new method

EricZimmerman · EricZimmerman · commit 342eb4757ece · 2019-10-25T15:18:13.000-04:00
diff --git a/Registry.Test/TestRegistryHive.cs b/Registry.Test/TestRegistryHive.cs
@@ -685,14 +685,27 @@ public void OneOff()
 
             LogManager.Configuration = config;
 
-            var r = new RegistryHive(@"C:\Users\eric\Desktop\UsrClassStudent.datUp");
+            var r = new RegistryHive(@"D:\!downloads\NTUSER_recover_anon.DAT");
             r.RecoverDeleted = true;
 
             
             
             r.ParseHive();
 
-            
+            var del = r.DeletedRegistryKeys.Where(t => t.LastWriteTime.Value.Month == 2 && t.LastWriteTime.Value.Day == 13 && t.LastWriteTime.Value.Year == 2019 && t.LastWriteTime.Value.Minute == 46 && t.KeyName.Contains("Bookmarks")).ToList();
+            //var del = r.DeletedRegistryKeys.Where(t => t.NkRecord.RelativeOffset == 5313048).ToList();
+
+            //RelativeOffset = 5313184 == panels
+            //Relative offset	0x50B3B0 (5288880) == 28
+
+            var test = r.GetKey(11724520);
+
+            //"2/13/2019 7:46:59 AM -05:00"
+            //"5207632"
+
+            var t1 = r.GetDeletedKey(5288880, DateTimeOffset.Parse("2/13/2019 7:46:59 AM -05:00").Ticks);
+
+            Debug.WriteLine(del.Count);
 
         }
 
diff --git a/Registry/Registry.csproj b/Registry/Registry.csproj
@@ -10,9 +10,9 @@
     <Copyright>Eric Zimmerman</Copyright>
     <PackageProjectUrl>https://github.com/EricZimmerman/Registry</PackageProjectUrl>
     <RepositoryUrl>https://github.com/EricZimmerman/Registry</RepositoryUrl>
-    <AssemblyVersion>1.1.0.3</AssemblyVersion>
-    <FileVersion>1.1.0.3</FileVersion>
-    <Version>1.1.0.3</Version>
+    <AssemblyVersion>1.1.0.4</AssemblyVersion>
+    <FileVersion>1.1.0.4</FileVersion>
+    <Version>1.1.0.4</Version>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
   </PropertyGroup>
 
diff --git a/Registry/RegistryHive.cs b/Registry/RegistryHive.cs
@@ -735,6 +735,66 @@ public void ExportDataToCommonFormat(string outfile, bool deletedOnly)
             }
         }
 
+        public RegistryKey GetDeletedKey(long relativeOffset, long lastwritetimestampTicks)
+        {
+           // var segs = keyPath.Split('\\');
+
+           var keys = DeletedRegistryKeys.Where(t => t.NkRecord.RelativeOffset == relativeOffset).ToList();
+
+
+            //TODO clean this up
+
+           if (!keys.Any())
+           {
+              var keys2 = CellRecords.Where(t => t.Value.RelativeOffset == relativeOffset).ToList();
+           }
+
+            //get a list that contains all matching root level unassociated keys
+            //var keys = DeletedRegistryKeys.Where(t => t.KeyPath == keyPath).ToList();
+
+            if (keys.Count() == 1)
+            {
+                return keys.First();
+            }
+
+
+            return keys.SingleOrDefault(t => t.LastWriteTime.Value.Ticks == lastwritetimestampTicks);
+
+//
+//            //drill down into each until we find the right one based on last write time
+//            foreach (var registryKey in keys)
+//            {
+//                var foo = registryKey;
+//
+//                var startKey = registryKey;
+//
+//                for (var i = 1; i < segs.Length; i++)
+//                {
+//                    foo = startKey.SubKeys.SingleOrDefault(t => t.KeyName == segs[i]);
+//                    if (foo != null)
+//                    {
+//                        startKey = foo;
+//                    }
+//                }
+//
+//                if (foo == null)
+//                {
+//                    continue;
+//                }
+//
+//                if (foo.LastWriteTime.ToString() != lastwritetimestamp)
+//                {
+//                    continue;
+//                }
+//
+//                return foo;
+//
+//                //  break;
+//            }
+//
+//            return null;
+        }
+
         public RegistryKey GetDeletedKey(string keyPath, string lastwritetimestamp)
         {
             var segs = keyPath.Split('\\');
