Brief explanation of PowerShell and usage of PowerForensics on PowerShell

1. Taha İslamYILMAZ
Computer Engineering
TOBB ETU
ADEO IWS - Computer Forensics
INVOKE-IR

2. Invoke-IR
• Windows PowerShell
• PowerForensics
• Demo

3. Invoke-IR
PowerForensics
Uproot
WMI Eventing

4. Windows PowerShell
New generation command – line interface
Users are able to link several commands
PS C:> Get-ChildItem C: | Get-ForensicFileRecord

5. Windows PowerShell-Cmdlets
Special commands
Easy to use
get-command
get-process p* | stop-process
get-process | where { $_.WS -gt 10MB } | stop-process

6. Windows PowerShell Functions
 Similary with programming languages
 Saving time when tackling repetitive tasks
function Stop-Script () {
"Script terminating..."
Write-Output "========================================================"
Exit }

7. Windows PowerShell Modules
 Set of related script files
 Easy to share
PowerForensics

8. PowerForensics
 Digital Forensics framework
 Currently supports NTFS files , in the process of adding support for ext4
file system

9. PowerForensics Cmdlets
 Boot Sector:
Get-ForensicMasterBootRecord - gets the MasterBootRecord from the
first sector of the hard drive
Get-ForensicGuidPartitionTable - gets the GuidPartitionTable from the
first sector of the hard drive
Get-ForensicPartitionTable - gets the partition table for the specified
drive

10. PowerForensics Cmdlets
 Windows Registry
Get-ForensicRegistryKey - gets the keys of the specified registry hive
Get-ForensicRegistryValue - gets the values of the specified registry key

11. PowerForensics Cmdlets
 Get-ForensicFileRecord - gets Master FileTable entries (parses $MFT)
Get-ForensicVolumeBootRecord - gets theVolumeBootRecord from the
first sector of the volume (parses $Boot)
Invoke-ForensicDD - provides a bit for bit copy of a specified device
Copy-ForensicFile - creates a copy of a file from its raw bytes on disk

12. How can we use locked file?
DEMOTIME

13. Thank you for listening to me !