Friday, April 1, 2016

Forensic Friday: Get-ForensicRunKey

[This article is a continuation of my Forensic Friday series.  Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Vote for PowerForensics for the Forensic 4:cast Awards' Open Source Digital Forensic Software of the Year!

Now back to your regularly scheduled programming! Yesterday, Vijay (@vakasapu on Twitter) asked if we are taking feature requests (specifically regarding autoruns like features) for PowerForensics.
Let me start by saying that we are very interested in community involvement! If you have ideas to make PowerForensics better, please let me know via email (jared@invoke-ir.com) or github. While PowerForensics does not currently support the extensive list of Auto Start Extensibility Points (ASEP), we do currently support a few of the more common auto start locations. This week I want to introduce Get-ForensicRunKey which parses the registry for entries in the numerous system and user based "run" keys. This cmdlet is built on top of PowerForensics' MFT and Registry Parser, so all of this data is gathered from a live system without relying on the Window's API.
Common Use
By default, this cmdlet parses the system SOFTWARE hive and all NTUSER.DAT hives on the system’s C: volume, but can be pointed at any logical volume. Individual hives (including exported hives) can be parsed using the -HivePath parameter in order to perform offline analysis. I’ve listed a few examples below.


Parse system and user hives for Run Key Persistence:
Get-ForensicRunKey -VolumeName C: | Format-List


Parse the system SOFTWARE hive for Run Key persistence:
Get-ForensicRunKey -HivePath ‘C:\Windows\System32\config\SOFTWARE’ | Format-List

20 comments:

  1. I’m a new pertaining to almost all of the articles or blog posts, My spouse and i definitely savored, I'd personally genuinely like additional files with regards to this specific, since it can be okay., Congratulations for the purpose of putting up. Graphics Designing

    ReplyDelete
  2. 카지노 Great article and excellent layout. Your blog post deserves all of the positive feedback it’s been getting.


    ReplyDelete
  3. 온라인카지노 I really fascinated by this excellent blog, thanks for such wonderful blog! Good job and more power!

    ReplyDelete
  4. Benefits it a lot for developing incredible articles its effective for us 스포츠토토

    ReplyDelete
  5. That’s what I love about your content. You have pour out your heart on it. 토토사이트

    ReplyDelete
  6. Nice information, valuable and excellent design, as share good stuff with good ideas and concepts.

    Review my page please: 온라인카지노
    (mm)

    ReplyDelete
  7. A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post.
    고스톱

    ReplyDelete
  8. You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog.
    스포츠토토

    ReplyDelete
  9. You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming.
    일본야동

    ReplyDelete
  10. Thanks for the blog loaded with so many information. Stopping by your blog helped me to get what I was looking for.
    안전놀이터

    ReplyDelete
  11. You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming. A very awesome blog post.
    https://serialkeygens.com/advanced-systemcare-ultimate/

    ReplyDelete
  12. The Get-ForensicRunKey cmdlet parses the SOFTWARE and NTUSER.DAT hives to produce a list of applications that have been added to a "Run" key.
    Crackcon.com

    ReplyDelete
  13. Thanks for this great and very informative post share with us. I really aprreciated you for this hardworking.

    forevercrack.com

    ReplyDelete
  14. I’m very pleased to discover this site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every part of it and i also have you saved as a favorite to see new information on your blog. 먹튀사이트

    ReplyDelete
  15. What a post I've been looking for! I'm very happy to finally read this post. 먹튀검증 Thank you very much. Can I refer to your post on my website? Your post touched me a lot and helped me a lot. If you have any questions, please visit my site and read what kind of posts I am posting. I am sure it will be interesting.

    ReplyDelete
  16. I conceive this internet site has got some really good information for everyone :D. “Nothing great was ever achieved without enthusiasm.” by Ralph Waldo Emerson. 스포츠토토사이트

    ReplyDelete
  17. I've been searching for hours on this topic and finally found your post. 슬롯사이트, I have read your post and I am very impressed. We prefer your opinion and will visit this site frequently to refer to your opinion. When would you like to visit my site?

    ReplyDelete
  18. What a post I've been looking for! I'm very happy to finally read this post. 토토사이트 Thank you very much. Can I refer to your post on my website? Your post touched me a lot and helped me a lot. If you have any questions, please visit my site and read what kind of posts I am posting. I am sure it will be interesting.

    ReplyDelete
  19. Unbelievable!! The problem I was thinking about was solved.카지노사이트You are really awesome.

    ReplyDelete
  20. Hello, I'm happy to see some great articles on your site. Would you like to come to my site later? My site also has posts, comments and communities similar to yours. Please visit and take a look 메이저놀이터

    ReplyDelete

- Invoke-IR - By Jared Atkinson -