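/*
  Name:        TLNFile.EnScript
  Author:      Don C. Weber
  Last Update: 12/23/2009
  Usage:       Double click and watch console and "Export" directory
  Notes:
  ToDo:
  Change History:
    12/23/2009: Added additional logic to handle files without times
                Added UTC comment to initial dialog
                Added UID to TLN output
                Updated all output to adhere to TLN format

  Reviewer notes on the output this script produces:
    - Every record is built by plain string concatenation with "|" as the field
      separator. Host name, owner name and full path are written as-is, so a value
      that itself contains "|" or a line break will shift or split the columns of
      the resulting TLN line. Path and owner values come from the evidence being
      examined; consumers of EnCase_BodyFile.txt should validate the field count
      of each line rather than assume five fields.
    - Timestamps are whatever GetString() renders. The banner asks the examiner to
      switch to UTC and a sortable format, but the script does not verify either.
*/

class MainClass;

/*
  Informational banner shown before anything else. It only displays static text
  reminding the examiner to set the timezone to UTC and pick a sortable date/time
  format; the "main" argument is accepted but not used.
*/
class BannerDialogClass: DialogClass {
  StaticTextClass SafeTextEdit;

  BannerDialogClass(MainClass main):
    DialogClass(null, "TLN Generator"),
    SafeTextEdit(this, "Generate a TLN Bodyfile of File and Directory information.\n\nBefore proceeding please set Timezone to UTC and modify the date\/time format to\n\n\"yyyy MM DD HH\':'mm\':\'ss\" or a similar, sortable, format.", START, 15, 200, 50, 0)
  {}
}

/*
  Prompt for the host name that is stamped into the Host field of every record.
  The edit control is bound to main.Text and marked REQUIRED.
*/
class TextDialogClass: DialogClass {
  StringEditClass Text;

  TextDialogClass(MainClass main):
    DialogClass(null, "Host Name"),
    Text(this, "Please enter the hostname.", START, START, 300, 12, 0, main.Text, 34, REQUIRED)
  {}
}

class MainClass {
  String Text;  // host name entered by the examiner; used as the TLN Host field

  /*
    Return the owner name for an entry, or "0" when no owner can be determined.
    The permission list is walked to the end, so if several permissions carry the
    "Owner" property the last one is the one reported.
  */
  String OwnerOf(EntryClass entry) {
    String UID = "0"; // In case User cannot be determined
    PermissionClass perms = entry.PermissionRoot();
    if (perms) {
      foreach (PermissionClass p in perms) {
        if (p.Property() == "Owner")
          UID = p.Name();
      }
    }
    return UID;
  }

  /*
    Write one TLN record to the console and to the body file. Both sinks receive
    the same string from a single call site so the two copies cannot drift apart.
  */
  void WriteRecord(LocalFileClass local, const String &line) {
    Console.WriteLine(line);
    local.WriteLine(line);
  }

  /*
    Entry point. Shows the banner, asks for the host name, then walks every entry
    of the case and writes up to four TLN records per entry (one per non-empty
    timestamp) to <ExportFolder>\EnCase_BodyFile.txt and to the console.

    TLN Format: Time | Source | Host | User | Description (entry plus the time displayed)
  */
  void Main(CaseClass c) {
    BannerDialogClass bnr(this);
    if (bnr.Execute() != SystemClass::OK)
      return;

    TextDialogClass dlg(this);
    SystemClass::ClearConsole(); // clear the console
    if (dlg.Execute() != SystemClass::OK)
      return;

    // Local file object used to write the body file to the examiner's filesystem.
    LocalFileClass local();
    String outPath = c.ExportFolder() + "\\" + "EnCase_BodyFile.txt";
    if (!local.Open(outPath, FileClass::WRITE)) {
      // Previously a failed open ended the script with no output and no message,
      // which is indistinguishable from a case that contains no entries.
      Console.WriteLine("Unable to open " + outPath + " for writing; no TLN output was produced.");
      return;
    }

    // Set the codepage type for the output file. This will write in ASCII.
    // NOTE(review): names with non-ASCII characters may not survive this
    // encoding unchanged - confirm against a sample before relying on paths.
    local.SetCodePage(0);

    forall (EntryClass entry in c.EntryRoot()) {
      String UID = OwnerOf(entry);

      String faccessed = entry.Accessed().GetString();
      String fwritten  = entry.Written().GetString();
      String fmodded   = entry.Modified().GetString();
      String fcreated  = entry.Created().GetString();

      // Everything after the Time field is identical for all records of an entry.
      String detail = "|EnCase File TLN|" + Text + "|" + UID + "|" + entry.FullPath() + " : Size " + entry.LogicalSize();

      if (faccessed != "" || fwritten != "" || fmodded != "" || fcreated != "") {
        if (faccessed != "")
          WriteRecord(local, faccessed + detail + " : Accessed Time (atime)");

        // NOTE(review): Written() is labelled "Change Time (ctime)" and Modified()
        // "Modified Time (mtime)". In EnCase, Written is usually the content
        // ("Last Written") time and Modified the entry/metadata time, which would
        // make these two labels the reverse of the usual mtime/ctime meaning.
        // Labels are left as the author wrote them; confirm before using them to
        // order content changes against metadata changes.
        if (fwritten != "")
          WriteRecord(local, fwritten + detail + " : Change Time (ctime)");

        if (fmodded != "")
          WriteRecord(local, fmodded + detail + " : Modified Time (mtime)");

        if (fcreated != "")
          WriteRecord(local, fcreated + detail + " : Created Time (crtime)");
      } else {
        // No timestamp at all: emit a single record with time "0" so the entry
        // still appears in the timeline instead of being dropped.
        WriteRecord(local, "0" + detail + " : No Time, Deleted?");
      }
    }
  }
}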