Friday, March 4, 2016

Forensic Friday: Get-ForensicChildItem

[This is a continuation of my Forensic Friday series.  Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Welcome to another edition of Forensic Friday. I've been incredibly busy this week, but I want to touch on a very useful cmdlet called Get-ForensicChildItem. Those with a PowerShell background can probably guess what Get-ForensicChildItem does. For those who are new to PowerShell, Get-ChildItem is the cmdlet used for directory listings (among other things). Get-ForensicChildItem performs the same task, but without calling the Windows API: it reads the raw volume, parses the Master File Table (MFT) to find the entry for the target directory, and outputs a list of the files the directory contains. Because it bypasses the file system driver, it is not subject to anything that filters what the API returns, which is exactly why it is useful in an investigation.

To understand what is happening it’s important to know that NTFS treats directories just like any other file. This means that each directory has its own entry in the MFT. All NTFS does to differentiate a directory from a data file is set a directory bit in the flags field of the MFT record header and add the special index attributes to the directory’s entry: a $INDEX_ROOT attribute, which holds the index of child file names directly inside the MFT record, and, once the directory grows too large for that record, a $INDEX_ALLOCATION attribute whose index nodes live in external clusters. Get-ForensicChildItem parses these attributes to return the contents of a directory (including System and Hidden files). Note that reading the MFT means reading the raw volume, so the cmdlet has to be run from an elevated session.

Common Use

List all children of a directory (example targets the root of the C: volume):

Get-ForensicChildItem -Path C:\

List the children of the current working directory (example uses the C:\temp directory):

Get-ForensicChildItem

Return an MFT entry for every file in a directory (example uses the root directory of the C: volume):

Get-ForensicChildItem -Path C:\ | Get-ForensicFileRecord
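The practical reason to list a directory from the MFT rather than through the API is to see whether the two views agree. The following is an added example, not code from the original post or from the PowerForensics project: it lists the same directory both ways and reports anything that appears in the MFT index but not in the API listing (or vice versa). It assumes PowerForensics is installed, that the session is elevated, and that the objects Get-ForensicChildItem returns expose a FullName property that can be piped to Get-ForensicFileRecord as the post shows; the property name is an assumption about the module's index-entry objects, not something the post states.

```powershell
# Added example (not part of the original post or the PowerForensics project).
# Assumes: PowerForensics is installed, the session is elevated (raw volume reads need admin),
# and Get-ForensicChildItem output objects carry a FullName property (assumption, see lead-in).
param(
    [string]$Path = 'C:\Windows\System32'
)

Import-Module PowerForensics

# View 1: the Windows API, with -Force so Hidden and System files are included.
$apiNames = Get-ChildItem -LiteralPath $Path -Force |
    Select-Object -ExpandProperty FullName

# View 2: the same directory read from its $INDEX_ROOT / $INDEX_ALLOCATION attributes in the MFT.
$mftEntries = Get-ForensicChildItem -Path $Path

# NTFS metafiles ($MFT, $LogFile, $Bitmap, ...) sit in the root directory's index but are
# never returned by the API, so on a volume root they are an expected difference; drop them.
$mftNames = $mftEntries |
    Select-Object -ExpandProperty FullName |
    Where-Object { (Split-Path -Path $_ -Leaf) -notlike '$*' }

# Compare-Object is case-insensitive for strings by default, which suits NTFS names.
$diff = Compare-Object -ReferenceObject @($apiNames) -DifferenceObject @($mftNames)

if (-not $diff) {
    "No differences: API and MFT agree on $Path"
    return
}

# '=>' : present in the MFT index but not returned by the API (the interesting case).
# '<=' : returned by the API but absent from the index (rare; usually file churn between the two reads).
$mftOnly = @()
foreach ($d in $diff) {
    switch ($d.SideIndicator) {
        '=>' { "MFT only : $($d.InputObject)"; $mftOnly += $d.InputObject }
        '<=' { "API only : $($d.InputObject)" }
    }
}

# For anything hidden from the API, pull the full MFT record exactly as the post's third
# example does, so timestamps, attributes and data runs can be examined directly.
if ($mftOnly.Count -gt 0) {
    $mftEntries |
        Where-Object { $mftOnly -contains $_.FullName } |
        Get-ForensicFileRecord
}
```

Run it once against a directory you trust to confirm the two views line up, then point it at directories where an attacker would hide (System32, user profile folders, the volume root). Because both listings are taken at slightly different moments, treat an "API only" hit as noise until it reproduces; an "MFT only" hit that reproduces is worth a full record dump.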


- Invoke-IR - By Jared Atkinson -