I found some code that does it, but it's 462 lines of C-language hell.
Nah, hell is too strong. I could figure it out if I wanted to, but
it would take a while. I just didn't want to do that if someone
already had something in Java. How would I find such a beast on
Sourceforge, if it was there? The C code I found is called Pasco
v1.0, btw, found here:
http://www.foundstone.com/resources/forensics.htm. Very nice of them
to make this available with source -- too bad I can't read C!
Anybody know if something like it is available in Java?
--Dale--
I don't remember if I was quite done with this, but I got what I
needed out of it. Now if anyone else wants it, here it is:
import java.io.*;
import java.util.*;
public class IndexReader {
public static final int FILESIZE_LOCATION = 28;
public static final int NUMBER_BYTES = 4;
public static final int RECORD_SIZE = 128;
public static final int KEY_SIZE = 4;
public static final int STARTING_OFFSET = 32;
private int count = 0;
public void read(String fileNameString) throws Exception {
RandomAccessFile raf = new RandomAccessFile(fileNameString,"r");
int hashOff = getDecimalValue(raf, STARTING_OFFSET, NUMBER_BYTES);
while (hashOff != 0){
//System.out.println("hashOff:" + Integer.toString(hashOff,16));
//String thewordHash = getKey(raf, hashOff, KEY_SIZE);
//System.out.println("the word hash:" + thewordHash + " from
location " + Integer.toString(hashOff,16));
int nextHashOff = getDecimalValue(raf, hashOff + 8, NUMBER_BYTES);
//System.out.println("nextHashOff:" +
Integer.toString(nextHashOff,16));
int hashSize = getDecimalValue(raf, hashOff + 4, NUMBER_BYTES) *
RECORD_SIZE;
for (int offset = hashOff + 16; offset < hashOff + hashSize;
offset+=8) {
String hashRecFlags = getKey(raf, offset, KEY_SIZE);
int currRecOff = getDecimalValue(raf, offset + 4, NUMBER_BYTES);
if (currRecOff != 0){
parseRecord(raf, currRecOff);
}
}
hashOff = nextHashOff;
}
System.out.println("parsed " + count + " records.");
}
public void read2(String fileNameString) throws Exception {
RandomAccessFile raf = new RandomAccessFile(fileNameString,"r");
int fileSize = getDecimalValue(raf, FILESIZE_LOCATION,
NUMBER_BYTES);
System.out.println("fileSize:" + fileSize);
int currentPosition = 0;
while (currentPosition < fileSize){
parseRecord(raf, currentPosition);
currentPosition += RECORD_SIZE;
}
System.out.println("parsed " + count + " records.");
}
public String parseRecord(RandomAccessFile raf, int currentPosition)
throws Exception {
String key = getKey(raf, currentPosition, KEY_SIZE);
if (key.equals("REDR")){
System.out.println(key);
count++;
} else if (key.equals("URL ") || key.equals("LEAK")){
System.out.println(key);
count++;
} else {
System.out.println("skipping:" + key);
}
return "not yet implemented";
}
private int getDecimalValue(RandomAccessFile raf, int startLocation,
int numberOfBytes) throws Exception {
byte[] buf = pread(raf, startLocation, numberOfBytes);
int total = 0;
for(int i = 0; i < buf.length; i++){
int thisOne = buf
;
if (thisOne < 0) thisOne = thisOne * -1 + 128;
total += thisOne << 8*i;
}
return total;
}
private String getKey(RandomAccessFile raf, int startLocation, int
numberOfBytes) throws Exception {
return new String(pread(raf, startLocation, numberOfBytes));
}
private byte[] pread (RandomAccessFile raf, int startLocation, int
numberOfBytes) throws Exception {
byte[] buf = new byte[numberOfBytes];
raf.seek(startLocation);
int numberRead = raf.read(buf,0,numberOfBytes);
return buf;
}
public static void main(String[] args) throws Exception {
IndexReader rdr = new IndexReader();
rdr.read("c:\\windows\\desktop\\index.dat");
//rdr.read2("c:\\windows\\desktop\\index.dat");
}
}