Changelog PowerForensics v1.1.1:
* Particularlly: 30/10/2016
– Abstracted ATTRIBUTE_LIST MFT attributes
* Fixed major DataRun parsing bug
* Added Nano Server compatibility!
* Added new csproj for PowerShell v2 compatibility
++ New module PowerForensicv2 for PowerShell v2 compatibility
PowerForensics v1.1.1
PowerForensics is a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system.
with Cmdlets Function:
– Boot Sector
Get-MBR - parses the first sector of the hard drive and returns a MasterBootRecord object Get-GPT - parses the first sector of the hard drive and returns a GuidPartitionTable object Get-BootSector - parses the first sector of the hard drive and returns the appropriate boot sector (MBR or GPT) Get-PartitionTable - parses the first sector of the hard drive and returns the partition table
– New Technology File System (NTFS)
Get-FileRecord - returns Master File Table entries Get-FileRecordIndex - returns a file's MFT record index number Get-DeletedFile - returns Master File Table entries of files that are marked as deleted Get-AttrDef - parses the $AttrDef file to return definitions of MFT Attributes Get-BadCluster - parses the $BadClus file to check for damaged clusters Get-Bitmap - parses the $Bitmap file to determine if a cluster is marked as in use Get-UsnJrnl - parses the $UsnJrnl file's $J data attribute and returns USN Journal Entries Get-UsnJrnlInformation - parses the $UsnJrnl file's $MAX data attribute and returns USN Journal Metadata Get-VolumeBootRecord - parses the $Boot file located in the first sector of the volume and returns the VolumeBootRecord object Get-VolumeInformation - parses the $Volume file's $VOLUME_INFORMATION attribute and returns a VolumeInformation Object Get-VolumeName - parses the $Volume file's $VOLUME_NAME attribute and returns the VolumeName
– Extended File System 4 (ext4)
Get-Superblock - returns the ext4 SuperBlock object Get-BlockGroupDescriptor - returns the Block Group Descriptor Table entries Get-Inode - returns the Inode Table entries
– Windows Artifacts
Get-VolumeShadowCopy - returns Win32_ShadowCopy objects Get-Prefetch - parses the binary structure of Windows Prefetch files and returns a custom Prefetch object Get-ScheduledJobRaw - parses the binary structure of Scheduled Jobs (at jobs) and returns a custom ScheduledJob object
– Utilities.
Invoke-DD - provides a bit for bit copy of a specified device Copy-FileRaw - creates a copy of a file from its raw bytes on disk Get-ChildItemRaw - returns a directory's contents by parsing the MFT structures Get-ContentRaw - gets the content of a file from its raw bytes on disk Get-Hash - returns a cryptographic hash for the specified file Get-Timezone - determines a system's timezone based on the registry setting
– Formatters:
Format-Hex - Formats byte array output into a hexdump
Module Installation:
The easiest way to install PowerForensics is through the Install-Module cmdlet. This is available by default in Windows 10, but can also be installed via the Windows Management Framework or the standalone MSI installer:
Just Typing on CMDLETS: PS> Find-Module -Name *Forensic* PS> Install-Module -Name PowerForensics PS> Import-Module PowerForensics PS> Get-Command -Module PowerForensics
Download : PowerForensics.zip | PowerForensicsv2 | Our Post Before
Source: https://github.com/Invoke-IR