Friday, April 24, 2015

On the Forensic Trail - Preparing for our Journey

About a month ago, I posted about a PowerShell module I wrote called PowerForensics.  At the time, the module was nothing more than a proof of concept, but I wanted to show the DFIR community that PowerShell is a viable option for scalable, deep-dive disk analysis.

Over the past month I have updated PowerForensics from a single DLL to a proper PowerShell module.  The module now includes a module manifest; default formatting and type data for its output objects; and XML-based help for each cmdlet.

Developing PowerForensics has required researching and understanding file system structures (mainly NTFS at this point) and the file formats of forensic artifacts.  I believe this research has made me a better analyst/hunter, and I hope that the DFIR community can benefit from having this data centralized.

This is the first part of a multi-part series called "On the Forensic Trail".  The purpose of the series is to introduce you to the capabilities of PowerForensics, but also to help build forensic literacy by breaking down each artifact.

This post will help you get PowerForensics up, running, and prepared to follow future posts.

Installing PowerForensics
Please refer to my new post regarding PowerForensics installation.

Loading the Module into the PowerShell Session
Open PowerShell or PowerShell_ISE as administrator and import the module into the current session.

NOTE: Many of PowerForensics’ cmdlets require administrator privilege to run.

The syntax for importing the PowerForensics module is shown below.

If the above cmdlet gives you an error, verify that you followed the instructions for installing a PowerShell module.

Use the Get-Command cmdlet with the –Module parameter to list the cmdlets that come with the module.

Cmdlet Help
Each PowerForensics cmdlet has help associated with it, which can be retrieved with the Get-Help cmdlet.  Help includes a description of the cmdlet’s function, syntax, output objects, and usage examples.
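As an added example (not from the original post), the following script ties the three steps above together in one session: it checks for administrator rights, imports PowerForensics with an explicit error if the module cannot be found, and builds a table of the module's cmdlets paired with their help synopses. It assumes only that the module is already installed on $env:PSModulePath; no cmdlet names are assumed.

```powershell
# Added example (not from the original post): prepare an elevated session,
# load PowerForensics, and inventory its cmdlets with their help synopses.
# Assumes the module is already installed somewhere in $env:PSModulePath.

# Most PowerForensics cmdlets read raw disk structures and need administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# Import the module; a failure here usually means it is not on $env:PSModulePath,
# so print the search path to make the installation problem obvious.
try {
    Import-Module -Name PowerForensics -ErrorAction Stop
}
catch {
    Write-Error "Import-Module failed: $($_.Exception.Message)"
    Write-Error "Module search path: $env:PSModulePath"
    throw
}

# Enumerate the cmdlets the module exports and pair each with its help synopsis,
# so the whole toolkit can be reviewed at a glance before a case starts.
$inventory = Get-Command -Module PowerForensics | ForEach-Object {
    $help = Get-Help -Name $_.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Cmdlet   = $_.Name
        Synopsis = if ($help) { $help.Synopsis.Trim() } else { '(no help found)' }
    }
}

$inventory | Sort-Object Cmdlet | Format-Table -AutoSize -Wrap

# Full help (syntax, output objects, examples) for a single cmdlet of interest:
# Get-Help -Name <cmdlet-name> -Full
```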

Conclusion
You should now be ready to use PowerForensics.  Stay tuned: in my next post I will dive into the Master Boot Record and the applicable PowerForensics cmdlets.

- Invoke-IR - By Jared Atkinson -