About a month ago, I posted about a PowerShell module I wrote called PowerForensics. At the time, the module was nothing more than a proof of concept, but I wanted to show the DFIR community that PowerShell is a viable option for scalable deep dive disk analysis.
Over the past month I have updated PowerForensics from a single DLL to a proper PowerShell module. The module now includes a module manifest; default object, formats, and types; and XML-based help for each cmdlet.
Developing PowerForensics has led to research and understanding of file system structures (mainly NTFS at this point) and file formats for forensic artifacts. I believe this research has made me a better analyst/hunter, and hope that the DFIR community can benefit from this data being centralized.
This is the first part of a multi-part series called "On the Forensic Trail". The purpose of the series is to introduce you to the capabilities of PowerForensics, but also to help build forensic literacy by breaking down each artifact.
This post will help you get PowerForensics up, running, and prepared to follow future posts.Installing PowerForensics
Please refer to my new post regarding PowerForensics Installation
Loading the Module into the PowerShell Session
Open PowerShell or PowerShell_ISE as administrator and import the module into the current session.
NOTE: Many of PowerForensics’ cmdlets require administrator privilege to run.
The syntax for importing the PowerForensics module is shown below.
If the above cmdlet gives you an error, verify that you followed the instructions for installing a PowerShell module.
Use the Get-Command cmdlet with the –Module parameter to list the cmdlets that come with the module.
Each PowerForensics cmdlet has help associated with it, which can be retrieved with the Get-Help cmdlet. Help includes a description of the cmdlet’s function, syntax, output objects, and usage examples.
You should now be ready to use PowerForensics. Stay tuned, in my next post I will dive into the Master Boot Record and the applicable PowerForensics cmdlets.