Thursday, August 18, 2016

Installing PowerShell on OSX

Today, Microsoft announced the open sourcing of PowerShell. Not only does this mean that we (the community) can contribute to PowerShell in the form of issues and pull requests, but PowerShell is now available for OSX and *nix!
As an owner of numerous Apple products (and a perpetual PowerShell fanboy), I quickly jumped on the bandwagon and installed PowerShell on my Macbook Pro. This post walks through installing PowerShell on OSX and configuring the OSX terminal to provide a familiar PowerShell user experience.

First things first, let us take a journey to the PowerShell project on GitHub.

From this page, you can view the source code, check out issues, and check out releases. You have the option of downloading the source and compiling it, but the PowerShell team has already done this for you. By visiting the "Releases" page, you will be presented with a list of PowerShell releases. To download the latest and greatest version, look for the "Latest release" tag, which as of this posting is v6.0.0-alpha.9.

Once you identify your desired release, scroll down to the release's download section and click on the .pkg (or Apple Software Package).

From there, it installs like any other internet application.

NOTE: If your security settings do not allow installation of applications from "non-identified developers", you will have to allow the installation of PowerShell via the Security & Privacy settings menu.

Congratulations! You have installed PowerShell on your Mac! You can now open up the Terminal App, execute /usr/local/bin/powershell (or type powershell) and start running PowerShell commands just like on Windows. After a couple of hours of using PowerShell in the OSX Terminal, I found the Terminal settings to not be ideal for PowerShell (particularly the syntax highlighting). I decided to create a custom Terminal profile for PowerShell to recreate the familiar experience I am used to on Windows. To do this, open the Terminal preferences menu by selecting Terminal > Preferences.

We want to create a custom Terminal profile for PowerShell. In the Preferences menu, select "Profiles" and click on the + symbol in the bottom right corner. First things first, let's set our background and text colors. I chose White, Magnesium, and Cantaloupe for my Text, Bold Text, and Selection colors respectively (trying to mirror powershell.exe as much as possible).

For the Background color I selected a custom color based on Windows powershell.exe blue. You can set the color by choosing the RGB Sliders option with Hex 0x001845.

Next, I want to set this profile to automatically run PowerShell when the Terminal starts. To do this, visit the profile's "Shell" tab and enter a "Run command" of /usr/local/bin/powershell.

The last, optional step is to set the PowerShell profile as the default Terminal profile, assuming you always want to use PowerShell like I do. This causes the Terminal app to start with the PowerShell profile every time.

Open a new Terminal window, and you will hopefully have a fairly familiar experience!

Friday, April 1, 2016

Forensic Friday: Get-ForensicRunKey

[This article is a continuation of my Forensic Friday series. Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Vote for PowerForensics for the Forensic 4:cast Awards' Open Source Digital Forensic Software of the Year!

Now back to your regularly scheduled programming! Yesterday, Vijay (@vakasapu on Twitter) asked if we are taking feature requests (specifically regarding autoruns like features) for PowerForensics.
Let me start by saying that we are very interested in community involvement! If you have ideas to make PowerForensics better, please let me know via email or GitHub. While PowerForensics does not currently support the extensive list of Auto Start Extensibility Points (ASEPs), we do currently support a few of the more common auto start locations. This week I want to introduce Get-ForensicRunKey, which parses the registry for entries in the numerous system and user-based "run" keys. This cmdlet is built on top of PowerForensics' MFT and Registry parsers, so all of this data is gathered from a live system without relying on the Windows API.
Common Use

By default, this cmdlet parses the system SOFTWARE hive and all NTUSER.DAT hives on the system’s C: volume, but it can be pointed at any logical volume. Individual hives (including exported hives) can be parsed using the -HivePath parameter in order to perform offline analysis. I’ve listed a few examples below.

Parse system and user hives for Run Key Persistence:
Get-ForensicRunKey -VolumeName C: | Format-List

Parse the system SOFTWARE hive for Run Key persistence:
Get-ForensicRunKey -HivePath 'C:\Windows\System32\config\SOFTWARE' | Format-List
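The offline -HivePath workflow above scales naturally to a folder of collected hives. The following is an added example, not code from the post or from PowerForensics: it parses every exported hive in a case folder and flags Run key entries that launch from user-writable locations or through script hosts. It assumes the PowerForensics module is loaded and that the hives were copied to the (constructed) path D:\Case001\Hives; it does not depend on the RunKey object's property names, since it inspects every string-valued property.

```powershell
# Added example, not code from the post or from PowerForensics. Triages the Run
# key entries parsed from a directory of exported hives (SOFTWARE, NTUSER.DAT),
# flagging commands that launch from user-writable locations or via script hosts.
# Assumes the PowerForensics module is loaded. The RunKey object's property
# names are not relied upon: every string-valued property is inspected.
function Get-SuspiciousRunKeyEntry {
    param(
        [Parameter(Mandatory)]
        [string]$HiveDir   # folder of exported hive files, e.g. copied from a mounted image
    )

    # Locations and launchers that legitimate auto-starts rarely use. A match is
    # a lead for the analyst, not a verdict; tune the list to the environment.
    $indicators = @(
        '\\AppData\\Local\\Temp\\'
        '\\Users\\Public\\'
        '\\ProgramData\\'
        '\\Windows\\Temp\\'
        '\b(mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b'
        'powershell(\.exe)?\s.*-(enc|encodedcommand|w(indowstyle)? hidden)'
    )
    $pattern = $indicators -join '|'

    # Skip transaction logs (NTUSER.DAT.LOG1, *.regtrans-ms, *.blf); only primary hives parse
    Get-ChildItem -LiteralPath $HiveDir -File |
        Where-Object { $_.Extension -notmatch '^\.(LOG\d*|regtrans-ms|blf)$' } |
        ForEach-Object {
            $hivePath = $_.FullName
            # Offline parse of one exported hive, as shown in the post
            Get-ForensicRunKey -HivePath $hivePath | ForEach-Object {
                $text = ($_.PSObject.Properties |
                    Where-Object { $_.Value -is [string] } |
                    ForEach-Object { $_.Value }) -join ' | '
                if ($text -match $pattern) {
                    [pscustomobject]@{
                        Hive      = $hivePath
                        Indicator = $Matches[0]
                        Entry     = $text
                    }
                }
            }
        }
}

# Run against hives collected into a case folder (path is a constructed example)
Get-SuspiciousRunKeyEntry -HiveDir 'D:\Case001\Hives' | Format-List
```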

Friday, March 4, 2016

Forensic Friday: Get-ForensicChildItem

[This is a continuation of my Forensic Friday series. Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Welcome to another edition of Forensic Friday. I've been incredibly busy this week, but I want to touch on a very useful cmdlet called Get-ForensicChildItem. Those with a PowerShell background can probably guess what Get-ForensicChildItem does. For those who are new to PowerShell, Get-ChildItem is the cmdlet that is used for directory listings (among other things). Get-ForensicChildItem performs the same task, but without the Windows API. It parses the Master File Table (MFT) to find the entry for the target directory and outputs a list of the files the directory contains.

To understand what is happening, it’s important to know that NTFS treats directories just like any other file. This means that each directory has an entry in the MFT. All NTFS does to differentiate a directory file from a data file is flip a bit in a flag field and add the special $INDEX_ROOT and $INDEX_ALLOCATION attributes to the directory file’s MFT entry. Get-ForensicChildItem parses these attributes to return the contents of a directory (including System and Hidden files).

Common Use

List all children of a directory (example targets the root of the C: volume):

Get-ForensicChildItem -Path C:\

List the children of the current working directory (example uses the C:\temp directory):


Return an MFT entry for every file in a directory (example uses the root directory of the C: volume):

Get-ForensicChildItem -Path C:\ | Get-ForensicFileRecord
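Because Get-ForensicChildItem reads the directory index straight from the MFT, its listing can be compared with the one the Windows API returns; a name visible in only one view deserves a closer look. The following is an added example, not code from the post or from PowerForensics: it lists a directory both ways and reports the differences, filtering out two expected mismatches (NTFS metadata files in the root index and DOS 8.3 short-name entries). It assumes the PowerForensics module is loaded and that its index entries expose the full path in a property named FullName (an assumption; pass -NameProperty if the property differs).

```powershell
# Added example, not code from the post or from PowerForensics. Lists a directory
# through the Windows API and from the MFT's $INDEX_ROOT / $INDEX_ALLOCATION
# attributes, then reports names present in only one view. Assumes PowerForensics
# is loaded and that index entries carry the full path in FullName (assumption).
function Compare-DirectoryListing {
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        [string]$NameProperty = 'FullName'
    )

    $cmp = [System.StringComparer]::OrdinalIgnoreCase

    # API view. -Force includes Hidden and System files, so ordinary attribute
    # differences do not show up as findings.
    $apiNames = Get-ChildItem -LiteralPath $Path -Force |
        ForEach-Object { $_.FullName.TrimEnd('\') }

    # MFT view. Two expected differences are filtered out rather than reported:
    #  - NTFS metadata files ($MFT, $LogFile, $Bitmap, ...) live in the root index
    #    but are never returned by the API;
    #  - a long-named file may also carry a DOS 8.3 name (e.g. PROGRA~1) that
    #    appears as its own index entry.
    $mftNames = Get-ForensicChildItem -Path $Path |
        ForEach-Object { [string]$_.$NameProperty } |
        Where-Object { $_ -and (Split-Path $_ -Leaf) -notmatch '^\$|~\d' } |
        ForEach-Object { $_.TrimEnd('\') }

    $apiSet = [System.Collections.Generic.HashSet[string]]::new([string[]]@($apiNames), $cmp)
    $mftSet = [System.Collections.Generic.HashSet[string]]::new([string[]]@($mftNames), $cmp)

    foreach ($n in $mftNames) {
        if (-not $apiSet.Contains($n)) {
            # In the index but not in the API listing: hidden from the API, or deleted between the two reads
            [pscustomobject]@{ Path = $n; SeenBy = 'MFT only' }
        }
    }
    foreach ($n in $apiNames) {
        if (-not $mftSet.Contains($n)) {
            # In the API listing but not parsed from the index: created between the reads, or a parsing gap
            [pscustomobject]@{ Path = $n; SeenBy = 'API only' }
        }
    }
}

Compare-DirectoryListing -Path 'C:\Windows\System32' | Format-Table -AutoSize
```

A healthy directory yields no rows; a burst of "MFT only" rows on a system where nothing is being written is the signal to investigate.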

- Invoke-IR - By Jared Atkinson -