{"id":56,"date":"2018-03-06T00:19:21","date_gmt":"2018-03-05T23:19:21","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=56"},"modified":"2018-03-06T00:19:21","modified_gmt":"2018-03-05T23:19:21","slug":"a-little-bit-of-powershell-forensic-p1","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=56","title":{"rendered":"A little bit of Powershell Forensic P1"},"content":{"rendered":"

Powershell is a powerful tool for every Sysadmin! Just few days ago I’ve discovered the Blog of CqureAcademy<\/a> where Paula gives this nice introduction into Powershell Forensic<\/a>. This looks amazing and catched immediately my attention. I didn’t know about that\u00a0particular Module<\/a> before and decided to try it out.<\/p>\n

In my case I don’t attach a vhdx file. I’ll use a USB flashdrive where I’ll try the file recovery.<\/p>\n

Let's go and start. First I'll start the powershell with admin privileges and install the module.\r\n\r\nFind-Module -Name *Forensic*\r\nInstall-Module PowerForensicsv2\r\n\"\"<\/a><\/strong><\/pre>\n
\n
Now let's import the Module and get a list of all the cmdlets\r\nImport-Module PowerForensicsv2\r\nGet-Command -Module PowerForensicsv2\r\n \"\"<\/a><\/strong><\/pre>\n
\n
For test puproses I did copy some portables on my USB flashdrive and delete them.\r\nLet's see what we get with the first command:\r\n\r\nGet-ForensicFileRecord -VolumeName E: | where-object {$_.Deleted}<\/strong>\r\n\"\"<\/a><\/pre>\n
\n
Now we can see the portables and that they're marked as deleted. We notice that there is for every deleted file a RecordNumber.\r\nLet's have a closer look on this:\r\n\r\nGet-ForensicFileRecord -VolumeName E: -Index 39<\/strong>\r\n\"\"<\/a>\r\nNow let's put that command in a variable and read out the file attributes:\r\n$fr=Get-ForensicFileRecord -VolumeName E: -Index 39<\/strong>\r\n$fr.Attribute<\/strong>\r\n\"\"<\/a>\r\nInteressting for us is DataRun from which we can gain some more information about the file itself.<\/pre>\n
\n
$fd=$fr.Attribute | where-Object {$_.name -eq 'Data'}<\/strong>\r\n$fd.DataRun<\/strong>\r\n\"\"<\/a>\r\nDataRun shows us the starting cluster and the cluster length which tells us how big the file is. \r\nNow let's display some informations about the target volume e: and try to recover the file<\/pre>\n
\n
get-ForensicVolumeBootRecord -Volume e:<\/strong>\r\n\"\"\r\n<\/a>As you can see we got BytesPerCluster. Togehter with the Datarun information we try to recover the file<\/pre>\n
\n
Invoke-ForensicDD -InFile \\\\.\\e: -offset (1538*4096) -Blocksize (121*4096) -Count 1 -Outfile C:\\temp\\test.exe\r\n\"\"<\/a>\r\n<\/strong>Now let's go to the directory and check oure restored file:\r\n\"\"<\/a>\r\nAs you can see, putty.exe is succesfull restored.\r\nSoon I'll add a short Part2 with another exercise ;-)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Powershell is a powerful tool for every Sysadmin! Just few days ago I’ve discovered the Blog of CqureAcademy where Paula gives this nice introduction into […]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":59,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9,10],"tags":[13,12,11],"class_list":["post-56","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-powershell","category-windows-security","tag-filerestore","tag-forensic","tag-powershell"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":8,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":74,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/74"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/59"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}