A little bit of PowerShell Forensics P1

PowerShell is a powerful tool for every sysadmin! Just a few days ago I discovered the blog of CqureAcademy, where Paula gives a nice introduction to PowerShell forensics. It looked amazing and immediately caught my attention. I didn't know about that particular module before and decided to try it out.

In my case I won't attach a VHDX file; I'll use a USB flash drive and try the file recovery there.

Let's get started. First I'll launch PowerShell with admin privileges and install the module:

Find-Module -Name *Forensic*
Install-Module PowerForensicsv2

Now let's import the module and get a list of all its cmdlets:
Import-Module PowerForensicsv2
Get-Command -Module PowerForensicsv2

For test purposes I copied some portable programs to my USB flash drive and then deleted them.
Let's see what we get with the first command:

Get-ForensicFileRecord -VolumeName E: | Where-Object {$_.Deleted}

Now we can see the portable programs, and that they're marked as deleted. We also notice that every deleted file has a RecordNumber.
Let's have a closer look at one of them:

Get-ForensicFileRecord -VolumeName E: -Index 39

Now let's store that record in a variable and read out the file attributes:
$fr=Get-ForensicFileRecord -VolumeName E: -Index 39
$fr.Attribute

Interesting for us is the DataRun, from which we can gain more information about the file itself.

$fd=$fr.Attribute | Where-Object {$_.Name -eq 'Data'}
$fd.DataRun

DataRun shows us the starting cluster and the cluster length, which tells us how big the file is.
Now let's display some information about the target volume E: and try to recover the file:

Get-ForensicVolumeBootRecord -Volume E:

As you can see we get BytesPerCluster. Together with the DataRun information we can try to recover the file: the offset is the start cluster multiplied by BytesPerCluster, and the block size is the cluster length multiplied by BytesPerCluster.

Invoke-ForensicDD -InFile \\.\e: -Offset (1538*4096) -BlockSize (121*4096) -Count 1 -OutFile C:\temp\test.exe

Now let's go to the directory and check our restored file:

As you can see, putty.exe was successfully restored.
Soon I'll add a short Part 2 with another exercise ;-)
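The manual steps above (look up the record, read its DataRun, multiply by BytesPerCluster, carve with Invoke-ForensicDD) wrapped into one function, as an added example that is not part of the original post. It goes a bit further than the single-run case shown above by walking every data run, so fragmented files come back whole, and by handling resident and sparse data. It assumes PowerForensicsv2 is imported and that its Data attribute exposes NonResident, RawData, RealSize and DataRun items with StartCluster, ClusterLength and Sparse; check the exact property names with Get-Member on your module version.

```powershell
# Added example, not from the original post. Assumed PowerForensics property names:
# Data attribute -> NonResident, RawData, RealSize, DataRun
# DataRun item   -> StartCluster, ClusterLength, Sparse
function Restore-DeletedRecord {
    param(
        [Parameter(Mandatory)][string]$Volume,   # drive letter, e.g. 'E:'
        [Parameter(Mandatory)][long]$Index,      # MFT RecordNumber of the file
        [Parameter(Mandatory)][string]$OutFile   # where to write the carved copy
    )
    $fr = Get-ForensicFileRecord -VolumeName $Volume -Index $Index
    if (-not $fr.Deleted) { Write-Warning "Record $Index is not marked deleted" }
    $data = $fr.Attribute | Where-Object { $_.Name -eq 'Data' } | Select-Object -First 1
    if (-not $data) { throw "Record $Index has no Data attribute" }
    # Small files are stored inside the MFT record itself; nothing on disk to carve.
    if (-not $data.NonResident) {
        [IO.File]::WriteAllBytes($OutFile, $data.RawData)
        return Get-FileHash $OutFile
    }
    $bpc   = (Get-ForensicVolumeBootRecord -VolumeName $Volume).BytesPerCluster
    $parts = @()
    $n = 0
    foreach ($run in $data.DataRun) {
        $part = "$OutFile.part$n"
        if ($run.Sparse) {
            # Sparse runs occupy no clusters: that part of the file is all zeros.
            [IO.File]::WriteAllBytes($part, (New-Object byte[] ($run.ClusterLength * $bpc)))
        } else {
            # Same arithmetic as the manual call: cluster number times BytesPerCluster.
            Invoke-ForensicDD -InFile "\\.\$Volume" -Offset ($run.StartCluster * $bpc) `
                -BlockSize $bpc -Count $run.ClusterLength -OutFile $part
        }
        $parts += $part
        $n++
    }
    # Stitch the runs together and cut the slack after the file's logical size.
    $out = [IO.File]::Create($OutFile)
    try {
        foreach ($p in $parts) {
            $bytes = [IO.File]::ReadAllBytes($p)
            $out.Write($bytes, 0, $bytes.Length)
            Remove-Item $p
        }
        if ($data.RealSize -gt 0 -and $data.RealSize -lt $out.Length) { $out.SetLength($data.RealSize) }
    } finally { $out.Dispose() }
    # Clusters freed at deletion may already have been reused; hash the result and verify it.
    Get-FileHash $OutFile
}
```

Run it as `Restore-DeletedRecord -Volume E: -Index 39 -OutFile C:\temp\test.exe` and compare the hash against a known-good copy; a mismatch usually means some clusters were overwritten after deletion.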
