484 | Else 1485 | ;$Indx_RTime_Core = $Indx_RTime 1486 | EndIf 1487 | ; 1488 | $Indx_AllocSize = 
StringMid($InputData,$LocalOffset+112,16) 1489 | $Indx_AllocSize = Dec(_SwapEndian($Indx_AllocSize),2) 1490 | $Indx_RealSize = StringMid($InputData,$LocalOffset+128,16) 1491 | $Indx_RealSize = Dec(_SwapEndian($Indx_RealSize),2) 1492 | $Indx_File_Flags = StringMid($InputData,$LocalOffset+144,8) 1493 | $Indx_File_Flags = _SwapEndian($Indx_File_Flags) 1494 | 1495 | If BitAND("0x" & $Indx_File_Flags, 0x40000) Then 1496 | $DoReparseTag=0 1497 | $DoEaSize=1 1498 | Else 1499 | $DoReparseTag=1 1500 | $DoEaSize=0 1501 | EndIf 1502 | $Indx_File_Flags = _File_Attributes("0x" & $Indx_File_Flags) 1503 | 1504 | Select 1505 | Case $DoReparseTag 1506 | $Indx_EaSize = "" 1507 | $Indx_ReparseTag = StringMid($InputData,$LocalOffset+152,8) 1508 | $Indx_ReparseTag = _SwapEndian($Indx_ReparseTag) 1509 | $Indx_ReparseTag = _GetReparseType("0x"&$Indx_ReparseTag) 1510 | ; If StringInStr($Indx_ReparseTag,"UNKNOWN") Then Return SetError(19,0,0) 1511 | Case $DoEaSize 1512 | $Indx_ReparseTag = "" 1513 | $Indx_EaSize = StringMid($InputData,$LocalOffset+152,8) 1514 | $Indx_EaSize = Dec(_SwapEndian($Indx_EaSize),2) 1515 | ; If $Indx_EaSize < 8 Then Return SetError(19,0,0) 1516 | EndSelect 1517 | $Indx_NameLength = StringMid($InputData,$LocalOffset+160,2) 1518 | $Indx_NameLength = Dec($Indx_NameLength) 1519 | $Indx_NameSpace = StringMid($InputData,$LocalOffset+162,2) 1520 | Select 1521 | Case $Indx_NameSpace = "00" ;POSIX 1522 | $Indx_NameSpace = "POSIX" 1523 | Case $Indx_NameSpace = "01" ;WIN32 1524 | $Indx_NameSpace = "WIN32" 1525 | Case $Indx_NameSpace = "02" ;DOS 1526 | $Indx_NameSpace = "DOS" 1527 | Case $Indx_NameSpace = "03" ;DOS+WIN32 1528 | $Indx_NameSpace = "DOS+WIN32" 1529 | Case Else 1530 | $Indx_NameSpace = "Unknown" 1531 | EndSelect 1532 | $Indx_FileNameHex = StringMid($InputData,$LocalOffset+164,$Indx_NameLength*4) 1533 | If $StrictNameCheck Then 1534 | ;If $SkipUnicodeNames Then 1535 | $NameTest = (_ValidateAnsiName($Indx_FileNameHex) And 
_ValidateWindowsFileName($Indx_FileNameHex)) 1536 | Else 1537 | $NameTest = _ValidateWindowsFileName($Indx_FileNameHex) 1538 | EndIf 1539 | If $NameTest Then 1540 | $Indx_FileName = BinaryToString("0x"&$Indx_FileNameHex,2) 1541 | $FileNameHealthy = 1 1542 | Else 1543 | ; ConsoleWrite("Error in filename: " & @CRLF) 1544 | ; ConsoleWrite("$Indx_FileNameHex: " & $Indx_FileNameHex & @CRLF) 1545 | ; ConsoleWrite("$Indx_FileName: " & $Indx_FileName & @CRLF) 1546 | EndIf 1547 | 1548 | If $LocalOffset >= $SizeofIndxRecord Then 1549 | Return $EntryCounter 1550 | EndIf 1551 | 1552 | If $LocalOffset > 800 And $EntryCounter = 0 Then 1553 | ;This INDX is most likely not $I30. 1554 | Return 0 1555 | EndIf 1556 | #cs 1557 | $OffsetToFileName_tmp = $OffsetToFileName 1558 | If Mod($OffsetToFileName_tmp,8) Then 1559 | While 1 1560 | $OffsetToFileName_tmp+=1 1561 | If Mod($OffsetToFileName_tmp,8) = 0 Then ExitLoop 1562 | WEnd 1563 | EndIf 1564 | #ce 1565 | $AllTimestampsValid = 1 1566 | If $ExtendedTimestampCheck Then 1567 | If ($CTime_TimestampTmp < $TSCheckLow Or $CTime_TimestampTmp > $TSCheckHigh) And ($ATime_TimestampTmp < $TSCheckLow Or $ATime_TimestampTmp > $TSCheckHigh) And ($MTime_TimestampTmp < $TSCheckLow Or $MTime_TimestampTmp > $TSCheckHigh) And ($RTime_TimestampTmp < $TSCheckLow Or $RTime_TimestampTmp > $TSCheckHigh) Then 1568 | $AllTimestampsValid = 0 1569 | EndIf 1570 | EndIf 1571 | 1572 | If $AllTimestampsValid And $FileNameHealthy And $Indx_NameLength > 0 And $Indx_CTime<>$TimestampErrorVal And $Indx_ATime<>$TimestampErrorVal And $Indx_MTime<>$TimestampErrorVal And $Indx_RTime<>$TimestampErrorVal And $Indx_NameSpace <> "Unknown" And $Indx_ReparseTag <> "UNKNOWN" And $Indx_AllocSize >= $Indx_RealSize And Mod($Indx_AllocSize,8)=0 Then 1573 | If $MFTReferenceSeqNo = 0 Then $TextInformation &= ";MftRef;MftRefSeqNo" 1574 | If $IndexFlags > 2 Then $TextInformation &= ";IndexFlags" 1575 | If $Padding <> "0000" Then $TextInformation &= ";Padding" 1576 | If 
$MFTReferenceOfParentSeqNo = 0 Then $TextInformation &= ";MftRefOfParent;MftRefOfParentSeqNo" 1577 | If ($DoReparseTag And StringInStr($Indx_ReparseTag,"UNKNOWN")) Then $TextInformation &= ";ReparseTag" 1578 | If ($DoEaSize And $Indx_EaSize < 8) Then $TextInformation &= ";EaSize" 1579 | ;FileWriteLine($IndxEntriesI30CsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & $FromIndxSlack & $de & $Indx_FileName & $de & $MFTReference & $de & $MFTReferenceSeqNo & $de & $IndexFlags & $de & $MFTReferenceOfParent & $de & $MFTReferenceOfParentSeqNo & $de & $Indx_CTime & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_RTime & $de & $Indx_AllocSize & $de & $Indx_RealSize & $de & $Indx_File_Flags & $de & $Indx_ReparseTag & $de & $Indx_EaSize & $de & $Indx_NameSpace & $de & $SubNodeVCN & $de & $TextInformation & @crlf) 1580 | Local $TextString="" 1581 | If Not $DoDefaultAll Then 1582 | $TextString &= " IndxLastLsn:" & $IndxLastLsn 1583 | $TextString &= " IndexFlags:" & $IndexFlags 1584 | $TextString &= " MftRefOfParent:" & $MFTReferenceOfParent 1585 | $TextString &= " MftRefOfParentSeqNo:" & $MFTReferenceOfParentSeqNo 1586 | $TextString &= " AllocSize:" & $Indx_AllocSize 1587 | $TextString &= " RealSize:" & $Indx_RealSize 1588 | $TextString &= " File_Flags:" & $Indx_File_Flags 1589 | $TextString &= " ReparseTag:" & $Indx_ReparseTag 1590 | $TextString &= " EaSize:" & $Indx_EaSize 1591 | If $TextInformation <> "" Then 1592 | $TextString &= " CorruptEntries:" & $TextInformation 1593 | EndIf 1594 | EndIf 1595 | 1596 | If $WithQuotes Then 1597 | Select 1598 | Case $DoDefaultAll 1599 | FileWriteLine($IndxEntriesI30CsvFile, '"'&$RecordOffset&'"' & $de & '"'&$IndxCurrentVcn&'"' & $de & '"'&$IsNotLeafNode&'"' & $de & '"'&$IndxLastLsn&'"' & $de & '"'&$FromIndxSlack&'"' & $de & '"'&$Indx_FileName&'"' & $de & '"'&$MFTReference&'"' & $de & '"'&$MFTReferenceSeqNo&'"' & $de & '"'&$IndexFlags&'"' & $de & '"'&$MFTReferenceOfParent&'"' & $de & 
'"'&$MFTReferenceOfParentSeqNo&'"' & $de & '"'&$Indx_CTime&'"' & $de & '"'&$Indx_ATime&'"' & $de & '"'&$Indx_MTime&'"' & $de & '"'&$Indx_RTime&'"' & $de & '"'&$Indx_AllocSize&'"' & $de & '"'&$Indx_RealSize&'"' & $de & '"'&$Indx_File_Flags&'"' & $de & '"'&$Indx_ReparseTag&'"' & $de & '"'&$Indx_EaSize&'"' & $de & '"'&$Indx_NameSpace&'"' & $de & '"'&$SubNodeVCN&'"' & $de & '"'&$TextInformation&'"' & @crlf) 1600 | Case $Dol2t 1601 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_CTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"C"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1602 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_ATime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"A"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1603 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_MTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"M"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' 
& $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1604 | FileWriteLine($IndxEntriesI30CsvFile, '"'&'"'& StringLeft($Indx_RTime,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"R"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"I30"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_FileName &'"' & $de & '"'&$MFTReference&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 1605 | Case $DoBodyfile 1606 | FileWriteLine($IndxEntriesI30CsvFile, '""' & $de & '"'& "I30" &'"' & $de & '"'&$MFTReference&'"' & $de & '"'& "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& $Indx_ATime &'"' & $de & '"'& $Indx_MTime &'"' & $de & '"'& $Indx_CTime &'"' & $de & '"'& $Indx_RTime &'"' & @CRLF) 1607 | EndSelect 1608 | Else 1609 | Select 1610 | Case $DoDefaultAll 1611 | FileWriteLine($IndxEntriesI30CsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & $FromIndxSlack & $de & $Indx_FileName & $de & $MFTReference & $de & $MFTReferenceSeqNo & $de & $IndexFlags & $de & $MFTReferenceOfParent & $de & $MFTReferenceOfParentSeqNo & $de & $Indx_CTime & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_RTime & $de & $Indx_AllocSize & $de & $Indx_RealSize & $de & $Indx_File_Flags & $de & $Indx_ReparseTag & $de & $Indx_EaSize & $de & $Indx_NameSpace & $de & $SubNodeVCN & $de & $TextInformation & @crlf) 1612 | Case $Dol2t 1613 | FileWriteLine($IndxEntriesI30CsvFile, 
StringLeft($Indx_CTime,$CharsToGrabDate) & $de & StringMid($Indx_CTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "C" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1614 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_ATime,$CharsToGrabDate) & $de & StringMid($Indx_ATime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "A" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1615 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_MTime,$CharsToGrabDate) & $de & StringMid($Indx_MTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "M" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1616 | FileWriteLine($IndxEntriesI30CsvFile, StringLeft($Indx_RTime,$CharsToGrabDate) & $de & StringMid($Indx_RTime,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "R" & $de & "INDX" & $de & "I30" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_FileName & $de & $MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 1617 | Case $DoBodyfile 1618 | FileWriteLine($IndxEntriesI30CsvFile, "" & $de & "I30" & $de & 
$MFTReference & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " FileName:"&$Indx_FileName& " MftRef:"&$MFTReference&" MftRefSeqNo:"&$MFTReferenceSeqNo & $TextString & $de & "" & $de & "" & $de & "" & $de & $Indx_ATime & $de & $Indx_MTime & $de & $Indx_CTime & $de & $Indx_RTime & @CRLF) 1619 | EndSelect 1620 | EndIf 1621 | If $IndexEntryLength = 0 Then $IndexEntryLength = (32+26+$Indx_NameLength)*2 1622 | $LocalOffset += $IndexEntryLength*2 1623 | $EntryCounter+=1 1624 | _ClearVar() 1625 | ContinueLoop 1626 | Else 1627 | #cs 1628 | ConsoleWrite("Error: Validation of entry failed at offset: " & $RecordOffset & @CRLF) 1629 | ConsoleWrite("$Indx_FileName: " & $Indx_FileName & @CRLF) 1630 | ConsoleWrite("$Indx_FileNameHex: " & $Indx_FileNameHex & @CRLF) 1631 | ConsoleWrite("$MFTReferenceSeqNo: " & $MFTReferenceSeqNo & @CRLF) 1632 | ConsoleWrite("$MFTReferenceOfParent: " & $MFTReferenceOfParent & @CRLF) 1633 | ConsoleWrite("$Indx_NameSpace: " & $Indx_NameSpace & @CRLF) 1634 | ConsoleWrite(@CRLF) 1635 | #ce 1636 | $LocalOffset += 2 1637 | EndIf 1638 | _ClearVar() 1639 | WEnd 1640 | EndFunc 1641 | 1642 | Func _ParseIndx($InputData) 1643 | Local $IndxValidationTest=0, $LocalOffset = 3 1644 | 1645 | $IndxHdrMagic = StringMid($InputData,$LocalOffset,8) 1646 | If $IndxHdrMagic <> $INDXsig Then Return 0 1647 | If $DoFixups Then 1648 | $InputData = _ApplyFixupsIndx(StringMid($InputData,3)) 1649 | If $InputData = "" Then 1650 | _DumpOutput("Error: Fixups failed." 
& @CRLF) 1651 | Return 0 1652 | EndIf 1653 | EndIf 1654 | ; $TestData = _ApplyFixupsIndx(StringMid($InputData,3)) 1655 | ; If $TestData <> "" Then $InputData = $TestData 1656 | $IndxLastLsn = Dec(_SwapEndian(StringMid($InputData,$LocalOffset+16,16)),2) 1657 | ; ConsoleWrite("$IndxLastLsn: " & $IndxLastLsn & @crlf) 1658 | ; If $IndxLastLsn = 0 Then 1659 | ; _DumpOutput("Error in $IndxLastLsn: " & $IndxLastLsn & @crlf) 1660 | ; Return 0 1661 | ; EndIf 1662 | 1663 | $IndxCurrentVcn = Dec(_SwapEndian(StringMid($InputData,$LocalOffset+32,16)),2) 1664 | ; ConsoleWrite("$IndxCurrentVcn: " & $IndxCurrentVcn & @crlf) 1665 | ; If $IndxCurrentVcn > 0xFFFFFFFFFF Then 1666 | ; _DumpOutput("Error in $IndxCurrentVcn: " & $IndxCurrentVcn & @crlf) 1667 | ; Return 0 1668 | ; EndIf 1669 | 1670 | $IndxHeaderSize = Dec(_SwapEndian(StringMid($InputData,$LocalOffset+48,8)),2) 1671 | ; ConsoleWrite("$IndxHeaderSize: " & $IndxHeaderSize & @crlf) 1672 | If $IndxHeaderSize = 0 Or Mod($IndxHeaderSize,8) Then 1673 | _DumpOutput("Error in $IndxHeaderSize: " & $IndxHeaderSize & @crlf) 1674 | Return 0 1675 | EndIf 1676 | 1677 | $IndxRealSizeAllEntries = Dec(_SwapEndian(StringMid($InputData,$LocalOffset+56,8)),2) 1678 | ; ConsoleWrite("$IndxRealSizeAllEntries: " & $IndxRealSizeAllEntries & @crlf) 1679 | If $IndxRealSizeAllEntries = 0 Or Mod($IndxRealSizeAllEntries,8) Then 1680 | _DumpOutput("Error in $IndxRecordSize: " & $IndxRealSizeAllEntries & @crlf) 1681 | Return 0 1682 | EndIf 1683 | 1684 | $IndxAllocatedSize = Dec(_SwapEndian(StringMid($InputData,$LocalOffset+64,8)),2) 1685 | ; ConsoleWrite("$IndxAllocatedSize: " & $IndxAllocatedSize & @crlf) 1686 | If $IndxAllocatedSize = 0 Or Mod($IndxAllocatedSize,8) Then 1687 | _DumpOutput("Error in $IndxAllocatedSize: " & $IndxAllocatedSize & @crlf) 1688 | Return 0 1689 | EndIf 1690 | 1691 | $IsNotLeafNode = Dec(StringMid($InputData,$LocalOffset+72,2)) 1692 | If $IsNotLeafNode > 1 Then 1693 | _DumpOutput("Error in $IsNotLeafNode" & @crlf) 1694 | Return 
0 1695 | EndIf 1696 | Local $DetectedEntries = 0 1697 | If Not ((24+$IndxHeaderSize) >= ($IndxRealSizeAllEntries+8)) Then 1698 | $FromIndxSlack = 0 1699 | ;First try normal $I30 1700 | $IndxValidationTest = _ParseCoreValidData(StringMid($InputData,$LocalOffset+48+($IndxHeaderSize*2),($IndxRealSizeAllEntries+8)*2),24+$IndxHeaderSize) 1701 | If $IndxValidationTest Then 1702 | $FromIndxSlack = 1 1703 | $DetectedEntries += $IndxValidationTest 1704 | $IndxValidationTest = _ParseCoreSlackSpace(StringMid($InputData,$LocalOffset+($IndxRealSizeAllEntries+8)*2),($IndxRealSizeAllEntries+8)*2) 1705 | $DetectedEntries += $IndxValidationTest 1706 | Else 1707 | ;Failure for $I30, so we attempt $ObjId:$O 1708 | $IndxValidationTest = _DecodeIndxContentObjIdO(StringMid($InputData,$LocalOffset+48+($IndxHeaderSize*2),($IndxRealSizeAllEntries+8)*2),24+$IndxHeaderSize) 1709 | If $IndxValidationTest Then 1710 | ;If success then try slack for $ObjId:$O 1711 | $FromIndxSlack = 1 1712 | $DetectedEntries += $IndxValidationTest 1713 | $IndxValidationTest = _DecodeSlackIndxContentObjIdO(StringMid($InputData,$LocalOffset+($IndxRealSizeAllEntries+8)*2),($IndxRealSizeAllEntries+8)*2) 1714 | $DetectedEntries += $IndxValidationTest 1715 | Else 1716 | ;Failure for both $I30 and $ObjId:$O, so we attempt $Reparse:$R 1717 | $IndxValidationTest = _Decode_Reparse_R(StringMid($InputData,$LocalOffset+48+($IndxHeaderSize*2),($IndxRealSizeAllEntries+8)*2),24+$IndxHeaderSize) 1718 | $DetectedEntries += $IndxValidationTest 1719 | EndIf 1720 | EndIf 1721 | Else 1722 | ;INDX header indicated all content was slack 1723 | $FromIndxSlack = 1 1724 | ;First try $I30 1725 | $IndxValidationTest = _ParseCoreSlackSpace(StringMid($InputData,$LocalOffset+($IndxRealSizeAllEntries+8)*2),($IndxRealSizeAllEntries+8)*2) 1726 | If Not $IndxValidationTest Then 1727 | ;Failure for $I30, so awe attempt $ObjId:$O 1728 | $DetectedEntries += $IndxValidationTest 1729 | $IndxValidationTest = 
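_DecodeSlackIndxContentObjIdO(StringMid($InputData,$LocalOffset+($IndxRealSizeAllEntries+8)*2),($IndxRealSizeAllEntries+8)*2)
$DetectedEntries += $IndxValidationTest
EndIf
EndIf
Return $DetectedEntries
EndFunc

Func _ApplyFixupsIndx($Entry)
	; Undo the NTFS update-sequence ("fixup") protection of one INDX record.
	; $Entry is the record as a hex string (two characters per byte, no "0x" prefix), which is how the
	; rest of this file passes carved data around.
	; Returns "0x" followed by the repaired hex string, or no value (as before) when the record is corrupt,
	; i.e. when any protected sector does not end with the update sequence number.
	;
	; Header layout relied on: bytes 4-5 = offset of the update sequence array (USA), bytes 6-7 = number
	; of 16-bit USA entries. Entry 0 is the update sequence number (USN) that the driver wrote over the
	; last two bytes of every 512-byte sector; entries 1..n-1 hold the bytes that belong there.
	; The previous version hard-coded eight sectors, dropped the last two bytes of sector 8 (its
	; replacement value was never applied), and used the USA offset/size from the carved - i.e. untrusted -
	; header without checking them. This version derives the sector count from the USA size, bounds-checks
	; both header fields against the data actually present, and restores every sector including the last.
	Local $LocalAttributeOffset = 1
	Local $SectorHexLen = 1024 ; 512-byte sectors as hex; the fixup stride. The script's $SectorSize global could drive this.
	Local $EntryLen = StringLen($Entry)
	Local $IndxHdrUpdateSeqArrOffset, $IndxHdrUpdateSeqArrSize, $IndxHdrUpdSeqArr, $UpdSeqNumber
	Local $FixupCount, $ChunkStart, $ChunkTail, $i, $Fixed = ""
	; ConsoleWrite("Unfixed INDX record:" & @crlf)
	; ConsoleWrite(_HexEncode("0x"&$Entry) & @crlf)
	If $EntryLen < 16 Then ; the two header fields read below sit at hex positions 9-16
		ConsoleWrite("Error the INDX record is corrupt" & @CRLF)
		Return
	EndIf
	$IndxHdrUpdateSeqArrOffset = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+8,4)))
	$IndxHdrUpdateSeqArrSize = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+12,4)))
	$FixupCount = $IndxHdrUpdateSeqArrSize - 1
	; The USA must start past the fixed header fields, lie entirely inside the record, and the record
	; must be long enough to hold one full sector per fixup entry. Anything else is garbage from the carve.
	If $FixupCount < 1 Or $IndxHdrUpdateSeqArrOffset < 8 _
			Or ($IndxHdrUpdateSeqArrOffset + $IndxHdrUpdateSeqArrSize*2)*2 > $EntryLen _
			Or $FixupCount*$SectorHexLen > $EntryLen Then
		ConsoleWrite("Error the INDX record is corrupt" & @CRLF)
		Return
	EndIf
	$IndxHdrUpdSeqArr = StringMid($Entry,1+($IndxHdrUpdateSeqArrOffset*2),$IndxHdrUpdateSeqArrSize*2*2)
	$UpdSeqNumber = StringMid($IndxHdrUpdSeqArr,1,4)
	For $i = 1 To $FixupCount
		$ChunkStart = ($i-1)*$SectorHexLen + 1
		$ChunkTail = StringMid($Entry,$ChunkStart+$SectorHexLen-4,4)
		; A sector that does not end with the USN was only partially written (torn write), so the record
		; cannot be trusted. As before, give up on the whole record; per-sector salvage would be a new feature.
		If $ChunkTail <> $UpdSeqNumber Then
			ConsoleWrite("Error the INDX record is corrupt" & @CRLF)
			Return
		EndIf
		$Fixed &= StringMid($Entry,$ChunkStart,$SectorHexLen-4) & StringMid($IndxHdrUpdSeqArr,1+$i*4,4)
	Next
	; Whatever follows the last protected sector is passed through untouched.
	$Fixed &= StringMid($Entry,$FixupCount*$SectorHexLen+1)
	Return "0x"&$Fixed
EndFunc

Func _SwapEndian($iHex)
	; Reverse the byte order of a hex string: Dec() reads it big-endian, Binary() renders the value
	; little-endian as "0x...", StringMid() drops the "0x" and keeps as many characters as came in.
	; Used throughout the file to turn on-disk little-endian fields into something Dec() can read.
	; NOTE(review): Dec() is limited to 64 bits and an odd-length input would be padded by Binary(); callers
	; in this file only pass 4/8/12/16 character fields.
	Return StringMid(Binary(Dec($iHex,2)),3, StringLen($iHex))
EndFunc

Func _HexEncode($bInput)
	; Render binary data as a classic hex dump (offset, hex bytes, ASCII column) via CryptBinaryToString with
	; flag 11 = CRYPT_STRING_HEXASCIIADDR. First call sizes the output, second call fills it.
	; Returns "" with @error 1 (sizing failed) or 2 (conversion failed). Only used from debugging lines here.
	Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")
	DllStructSetData($tInput, 1, $bInput)
	Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
			"ptr", DllStructGetPtr($tInput), _
			"dword", DllStructGetSize($tInput), _
			"dword", 11, _
			"ptr", 0, _
			"dword*", 0)

	If @error Or Not $a_iCall[0] Then
		Return SetError(1, 0, "")
	EndIf
	Local $iSize = $a_iCall[5]
	Local $tOut = DllStructCreate("char[" & $iSize & "]")
	$a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
			"ptr", DllStructGetPtr($tInput), _
			"dword", DllStructGetSize($tInput), _
			"dword", 11, _
			"ptr", DllStructGetPtr($tOut), _
			"dword*", $iSize)
	If @error Or Not $a_iCall[0] Then
		Return SetError(2, 0, "")
	EndIf
	Return SetError(0, 0, DllStructGetData($tOut, 1))
EndFunc

Func _FillZero($inp)
	; Left-pad $inp with "0" to a width of 4 characters (inputs longer than 4 are returned unchanged).
	; Used for the sub-millisecond part of "NanoSec" timestamps. $i is now local instead of leaking globally.
	Local $inplen, $out, $tmp = "", $i
	$inplen = StringLen($inp)
	For $i = 1 To 4 - $inplen
		$tmp &= "0"
	Next
	$out = $tmp & $inp
	Return $out
EndFunc

Func _File_Attributes($FAInput)
	; Decode the NTFS file-attribute flag word into a "+"-joined list of names. Values at or below 0x40000 are
	; the usual FILE_ATTRIBUTE_* bits; 0x10000000 and 0x20000000 only occur in $FILE_NAME/INDX copies of the
	; flags (directory present / index view). Returns "" when no bit is set.
	Local $FAOutput = ""
	If BitAND($FAInput, 0x0001) Then $FAOutput &= 'read_only+'
	If BitAND($FAInput, 0x0002)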
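Then $FAOutput &= 'hidden+'
	If BitAND($FAInput, 0x0004) Then $FAOutput &= 'system+'
	If BitAND($FAInput, 0x0010) Then $FAOutput &= 'directory1+'
	If BitAND($FAInput, 0x0020) Then $FAOutput &= 'archive+'
	If BitAND($FAInput, 0x0040) Then $FAOutput &= 'device+'
	If BitAND($FAInput, 0x0080) Then $FAOutput &= 'normal+'
	If BitAND($FAInput, 0x0100) Then $FAOutput &= 'temporary+'
	If BitAND($FAInput, 0x0200) Then $FAOutput &= 'sparse_file+'
	If BitAND($FAInput, 0x0400) Then $FAOutput &= 'reparse_point+'
	If BitAND($FAInput, 0x0800) Then $FAOutput &= 'compressed+'
	If BitAND($FAInput, 0x1000) Then $FAOutput &= 'offline+'
	If BitAND($FAInput, 0x2000) Then $FAOutput &= 'not_indexed+'
	If BitAND($FAInput, 0x4000) Then $FAOutput &= 'encrypted+'
	If BitAND($FAInput, 0x8000) Then $FAOutput &= 'integrity_stream+'
	If BitAND($FAInput, 0x10000) Then $FAOutput &= 'virtual+'
	If BitAND($FAInput, 0x20000) Then $FAOutput &= 'no_scrub_data+'
	If BitAND($FAInput, 0x40000) Then $FAOutput &= 'ea+'
	; The two high bits are specific to $FILE_NAME-style flag words (as found in INDX entries).
	If BitAND($FAInput, 0x10000000) Then $FAOutput &= 'directory2+'
	If BitAND($FAInput, 0x20000000) Then $FAOutput &= 'index_view+'
	$FAOutput = StringTrimRight($FAOutput, 1) ; drop the trailing '+'
	Return $FAOutput
EndFunc

Func _SelectFragment()
	; GUI helper: ask the user for the input file and store it in the global $BinaryFragment.
	; Exits the program when the dialog is cancelled or fails (the caller has nothing to work on).
	$BinaryFragment = FileOpenDialog("Select binary fragment",@ScriptDir,"All (*.*)")
	If @error Then
		ConsoleWrite("Error getting binary fragment." & @CRLF)
		Exit
	EndIf
	Return $BinaryFragment
EndFunc

Func _GetReparseType($ReparseType)
	; Map a reparse tag given as an "0x" hex string (8 digits, upper case as produced by the decoders in this
	; file) to its winnt.h/ntifs.h name. The string compare is case-insensitive. Unknown tags are returned as
	; 'UNKNOWN(<tag>)' so they are never silently dropped from the output.
	;winnt.h
	;ntifs.h
	Select
		Case $ReparseType = '0x00000000'
			Return 'RESERVED_ZERO'
		Case $ReparseType = '0x00000001'
			Return 'RESERVED_ONE'
		Case $ReparseType = '0x00000002'
			Return 'RESERVED_TWO'
		Case $ReparseType = '0x80000005'
			Return 'DRIVER_EXTENDER'
		Case $ReparseType = '0x80000006'
			Return 'HSM2'
		Case $ReparseType = '0x80000007'
			Return 'SIS'
		Case $ReparseType = '0x80000008'
			Return 'WIM'
		Case $ReparseType = '0x80000009'
			Return 'CSV'
		Case $ReparseType = '0x8000000A'
			Return 'DFS'
		Case $ReparseType = '0x8000000B'
			Return 'FILTER_MANAGER'
		Case $ReparseType = '0x80000012'
			Return 'DFSR'
		Case $ReparseType = '0x80000013'
			Return 'DEDUP'
		Case $ReparseType = '0x80000014'
			Return 'NFS'
		Case $ReparseType = '0x80000015'
			Return 'FILE_PLACEHOLDER'
		Case $ReparseType = '0x80000017'
			Return 'WOF'
		Case $ReparseType = '0x80000018'
			Return 'WCI'
		Case $ReparseType = '0x80000019'
			Return 'GLOBAL_REPARSE'
		Case $ReparseType = '0x8000001B'
			Return 'APPEXECLINK'
		Case $ReparseType = '0x8000001E'
			Return 'HFS'
		Case $ReparseType = '0x80000020'
			Return 'UNHANDLED'
		Case $ReparseType = '0x80000021'
			Return 'ONEDRIVE'
		Case $ReparseType = '0x9000001A'
			Return 'CLOUD'
		Case $ReparseType = '0x9000101A'
			Return 'CLOUD_ROOT'
		Case $ReparseType = '0x9000201A'
			Return 'CLOUD_ON_DEMAND'
		Case $ReparseType = '0x9000301A'
			Return 'CLOUD_ROOT_ON_DEMAND'
		Case $ReparseType = '0x9000001C'
			Return 'GVFS'
		Case $ReparseType = '0xA0000003'
			Return 'MOUNT_POINT'
		Case $ReparseType = '0xA000000C'
			Return 'SYMLINK'
		Case $ReparseType = '0xA0000010'
			Return 'IIS_CACHE'
		Case $ReparseType = '0xA0000019'
			Return 'GLOBAL_REPARSE'
		Case $ReparseType = '0xA000001D'
			Return 'LX_SYMLINK'
		Case $ReparseType = '0xA000001F'
			Return 'WCI_TOMBSTONE'
		Case $ReparseType = '0xA0000022'
			Return 'GVFS_TOMBSTONE'
		Case $ReparseType = '0xC0000004'
			Return 'HSM'
		Case $ReparseType = '0xC0000014'
			Return 'APPXSTRM'
		Case Else
			Return 'UNKNOWN(' & $ReparseType & ')'
	EndSelect
EndFunc

; start: by Ascend4nt -----------------------------
Func _WinTime_GetUTCToLocalFileTimeDelta()
	; Offset of the local time zone from UTC in FILETIME units (100 ns): converts a fixed probe value and
	; returns local minus UTC. -1 with @error on failure. $iLocalFileTime is now a proper local.
	Local $iUTCFileTime=864000000000 ; exactly 24 hours from the origin (although 12 hours would be more appropriate (max variance = 12))
	Local $iLocalFileTime=_WinTime_UTCFileTimeToLocalFileTime($iUTCFileTime)
	If @error Then Return SetError(@error,@extended,-1)
	Return $iLocalFileTime-$iUTCFileTime ; /36000000000 = # hours delta (effectively giving the offset in hours from UTC/GMT)
EndFunc

Func _WinTime_UTCFileTimeToLocalFileTime($iUTCFileTime)
	; Wrap kernel32 FileTimeToLocalFileTime. Returns the local FILETIME, or -1 with @error
	; 1 (negative input), 2 (DllCall failed, @extended = DllCall error) or 3 (API returned FALSE).
	If $iUTCFileTime<0 Then Return SetError(1,0,-1)
	Local $aRet=DllCall($_COMMON_KERNEL32DLL,"bool","FileTimeToLocalFileTime","uint64*",$iUTCFileTime,"uint64*",0)
	If @error Then Return SetError(2,@error,-1)
	If Not $aRet[0] Then Return SetError(3,0,-1)
	Return $aRet[2]
EndFunc

Func _WinTime_UTCFileTimeFormat($iUTCFileTime,$iFormat=4,$iPrecision=0,$bAMPMConversion=False)
	; Format a UTC FILETIME as a string (or array) in the local time zone; see _WinTime_FormatTime for
	; $iFormat/$iPrecision. Returns "" with @error on failure.
	;~ If $iUTCFileTime<0 Then Return SetError(1,0,"") ; checked in below call

	; First convert file time (UTC-based file time) to 'local file time'
	Local $iLocalFileTime=_WinTime_UTCFileTimeToLocalFileTime($iUTCFileTime)
	If @error Then Return SetError(@error,@extended,"")
	; Rare occasion: a filetime near the origin (January 1, 1601!!) is used,
	; causing a negative result (for some timezones). Return as invalid param.
	If $iLocalFileTime<0 Then Return SetError(1,0,"")

	; Then convert file time to a system time array & format & return it
	Local $vReturn=_WinTime_LocalFileTimeFormat($iLocalFileTime,$iFormat,$iPrecision,$bAMPMConversion)
	Return SetError(@error,@extended,$vReturn)
EndFunc

Func _WinTime_LocalFileTimeFormat($iLocalFileTime,$iFormat=4,$iPrecision=0,$bAMPMConversion=False)
	; Format a local FILETIME. $iFormat=0 returns the raw SYSTEMTIME array instead of a string.
	;~ If $iLocalFileTime<0 Then Return SetError(1,0,"") ; checked in below call

	; Convert file time to a system time array & return result
	Local $aSysTime=_WinTime_LocalFileTimeToSystemTime($iLocalFileTime)
	If @error Then Return SetError(@error,@extended,"")

	; Return only the SystemTime array?
	If $iFormat=0 Then Return $aSysTime

	Local $vReturn=_WinTime_FormatTime($aSysTime[0],$aSysTime[1],$aSysTime[2],$aSysTime[3], _
		$aSysTime[4],$aSysTime[5],$aSysTime[6],$aSysTime[7],$iFormat,$iPrecision,$bAMPMConversion)
	Return SetError(@error,@extended,$vReturn)
EndFunc

Func _WinTime_LocalFileTimeToSystemTime($iLocalFileTime)
	; Wrap kernel32 FileTimeToSystemTime. Returns [Year,Month,Day,Hour,Min,Sec,Msec,DayOfWeek] - note the
	; DayOfWeek element of SYSTEMTIME (struct element 3) is moved to the end - or an all -1 array with @error
	; 1 (negative input), 2 (DllCall failed) or 3 (API returned FALSE).
	Local $aRet,$stSysTime,$aSysTime[8]=[-1,-1,-1,-1,-1,-1,-1,-1]

	; Negative values unacceptable
	If $iLocalFileTime<0 Then Return SetError(1,0,$aSysTime)

	; SYSTEMTIME structure [Year,Month,DayOfWeek,Day,Hour,Min,Sec,Milliseconds]
	$stSysTime=DllStructCreate("ushort[8]")

	$aRet=DllCall($_COMMON_KERNEL32DLL,"bool","FileTimeToSystemTime","uint64*",$iLocalFileTime,"ptr",DllStructGetPtr($stSysTime))
	If @error Then Return SetError(2,@error,$aSysTime)
	If Not $aRet[0] Then Return SetError(3,0,$aSysTime)
	Dim $aSysTime[8]=[DllStructGetData($stSysTime,1,1),DllStructGetData($stSysTime,1,2),DllStructGetData($stSysTime,1,4),DllStructGetData($stSysTime,1,5), _
		DllStructGetData($stSysTime,1,6),DllStructGetData($stSysTime,1,7),DllStructGetData($stSysTime,1,8),DllStructGetData($stSysTime,1,3)]
	Return $aSysTime
EndFunc

Func _WinTime_FormatTime($iYear,$iMonth,$iDay,$iHour,$iMin,$iSec,$iMilSec,$iDayOfWeek,$iFormat=4,$iPrecision=0,$bAMPMConversion=False)
	; Build a date/time string from SYSTEMTIME fields.
	; $iFormat: 1 = YYYYMMDDHHMM..., 2 = MM/DD/YYYY, 3 = DD/MM/YYYY, 4 = "Month DD, YYYY", 5 = "DD Month YYYY",
	;           6 = YYYY-MM-DD; +8 prefixes the weekday name, +0x10 returns [string, month name, weekday name].
	; $iPrecision: 0 = to the minute, 1 = +seconds, 2 = +milliseconds (joined with the global $PrecisionSeparator).
	; Returns "" with @error 1 on an out-of-range month/weekday or unknown format.
	Local Static $_WT_aMonths[12]=["January","February","March","April","May","June","July","August","September","October","November","December"]
	Local Static $_WT_aDays[7]=["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"]

	If Not $iFormat Or $iMonth<1 Or $iMonth>12 Or $iDayOfWeek>6 Then Return SetError(1,0,"")

	; Pad MM,DD,HH,MM,SS,MSMSMSMS as necessary
	Local $sMM=StringRight(0&$iMonth,2),$sDD=StringRight(0&$iDay,2),$sMin=StringRight(0&$iMin,2)
	; $sYY = $iYear ; (no padding)
	; [technically Year can be 1-x chars - but this is generally used for 4-digit years. And SystemTime only goes up to 30827/30828]
	Local $sHH,$sSS,$sMS,$sAMPM

	; 'Extra precision 1': +SS (Seconds)
	If $iPrecision Then
		$sSS=StringRight(0&$iSec,2)
		; 'Extra precision 2': +MSMSMSMS (Milliseconds)
		If $iPrecision>1 Then
			; $sMS=StringRight('000'&$iMilSec,4)
			$sMS=StringRight('000'&$iMilSec,3);Fixed an erroneous 0 in front of the milliseconds
		Else
			$sMS=""
		EndIf
	Else
		$sSS=""
		$sMS=""
	EndIf
	If $bAMPMConversion Then
		If $iHour>11 Then
			$sAMPM=" PM"
			; 12 PM will cause 12-12 to equal 0, so avoid the calculation:
			If $iHour=12 Then
				$sHH="12"
			Else
				$sHH=StringRight(0&($iHour-12),2)
			EndIf
		Else
			$sAMPM=" AM"
			If $iHour Then
				$sHH=StringRight(0&$iHour,2)
			Else
				; 00 military = 12 AM
				$sHH="12"
			EndIf
		EndIf
	Else
		$sAMPM=""
		$sHH=StringRight(0 & $iHour,2)
	EndIf
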
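Local $sDateTimeStr,$aReturnArray[3]

	; Return an array? [formatted string + "Month" + "DayOfWeek"]
	If BitAND($iFormat,0x10) Then
		$aReturnArray[1]=$_WT_aMonths[$iMonth-1]
		If $iDayOfWeek>=0 Then
			$aReturnArray[2]=$_WT_aDays[$iDayOfWeek]
		Else
			$aReturnArray[2]=""
		EndIf
		; Strip the 'array' bit off (array[1] will now indicate if an array is to be returned)
		$iFormat=BitAND($iFormat,0xF)
	Else
		; Signal to below that the array isn't to be returned
		$aReturnArray[1]=""
	EndIf

	; Prefix with "DayOfWeek "?
	If BitAND($iFormat,8) Then
		If $iDayOfWeek<0 Then Return SetError(1,0,"") ; invalid
		$sDateTimeStr=$_WT_aDays[$iDayOfWeek]&', '
		; Strip the 'DayOfWeek' bit off
		$iFormat=BitAND($iFormat,0x7)
	Else
		$sDateTimeStr=""
	EndIf

	If $iFormat<2 Then
		; Basic String format: YYYYMMDDHHMM[SS[MSMSMSMS[ AM/PM]]]
		$sDateTimeStr&=$iYear&$sMM&$sDD&$sHH&$sMin&$sSS&$sMS&$sAMPM
	Else
		; one of 4 formats which ends with " HH:MM[:SS[:MSMSMSMS[ AM/PM]]]"
		Switch $iFormat
			; /, : Format - MM/DD/YYYY
			Case 2
				$sDateTimeStr&=$sMM&'/'&$sDD&'/'
			; /, : alt. Format - DD/MM/YYYY
			Case 3
				$sDateTimeStr&=$sDD&'/'&$sMM&'/'
			; "Month DD, YYYY" format
			Case 4
				$sDateTimeStr&=$_WT_aMonths[$iMonth-1]&' '&$sDD&', '
			; "DD Month YYYY" format
			Case 5
				$sDateTimeStr&=$sDD&' '&$_WT_aMonths[$iMonth-1]&' '
			; ISO-like YYYY-MM-DD; the year is already emitted, so blank it for the shared suffix below
			Case 6
				$sDateTimeStr&=$iYear&'-'&$sMM&'-'&$sDD
				$iYear=''
			Case Else
				Return SetError(1,0,"")
		EndSwitch
		$sDateTimeStr&=$iYear&' '&$sHH&':'&$sMin
		If $iPrecision Then
			$sDateTimeStr&=':'&$sSS
			; If $iPrecision>1 Then $sDateTimeStr&=':'&$sMS
			If $iPrecision>1 Then $sDateTimeStr&=$PrecisionSeparator&$sMS
		EndIf
		$sDateTimeStr&=$sAMPM
	EndIf
	If $aReturnArray[1]<>"" Then
		$aReturnArray[0]=$sDateTimeStr
		Return $aReturnArray
	EndIf
	Return $sDateTimeStr
EndFunc
; end: by Ascend4nt ----------------------------

Func _ClearVar()
	; Reset the per-entry output globals before the next INDX entry is decoded, so a field that a
	; later entry lacks cannot inherit the previous entry's value in the CSV row.
	$RecordOffset = ""
	; $IndxLastLsn = ""
	; $FromIndxSlack = ""
	$MFTReference = ""
	$MFTReferenceSeqNo = ""
	$IndexFlags = ""
	$MFTReferenceOfParent = ""
	$MFTReferenceOfParentSeqNo = ""
	$Indx_CTime = ""
	$Indx_ATime = ""
	$Indx_MTime = ""
	$Indx_RTime = ""
	$Indx_AllocSize = ""
	$Indx_RealSize = ""
	$Indx_File_Flags = ""
	$Indx_ReparseTag = ""
	$Indx_FileName = ""
	$Indx_NameSpace = ""
	$SubNodeVCN = ""
	$TextInformation = ""
EndFunc

Func _GetInputParams()
	; Parse the command line switches ("/Name:value") into the script's globals, validate them and apply
	; defaults. Exits with code 1 on the same fatal conditions as before: a non-numeric ScanMode or
	; StrictNameCheck, a missing input file, TSFormat 4/5 combined with l2t/bodyfile output, or an
	; OutFragmentName that is not a plain file name.
	; Behaviour changes, all on malformed or previously ignored input:
	;  - /StrictNameCheck:0 now switches the check off; previously any digit string, including "0", switched it on.
	;  - /Slack: and /Fixups: values other than 0/1 keep the built-in default instead of being copied verbatim
	;    into $DoParseSlack/$DoFixups after the error message.
	;  - /TSPrecision: with an unknown word falls back to "None" (1) instead of leaving the raw string in
	;    $TimestampPrecision.
	;  - The TSFormat 4/5 vs. l2t/bodyfile conflict is decided from $Dol2t/$DoBodyfile, which this function sets;
	;    the old test used $checkl2t/$checkbodyfile, which nothing on the command-line path assigns.
	;  - /OutFragmentName: also rejects "/" and the names "." and "..", since the value is joined to
	;    $ParserOutDir and opened for writing by _WriteOutputFragment.
	; NOTE(review): /OutputPath: is stored without any check that the directory exists or is writable.
	Local $TimeZone, $OutputFormat, $RegionDelta, $i, $Param
	; The offsets accepted for /TimeZone:, the same list the GUI combo offers (see _InjectTimeZoneInfo).
	Local $ValidTimeZones = "|-12.00|-11.00|-10.00|-9.30|-9.00|-8.00|-7.00|-6.00|-5.00|-4.30|-4.00|-3.30|-3.00|-2.00|-1.00|0.00|" & _
			"1.00|2.00|3.00|3.30|4.00|4.30|5.00|5.30|5.45|6.00|6.30|7.00|8.00|8.45|9.00|9.30|10.00|10.30|11.00|11.30|12.00|12.45|13.00|14.00|"

	; Switch names are matched case-insensitively; the value is everything after the colon, unquoted.
	For $i = 1 To $cmdline[0]
		$Param = $cmdline[$i]
		;ConsoleWrite("Param " & $i & ": " & $Param & @CRLF)
		If StringLeft($Param,10) = "/IndxFile:" Then $BinaryFragment = StringMid($Param,11)
		If StringLeft($Param,12) = "/OutputPath:" Then $ParserOutDir = StringMid($Param,13)
		If StringLeft($Param,10) = "/TimeZone:" Then $TimeZone = StringMid($Param,11)
		If StringLeft($Param,14) = "/OutputFormat:" Then $OutputFormat = StringMid($Param,15)
		If StringLeft($Param,11) = "/Separator:" Then $SeparatorInput = StringMid($Param,12)
		If StringLeft($Param,15) = "/QuotationMark:" Then $checkquotes = StringMid($Param,16)
		If StringLeft($Param,9) = "/Unicode:" Then $CheckUnicode = StringMid($Param,10)
		If StringLeft($Param,7) = "/Slack:" Then $CheckSlack = StringMid($Param,8)
		If StringLeft($Param,8) = "/Fixups:" Then $CheckFixups = StringMid($Param,9)
		If StringLeft($Param,10) = "/ScanMode:" Then $ScanMode = StringMid($Param,11)
		If StringLeft($Param,10) = "/TSFormat:" Then $DateTimeFormat = StringMid($Param,11)
		If StringLeft($Param,13) = "/TSPrecision:" Then $TimestampPrecision = StringMid($Param,14)
		If StringLeft($Param,22) = "/TSPrecisionSeparator:" Then $PrecisionSeparator = StringMid($Param,23)
		If StringLeft($Param,23) = "/TSPrecisionSeparator2:" Then $PrecisionSeparator2 = StringMid($Param,24)
		If StringLeft($Param,12) = "/TSErrorVal:" Then $TimestampErrorVal = StringMid($Param,13)
		If StringLeft($Param,10) = "/IndxSize:" Then $INDX_Size = StringMid($Param,11)
		If StringLeft($Param,9) = "/CleanUp:" Then $CleanUp = StringMid($Param,10)
		If StringLeft($Param,16) = "/VerifyFragment:" Then $VerifyFragment = StringMid($Param,17)
		If StringLeft($Param,17) = "/OutFragmentName:" Then $OutFragmentName = StringMid($Param,18)
		If StringLeft($Param,17) = "/StrictNameCheck:" Then $StrictNameCheck = StringMid($Param,18)
	Next

	If StringLen($ScanMode) > 0 Then
		If Not StringIsDigit($ScanMode) Then
			ConsoleWrite("ScanMode was invalid: " & $ScanMode & @CRLF)
			Exit(1)
		EndIf
		; If $ScanMode > 15 Then $ScanMode = 15
	Else
		$ScanMode = 0
	EndIf

	If StringLen($StrictNameCheck) > 0 Then
		If Not StringIsDigit($StrictNameCheck) Then
			ConsoleWrite("StrictNameCheck was invalid: " & $StrictNameCheck & @CRLF)
			Exit(1)
		EndIf
		; Any non-zero digit string enables the check, "0" disables it.
		If Number($StrictNameCheck) <> 0 Then
			$StrictNameCheck = 1
		Else
			$StrictNameCheck = 0
		EndIf
	Else
		$StrictNameCheck = 0
	EndIf

	; Only the listed offsets are accepted; anything else (including no switch) means UTC.
	If StringLen($TimeZone) = 0 Or StringInStr($TimeZone,"|") Or Not StringInStr($ValidTimeZones,"|" & $TimeZone & "|") Then
		$TimeZone = "0.00"
	EndIf

	; $tDelta is a FILETIME (100 ns) correction used by the timestamp decoding elsewhere in the file.
	; The region offset is subtracted from whatever $tDelta already holds and the sign is flipped, as before.
	$RegionDelta = _GetUTCRegion($TimeZone)
	If @error Then ConsoleWrite("Error: Timezone configuration failed." & @CRLF)
	;ConsoleWrite("Timestamps presented in UTC: " & $UTCconfig & @CRLF)
	$tDelta = ($RegionDelta - $tDelta) * -1

	If StringLen($BinaryFragment) > 0 And Not FileExists($BinaryFragment) Then
		ConsoleWrite("Error input INDX chunk file does not exist." & @CRLF)
		Exit(1)
	EndIf
	; ConsoleWrite("$BinaryFragment: " & $BinaryFragment & @CRLF)

	If StringLen($OutputFormat) > 0 Then
		If $OutputFormat = "l2t" Then $Dol2t = True
		If $OutputFormat = "bodyfile" Then $DoBodyfile = True
		If $OutputFormat = "all" Then $DoDefaultAll = True
		If $Dol2t = False And $DoBodyfile = False Then $DoDefaultAll = True
	Else
		$DoDefaultAll = True
	EndIf

	; Separators must be exactly one character; fall back to the defaults otherwise.
	If StringLen($PrecisionSeparator) <> 1 Then $PrecisionSeparator = "."
	If StringLen($SeparatorInput) <> 1 Then $SeparatorInput = "|"

	; Precision word -> numeric level used by the formatting code (1 = seconds, 2 = ms, 3 = 100 ns).
	If StringLen($TimestampPrecision) > 0 Then
		Select
			Case $TimestampPrecision = "None"
				ConsoleWrite("Timestamp Precision: " & $TimestampPrecision & @CRLF)
				$TimestampPrecision = 1
			Case $TimestampPrecision = "MilliSec"
				ConsoleWrite("Timestamp Precision: " & $TimestampPrecision & @CRLF)
				$TimestampPrecision = 2
			Case $TimestampPrecision = "NanoSec"
				ConsoleWrite("Timestamp Precision: " & $TimestampPrecision & @CRLF)
				$TimestampPrecision = 3
			Case Else
				ConsoleWrite("Timestamp Precision was invalid, using None: " & $TimestampPrecision & @CRLF)
				$TimestampPrecision = 1
		EndSelect
	Else
		$TimestampPrecision = 1
	EndIf

	If StringLen($DateTimeFormat) > 0 Then
		If $DateTimeFormat <> 1 And $DateTimeFormat <> 2 And $DateTimeFormat <> 3 And $DateTimeFormat <> 4 And $DateTimeFormat <> 5 And $DateTimeFormat <> 6 Then
			$DateTimeFormat = 6
		EndIf
	Else
		$DateTimeFormat = 6
	EndIf

	; Formats 4/5 embed spaces and commas that the l2t/bodyfile layouts cannot carry.
	If ($DateTimeFormat = 4 Or $DateTimeFormat = 5) And ($Dol2t Or $DoBodyfile) Then
		ConsoleWrite("Error: TSFormat can't be 4 or 5 in combination with OutputFormat l2t and bodyfile" & @CRLF)
		Exit(1)
	EndIf

	If StringLen($CheckSlack) > 0 Then
		If $CheckSlack == "0" Or $CheckSlack == "1" Then
			$DoParseSlack = Number($CheckSlack)
		Else
			ConsoleWrite("Error in slack configuration: " & $CheckSlack & @CRLF)
		EndIf
	EndIf

	If StringLen($CheckFixups) > 0 Then
		If $CheckFixups == "0" Or $CheckFixups == "1" Then
			$DoFixups = Number($CheckFixups)
		Else
			ConsoleWrite("Error in fixups configuration: " & $CheckFixups & @CRLF)
		EndIf
	EndIf

	If StringLen($VerifyFragment) > 0 Then
		If $VerifyFragment <> 1 Then
			$VerifyFragment = 0
		EndIf
	EndIf

	; The name is appended to $ParserOutDir by _WriteOutputFragment, so it must not be able to leave that directory.
	If StringLen($OutFragmentName) > 0 Then
		If StringInStr($OutFragmentName,"\") Or StringInStr($OutFragmentName,"/") Or $OutFragmentName = "." Or $OutFragmentName = ".." Then
			ConsoleWrite("Error: OutFragmentName must be a filename and not a path." & @CRLF)
			Exit(1)
		EndIf
	EndIf

	If StringLen($CleanUp) > 0 Then
		If $CleanUp <> 1 Then
			$CleanUp = 0
		EndIf
	EndIf
EndFunc

Func _DisplayInfo($DebugInfo)
	; GUI helper: push a line of status text into the edit control $myctredit (the third argument
	; presumably makes GUICtrlSetData append rather than replace - verify against the control type).
	GUICtrlSetData($myctredit, $DebugInfo, 1)
EndFunc

Func _InjectTimeZoneInfo()
	; GUI helper: fill the time zone combo ($Combo2) with the supported UTC offsets and select UTC.
	; Keep this list in sync with the one accepted by _GetInputParams.
	$Regions = "UTC: -12.00|" & _
		"UTC: -11.00|" & _
		"UTC: -10.00|" & _
		"UTC: -9.30|" & _
		"UTC: -9.00|" & _
		"UTC: -8.00|" & _
		"UTC: -7.00|" & _
		"UTC: -6.00|" & _
		"UTC: -5.00|" & _
		"UTC: -4.30|" & _
		"UTC: -4.00|" & _
		"UTC: -3.30|" & _
		"UTC: -3.00|" & _
		"UTC: -2.00|" & _
		"UTC: -1.00|" & _
		"UTC: 0.00|" & _
		"UTC: 1.00|" & _
		"UTC: 2.00|" & _
		"UTC: 3.00|" & _
		"UTC: 3.30|" & _
		"UTC: 4.00|" & _
		"UTC: 4.30|" & _
		"UTC: 5.00|" & _
		"UTC: 5.30|" & _
		"UTC: 5.45|" & _
		"UTC: 6.00|" & _
		"UTC: 6.30|" & _
		"UTC: 7.00|" & _
		"UTC: 8.00|" & _
		"UTC: 8.45|" & _
		"UTC: 9.00|" & _
		"UTC: 9.30|" & _
		"UTC: 10.00|" & _
		"UTC: 10.30|" & _
		"UTC: 11.00|" & _
		"UTC: 11.30|" & _
		"UTC: 12.00|" & _
		"UTC: 12.45|" & _
		"UTC: 13.00|" & _
		"UTC: 14.00|"
	GUICtrlSetData($Combo2,$Regions,"UTC: 0.00")
EndFunc

Func _GetUTCRegion($UTCRegion)
	; Turn a region string ("UTC: -3.30" from the GUI combo, or the bare "-3.30" from the command line)
	; into a FILETIME offset in 100 ns units. The digits after the dot are minutes, so .15/.30/.45 are
	; mapped to the decimal fractions .25/.50/.75 before multiplying by 36000000000 (one hour).
	; Side effect: stores the bare offset text in the global $UTCconfig. Returns 0 with @error 1 for "".
	; $part1 and $DeltaTest are now locals instead of implicit globals.
	Local $part1, $DeltaTest
	If $UTCRegion = "" Then Return SetError(1,0,0)

	If StringInStr($UTCRegion,"UTC:") Then
		$part1 = StringMid($UTCRegion,StringInStr($UTCRegion," ")+1)
	Else
		$part1 = $UTCRegion
	EndIf
	$UTCconfig = $part1
	If StringRight($part1,2) = "15" Then $part1 = StringReplace($part1,".15",".25")
	If StringRight($part1,2) = "30" Then $part1 = StringReplace($part1,".30",".50")
	If StringRight($part1,2) = "45" Then $part1 = StringReplace($part1,".45",".75")
	$DeltaTest = $part1*36000000000
	Return $DeltaTest
EndFunc

Func _TranslateSeparator()
	; GUI helper: trim the separator input to one character and show its hex code next to it.
	; Or do it the other way around to allow setting other trickier separators, like specifying it in hex
	GUICtrlSetData($SeparatorInput,StringLeft(GUICtrlRead($SeparatorInput),1))
	GUICtrlSetData($SeparatorInput2,"0x"&Hex(Asc(GUICtrlRead($SeparatorInput)),2))
EndFunc

Func _InjectTimestampFormat()
	; GUI helper: offer the six _WinTime_FormatTime layouts and preselect 6 (YYYY-MM-DD).
	Local $Formats = "1|" & _
		"2|" & _
		"3|" & _
		"4|" & _
		"5|" & _
		"6|"
	GUICtrlSetData($ComboTimestampFormat,$Formats,"6")
EndFunc

Func _InjectTimestampPrecision()
	; GUI helper: offer the precision levels and preselect NanoSec.
	Local $Precision = "None|" & _
		"MilliSec|" & _
		"NanoSec|"
	GUICtrlSetData($ComboTimestampPrecision,$Precision,"NanoSec")
EndFunc

Func _TranslateTimestamp()
	; GUI helper: read the format/precision combos into the globals and render the example timestamp
	; $ExampleTimestampVal so the user can preview the output layout.
	Local $lPrecision,$lTimestamp,$lTimestampTmp
	$DateTimeFormat = StringLeft(GUICtrlRead($ComboTimestampFormat),1)
	$lPrecision = GUICtrlRead($ComboTimestampPrecision)
	Select
		Case $lPrecision = "None"
			$TimestampPrecision = 1
		Case 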
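$lPrecision = "MilliSec"
			$TimestampPrecision = 2
		Case $lPrecision = "NanoSec"
			$TimestampPrecision = 3
	EndSelect
	; The hex literal is passed as a string; AutoIt converts "0x..." to a number for the uint64* parameter.
	$lTimestampTmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $ExampleTimestampVal)
	$lTimestamp = _WinTime_UTCFileTimeFormat(Dec($ExampleTimestampVal,2), $DateTimeFormat, $TimestampPrecision)
	If @error Then
		$lTimestamp = $TimestampErrorVal
	ElseIf $TimestampPrecision = 3 Then
		; "NanoSec": append the last four decimal digits of the FILETIME (100 ns units below the millisecond).
		$lTimestamp = $lTimestamp & $PrecisionSeparator2 & _FillZero(StringRight($lTimestampTmp, 4))
	EndIf
	GUICtrlSetData($InputExampleTimestamp,$lTimestamp)
EndFunc

Func _IndxProgress()
	; GUI helper: refresh the status line, elapsed time and progress bar from the record counters.
	GUICtrlSetData($ProgressStatus, "Processing INDX page " & $CurrentRecord+1 & " of " & $MaxRecords & ", total entries: " & $EntryCounter)
	GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
	GUICtrlSetData($ProgressIndx, 100 * ($CurrentRecord+1) / $MaxRecords)
EndFunc

Func _DumpOutput($text)
	; Write diagnostic text to the console and, when a debug file handle is open, to that file as well.
	ConsoleWrite($text)
	If $hDebugOutFile Then FileWrite($hDebugOutFile, $text)
EndFunc

; The four _Validate* functions below are plausibility checks for carved file names. Their input is the
; raw UTF-16LE name as a hex string (4 hex characters per code unit), so each loop step decodes one code
; unit via _SwapEndian. Empty input passes every check, as before. They now share one implementation;
; the only behavioural change is that '|' (0x7C) joined the Win32 reserved set, which previously lacked it.

Func __IsWin32ReservedChar($Code)
	; 1 when $Code is one of the characters Win32 forbids in a file name: / \ : * ? " < > |
	Switch $Code
		Case 47, 92, 58, 42, 63, 34, 60, 62, 124
			Return 1
	EndSwitch
	Return 0
EndFunc

Func __ValidateUtf16HexName($InputString, $CodeMin, $CodeMax, $RejectWin32Reserved)
	; Shared loop: every code unit must lie in [$CodeMin,$CodeMax] and, when requested, not be Win32-reserved.
	; Returns 1 when all code units pass, 0 at the first failure.
	Local $StringLength = StringLen($InputString), $i, $Code
	For $i = 1 To $StringLength Step 4
		$Code = Dec(_SwapEndian(StringMid($InputString,$i,4)),2)
		If $Code < $CodeMin Or $Code > $CodeMax Then Return 0
		If $RejectWin32Reserved And __IsWin32ReservedChar($Code) Then Return 0
	Next
	Return 1
EndFunc

Func _ValidateCharacter($InputString)
	; Accept only code units 32..255 (printable Latin-1, no controls, no higher Unicode).
	Return __ValidateUtf16HexName($InputString, 32, 255, 0)
EndFunc

Func _ValidateAnsiName($InputString)
	; Accept only printable 7-bit ASCII, 32..126.
	Return __ValidateUtf16HexName($InputString, 32, 126, 0)
EndFunc

Func _ValidateWindowsFileName($InputString)
	; Reject names containing a Win32-reserved character; any other code unit is allowed.
	Return __ValidateUtf16HexName($InputString, 0, 0xFFFF, 1)
EndFunc

Func _ValidateCharacterAndWindowsFileName($InputString)
	; _ValidateCharacter and _ValidateWindowsFileName combined in a single pass.
	Return __ValidateUtf16HexName($InputString, 32, 255, 1)
EndFunc

Func _WriteOutputFragment()
	; Append the global $RebuiltFragment to "$ParserOutDir\$OutFragmentName", padding it with zero bytes to a
	; multiple of 8 first. Returns with @error 1 when the buffer, the file or the write fails.
	; NOTE(review): $Size/$Size2 are not declared Local here and "00" is concatenated onto a Binary value;
	; the conversion to a string that DllStructSetData then copies should be confirmed before relying on the padding.
	; NOTE(review): $OutFragmentName is only filtered by _GetInputParams on the command-line path; the GUI path is not visible here.
	Local $nBytes, $Offset

	$Size = BinaryLen($RebuiltFragment)
	$Size2 = $Size
	If Mod($Size,0x8) Then
		ConsoleWrite("SizeOf $RebuiltFragment: " & $Size & @CRLF)
		While 1
			$RebuiltFragment &= "00"
			$Size2 += 1
			If Mod($Size2,0x8) = 0 Then ExitLoop
		WEnd
		ConsoleWrite("Corrected SizeOf $RebuiltFragment: " & $Size2 & @CRLF)
	EndIf

	Local $tBuffer = DllStructCreate("byte[" & $Size2 & "]")
	DllStructSetData($tBuffer,1,$RebuiltFragment)
	If @error Then Return SetError(1)
	Local $OutFile = $ParserOutDir & "\" & 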
$OutFragmentName 2521 | If Not FileExists($OutFile) Then 2522 | $Offset = 0 2523 | Else 2524 | $Offset = FileGetSize($OutFile) 2525 | EndIf 2526 | Local $hFileOut = _WinAPI_CreateFile("\\.\" & $OutFile,3,6,7) 2527 | If Not $hFileOut Then Return SetError(1) 2528 | _WinAPI_SetFilePointerEx($hFileOut, $Offset, $FILE_BEGIN) 2529 | If Not _WinAPI_WriteFile($hFileOut, DllStructGetPtr($tBuffer), DllStructGetSize($tBuffer), $nBytes) Then Return SetError(1) 2530 | _WinAPI_CloseHandle($hFileOut) 2531 | EndFunc 2532 | 2533 | Func _InjectScanMode() 2534 | Local $ScanModes = "0|" & _ 2535 | "1|" & _ 2536 | "2|" & _ 2537 | "3|" & _ 2538 | "4|" & _ 2539 | "5|" & _ 2540 | "6|" & _ 2541 | "7|" & _ 2542 | "8|" & _ 2543 | "9|" & _ 2544 | "10|" & _ 2545 | "11|" & _ 2546 | "12|" & _ 2547 | "13|" & _ 2548 | "14|" & _ 2549 | "15|" 2550 | GUICtrlSetData($ComboScanMode,$ScanModes,"0") 2551 | EndFunc 2552 | 2553 | Func _DecodeIndxContentObjIdO($InputData,$FirstEntryOffset) 2554 | Local $Indx_DataOffset, $Indx_DataSize, $Indx_Padding1, $Indx_IndexEntrySize, $Indx_IndexKeySize, $Indx_Flags, $Indx_Padding2, $Indx_GUIDObjectId, $Indx_MftRef, $Indx_MftRefSeqNo 2555 | Local $Indx_GUIDBirthVolumeId, $Indx_GUIDBirthObjectId, $Indx_GUIDDomainId, $EntryCounter=0, $LocalOffset=1, $TextInformation 2556 | 2557 | ;ConsoleWrite("_DecodeIndxContentObjIdO():" & @crlf) 2558 | ;ConsoleWrite(_HexEncode("0x"&$InputData) & @crlf) 2559 | $SizeofIndxRecord = StringLen($InputData) 2560 | While 1 2561 | ;$RecordOffset = "0x" & Hex(Int($SourceFileOffset + (($LocalOffset-1)/2) + $FirstEntryOffset)) 2562 | $RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($LocalOffset-1)/2) + $FirstEntryOffset)) 2563 | 2564 | $Indx_DataOffset = StringMid($InputData, $LocalOffset, 4) 2565 | $Indx_DataOffset = Dec(_SwapEndian($Indx_DataOffset),2) 2566 | 2567 | $Indx_DataSize = StringMid($InputData, $LocalOffset + 4, 4) 2568 | $Indx_DataSize = Dec(_SwapEndian($Indx_DataSize),2) 2569 | 2570 | If $Indx_DataOffset = 0 Or $Indx_DataSize = 
0 Then 2571 | ConsoleWrite("Error: Invalid DataOffset or DataSize" & @crlf) 2572 | ;ConsoleWrite(_HexEncode("0x"&StringMid($InputData, $LocalOffset)) & @crlf) 2573 | Return $EntryCounter 2574 | EndIf 2575 | 2576 | ;Padding 4 bytes 2577 | $Indx_Padding1 = StringMid($InputData, $LocalOffset + 8, 8) 2578 | $Indx_Padding1 = Dec(_SwapEndian($Indx_Padding1),2) 2579 | If $Indx_Padding1 <> 0 Then 2580 | ConsoleWrite("Error: Invalid Padding1" & @crlf) 2581 | Return 0 2582 | EndIf 2583 | 2584 | $Indx_IndexEntrySize = StringMid($InputData, $LocalOffset + 16, 4) 2585 | $Indx_IndexEntrySize = Dec(_SwapEndian($Indx_IndexEntrySize),2) 2586 | If $Indx_IndexEntrySize = 0 Then 2587 | ConsoleWrite("Error: Invalid IndexEntrySize" & @crlf) 2588 | Return 0 2589 | EndIf 2590 | 2591 | $Indx_IndexKeySize = StringMid($InputData, $LocalOffset + 20, 4) 2592 | $Indx_IndexKeySize = Dec(_SwapEndian($Indx_IndexKeySize),2) 2593 | 2594 | ;1=Entry has subnodes, 2=Last entry 2595 | $Indx_Flags = StringMid($InputData, $LocalOffset + 24, 4) 2596 | If Dec(_SwapEndian($Indx_Flags),2) > 2 Then 2597 | ConsoleWrite("Error: Invalid Flags" & @crlf) 2598 | Return 0 2599 | EndIf 2600 | $Indx_Flags = "0x" & _SwapEndian($Indx_Flags) 2601 | 2602 | ;Padding 2 bytes 2603 | $Indx_Padding2 = StringMid($InputData, $LocalOffset + 28, 4) 2604 | $Indx_Padding2 = Dec(_SwapEndian($Indx_Padding2),2) 2605 | If $Indx_Padding2 <> 0 Then 2606 | ConsoleWrite("Error: Invalid Padding2" & @crlf) 2607 | Return 0 2608 | EndIf 2609 | 2610 | $Indx_GUIDObjectId = StringMid($InputData, $LocalOffset + 32, 32) 2611 | If $Indx_GUIDObjectId = "00000000000000000000000000000000" Then 2612 | ConsoleWrite("Error: Invalid GUIDObjectId" & @crlf) 2613 | Return 0 2614 | EndIf 2615 | 2616 | ;Decode guid 2617 | $Indx_GUIDObjectId_Version = Dec(StringMid($Indx_GUIDObjectId,15,1)) 2618 | If $Indx_GUIDObjectId_Version = 0 Or $Indx_GUIDObjectId_Version > 4 Then 2619 | ConsoleWrite("Error: Invalid ObjectId_Version: " & $Indx_GUIDObjectId_Version & @crlf) 
2620 | Return 0 2621 | EndIf 2622 | $Indx_GUIDObjectId_Timestamp = StringMid($Indx_GUIDObjectId,1,14) & "0" & StringMid($Indx_GUIDObjectId,16,1) 2623 | $Indx_GUIDObjectId_TimestampDec = Dec(_SwapEndian($Indx_GUIDObjectId_Timestamp),2) 2624 | $Indx_GUIDObjectId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDObjectId_Timestamp) 2625 | $Indx_GUIDObjectId_ClockSeq = StringMid($Indx_GUIDObjectId,17,4) 2626 | $Indx_GUIDObjectId_ClockSeq = Dec($Indx_GUIDObjectId_ClockSeq) 2627 | $Indx_GUIDObjectId_Node = StringMid($Indx_GUIDObjectId,21,12) 2628 | $Indx_GUIDObjectId_Node = _DecodeMacFromGuid($Indx_GUIDObjectId_Node) 2629 | $Indx_GUIDObjectId = _HexToGuidStr($Indx_GUIDObjectId,1) 2630 | 2631 | $Indx_MftRef = StringMid($InputData, $LocalOffset + 64, 12) 2632 | $Indx_MftRef = Dec(_SwapEndian($Indx_MftRef),2) 2633 | If $Indx_MftRef = 0 Then 2634 | ConsoleWrite("Error: Invalid MftRef" & @crlf) 2635 | Return 0 2636 | EndIf 2637 | 2638 | $Indx_MftRefSeqNo = StringMid($InputData, $LocalOffset + 76, 4) 2639 | $Indx_MftRefSeqNo = Dec(_SwapEndian($Indx_MftRefSeqNo),2) 2640 | If $Indx_MftRefSeqNo = 0 Then 2641 | ConsoleWrite("Error: Invalid MftRefSeqNo" & @crlf) 2642 | Return 0 2643 | EndIf 2644 | 2645 | $Indx_GUIDBirthVolumeId = StringMid($InputData, $LocalOffset + 80, 32) 2646 | ;Decode guid 2647 | $Indx_GUIDBirthVolumeId_Version = Dec(StringMid($Indx_GUIDBirthVolumeId,15,1)) 2648 | $Indx_GUIDBirthVolumeId_Timestamp = StringMid($Indx_GUIDBirthVolumeId,1,14) & "0" & StringMid($Indx_GUIDBirthVolumeId,16,1) 2649 | $Indx_GUIDBirthVolumeId_TimestampDec = Dec(_SwapEndian($Indx_GUIDBirthVolumeId_Timestamp),2) 2650 | $Indx_GUIDBirthVolumeId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDBirthVolumeId_Timestamp) 2651 | $Indx_GUIDBirthVolumeId_ClockSeq = StringMid($Indx_GUIDBirthVolumeId,17,4) 2652 | $Indx_GUIDBirthVolumeId_ClockSeq = Dec($Indx_GUIDBirthVolumeId_ClockSeq) 2653 | $Indx_GUIDBirthVolumeId_Node = StringMid($Indx_GUIDBirthVolumeId,21,12) 2654 | $Indx_GUIDBirthVolumeId_Node = 
_DecodeMacFromGuid($Indx_GUIDBirthVolumeId_Node) 2655 | $Indx_GUIDBirthVolumeId = _HexToGuidStr($Indx_GUIDBirthVolumeId,1) 2656 | 2657 | $Indx_GUIDBirthObjectId = StringMid($InputData, $LocalOffset + 112, 32) 2658 | ;Decode guid 2659 | $Indx_GUIDBirthObjectId_Version = Dec(StringMid($Indx_GUIDBirthObjectId,15,1)) 2660 | $Indx_GUIDBirthObjectId_Timestamp = StringMid($Indx_GUIDBirthObjectId,1,14) & "0" & StringMid($Indx_GUIDBirthObjectId,16,1) 2661 | $Indx_GUIDBirthObjectId_TimestampDec = Dec(_SwapEndian($Indx_GUIDBirthObjectId_Timestamp),2) 2662 | $Indx_GUIDBirthObjectId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDBirthObjectId_Timestamp) 2663 | $Indx_GUIDBirthObjectId_ClockSeq = StringMid($Indx_GUIDBirthObjectId,17,4) 2664 | $Indx_GUIDBirthObjectId_ClockSeq = Dec($Indx_GUIDBirthObjectId_ClockSeq) 2665 | $Indx_GUIDBirthObjectId_Node = StringMid($Indx_GUIDBirthObjectId,21,12) 2666 | $Indx_GUIDBirthObjectId_Node = _DecodeMacFromGuid($Indx_GUIDBirthObjectId_Node) 2667 | $Indx_GUIDBirthObjectId = _HexToGuidStr($Indx_GUIDBirthObjectId,1) 2668 | 2669 | $Indx_GUIDDomainId = StringMid($InputData, $LocalOffset + 144, 32) 2670 | ;Decode guid 2671 | $Indx_GUIDDomainId_Version = Dec(StringMid($Indx_GUIDDomainId,15,1)) 2672 | $Indx_GUIDDomainId_Timestamp = StringMid($Indx_GUIDDomainId,1,14) & "0" & StringMid($Indx_GUIDDomainId,16,1) 2673 | $Indx_GUIDDomainId_TimestampDec = Dec(_SwapEndian($Indx_GUIDDomainId_Timestamp),2) 2674 | $Indx_GUIDDomainId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDDomainId_Timestamp) 2675 | $Indx_GUIDDomainId_ClockSeq = StringMid($Indx_GUIDDomainId,17,4) 2676 | $Indx_GUIDDomainId_ClockSeq = Dec($Indx_GUIDDomainId_ClockSeq) 2677 | $Indx_GUIDDomainId_Node = StringMid($Indx_GUIDDomainId,21,12) 2678 | $Indx_GUIDDomainId_Node = _DecodeMacFromGuid($Indx_GUIDDomainId_Node) 2679 | $Indx_GUIDDomainId = _HexToGuidStr($Indx_GUIDDomainId,1) 2680 | 2681 | Local $TextString 2682 | If Not $DoDefaultAll Then 2683 | $TextString &= " ObjectId:" & $Indx_GUIDObjectId 
2684 | If $Indx_GUIDObjectId_Version = 1 Then 2685 | $TextString &= " ObjectId_Timestamp:" & $Indx_GUIDObjectId_Timestamp 2686 | EndIf 2687 | $TextString &= " ObjectId_Node:" & $Indx_GUIDObjectId_Node 2688 | $TextString &= " BirthVolumeId:" & $Indx_GUIDBirthVolumeId 2689 | If $Indx_GUIDBirthVolumeId_Version = 1 Then 2690 | $TextString &= " BirthVolumeId_Timestamp:" & $Indx_GUIDBirthVolumeId_Timestamp 2691 | EndIf 2692 | $TextString &= " BirthObjectId:" & $Indx_GUIDBirthObjectId 2693 | If $Indx_GUIDBirthObjectId_Version = 1 Then 2694 | $TextString &= " BirthObjectId_Timestamp:" & $Indx_GUIDBirthObjectId_Timestamp 2695 | EndIf 2696 | EndIf 2697 | If $WithQuotes Then 2698 | Select 2699 | Case $DoDefaultAll 2700 | FileWriteLine($IndxEntriesObjIdOCsvFile, '"'&$RecordOffset&'"' & $de & '"'&$IndxCurrentVcn&'"' & $de & '"'&$IsNotLeafNode&'"' & $de & '"'&$IndxLastLsn&'"' & $de & '"'&$FromIndxSlack&'"' & $de & '"'&$Indx_DataOffset&'"' & $de & '"'&$Indx_DataSize&'"' & $de & '"'&$Indx_Padding1&'"' & $de & '"'&$Indx_IndexEntrySize&'"' & $de & '"'&$Indx_IndexKeySize&'"' & $de & '"'&$Indx_Flags&'"' & $de & '"'&$Indx_Padding2&'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'&$Indx_MftRefSeqNo&'"' & $de & '"'&$Indx_GUIDObjectId&'"' & $de & '"'&$Indx_GUIDObjectId_Version&'"' & $de & '"'&$Indx_GUIDObjectId_Timestamp&'"' & $de & '"'&$Indx_GUIDObjectId_TimestampDec&'"' & $de & '"'&$Indx_GUIDObjectId_ClockSeq&'"' & $de & '"'&$Indx_GUIDObjectId_Node&'"' & $de & '"'&$Indx_GUIDBirthVolumeId&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Version&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Timestamp&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_TimestampDec&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_ClockSeq&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Node&'"' & $de & '"'&$Indx_GUIDBirthObjectId&'"' & $de & '"'&$Indx_GUIDBirthObjectId_Version&'"' & $de & '"'&$Indx_GUIDBirthObjectId_Timestamp&'"' & $de & '"'&$Indx_GUIDBirthObjectId_TimestampDec&'"' & $de & '"'&$Indx_GUIDBirthObjectId_ClockSeq&'"' & $de & 
'"'&$Indx_GUIDBirthObjectId_Node&'"' & $de & '"'&$Indx_GUIDDomainId&'"' & $de & '"'&$Indx_GUIDDomainId_Version&'"' & $de & '"'&$Indx_GUIDDomainId_Timestamp&'"' & $de & '"'&$Indx_GUIDDomainId_TimestampDec&'"' & $de & '"'&$Indx_GUIDDomainId_ClockSeq&'"' & $de & '"'&$Indx_GUIDDomainId_Node&'"' & $de & '"'&$TextInformation&'"' & @crlf) 2701 | Case $Dol2t 2702 | FileWriteLine($IndxEntriesObjIdOCsvFile, '"'&'"'& StringLeft($Indx_GUIDObjectId_Timestamp,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_GUIDObjectId_Timestamp,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"MACB"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"ObjId:O"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString&'"' & $de & '""' & $de & '""' & @CRLF) 2703 | Case $DoBodyfile 2704 | FileWriteLine($IndxEntriesObjIdOCsvFile, '""' & $de & '"'& "ObjId:O" &'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'& "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & @CRLF) 2705 | EndSelect 2706 | Else 2707 | Select 2708 | Case $DoDefaultAll 2709 | FileWriteLine($IndxEntriesObjIdOCsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & $FromIndxSlack & $de & $Indx_DataOffset & $de & $Indx_DataSize & $de & $Indx_Padding1 & $de & $Indx_IndexEntrySize & $de & $Indx_IndexKeySize & $de & $Indx_Flags & $de & $Indx_Padding2 & $de & $Indx_MftRef & $de & $Indx_MftRefSeqNo & $de & $Indx_GUIDObjectId & $de & $Indx_GUIDObjectId_Version & $de & $Indx_GUIDObjectId_Timestamp & $de & $Indx_GUIDObjectId_TimestampDec & $de & $Indx_GUIDObjectId_ClockSeq 
& $de & $Indx_GUIDObjectId_Node & $de & $Indx_GUIDBirthVolumeId & $de & $Indx_GUIDBirthVolumeId_Version & $de & $Indx_GUIDBirthVolumeId_Timestamp & $de & $Indx_GUIDBirthVolumeId_TimestampDec & $de & $Indx_GUIDBirthVolumeId_ClockSeq & $de & $Indx_GUIDBirthVolumeId_Node & $de & $Indx_GUIDBirthObjectId & $de & $Indx_GUIDBirthObjectId_Version & $de & $Indx_GUIDBirthObjectId_Timestamp & $de & $Indx_GUIDBirthObjectId_TimestampDec & $de & $Indx_GUIDBirthObjectId_ClockSeq & $de & $Indx_GUIDBirthObjectId_Node & $de & $Indx_GUIDDomainId & $de & $Indx_GUIDDomainId_Version & $de & $Indx_GUIDDomainId_Timestamp & $de & $Indx_GUIDDomainId_TimestampDec & $de & $Indx_GUIDDomainId_ClockSeq & $de & $Indx_GUIDDomainId_Node & $de & $TextInformation & @crlf) 2710 | Case $Dol2t 2711 | FileWriteLine($IndxEntriesObjIdOCsvFile, StringLeft($Indx_GUIDObjectId_Timestamp,$CharsToGrabDate) & $de & StringMid($Indx_GUIDObjectId_Timestamp,$CharStartTime,$CharsToGrabTime) & $de & $UTCconfig & $de & "MACB" & $de & "INDX" & $de & "ObjId:O" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_MftRef & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 2712 | Case $DoBodyfile 2713 | FileWriteLine($IndxEntriesObjIdOCsvFile, "" & $de & "ObjId:O" & $de & $Indx_MftRef & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & @CRLF) 2714 | EndSelect 2715 | EndIf 2716 | $EntryCounter += 1 2717 | $LocalOffset += 176 2718 | If $LocalOffset >= $SizeofIndxRecord Then 2719 | Return $EntryCounter 2720 | EndIf 2721 | WEnd 2722 | Return 1 2723 | EndFunc 2724 | 2725 | Func _DecodeSlackIndxContentObjIdO($InputData,$FirstEntryOffset) 2726 | Local $Indx_DataOffset, $Indx_DataSize, $Indx_Padding1, $Indx_IndexEntrySize, 
$Indx_IndexKeySize, $Indx_Flags, $Indx_Padding2, $Indx_GUIDObjectId, $Indx_MftRef, $Indx_MftRefSeqNo 2727 | Local $Indx_GUIDBirthVolumeId, $Indx_GUIDBirthObjectId, $Indx_GUIDDomainId, $EntryCounter=0, $LocalOffset=1, $TextInformation, $NullGuid = "{00000000-0000-0000-0000-000000000000}" 2728 | Local $IndxLastLsn = -1, $RegExPatternHexNotFourNulls = "[0]{4}", $GuidProbablyBad=0 2729 | 2730 | ;ConsoleWrite("_DecodeSlackIndxContentObjIdO():" & @crlf) 2731 | ;ConsoleWrite(_HexEncode("0x"&$InputData) & @crlf) 2732 | $SizeofIndxRecord = StringLen($InputData) 2733 | While 1 2734 | $TextInformation = "" 2735 | $GuidProbablyBad = 0 2736 | 2737 | If $LocalOffset + 176 >= $SizeofIndxRecord Then 2738 | Return $EntryCounter 2739 | EndIf 2740 | 2741 | ;$RecordOffset = "0x" & Hex(Int($SourceFileOffset + (($LocalOffset-1)/2) + $FirstEntryOffset)) 2742 | $RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($LocalOffset-1)/2) + $FirstEntryOffset)) 2743 | 2744 | $Indx_DataOffset = StringMid($InputData, $LocalOffset, 4) 2745 | $Indx_DataOffset = Dec(_SwapEndian($Indx_DataOffset),2) 2746 | 2747 | $Indx_DataSize = StringMid($InputData, $LocalOffset + 4, 4) 2748 | $Indx_DataSize = Dec(_SwapEndian($Indx_DataSize),2) 2749 | 2750 | ; If $Indx_DataOffset = 0 Or $Indx_DataSize = 0 Then 2751 | ; ConsoleWrite("Error: Invalid DataOffset or DataSize" & @crlf) 2752 | ;ConsoleWrite(_HexEncode("0x"&StringMid($InputData, $LocalOffset)) & @crlf) 2753 | ; Return $EntryCounter 2754 | ; EndIf 2755 | 2756 | ;Padding 4 bytes 2757 | $Indx_Padding1 = StringMid($InputData, $LocalOffset + 8, 8) 2758 | $Indx_Padding1 = Dec(_SwapEndian($Indx_Padding1),2) 2759 | ; If $Indx_Padding1 <> 0 Then 2760 | ; ConsoleWrite("Error: Invalid Padding1" & @crlf) 2761 | ; Return 0 2762 | ; EndIf 2763 | 2764 | $Indx_IndexEntrySize = StringMid($InputData, $LocalOffset + 16, 4) 2765 | $Indx_IndexEntrySize = Dec(_SwapEndian($Indx_IndexEntrySize),2) 2766 | ; If $Indx_IndexEntrySize = 0 Then 2767 | ; ConsoleWrite("Error: Invalid 
IndexEntrySize" & @crlf) 2768 | ; Return 0 2769 | ; EndIf 2770 | 2771 | $Indx_IndexKeySize = StringMid($InputData, $LocalOffset + 20, 4) 2772 | $Indx_IndexKeySize = Dec(_SwapEndian($Indx_IndexKeySize),2) 2773 | 2774 | ;1=Entry has subnodes, 2=Last entry 2775 | $Indx_Flags = StringMid($InputData, $LocalOffset + 24, 4) 2776 | $Indx_Flags = "0x" & _SwapEndian($Indx_Flags) 2777 | ; If $Indx_Flags > 0x0002 Then 2778 | ; ConsoleWrite("Error: Invalid Flags" & @crlf) 2779 | ; Return 0 2780 | ; EndIf 2781 | 2782 | 2783 | ;Padding 2 bytes 2784 | $Indx_Padding2 = StringMid($InputData, $LocalOffset + 28, 4) 2785 | $Indx_Padding2 = Dec(_SwapEndian($Indx_Padding2),2) 2786 | ; If $Indx_Padding2 <> 0 Then 2787 | ; ConsoleWrite("Error: Invalid Padding2" & @crlf) 2788 | ; Return 0 2789 | ; EndIf 2790 | 2791 | $Indx_GUIDObjectId = StringMid($InputData, $LocalOffset + 32, 32) 2792 | ; If $Indx_GUIDObjectId = "00000000000000000000000000000000" Then 2793 | ; ConsoleWrite("Error: Invalid GUIDObjectId" & @crlf) 2794 | ; Return 0 2795 | ; EndIf 2796 | If StringRegExp($Indx_GUIDObjectId,$RegExPatternHexNotFourNulls) Then 2797 | $GuidProbablyBad = 1 2798 | Else 2799 | $GuidProbablyBad = 0 2800 | EndIf 2801 | ;Decode guid 2802 | $Indx_GUIDObjectId_Version = Dec(StringMid($Indx_GUIDObjectId,15,1)) 2803 | $Indx_GUIDObjectId_Timestamp = StringMid($Indx_GUIDObjectId,1,14) & "0" & StringMid($Indx_GUIDObjectId,16,1) 2804 | $Indx_GUIDObjectId_TimestampDec = Dec(_SwapEndian($Indx_GUIDObjectId_Timestamp),2) 2805 | $Indx_GUIDObjectId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDObjectId_Timestamp) 2806 | $Indx_GUIDObjectId_ClockSeq = StringMid($Indx_GUIDObjectId,17,4) 2807 | $Indx_GUIDObjectId_ClockSeq = Dec($Indx_GUIDObjectId_ClockSeq) 2808 | $Indx_GUIDObjectId_Node = StringMid($Indx_GUIDObjectId,21,12) 2809 | $Indx_GUIDObjectId_Node = _DecodeMacFromGuid($Indx_GUIDObjectId_Node) 2810 | $Indx_GUIDObjectId = _HexToGuidStr($Indx_GUIDObjectId,1) 2811 | 2812 | $Indx_MftRef = StringMid($InputData, 
$LocalOffset + 64, 12) 2813 | $Indx_MftRef = Dec(_SwapEndian($Indx_MftRef),2) 2814 | ; If $Indx_MftRef = 0 Then 2815 | ; ConsoleWrite("Error: Invalid MftRef" & @crlf) 2816 | ; Return 0 2817 | ; EndIf 2818 | 2819 | $Indx_MftRefSeqNo = StringMid($InputData, $LocalOffset + 76, 4) 2820 | $Indx_MftRefSeqNo = Dec(_SwapEndian($Indx_MftRefSeqNo),2) 2821 | ; If $Indx_MftRefSeqNo = 0 Then 2822 | ; ConsoleWrite("Error: Invalid MftRefSeqNo" & @crlf) 2823 | ; Return 0 2824 | ; EndIf 2825 | 2826 | $Indx_GUIDBirthVolumeId = StringMid($InputData, $LocalOffset + 80, 32) 2827 | ;Decode guid 2828 | $Indx_GUIDBirthVolumeId_Version = Dec(StringMid($Indx_GUIDBirthVolumeId,15,1)) 2829 | $Indx_GUIDBirthVolumeId_Timestamp = StringMid($Indx_GUIDBirthVolumeId,1,14) & "0" & StringMid($Indx_GUIDBirthVolumeId,16,1) 2830 | $Indx_GUIDBirthVolumeId_TimestampDec = Dec(_SwapEndian($Indx_GUIDBirthVolumeId_Timestamp),2) 2831 | $Indx_GUIDBirthVolumeId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDBirthVolumeId_Timestamp) 2832 | $Indx_GUIDBirthVolumeId_ClockSeq = StringMid($Indx_GUIDBirthVolumeId,17,4) 2833 | $Indx_GUIDBirthVolumeId_ClockSeq = Dec($Indx_GUIDBirthVolumeId_ClockSeq) 2834 | $Indx_GUIDBirthVolumeId_Node = StringMid($Indx_GUIDBirthVolumeId,21,12) 2835 | $Indx_GUIDBirthVolumeId_Node = _DecodeMacFromGuid($Indx_GUIDBirthVolumeId_Node) 2836 | $Indx_GUIDBirthVolumeId = _HexToGuidStr($Indx_GUIDBirthVolumeId,1) 2837 | 2838 | $Indx_GUIDBirthObjectId = StringMid($InputData, $LocalOffset + 112, 32) 2839 | ;Decode guid 2840 | $Indx_GUIDBirthObjectId_Version = Dec(StringMid($Indx_GUIDBirthObjectId,15,1)) 2841 | $Indx_GUIDBirthObjectId_Timestamp = StringMid($Indx_GUIDBirthObjectId,1,14) & "0" & StringMid($Indx_GUIDBirthObjectId,16,1) 2842 | $Indx_GUIDBirthObjectId_TimestampDec = Dec(_SwapEndian($Indx_GUIDBirthObjectId_Timestamp),2) 2843 | $Indx_GUIDBirthObjectId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDBirthObjectId_Timestamp) 2844 | $Indx_GUIDBirthObjectId_ClockSeq = 
StringMid($Indx_GUIDBirthObjectId,17,4) 2845 | $Indx_GUIDBirthObjectId_ClockSeq = Dec($Indx_GUIDBirthObjectId_ClockSeq) 2846 | $Indx_GUIDBirthObjectId_Node = StringMid($Indx_GUIDBirthObjectId,21,12) 2847 | $Indx_GUIDBirthObjectId_Node = _DecodeMacFromGuid($Indx_GUIDBirthObjectId_Node) 2848 | $Indx_GUIDBirthObjectId = _HexToGuidStr($Indx_GUIDBirthObjectId,1) 2849 | 2850 | $Indx_GUIDDomainId = StringMid($InputData, $LocalOffset + 144, 32) 2851 | ;Decode guid 2852 | $Indx_GUIDDomainId_Version = Dec(StringMid($Indx_GUIDDomainId,15,1)) 2853 | $Indx_GUIDDomainId_Timestamp = StringMid($Indx_GUIDDomainId,1,14) & "0" & StringMid($Indx_GUIDDomainId,16,1) 2854 | $Indx_GUIDDomainId_TimestampDec = Dec(_SwapEndian($Indx_GUIDDomainId_Timestamp),2) 2855 | $Indx_GUIDDomainId_Timestamp = _DecodeTimestampFromGuid($Indx_GUIDDomainId_Timestamp) 2856 | $Indx_GUIDDomainId_ClockSeq = StringMid($Indx_GUIDDomainId,17,4) 2857 | $Indx_GUIDDomainId_ClockSeq = Dec($Indx_GUIDDomainId_ClockSeq) 2858 | $Indx_GUIDDomainId_Node = StringMid($Indx_GUIDDomainId,21,12) 2859 | $Indx_GUIDDomainId_Node = _DecodeMacFromGuid($Indx_GUIDDomainId_Node) 2860 | $Indx_GUIDDomainId = _HexToGuidStr($Indx_GUIDDomainId,1) 2861 | 2862 | If $LocalOffset > 352 And $EntryCounter = 0 Then 2863 | ;This INDX is most likely not $O. 
2864 | Return 0 2865 | EndIf 2866 | 2867 | If $LocalOffset >= $SizeofIndxRecord Then 2868 | Return $EntryCounter 2869 | EndIf 2870 | 2871 | Local $TextString 2872 | 2873 | If Mod($Indx_DataOffset,8) = 0 And $Indx_DataOffset < 64 And Mod($Indx_DataSize,8) = 0 And $Indx_DataSize < 128 And $Indx_Padding1 = 0 And Mod($Indx_IndexEntrySize,8) = 0 And $Indx_IndexEntrySize < 128 And Mod($Indx_IndexKeySize,16) = 0 And $Indx_IndexKeySize < 17 And $Indx_Flags < 0x0003 And $Indx_Padding2 = 0 And $Indx_GUIDObjectId <> $NullGuid And $GuidProbablyBad = 0 And $Indx_MftRef > 0 And $Indx_MftRefSeqNo > 0 Then 2874 | ;If $Indx_DataOffset = 0 Then $TextInformation &= ";DataOffset" 2875 | ;If $Indx_DataSize = 0 Then $TextInformation &= ";DataSize" 2876 | ;If $Indx_Padding1 > 0 Then $TextInformation &= ";Padding1" 2877 | ;If $Indx_IndexEntrySize = 0 Then $TextInformation &= ";IndexEntrySize" 2878 | ;If $Indx_IndexKeySize = 0 Then $TextInformation &= ";IndexKeySize" 2879 | 2880 | If Not $DoDefaultAll Then 2881 | $TextString &= " ObjectId:" & $Indx_GUIDObjectId 2882 | If $Indx_GUIDObjectId_Version = 1 Then 2883 | $TextString &= " ObjectId_Timestamp:" & $Indx_GUIDObjectId_Timestamp 2884 | EndIf 2885 | $TextString &= " ObjectId_Node:" & $Indx_GUIDObjectId_Node 2886 | $TextString &= " BirthVolumeId:" & $Indx_GUIDBirthVolumeId 2887 | If $Indx_GUIDBirthVolumeId_Version = 1 Then 2888 | $TextString &= " BirthVolumeId_Timestamp:" & $Indx_GUIDBirthVolumeId_Timestamp 2889 | EndIf 2890 | $TextString &= " BirthObjectId:" & $Indx_GUIDBirthObjectId 2891 | If $Indx_GUIDBirthObjectId_Version = 1 Then 2892 | $TextString &= " BirthObjectId_Timestamp:" & $Indx_GUIDBirthObjectId_Timestamp 2893 | EndIf 2894 | EndIf 2895 | If $WithQuotes Then 2896 | Select 2897 | Case $DoDefaultAll 2898 | FileWriteLine($IndxEntriesObjIdOCsvFile, '"'&$RecordOffset&'"' & $de & '"'&$IndxCurrentVcn&'"' & $de & '"'&$IsNotLeafNode&'"' & $de & '"'&$IndxLastLsn&'"' & $de & '"'&$FromIndxSlack&'"' & $de & '"'&$Indx_DataOffset&'"' & $de & 
'"'&$Indx_DataSize&'"' & $de & '"'&$Indx_Padding1&'"' & $de & '"'&$Indx_IndexEntrySize&'"' & $de & '"'&$Indx_IndexKeySize&'"' & $de & '"'&$Indx_Flags&'"' & $de & '"'&$Indx_Padding2&'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'&$Indx_MftRefSeqNo&'"' & $de & '"'&$Indx_GUIDObjectId&'"' & $de & '"'&$Indx_GUIDObjectId_Version&'"' & $de & '"'&$Indx_GUIDObjectId_Timestamp&'"' & $de & '"'&$Indx_GUIDObjectId_TimestampDec&'"' & $de & '"'&$Indx_GUIDObjectId_ClockSeq&'"' & $de & '"'&$Indx_GUIDObjectId_Node&'"' & $de & '"'&$Indx_GUIDBirthVolumeId&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Version&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Timestamp&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_TimestampDec&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_ClockSeq&'"' & $de & '"'&$Indx_GUIDBirthVolumeId_Node&'"' & $de & '"'&$Indx_GUIDBirthObjectId&'"' & $de & '"'&$Indx_GUIDBirthObjectId_Version&'"' & $de & '"'&$Indx_GUIDBirthObjectId_Timestamp&'"' & $de & '"'&$Indx_GUIDBirthObjectId_TimestampDec&'"' & $de & '"'&$Indx_GUIDBirthObjectId_ClockSeq&'"' & $de & '"'&$Indx_GUIDBirthObjectId_Node&'"' & $de & '"'&$Indx_GUIDDomainId&'"' & $de & '"'&$Indx_GUIDDomainId_Version&'"' & $de & '"'&$Indx_GUIDDomainId_Timestamp&'"' & $de & '"'&$Indx_GUIDDomainId_TimestampDec&'"' & $de & '"'&$Indx_GUIDDomainId_ClockSeq&'"' & $de & '"'&$Indx_GUIDDomainId_Node&'"' & $de & '"'&$TextInformation&'"' & @crlf) 2899 | Case $Dol2t 2900 | FileWriteLine($IndxEntriesObjIdOCsvFile, '"'&'"'& StringLeft($Indx_GUIDObjectId_Timestamp,$CharsToGrabDate) &'"' & $de & '"'& StringMid($Indx_GUIDObjectId_Timestamp,$CharStartTime,$CharsToGrabTime) &'"' & $de & '"'& $UTCconfig &'"' & $de & '"'&"MACB"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"ObjId:O"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'&"Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString&'"' & $de & '""' & $de & 
'""' & @CRLF) 2901 | Case $DoBodyfile 2902 | FileWriteLine($IndxEntriesObjIdOCsvFile, '""' & $de & '"'& "ObjId:O" &'"' & $de & '"'&$Indx_MftRef&'"' & $de & '"'& "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & @CRLF) 2903 | EndSelect 2904 | Else 2905 | Select 2906 | Case $DoDefaultAll 2907 | FileWriteLine($IndxEntriesObjIdOCsvFile, $RecordOffset & $de & $IndxCurrentVcn & $de & $IsNotLeafNode & $de & $IndxLastLsn & $de & $FromIndxSlack & $de & $Indx_DataOffset & $de & $Indx_DataSize & $de & $Indx_Padding1 & $de & $Indx_IndexEntrySize & $de & $Indx_IndexKeySize & $de & $Indx_Flags & $de & $Indx_Padding2 & $de & $Indx_MftRef & $de & $Indx_MftRefSeqNo & $de & $Indx_GUIDObjectId & $de & $Indx_GUIDObjectId_Version & $de & $Indx_GUIDObjectId_Timestamp & $de & $Indx_GUIDObjectId_TimestampDec & $de & $Indx_GUIDObjectId_ClockSeq & $de & $Indx_GUIDObjectId_Node & $de & $Indx_GUIDBirthVolumeId & $de & $Indx_GUIDBirthVolumeId_Version & $de & $Indx_GUIDBirthVolumeId_Timestamp & $de & $Indx_GUIDBirthVolumeId_TimestampDec & $de & $Indx_GUIDBirthVolumeId_ClockSeq & $de & $Indx_GUIDBirthVolumeId_Node & $de & $Indx_GUIDBirthObjectId & $de & $Indx_GUIDBirthObjectId_Version & $de & $Indx_GUIDBirthObjectId_Timestamp & $de & $Indx_GUIDBirthObjectId_TimestampDec & $de & $Indx_GUIDBirthObjectId_ClockSeq & $de & $Indx_GUIDBirthObjectId_Node & $de & $Indx_GUIDDomainId & $de & $Indx_GUIDDomainId_Version & $de & $Indx_GUIDDomainId_Timestamp & $de & $Indx_GUIDDomainId_TimestampDec & $de & $Indx_GUIDDomainId_ClockSeq & $de & $Indx_GUIDDomainId_Node & $de & $TextInformation & @crlf) 2908 | Case $Dol2t 2909 | FileWriteLine($IndxEntriesObjIdOCsvFile, StringLeft($Indx_GUIDObjectId_Timestamp,$CharsToGrabDate) & $de & StringMid($Indx_GUIDObjectId_Timestamp,$CharStartTime,$CharsToGrabTime) & $de & 
$UTCconfig & $de & "MACB" & $de & "INDX" & $de & "ObjId:O" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $Indx_MftRef & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString & $de & "" & $de & "" & @CRLF) 2910 | Case $DoBodyfile 2911 | FileWriteLine($IndxEntriesObjIdOCsvFile, "" & $de & "ObjId:O" & $de & $Indx_MftRef & $de & "Offset:"&$RecordOffset&" Slack:" & $FromIndxSlack & " MftRef:"&$Indx_MftRef&" MftRefSeqNo:"&$Indx_MftRefSeqNo & $TextString & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & @CRLF) 2912 | EndSelect 2913 | EndIf 2914 | $EntryCounter += 1 2915 | ;We can jump by fixed size since all entries in this index are of fixed size. In $I30 this is different because filename length varies. 2916 | $LocalOffset += 176 2917 | Else 2918 | $LocalOffset += 2 2919 | EndIf 2920 | 2921 | WEnd 2922 | Return 1 2923 | EndFunc 2924 | 2925 | Func _HexToGuidStr($input,$mode) 2926 | ;{4b-2b-2b-2b-6b} 2927 | Local $OutStr 2928 | If Not StringLen($input) = 32 Then Return $input 2929 | If $mode Then $OutStr = "{" 2930 | $OutStr &= _SwapEndian(StringMid($input,1,8)) & "-" 2931 | $OutStr &= _SwapEndian(StringMid($input,9,4)) & "-" 2932 | $OutStr &= _SwapEndian(StringMid($input,13,4)) & "-" 2933 | $OutStr &= StringMid($input,17,4) & "-" 2934 | $OutStr &= StringMid($input,21,12) 2935 | If $mode Then $OutStr &= "}" 2936 | Return $OutStr 2937 | EndFunc 2938 | 2939 | Func _WriteIndxObjIdOModuleCsvHeader() 2940 | Local $a 2941 | If $WithQuotes Then 2942 | $a = '"' 2943 | Else 2944 | $a = "" 2945 | EndIf 2946 | If $DoDefaultAll Then 2947 | $Indx_Csv_Header = 
$a&"Offset"&$a&$de&$a&"Vcn"&$a&$de&$a&"IsNotLeaf"&$a&$de&$a&"LastLsn"&$a&$de&$a&"FromIndxSlack"&$a&$de&$a&"DataOffset"&$a&$de&$a&"DataSize"&$a&$de&$a&"Padding1"&$a&$de&$a&"IndexEntrySize"&$a&$de&$a&"IndexKeySize"&$a&$de&$a&"Flags"&$a&$de&$a&"Padding2"&$a&$de&$a&"MftRef"&$a&$de&$a&"MftRefSeqNo"&$a&$de&$a&"ObjectId"&$a&$de&$a&"ObjectId_Version"&$a&$de&$a&"ObjectId_Timestamp"&$a&$de&$a&"ObjectId_TimestampDec"&$a&$de&$a&"ObjectId_ClockSeq"&$a&$de&$a&"ObjectId_Node"&$a&$de&$a&"BirthVolumeId"&$a&$de&$a&"BirthVolumeId_Version"&$a&$de&$a&"BirthVolumeId_Timestamp"&$a&$de&$a&"BirthVolumeId_TimestampDec"&$a&$de&$a&"BirthVolumeId_ClockSeq"&$a&$de&$a&"BirthVolumeId_Node"&$a&$de&$a&"BirthObjectId"&$a&$de&$a&"BirthObjectId_Version"&$a&$de&$a&"BirthObjectId_Timestamp"&$a&$de&$a&"BirthObjectId_TimestampDec"&$a&$de&$a&"BirthObjectId_ClockSeq"&$a&$de&$a&"BirthObjectId_Node"&$a&$de&$a&"DomainId"&$a&$de&$a&"DomainId_Version"&$a&$de&$a&"DomainId_Timestamp"&$a&$de&$a&"DomainId_TimestampDec"&$a&$de&$a&"DomainId_ClockSeq"&$a&$de&$a&"DomainId_Node"&$a&$de&$a&"TextInformation"&$a 2948 | ElseIf $Dol2t Then 2949 | $Indx_Csv_Header = $a&"Date"&$a&$de&$a&"Time"&$a&$de&$a&"Timezone"&$a&$de&$a&"MACB"&$a&$de&$a&"Source"&$a&$de&$a&"SourceType"&$a&$de&$a&"Type"&$a&$de&$a&"User"&$a&$de&$a&"Host"&$a&$de&$a&"Short"&$a&$de&$a&"Desc"&$a&$de&$a&"Version"&$a&$de&$a&"Filename"&$a&$de&$a&"Inode"&$a&$de&$a&"Notes"&$a&$de&$a&"Format"&$a&$de&$a&"Extra"&$a 2950 | ElseIf $DoBodyfile Then 2951 | $Indx_Csv_Header = $a&"MD5"&$a&$de&$a&"name"&$a&$de&$a&"inode"&$a&$de&$a&"mode_as_string"&$a&$de&$a&"UID"&$a&$de&$a&"GID"&$a&$de&$a&"size"&$a&$de&$a&"atime"&$a&$de&$a&"mtime"&$a&$de&$a&"ctime"&$a&$de&$a&"crtime"&$a 2952 | EndIf 2953 | FileWriteLine($IndxEntriesObjIdOCsvFile, $Indx_Csv_Header & @CRLF) 2954 | EndFunc 2955 | 2956 | Func _DecodeMacFromGuid($Input) 2957 | If StringLen($Input) <> 12 Then Return SetError(1) 2958 | Local $Mac = StringMid($Input,1,2) & "-" & StringMid($Input,3,2) & "-" & StringMid($Input,5,2) & "-" 
& StringMid($Input,7,2) & "-" & StringMid($Input,9,2) & "-" & StringMid($Input,11,2) 2959 | Return $Mac 2960 | EndFunc 2961 | 2962 | Func _DecodeTimestampFromGuid($StampDecode) 2963 | $StampDecode = _SwapEndian($StampDecode) 2964 | $StampDecode_tmp = _WinTime_UTCFileTimeToLocalFileTime("0x" & $StampDecode) 2965 | $StampDecode = _WinTime_UTCFileTimeFormat(Dec($StampDecode,2) - $tDelta - $TimeDiff, $DateTimeFormat, $TimestampPrecision) 2966 | If @error Then 2967 | $StampDecode = $TimestampErrorVal 2968 | ElseIf $TimestampPrecision = 3 Then 2969 | $StampDecode = $StampDecode & $PrecisionSeparator2 & _FillZero(StringRight($StampDecode_tmp, 4)) 2970 | EndIf 2971 | Return $StampDecode 2972 | EndFunc 2973 | 2974 | Func _Decode_Reparse_R($InputData, $FirstEntryOffset) 2975 | Local $EntryCounter=0 2976 | $StartOffset = 1 2977 | $InputDataSize = StringLen($InputData) 2978 | 2979 | ;ConsoleWrite("_Decode_Reparse_R():" & @CRLF) 2980 | ;ConsoleWrite(_HexEncode("0x"&$InputData) & @CRLF) 2981 | 2982 | Do 2983 | $RecordOffset = "0x" & Hex(Int($CurrentFileOffset + (($StartOffset-1)/2) + $FirstEntryOffset)) 2984 | 2985 | $DataOffset = StringMid($InputData, $StartOffset, 4) 2986 | $DataOffset = Dec(_SwapEndian($DataOffset),2) 2987 | 2988 | $DataSize = StringMid($InputData, $StartOffset + 4, 4) 2989 | $DataSize = Dec(_SwapEndian($DataSize),2) 2990 | 2991 | If $DataOffset = 0 Then 2992 | ConsoleWrite("Error: Invalid DataOffset" & @crlf) 2993 | ;ConsoleWrite(_HexEncode("0x"&StringMid($InputData, $StartOffset)) & @crlf) 2994 | Return $EntryCounter 2995 | EndIf 2996 | 2997 | ;Padding 4 bytes 2998 | $Padding1 = StringMid($InputData, $StartOffset + 8, 8) 2999 | $Padding1 = Dec(_SwapEndian($Padding1),2) 3000 | If $Padding1 <> 0 Then 3001 | ConsoleWrite("Error: Invalid Padding1" & @crlf) 3002 | Return $EntryCounter 3003 | EndIf 3004 | 3005 | $IndexEntrySize = StringMid($InputData, $StartOffset + 16, 4) 3006 | $IndexEntrySize = Dec(_SwapEndian($IndexEntrySize),2) 3007 | If $IndexEntrySize = 0 
Then ExitLoop 3008 | 3009 | $IndexKeySize = StringMid($InputData, $StartOffset + 20, 4) 3010 | $IndexKeySize = Dec(_SwapEndian($IndexKeySize),2) 3011 | 3012 | $Flags = StringMid($InputData, $StartOffset + 24, 4) 3013 | ; If Dec(_SwapEndian($Flags),2) > 2 Then 3014 | ; ConsoleWrite("Error: Invalid Flags" & @crlf) 3015 | ; Return 0 3016 | ; EndIf 3017 | $Flags = "0x" & _SwapEndian($Flags) 3018 | 3019 | ;Padding 2 bytes 3020 | $Padding2 = StringMid($InputData, $StartOffset + 28, 4) 3021 | $Padding2 = Dec(_SwapEndian($Padding2),2) 3022 | If $Padding2 <> 0 Then 3023 | ConsoleWrite("Error: Invalid Padding2" & @crlf) 3024 | Return $EntryCounter 3025 | EndIf 3026 | 3027 | $KeyReparseTag = StringMid($InputData, $StartOffset + 32, 8) 3028 | $KeyReparseTag = "0x" & _SwapEndian($KeyReparseTag) 3029 | $KeyReparseTag = _GetReparseType($KeyReparseTag) 3030 | If StringInStr($KeyReparseTag, "UNKNOWN") Then 3031 | ConsoleWrite("Error: Invalid KeyReparseTag: " & $KeyReparseTag & @crlf) 3032 | Return $EntryCounter 3033 | EndIf 3034 | 3035 | $KeyMftRefOfReparsePoint = StringMid($InputData, $StartOffset + 40, 12) 3036 | $KeyMftRefOfReparsePoint = Dec(_SwapEndian($KeyMftRefOfReparsePoint),2) 3037 | If $KeyMftRefOfReparsePoint = 0 Then 3038 | ConsoleWrite("Error: Invalid MftRef: " & $KeyMftRefOfReparsePoint & @crlf) 3039 | Return $EntryCounter 3040 | EndIf 3041 | 3042 | $KeyMftRefSeqNoOfReparsePoint = StringMid($InputData, $StartOffset + 52, 4) 3043 | $KeyMftRefSeqNoOfReparsePoint = Dec(_SwapEndian($KeyMftRefSeqNoOfReparsePoint),2) 3044 | If $KeyMftRefSeqNoOfReparsePoint = 0x0 Or $KeyMftRefSeqNoOfReparsePoint = 0xFFFF Then 3045 | ConsoleWrite("Error: Invalid MftRefSeqNo: " & $KeyMftRefSeqNoOfReparsePoint & @crlf) 3046 | Return $EntryCounter 3047 | EndIf 3048 | #cs 3049 | ConsoleWrite(@CRLF) 3050 | ConsoleWrite(_HexEncode("0x"&StringMid($InputData, $StartOffset, $IndexEntrySize*2)) & @CRLF) 3051 | ConsoleWrite("$EntryCounter: " & $EntryCounter & @CRLF) 3052 | ConsoleWrite("$DataOffset: " & 
$DataOffset & @CRLF) 3053 | ConsoleWrite("$DataSize: " & $DataSize & @CRLF) 3054 | ConsoleWrite("$IndexEntrySize: " & $IndexEntrySize & @CRLF) 3055 | ConsoleWrite("$IndexKeySize: " & $IndexKeySize & @CRLF) 3056 | ConsoleWrite("$Flags: " & $Flags & @CRLF) 3057 | ConsoleWrite("$KeyReparseTag: " & $KeyReparseTag & @CRLF) 3058 | ConsoleWrite("$KeyMftRefOfReparsePoint: " & $KeyMftRefOfReparsePoint & @CRLF) 3059 | ConsoleWrite("$KeyMftRefSeqNoOfReparsePoint: " & $KeyMftRefSeqNoOfReparsePoint & @CRLF) 3060 | #ce 3061 | ;Padding 4 bytes 3062 | $Padding3 = StringMid($InputData, $StartOffset + 56, 8) 3063 | $Padding3 = Dec(_SwapEndian($Padding3),2) 3064 | If $Padding3 <> 0 Then 3065 | ConsoleWrite("Error: Invalid Padding3" & @crlf) 3066 | Return $EntryCounter 3067 | EndIf 3068 | 3069 | If $WithQuotes Then 3070 | Select 3071 | Case $DoDefaultAll 3072 | FileWriteLine($IndxEntriesReparseRCsvFile, '"'&$RecordOffset&'"'&$de&'"'&$IndxCurrentVcn&'"'&$de&'"'&$IsNotLeafNode&'"'&$de&'"'&$IndxLastLsn&'"'&$de&'"'&$FromIndxSlack&'"'&$de&'"'&$DataOffset&'"'&$de&'"'&$DataSize&'"'&$de&'"'&$Padding1&'"'&$de&'"'&$IndexEntrySize&'"'&$de&'"'&$IndexKeySize&'"'&$de&'"'&$Flags&'"'&$de&'"'&$Padding2&'"'&$de&'"'&$KeyMftRefOfReparsePoint&'"'&$de&'"'&$KeyMftRefSeqNoOfReparsePoint&'"'&$de&'"'&$KeyReparseTag&'"'&@crlf) 3073 | Case $Dol2t 3074 | FileWriteLine($IndxEntriesReparseRCsvFile, '"'&'"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'&"MACB"&'"' & $de & '"'&"INDX"&'"' & $de & '"'&"Reparse:R"&'"' & $de & '"'& "" &'"' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'&$KeyMftRefOfReparsePoint&'"' & $de & '"'&"Offset:"&$RecordOffset&" ReparseTag:"&$KeyReparseTag&" MftRefOfReparsePoint:"&$KeyMftRefOfReparsePoint&" MftRefSeqNoOfReparsePoint:"&$KeyMftRefSeqNoOfReparsePoint&'"' & $de & '""' & $de & '""' & @CRLF) 3075 | Case $DoBodyfile 3076 | FileWriteLine($IndxEntriesReparseRCsvFile, '""' & $de & '"'& "Reparse:R" &'"' & $de & 
'"'&$KeyMftRefOfReparsePoint&'"' & $de & '"'&"Reparse:R"&'"' & $de & '""' & $de & '""' & $de & '""' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & $de & '"'& "" &'"' & @CRLF)
			EndSelect
		Else
			Select
				Case $DoDefaultAll
					FileWriteLine($IndxEntriesReparseRCsvFile, $RecordOffset&$de&$IndxCurrentVcn&$de&$IsNotLeafNode&$de&$IndxLastLsn&$de&$FromIndxSlack&$de&$DataOffset&$de&$DataSize&$de&$Padding1&$de&$IndexEntrySize&$de&$IndexKeySize&$de&$Flags&$de&$Padding2&$de&$KeyMftRefOfReparsePoint&$de&$KeyMftRefSeqNoOfReparsePoint&$de&$KeyReparseTag&@crlf)
				Case $Dol2t
					FileWriteLine($IndxEntriesReparseRCsvFile, "" & $de & "" & $de & "" & $de & "MACB" & $de & "INDX" & $de & "Reparse:R" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & $KeyMftRefOfReparsePoint & $de & "Offset:"&$RecordOffset&" ReparseTag:"&$KeyReparseTag&" MftRefOfReparsePoint:"&$KeyMftRefOfReparsePoint&" MftRefSeqNoOfReparsePoint:"&$KeyMftRefSeqNoOfReparsePoint & $de & "" & $de & "" & @CRLF)
				Case $DoBodyfile
					FileWriteLine($IndxEntriesReparseRCsvFile, "" & $de & "Reparse:R" & $de & $KeyMftRefOfReparsePoint & $de & "Reparse:R" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & $de & "" & @CRLF)
			EndSelect
		EndIf

		$EntryCounter+=1
		$StartOffset += $IndexEntrySize*2
	Until $StartOffset >= $InputDataSize
	Return $EntryCounter
EndFunc

; Writes the column header line to the $Reparse:$R csv ($IndxEntriesReparseRCsvFile).
; The set of columns depends on which output mode is active ($DoDefaultAll, $Dol2t or
; $DoBodyfile); each column name is wrapped in double quotes when $WithQuotes is set and
; the names are joined with the global field separator $de.
; The column order has to stay in sync with the data rows written per entry above
; (in the log2timeline layout Inode carries the MftRef and Notes carries the
; "Offset:... ReparseTag:..." summary; in the bodyfile layout inode carries the MftRef)
; and with the INDX_REPARSER table in db-schema-INDX-ReparseR.sql.
; $Indx_Csv_Header is not declared Local here, so it is presumably a global shared with
; the other header writers - confirm. If none of the three mode flags is set, whatever
; value it already holds is written unchanged.
Func _WriteIndxReparseRModuleCsvHeader()
	Local $a
	; $a is the optional quote character placed around every column name
	If $WithQuotes Then
		$a = '"'
	Else
		$a = ""
	EndIf
	If $DoDefaultAll Then
		; 15 columns, one per decoded field of a $Reparse:$R index entry
		$Indx_Csv_Header = $a&"Offset"&$a&$de&$a&"Vcn"&$a&$de&$a&"IsNotLeaf"&$a&$de&$a&"LastLsn"&$a&$de&$a&"FromIndxSlack"&$a&$de&$a&"DataOffset"&$a&$de&$a&"DataSize"&$a&$de&$a&"Padding1"&$a&$de&$a&"IndexEntrySize"&$a&$de&$a&"IndexKeySize"&$a&$de&$a&"Flags"&$a&$de&$a&"Padding2"&$a&$de&$a&"MftRef"&$a&$de&$a&"MftRefSeqNo"&$a&$de&$a&"KeyReparseTag"&$a
	ElseIf $Dol2t Then
		; 17 columns of the log2timeline csv layout (see db-schema-log2timeline.sql)
		$Indx_Csv_Header = $a&"Date"&$a&$de&$a&"Time"&$a&$de&$a&"Timezone"&$a&$de&$a&"MACB"&$a&$de&$a&"Source"&$a&$de&$a&"SourceType"&$a&$de&$a&"Type"&$a&$de&$a&"User"&$a&$de&$a&"Host"&$a&$de&$a&"Short"&$a&$de&$a&"Desc"&$a&$de&$a&"Version"&$a&$de&$a&"Filename"&$a&$de&$a&"Inode"&$a&$de&$a&"Notes"&$a&$de&$a&"Format"&$a&$de&$a&"Extra"&$a
	ElseIf $DoBodyfile Then
		; 11 columns of the bodyfile layout (see db-schema-bodyfile.sql)
		$Indx_Csv_Header = $a&"MD5"&$a&$de&$a&"name"&$a&$de&$a&"inode"&$a&$de&$a&"mode_as_string"&$a&$de&$a&"UID"&$a&$de&$a&"GID"&$a&$de&$a&"size"&$a&$de&$a&"atime"&$a&$de&$a&"mtime"&$a&$de&$a&"ctime"&$a&$de&$a&"crtime"&$a
	EndIf
	FileWriteLine($IndxEntriesReparseRCsvFile, $Indx_Csv_Header & @CRLF)
EndFunc

; Initialises the substring positions used to split a formatted timestamp string into its
; date and time parts, based on the global $DateTimeFormat setting:
;   $CharsToGrabDate - number of leading characters that form the date part
;   $CharStartTime   - 1-based position at which the time part starts
;   $CharsToGrabTime - number of characters in the time part
; Format 1 uses an 8-character date and a 6-character time; formats 2, 3 and 6 use a
; 10-character date and an 8-character time. There is no Case Else, so any other value
; leaves the three globals untouched (stale or unset) - TODO confirm $DateTimeFormat is
; validated before this is called.
Func _SetDateTimeFormats()
	Select
		Case $DateTimeFormat = 1
			$CharsToGrabDate = 8
			$CharStartTime = 9
			$CharsToGrabTime = 6
		Case $DateTimeFormat = 2
			$CharsToGrabDate = 10
			$CharStartTime = 11
			$CharsToGrabTime = 8
		Case $DateTimeFormat = 3
			$CharsToGrabDate = 10
			$CharStartTime = 11
			$CharsToGrabTime = 8
		Case $DateTimeFormat = 6
			$CharsToGrabDate = 10
			$CharStartTime = 11
			$CharsToGrabTime = 8
	EndSelect
EndFunc
-------------------------------------------------------------------------------- /Indx2Csv.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jschicht/Indx2Csv/129a411efd829418c2a3dc36502bfb6ed45feab0/Indx2Csv.exe -------------------------------------------------------------------------------- /Indx2Csv64.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jschicht/Indx2Csv/129a411efd829418c2a3dc36502bfb6ed45feab0/Indx2Csv64.exe -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | License 2 | 3 | THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. 4 | 5 | BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 6 | 7 | 1. Definitions 8 | a."Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License. 
9 | b."Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License. 10 | c."Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership. 11 | d."Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License. 12 | e."Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast. 
13 | f."Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work. 14 | g."You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. 
15 | h."Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images. 16 | i."Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium. 17 | 18 | 2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws. 19 | 20 | 3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: 21 | a.to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; 22 | b.to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. 
For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified."; 23 | c.to Distribute and Publicly Perform the Work including as incorporated in Collections; and, 24 | d.to Distribute and Publicly Perform Adaptations. 25 | 26 | e.For the avoidance of doubt: 27 | i.Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; 28 | ii.Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and, 29 | iii.Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License. 30 | 31 | 32 | The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved. 33 | 34 | 4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: 35 | a.You may Distribute or Publicly Perform the Work only under the terms of this License. 
You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested. 
36 | b.If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. 37 | c.Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise. 38 | 39 | 5. 
Representations, Warranties and Disclaimer 40 | 41 | UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 42 | 43 | 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 44 | 45 | 7. Termination 46 | a.This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. 47 | b.Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 
48 | 49 | 8. Miscellaneous 50 | a.Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. 51 | b.Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. 52 | c.If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. 53 | d.No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. 54 | e.This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. 55 | f.The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). 
These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law. 56 | -------------------------------------------------------------------------------- /changelog.txt: -------------------------------------------------------------------------------- 1 | Indx2Csv Changelog 2 | 3 | 1.0.0.14 4 | Improved slack parser for I30. 5 | Added support for new outputformats: log2timeline and bodyfile. 6 | Added new commandline param /StrictNameCheck for use with I30 and unicode falsepositives in slack. 7 | Improved quality in the sql files generated, now also including the new output formats. 8 | Fixed a bug with the quotes configuration. 9 | 10 | 1.0.0.13 11 | Fixed a bug that caused some valid INDX data to be missed when system files contain zeroed filestamps. 12 | 13 | 1.0.0.12 14 | Added 2 new fields from INDX header into all output and db schema. Vcn and IsNotLeaf. 15 | Fixed bug that caused parsing to skip indx when LastLsn is 0. 16 | 17 | v1.0.0.11 18 | Added missing reparse tags. 19 | 20 | v1.0.0.10 21 | Added support for $Reparse $R. 22 | Added missing reparse tags. 23 | Added MySql schema and import sql for Indx-ReparseR-Entries_.csv to INDX_REPARSER table. 24 | 25 | v1.0.0.9 26 | Moved the import sql files into the new import-sql sub directory so that compilation works with the project as is. 27 | 28 | v1.0.0.8 29 | Fixed some bugs in the cleanup after end of parsing. 30 | Added support for dumping the decode of $O index (both $INDEX_ALLOCATION and $INDEX_ROOT) for $ObjId to a separate csv. 
Requires Scan mode = 0. 31 | Added break down of GUID/UUID as found in $ObjectId attribute and $O index of $ObjId, according to RFC 4122 (https://www.ietf.org/rfc/rfc4122.txt). That among other things includes timestamp. 32 | Added MySql schema and import sql for Indx-ObjIdO-Entries_.csv to INDX_OBJIDO table. 33 | 34 | v1.0.0.7 35 | Fixed bug that caused directory entries and entries for resident files, not to be detected while in scan mode. 36 | 37 | v1.0.0.6 38 | Fixed wrong offset in output for entries parsed in normal mode with healthy INDX structure. 39 | Removed unecessary failure check with slack scan in Normal mode with healthy INDX structure. 40 | 41 | v1.0.0.5 42 | Added field for EaSize in output. 43 | Added validation test for IndexFlags. 44 | 45 | v1.0.0.4 46 | Changed name of field in csv and db from TextInformation to CorruptEntries. 47 | Improved detection of corrupt entries. Changed logic in ScanMode handling, from being a tickbox on/off to a dropdown with levels from 0 to 15. 48 | 49 | v1.0.0.3 50 | Added 3 new parameters. /VerifyFragment:, /OutFragmentName: and /CleanUp:. See readme. 51 | Implemented supported for true brute force mode (/ScanMode:1). 52 | Added exit errorlevel to make it suite better with batch scripting. 53 | Added postfix of .empty to csv's generated with 0 hits. 54 | 55 | v1.0.0.2 56 | Added MySql support and a schema for INDX_I30 table. 57 | Added missing TextInformation variable in csv in the core module (though not actually used there). 58 | 59 | v1.0.0.1 60 | Removed timestamp added to output directory. 61 | Added all output files with prefix Indx_I30_Entries_. 62 | Added timestamp into output file names. 63 | 64 | v1.0.0.0 65 | Initial version. 
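-------------------------------------------------------------------------------- /db-schema-INDX-I30.sql: --------------------------------------------------------------------------------

-- MySQL table for the $I30 (directory index) entries csv produced by Indx2Csv.
-- Loaded by import-sql/import-csv-INDX-I30.sql, whose column list must match this
-- definition (Id is auto-generated and not part of the csv).
-- NOTE(review): that import feeds several NOT NULL columns (LastLsn, MFTReference,
-- MFTReferenceSeqNo, IndexFlags, MFTParentReference, MFTParentReferenceSeqNo,
-- AllocSize, RealSize, EaSize and the four timestamps) through nullif(@x,'') or
-- STR_TO_DATE(), so an empty csv field becomes NULL and is rejected by a server
-- running in strict sql_mode - confirm the intended sql_mode, or relax these to
-- NULL DEFAULT NULL like the other two INDX tables.
CREATE TABLE INDX_I30(
 `Id` INT(11) NOT NULL AUTO_INCREMENT
,`Offset` VARCHAR(18) NOT NULL
,`Vcn` BIGINT NULL DEFAULT NULL
,`IsNotLeaf` TINYINT(1) NULL DEFAULT NULL
,`LastLsn` BIGINT NOT NULL
,`FromIndxSlack` TINYINT(1)
,`FileName` VARCHAR(255) NOT NULL
,`MFTReference` BIGINT NOT NULL
,`MFTReferenceSeqNo` BIGINT NOT NULL
,`IndexFlags` INTEGER NOT NULL
,`MFTParentReference` BIGINT NOT NULL
,`MFTParentReferenceSeqNo` BIGINT NOT NULL
,`CTime` DATETIME(6) NOT NULL
,`ATime` DATETIME(6) NOT NULL
,`MTime` DATETIME(6) NOT NULL
,`RTime` DATETIME(6) NOT NULL
,`AllocSize` BIGINT NOT NULL
,`RealSize` BIGINT NOT NULL
,`FileFlags` VARCHAR(64) NOT NULL
,`ReparseTag` VARCHAR(32) NOT NULL
,`EaSize` INT(11) NOT NULL
,`NameSpace` VARCHAR(9) NOT NULL
,`SubNodeVCN` BIGINT NULL DEFAULT NULL
,`CorruptEntries` VARCHAR(255) NULL DEFAULT NULL
,PRIMARY KEY (Id)
);
-------------------------------------------------------------------------------- /db-schema-INDX-ObjIdO.sql: --------------------------------------------------------------------------------

-- Table for the $ObjId:$O index entries csv (Indx-ObjIdO-Entries_*.csv, see the
-- changelog entry for v1.0.0.8). Loaded by import-sql/import-csv-INDX-objido.sql.
-- Each GUID column (ObjectId, BirthVolumeId, BirthObjectId, DomainId) is followed by
-- its RFC 4122 breakdown: version, embedded timestamp (as DATETIME and, presumably,
-- the undecoded numeric value in *_TimestampDec - confirm), clock sequence and node.
-- MftRefSeqNo is the 16-bit MFT record sequence number; it is UNSIGNED so that values
-- 32768..65534 do not overflow a signed SMALLINT on import.
CREATE TABLE INDX_OBJIDO(
 `Id` INT(11) NOT NULL AUTO_INCREMENT
,`Offset` VARCHAR(18) NULL DEFAULT NULL
,`Vcn` BIGINT NULL DEFAULT NULL
,`IsNotLeaf` TINYINT(1) NULL DEFAULT NULL
,`LastLsn` BIGINT NULL DEFAULT NULL
,`FromIndxSlack` TINYINT(1) NULL DEFAULT NULL
,`DataOffset` SMALLINT(5) NULL DEFAULT NULL
,`DataSize` SMALLINT(5) NULL DEFAULT NULL
,`Padding1` INT(11) NULL DEFAULT NULL
,`IndexEntrySize` SMALLINT(5) NULL DEFAULT NULL
,`IndexKeySize` SMALLINT(5) NULL DEFAULT NULL
,`Flags` VARCHAR(6) NULL DEFAULT NULL
,`Padding2` SMALLINT(5) NULL DEFAULT NULL
,`MftRef` BIGINT NOT NULL
,`MftRefSeqNo` SMALLINT(5) UNSIGNED NOT NULL
,`ObjectId` VARCHAR(38) NOT NULL
,`ObjectId_Version` TINYINT(2) NULL DEFAULT NULL
,`ObjectId_Timestamp` DATETIME(6) NULL DEFAULT NULL
,`ObjectId_TimestampDec` BIGINT NULL DEFAULT NULL
,`ObjectId_ClockSeq` SMALLINT(5) NULL DEFAULT NULL
,`ObjectId_Node` VARCHAR(17) NULL DEFAULT NULL
,`BirthVolumeId` VARCHAR(38) NOT NULL
,`BirthVolumeId_Version` TINYINT(2) NULL DEFAULT NULL
,`BirthVolumeId_Timestamp` DATETIME(6) NULL DEFAULT NULL
,`BirthVolumeId_TimestampDec` BIGINT NULL DEFAULT NULL
,`BirthVolumeId_ClockSeq` SMALLINT(5) NULL DEFAULT NULL
,`BirthVolumeId_Node` VARCHAR(17) NULL DEFAULT NULL
,`BirthObjectId` VARCHAR(38) NOT NULL
,`BirthObjectId_Version` TINYINT(2) NULL DEFAULT NULL
,`BirthObjectId_Timestamp` DATETIME(6) NULL DEFAULT NULL
,`BirthObjectId_TimestampDec` BIGINT NULL DEFAULT NULL
,`BirthObjectId_ClockSeq` SMALLINT(5) NULL DEFAULT NULL
,`BirthObjectId_Node` VARCHAR(17) NULL DEFAULT NULL
,`DomainId` VARCHAR(38) NOT NULL
,`DomainId_Version` TINYINT(2) NULL DEFAULT NULL
,`DomainId_Timestamp` DATETIME(6) NULL DEFAULT NULL
,`DomainId_TimestampDec` BIGINT NULL DEFAULT NULL
,`DomainId_ClockSeq` SMALLINT(5) NULL DEFAULT NULL
,`DomainId_Node` VARCHAR(17) NULL DEFAULT NULL
,`TextInformation` VARCHAR(256) NULL DEFAULT NULL
,PRIMARY KEY (Id)
);
-------------------------------------------------------------------------------- /db-schema-INDX-ReparseR.sql: --------------------------------------------------------------------------------

-- Table for the $Reparse:$R index entries csv (Indx-ReparseR-Entries_*.csv), written by
-- the Reparse:R decoder in Indx2Csv.au3 in exactly this column order and loaded by
-- import-sql/import-csv-INDX-reparser.sql.
-- Flags holds the 2-byte index entry flags rendered as "0x" plus 4 hex digits (hence
-- VARCHAR(6)); KeyReparseTag holds the decoded reparse tag name.
-- MftRefSeqNo is the 16-bit MFT record sequence number; the decoder only rejects 0 and
-- 0xFFFF, so values 32768..65534 can occur and would overflow a signed SMALLINT -
-- hence UNSIGNED.
CREATE TABLE INDX_REPARSER(
 `Id` INT(11) NOT NULL AUTO_INCREMENT
,`Offset` VARCHAR(18) NULL DEFAULT NULL
,`Vcn` BIGINT NULL DEFAULT NULL
,`IsNotLeaf` TINYINT(1) NULL DEFAULT NULL
,`LastLsn` BIGINT NULL DEFAULT NULL
,`FromIndxSlack` TINYINT(1) NULL DEFAULT NULL
,`DataOffset` SMALLINT(5) NULL DEFAULT NULL
,`DataSize` SMALLINT(5) NULL DEFAULT NULL
,`Padding1` INT(11) NULL DEFAULT NULL
,`IndexEntrySize` SMALLINT(5) NULL DEFAULT NULL
,`IndexKeySize` SMALLINT(5) NULL DEFAULT NULL
,`Flags` VARCHAR(6) NULL DEFAULT NULL
,`Padding2` SMALLINT(5) NULL DEFAULT NULL
,`MftRef` BIGINT NOT NULL
,`MftRefSeqNo` SMALLINT(5) UNSIGNED NOT NULL
,`KeyReparseTag` VARCHAR(32) NULL DEFAULT NULL
,PRIMARY KEY (Id)
);
-------------------------------------------------------------------------------- /db-schema-bodyfile.sql: --------------------------------------------------------------------------------

-- Generic Sleuth Kit bodyfile layout (MD5|name|inode|mode_as_string|UID|GID|size|
-- atime|mtime|ctime|crtime) for the bodyfile output format.
-- The Reparse:R rows written by Indx2Csv fill only name, inode (the MftRef) and
-- mode_as_string and leave MD5, UID, GID, size and all four timestamps empty.
-- NOTE(review): with the timestamp columns NOT NULL such rows fail under strict
-- sql_mode unless the import maps '' to a valid DATETIME - confirm against
-- import-csv-bodyfile-INDX.sql.
CREATE TABLE bodyfile(
 `id` INT(11) NOT NULL AUTO_INCREMENT
,`MD5` VARCHAR(32) NOT NULL
,`name` TEXT NOT NULL
,`inode` BIGINT NOT NULL
,`mode_as_string` MEDIUMTEXT NOT NULL
,`UID` VARCHAR(64) NOT NULL
,`GID` VARCHAR(64) NULL
,`size` BIGINT NULL
,`atime` DATETIME(6) NOT NULL
,`mtime` DATETIME(6) NOT NULL
,`ctime` DATETIME(6) NOT NULL
,`crtime` DATETIME(6) NOT NULL
,PRIMARY KEY (Id)
);
-------------------------------------------------------------------------------- /db-schema-log2timeline.sql: --------------------------------------------------------------------------------

-- Generic log2timeline csv layout for the log2timeline output format.
-- For the Reparse:R rows Indx2Csv puts the MftRef in inode and an
-- "Offset:... ReparseTag:... MftRefOfReparsePoint:... MftRefSeqNoOfReparsePoint:..."
-- summary in notes, and leaves date, time and timezone empty.
-- NOTE(review): date/time/timezone are NOT NULL here, and notes VARCHAR(128) may be
-- shorter than that summary for a long offset and tag name - confirm against
-- import-csv-l2t-INDX.sql.
CREATE TABLE log2timeline(
 `id` INT(11) NOT NULL AUTO_INCREMENT
,`date` DATE NOT NULL
,`time` TIME NOT NULL
,`timezone` VARCHAR(32) NOT NULL
,`MACB` VARCHAR(8) NOT NULL
,`source` VARCHAR(128) NOT NULL
,`sourcetype` VARCHAR(128) NULL
,`type` VARCHAR(128) NULL
,`user` VARCHAR(64) NULL
,`host` VARCHAR(128) NULL
,`short` VARCHAR(256) NULL
,`desc` MEDIUMTEXT NULL
,`version` INT(4) NULL
,`filename` VARCHAR(256) NULL
,`inode` BIGINT NOT NULL
,`notes` VARCHAR(128) NULL
,`format` VARCHAR(128) NULL
,`extra` TEXT NULL
,PRIMARY KEY (Id)
);
--------------------------------------------------------------------------------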
/import-sql/import-csv-INDX-I30.sql:
--------------------------------------------------------------------------------
-- Loads the tool's $I30 csv into INDX_I30.
-- __PathToCsv__, __Separator__ and __TimestampTransformationSyntax__ are
-- placeholders that must be substituted with the values the csv was produced
-- with before this file is run.
--
-- NOTE(review) on the substitution:
--  * The path lands inside a double-quoted MySQL string literal. Unless sql_mode
--    has NO_BACKSLASH_ESCAPES, backslashes are escape sequences, so a Windows
--    path such as C:\temp\x.csv is mangled (\t becomes a TAB). Double the
--    backslashes or use forward slashes.
--  * A quote or backslash in the substituted value breaks out of the literal.
--    LOAD DATA is not among the statements MySQL allows in PREPARE, so escaping
--    is the only control: escape the value and only ever substitute
--    operator-controlled paths, never anything taken from the evidence.
--  * LOCAL makes the *client* read and upload the file. It needs local_infile
--    enabled on both client and server (off by default in MySQL 8.0), and a
--    client that has it on will send whatever file a malicious or compromised
--    server asks for - only enable it toward a server you trust.
LOAD DATA LOCAL INFILE "__PathToCsv__"
INTO TABLE INDX_I30
-- NOTE(review): NTFS file names are UTF-16; if the csv was written as UTF-8 or
-- UTF-16 (e.g. with /Unicode:1) this setting mangles every non-Latin-1 name.
-- Match it to the csv's actual encoding.
CHARACTER SET 'latin1'
COLUMNS TERMINATED BY '__Separator__'
-- Values may be "-quoted (the tool's /QuotationMark option); an embedded quote
-- is represented as "" because the escape character is the enclosure itself.
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '"'
-- If the csv has CRLF line ends, the trailing \r lands in the last column
-- (CorruptEntries); use '\r\n' in that case.
LINES TERMINATED BY '\n'
-- Skip the header row.
IGNORE 1 LINES
-- 23 columns, in the csv's order. The @-variables are staged so that an empty
-- field can be mapped to NULL below; a directly loaded numeric column would
-- store 0 for an empty field instead.
(`Offset`, `Vcn`, `IsNotLeaf`, @LastLsn, @FromIndxSlack, `FileName`, @MFTReference, @MFTReferenceSeqNo, @IndexFlags, @MFTParentReference, @MFTParentReferenceSeqNo, @CTime, @ATime, @MTime, @RTime, @AllocSize, @RealSize, `FileFlags`, `ReparseTag`, @EaSize, `NameSpace`, @`SubNodeVCN`, @`CorruptEntries`)
SET
LastLsn = nullif(@LastLsn,''),
FromIndxSlack = nullif(@FromIndxSlack,''),
MFTReference = nullif(@MFTReference,''),
MFTReferenceSeqNo = nullif(@MFTReferenceSeqNo,''),
IndexFlags = nullif(@IndexFlags,''),
MFTParentReference = nullif(@MFTParentReference,''),
MFTParentReferenceSeqNo = nullif(@MFTParentReferenceSeqNo,''),
-- STR_TO_DATE returns NULL (with a warning) when the value does not match the
-- format. The tool's default TSErrorVal '0000-00-00 00:00:00' is a zero date,
-- which NO_ZERO_DATE (in the strict default sql_mode since MySQL 5.7) turns
-- into NULL here as well. Column naming follows the tool (readme: ATime is the
-- modified time, RTime the access time), not the POSIX meaning.
`CTime` = STR_TO_DATE(@CTime, '__TimestampTransformationSyntax__'),
`ATime` = STR_TO_DATE(@ATime, '__TimestampTransformationSyntax__'),
`MTime` = STR_TO_DATE(@MTime, '__TimestampTransformationSyntax__'),
`RTime` = STR_TO_DATE(@RTime, '__TimestampTransformationSyntax__'),
AllocSize = nullif(@AllocSize,''),
RealSize = nullif(@RealSize,''),
EaSize = nullif(@EaSize,''),
SubNodeVCN = nullif(@SubNodeVCN,''),
CorruptEntries = nullif(@CorruptEntries,'')
;
--------------------------------------------------------------------------------
/import-sql/import-csv-INDX-objido.sql:
--------------------------------------------------------------------------------
-- Loads the tool's $O ($ObjId) csv into INDX_OBJIDO. The same placeholder,
-- path-escaping, LOCAL/local_infile and charset caveats as in
-- import-csv-INDX-I30.sql apply.
LOAD DATA LOCAL INFILE "__PathToCsv__"
INTO TABLE INDX_OBJIDO
CHARACTER SET 'latin1'
COLUMNS TERMINATED BY '__Separator__'
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '"'
LINES TERMINATED BY '\n'
IGNORE 1 LINES
-- (the column list and the SET clause continue below)
(`Offset`, `Vcn`, `IsNotLeaf`,
-- (continuation of the INDX_OBJIDO column list begun above)
`LastLsn`, `FromIndxSlack`, `DataOffset`, `DataSize`, `Padding1`, `IndexEntrySize`, `IndexKeySize`, `Flags`, `Padding2`, @MftRef, @MftRefSeqNo, `ObjectId`, `ObjectId_Version`, @ObjectId_Timestamp, `ObjectId_TimestampDec`, `ObjectId_ClockSeq`, `ObjectId_Node`, `BirthVolumeId`, `BirthVolumeId_Version`, @BirthVolumeId_Timestamp, `BirthVolumeId_TimestampDec`, `BirthVolumeId_ClockSeq`, `BirthVolumeId_Node`, `BirthObjectId`, `BirthObjectId_Version`, @BirthObjectId_Timestamp, `BirthObjectId_TimestampDec`, `BirthObjectId_ClockSeq`, `BirthObjectId_Node`, `DomainId`, `DomainId_Version`, @DomainId_Timestamp, `DomainId_TimestampDec`, `DomainId_ClockSeq`, `DomainId_Node`, `TextInformation`)
-- NOTE(review): only MftRef/MftRefSeqNo and the four *_Timestamp columns are
-- staged through @-variables. The other numeric columns (LastLsn, FromIndxSlack,
-- DataOffset/Size, Padding*, Index*Size, *_Version, *_TimestampDec, *_ClockSeq)
-- are loaded directly, so an empty csv field is stored as 0 with a warning, not
-- as NULL - indistinguishable from a real 0 afterwards. Only a problem if the
-- tool ever emits empty fields there; confirm against the csv.
SET
MftRef = nullif(@MftRef,''),
MftRefSeqNo = nullif(@MftRefSeqNo,''),
-- Timestamps the tool decoded from the GUIDs (the *_Version/_ClockSeq/_Node
-- columns suggest UUID v1 fields). NULL when STR_TO_DATE cannot parse the value
-- with __TimestampTransformationSyntax__.
ObjectId_Timestamp = STR_TO_DATE(@ObjectId_Timestamp, '__TimestampTransformationSyntax__'),
BirthVolumeId_Timestamp = STR_TO_DATE(@BirthVolumeId_Timestamp, '__TimestampTransformationSyntax__'),
BirthObjectId_Timestamp = STR_TO_DATE(@BirthObjectId_Timestamp, '__TimestampTransformationSyntax__'),
DomainId_Timestamp = STR_TO_DATE(@DomainId_Timestamp, '__TimestampTransformationSyntax__')
;
--------------------------------------------------------------------------------
/import-sql/import-csv-INDX-reparser.sql:
--------------------------------------------------------------------------------
-- Loads the tool's $R ($Reparse) csv into INDX_REPARSER. The same placeholder,
-- path-escaping (backslashes and quotes inside the double-quoted literal),
-- LOCAL/local_infile and charset caveats as in import-csv-INDX-I30.sql apply.
LOAD DATA LOCAL INFILE "__PathToCsv__"
INTO TABLE INDX_REPARSER
CHARACTER SET 'latin1'
COLUMNS TERMINATED BY '__Separator__'
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '"'
LINES TERMINATED BY '\n'
IGNORE 1 LINES
-- 15 columns in csv order. Only MftRef/MftRefSeqNo are NULL-mapped; the other
-- numeric columns store 0 for an empty field (see the note on the objido import
-- above).
(`Offset`, `Vcn`, `IsNotLeaf`, `LastLsn`, `FromIndxSlack`, `DataOffset`, `DataSize`, `Padding1`, `IndexEntrySize`, `IndexKeySize`, `Flags`, `Padding2`, @MftRef, @MftRefSeqNo, `KeyReparseTag`)
SET
MftRef = nullif(@MftRef,''),
MftRefSeqNo = nullif(@MftRefSeqNo,'')
;
--------------------------------------------------------------------------------
/import-sql/import-csv-bodyfile-INDX.sql:
--------------------------------------------------------------------------------
-- Loads the tool's bodyfile output (/OutputFormat:bodyfile) into `bodyfile`.
-- NOTE(review): unlike the INDX imports this is a server-side LOAD DATA INFILE
-- (no LOCAL): the path is resolved on the database server, the MySQL user needs
-- the FILE privilege, and secure_file_priv must allow the directory. Fine on an
-- analyst box that runs its own server; it will not work against a remote
-- server unless the csv is copied there first.
-- NOTE(review): IGNORE does not skip bad rows - it turns data-conversion errors
-- into warnings and stores a coerced value (NULL into a NOT NULL column becomes
-- '', 0 or a zero date; an unparsable timestamp becomes a zero date). For a
-- forensic load, check SHOW WARNINGS and the row count against the csv.
-- The path is a single-quoted literal: the same backslash-escaping and
-- quote-breakout caveats as for the INDX imports apply (double backslashes or
-- use forward slashes; escape the substituted value).
LOAD DATA INFILE '__PathToCsv__' IGNORE
INTO TABLE bodyfile
-- Match to the csv's real encoding; latin1 mangles non-Latin-1 file names.
CHARACTER SET 'latin1'
COLUMNS TERMINATED BY '__Separator__'
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '"'
LINES TERMINATED BY '\n'
IGNORE 1 LINES
-- 11 columns in bodyfile order (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
(@MD5, @name, @inode, @mode_as_string, @UID, @GID, @size, @atime, @mtime, @ctime, @crtime)
SET
-- nullif() on columns the schema declares NOT NULL (MD5, name, inode,
-- mode_as_string, UID, atime..crtime) has no visible effect: under IGNORE the
-- NULL is replaced by the column's implicit default with a warning.
MD5 = nullif(@MD5,''),
`name` = nullif(@name,''),
inode = nullif(@inode,''),
mode_as_string = nullif(@mode_as_string,''),
UID = nullif(@UID,''),
GID = nullif(@GID,''),
`size` = nullif(@size,''),
-- NOTE(review): the classic TSK bodyfile carries epoch seconds in these fields;
-- this template expects the tool's formatted timestamps (its /TSFormat setting)
-- and parses them with __TimestampTransformationSyntax__ - confirm before
-- loading a bodyfile produced by anything else.
atime = STR_TO_DATE(@atime, '__TimestampTransformationSyntax__'),
mtime = STR_TO_DATE(@mtime, '__TimestampTransformationSyntax__'),
ctime = STR_TO_DATE(@ctime, '__TimestampTransformationSyntax__'),
crtime = STR_TO_DATE(@crtime, '__TimestampTransformationSyntax__')
;


--------------------------------------------------------------------------------
/import-sql/import-csv-l2t-INDX.sql:
--------------------------------------------------------------------------------
-- Loads the tool's log2timeline csv (/OutputFormat:l2t) into `log2timeline`.
-- Same server-side INFILE, IGNORE, charset and path caveats as the bodyfile
-- import above. Date and time are separate columns with their own placeholders
-- (__DateTransformationSyntax__, __TimeTransformationSyntax__).
LOAD DATA INFILE '__PathToCsv__' IGNORE
INTO TABLE log2timeline
CHARACTER SET 'latin1'
COLUMNS TERMINATED BY '__Separator__'
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '"'
LINES TERMINATED BY '\n'
IGNORE 1 LINES
-- 17 columns in l2t csv order; `timezone` and `MACB` are loaded directly into
-- NOT NULL columns.
(@date, @time, `timezone`, `MACB`, @source, @sourcetype, @type, @user, @host, @short, @desc, @version, @filename, @inode, @notes, @format, @extra)
SET
`date` = STR_TO_DATE(@date, '__DateTransformationSyntax__'),
`time` = STR_TO_DATE(@time, '__TimeTransformationSyntax__'),
source = nullif(@source,''),
sourcetype = nullif(@sourcetype,''),
type = nullif(@type,''),
user = nullif(@user,''),
host = nullif(@host,''),
-- (the SET clause continues below)
short =
nullif(@short,''), 19 | `desc` = nullif(@desc,''), 20 | version = nullif(@version,''), 21 | filename = nullif(@filename,''), 22 | inode = nullif(@inode,''), 23 | notes = nullif(@notes,''), 24 | format = nullif(@format,''), 25 | extra = nullif(@extra,'') 26 | ; 27 | 28 | -------------------------------------------------------------------------------- /readme.txt: -------------------------------------------------------------------------------- 1 | This is a parser for INDX records of type $I30, $O ($ObjId) and $R ($Reparse). 2 | For $I30 this is the $INDEX_ALLOCATION attribute for directories which is an index with certain values from the $STANDARD_INFORMATION and $FILE_NAME attributes of all subitems (items within a folder). 3 | For $ObjId there is an $O index (in $INDEX_ALLOCATION and/or $INDEX_ROOT) that holds data for all files on the volume that contain an $ObjectId attribute in their MFT record. In order to scan for this, make sure Scan mode = 0. 4 | For $Reparse there is an $R index (in $INDEX_ALLOCATION and/or $INDEX_ROOT) that holds data for all files on the volume that contain an $REPARSE_POINT attribute in their MFT record. In order to scan for this, make sure Scan mode = 0. 5 | 6 | On NTFS there are various types of INDX present in addition to $I30: 7 | $INDEX_ALLOCATION:$SDH for $Secure. This is MftRef 9 and is the security descriptor hash index. 8 | $INDEX_ALLOCATION:$SII for $Secure. This is MftRef 9 and is the security id index. 9 | $INDEX_ALLOCATION:$O for $Quota. This is usually but not always for MftRef 24. 10 | $INDEX_ALLOCATION:$Q for $Quota. This is usually but not always for MftRef 24. 11 | $INDEX_ALLOCATION:$O for $ObjId. This is usually but not always for MftRef 25 and is for the index that holds information about all files that have the $OBJECT_ID attribute present. 12 | $INDEX_ALLOCATION:$R for $Reparse. 
This is usually but not always for MftRef 26 and is for the index that holds information about all files that have the $REPARSE_POINT attribute present.

What input?
For best results, use IndxCarver to extract the INDX records. That tool splits its output into 3 files, which makes the records easier to tell apart: 1 for false positives, 1 for records with fixups applied, and 1 for records without fixups applied.

What does it decode?
As much as possible. That is all the members within any INDX entry, plus some more.

Command line mode
No parameters supplied will by default launch the GUI. The valid parameters are:

/IndxFile:
The input file with INDX records (as extracted with IndxCarver).
/OutputPath:
Optionally specify the output directory. Default is the current directory.
/TimeZone:
A string value for the timezone. See the list further down for valid values.
/Fixups:
Boolean value to apply fixups. Default is 1. Can be 0 or 1.
/Separator:
The separator to use in the csv. Default is |. The default cannot occur in a valid Windows file name, which makes it a safe choice; if you pick a character that can, also set /QuotationMark:1 so that a value containing the separator does not shift the csv columns.
/Unicode:
Boolean value for decoding unicode strings. Default is 0. Can be 0 or 1. Output quality may be severely reduced when this is combined with /Slack:1; see /StrictNameCheck.
/Slack:
Boolean value for scanning slack space. Default is 0. Can be 0 or 1.
/TSFormat:
An integer from 1 - 6 for specifying the timestamp format. Start the gui to see what they mean. Default is 6.
/TSPrecision:
What precision to use in the timestamp. Valid values are None, MilliSec and NanoSec. Default is NanoSec.
/TSPrecisionSeparator:
The separator placed in front of the precision (fractional-second) part of the timestamp. Default is ".". Start the gui to see what it means.
/TSPrecisionSeparator2:
The separator to put in between MilliSec and NanoSec in the precision part of the timestamp. Default is empty/nothing. Start the gui to see what it means.
/TSErrorVal:
A custom error value to put with errors in timestamp decode. Default value is '0000-00-00 00:00:00', which represents an invalid timestamp value for NTFS. MySQL treats it as a zero date, which is disallowed when sql_mode includes NO_ZERO_DATE (part of the default strict mode since MySQL 5.7): STR_TO_DATE in the import-sql scripts then yields NULL with a warning instead. Choose a value your database accepts if you plan to load the csv.
/IndxSize:
The size of the INDX records in bytes. Default is 4096.
/VerifyFragment:
Boolean value for activating a simple validation on a fragment only, without running the full parser. Can be 0 or 1. Will by default write the fixed fragment to OutFragment.bin unless otherwise specified in /OutFragmentName:
/OutFragmentName:
The output filename to write the fixed fragment to, if /VerifyFragment: is set to 1. If omitted, the default filename is OutFragment.bin.
/CleanUp:
Boolean value for cleaning up all output if no entries could be decoded. Default value is 1. Can be 0 or 1. This setting makes the most sense if the program is run in a loop from a batch script or similar.
/ScanMode:
An integer indicating the depth level of scan mode. 0 is normal mode without any scanning and is the default value. 1 is light level scanning. 15 is the deepest level.
/QuotationMark:
Boolean value for surrounding all values in the output with quotation marks. The import-sql scripts accept quoted values (OPTIONALLY ENCLOSED BY '"').
/OutputFormat:
Format of the csv output. Can be all, l2t or bodyfile. Default is all.
/StrictNameCheck:
Boolean value for applying an extended name check on I30 entries in slack. Useful in unicode mode with many false positives in slack. Default is 1.

Examples:
Indx2Csv.exe /IndxFile:c:\temp\chunk.wfixups.INDX
Indx2Csv.exe /IndxFile:c:\temp\chunk.wfixups.INDX /OutputPath:e:\temp
Indx2Csv.exe /IndxFile:c:\temp\chunk.wfixups.INDX /OutputPath:e:\temp /OutputFormat:l2t
Indx2Csv.exe /IndxFile:c:\temp\chunk.wfixups.INDX /OutputPath:e:\temp /Unicode:1 /StrictNameCheck:1
Indx2Csv.exe /IndxFile:c:\temp\chunk.wfixups.INDX /TimeZone:2.00 /TSFormat:1 /TSPrecision:NanoSec /Unicode:1
Indx2Csv.exe /IndxFile:c:\temp\chunk.wofixups.INDX /Fixups:0 /TimeZone:-5.00 /TSFormat:1 /TSPrecision:MilliSec
Indx2Csv.exe /IndxFile:c:\temp\chunk.wofixups.INDX /Fixups:0 /TSFormat:1 /TSPrecision:MilliSec /Slack:1 /Unicode:0
Indx2Csv.exe /IndxFile:C:\temp\fragment.bin /ScanMode:10 /VerifyFragment:1 /OutputPath:e:\I30Output /OutFragmentName:FragmentCollection.bin /CleanUp:1
Indx2Csv.exe /IndxFile:e:\I30Output\FragmentCollection.bin /OutputPath:e:\I30Output /ScanMode:10 /Fixups:0

Timestamp explanation
CTime -> File Create Time.
ATime -> File Modified Time.
MTime -> MFT Entry modified Time.
RTime -> File Last Access Time.
Note that these are this tool's own column names (presumably A for altered, R for read) and do not follow the POSIX/bodyfile meaning of atime and mtime; when correlating with other timeline sources, map the columns by meaning rather than by name.

The available TimeZone values are:
-12.00
-11.00
-10.00
-9.30
-9.00
-8.00
-7.00
-6.00
-5.00
-4.30
-4.00
-3.30
-3.00
-2.00
-1.00
0.00
1.00
2.00
3.00
3.30
4.00
4.30
5.00
5.30
5.45
6.00
6.30
7.00
8.00
8.45
9.00
9.30
10.00
10.30
11.00
11.30
12.00
12.45
13.00
14.00

Error levels
The current exit (error) codes have been implemented in commandline mode, which makes it more suited for batch scripting.
1. No valid entries could be decoded. Empty output.
4. Failure in writing fixed fragment to output. Validation of fragment succeeded though.

Thus if you get %ERRORLEVEL% == 1 it means nothing was decoded, and if you get %ERRORLEVEL% == 4 then valid records were detected but could not be written to the separate output (only used with /VerifyFragment: and /OutFragmentName:).

--------------------------------------------------------------------------------