Friday, February 5, 2016

Forensic Friday: Get-ForensicFileRecord

[This is the first article in my Forensic Friday series.  Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Lets start with Get-ForensicFileRecord, the PowerForensics cmdlet I tend to use the most.  This cmdlet parses the Master File Table (MFT) of an NTFS formatted volume (more formats are in the works).  This function provides the base for all other NTFS based PowerForensics cmdlets and allows an analyst to perform a variety of different tasks (finding files, recovering deleted files, detecting timestomping, etc).  As always, please leave any questions or comments about this post below, maybe you’ll inspire the next Forensic Friday post!

Common Use

By default, this cmdlet parses the $MFT file on the system’s C: volume but can be pointed at any logical volume. The -Index and -Path parameters tell Get-ForensicFileRecord to parse and return a single MFT File Record. Lastly, an exported $MFT file can be parsed using the -MftPath parameter in order to perform offline analysis. I’ve listed a few examples below.

Parse a volume’s Master File Table and store in $mft variable (Example using volume “C:”):
$mft = Get-ForensicFileRecord -VolumeName C:

Parse MFT record based on Index/Record Number (Example with Index 0):
Get-ForensicFileRecord -Index 0

Parse MFT record based on file path (Example with C:\Windows\System32\config\SAM):
Get-ForensicFileRecord -Path C:\Windows\System32\config\SAM

Parse an exported Master File Table (Example for C:\evidence\MFT):
$mft = Get-ForensicFileRecord -MftPath C:\evidence\MFT


8 comments:

  1. Je ne suis pas vraiment un lecteur Internet pour être honnête mais vos blogs vraiment sympa, continue comme ça ! 에볼루션카지노 Je vais aller de l'avant et ajouter votre site à vos favoris pour revenir à l'avenir. advgamble.com

    ReplyDelete
  2. 스포츠중계 thank you for such a wonderful article I liked it very much I was interested in reading it and now I advise everyone to read it! if you read something that just is

    ReplyDelete
  3. 스포츠토토 Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative.

    ReplyDelete
  4. 바카라사이트 Impressive web site, Distinguished feedback that I can tackle. I am moving forward and may apply to my current job which is very enjoyable, but I need to additional expand.

    ReplyDelete
  5. 스포츠중계 very helpful post .Feel Free to ask any questions .


    ReplyDelete
  6. This post has really great knowledge with getable words, I appreciate the person who worked on it, Keep it continue, To get something Extraordinary click on the link.Adult Service in Vaishali ||Chattarpur Best Russian Girls ||Greater Kailash HIgh Class Service ||Hauz Khas Night Services ||Independent Girls in Saket ||Hot Bhabhi in Hauz khaz||

    ReplyDelete

- Invoke-IR - By Jared Atkinson -