PowerForensics v1.0.1 released – is a PowerShell digital forensics framework.
POWERFORENSICS V1.0.1 RELEASED – IS A POWERSHELL DIGITAL FORENSICS FRAMEWORK
with Cmdlets Function:
– Boot Sector
|
1
2
3
4
|
Get–MBR – parses the first sector of the hard drive and returns a MasterBootRecord object
Get–GPT – parses the first sector of the hard drive and returns a GuidPartitionTable object
Get–BootSector – parses the first sector of the hard drive and returns the appropriate boot sector (MBR or GPT)
Get–PartitionTable – parses the first sector of the hard drive and returns the partition table
|
– New Technology File System (NTFS)
|
1
2
3
4
5
6
7
8
9
10
11
|
Get–FileRecord – returns Master File Table entries
Get–FileRecordIndex – returns a file‘s MFT record index number
Get-DeletedFile – returns Master File Table entries of files that are marked as deleted
Get-AttrDef – parses the $AttrDef file to return definitions of MFT Attributes
Get-BadCluster – parses the $BadClus file to check for damaged clusters
Get-Bitmap – parses the $Bitmap file to determine if a cluster is marked as in use
Get-UsnJrnl – parses the $UsnJrnl file’s $J data attribute and returns USN Journal Entries
Get–UsnJrnlInformation – parses the $UsnJrnl file‘s $MAX data attribute and returns USN Journal Metadata
Get-VolumeBootRecord – parses the $Boot file located in the first sector of the volume and returns the VolumeBootRecord object
Get-VolumeInformation – parses the $Volume file’s $VOLUME_INFORMATION attribute and returns a VolumeInformation Object
Get–VolumeName – parses the $Volume file‘s $VOLUME_NAME attribute and returns the VolumeName
|
– Extended File System 4 (ext4)
|
1
2
3
|
Get–Superblock – returns the ext4 SuperBlock object
Get–BlockGroupDescriptor – returns the Block Group Descriptor Table entries
Get–Inode – returns the Inode Table entries
|
– Windows Artifacts
|
1
2
3
|
Get–VolumeShadowCopy – returns Win32_ShadowCopy objects
Get–Prefetch – parses the binary structure of Windows Prefetch files and returns a custom Prefetch object
Get–ScheduledJobRaw – parses the binary structure of Scheduled Jobs (at jobs) and returns a custom ScheduledJob object
|
– Utilities.
|
1
2
3
4
5
6
|
Invoke–DD – provides a bit for bit copy of a specified device
Copy–FileRaw – creates a copy of a file from its raw bytes on disk
Get–ChildItemRaw – returns a directory‘s contents by parsing the MFT structures
Get-ContentRaw – gets the content of a file from its raw bytes on disk
Get-Hash – returns a cryptographic hash for the specified file
Get-Timezone – determines a system’s timezone based on the registry setting
|
– Formatters:
|
1
|
Format–Hex – Formats byte array output into a hexdump
|