Donny Malla Reddy | DFIR SuperNinja
Lionel Faleiro | Cybersecurity Analyst & Trainer

What is Powershell
• Command line shell scripting language
• Built on the .NET Framework
• Cmdlets
• Object manipulation
• Access to Windows API
• Extensible Interface

Why PowerForensics?
• ‘Forensically sound’
• Can be used for Live & Offline Forensics
• Cheetah level quick
• Chaining of cmdlets is possible
• It provides us with a framework for Hard drive forensic analysis
• Currently supports NTFS and FAT file systems
• PowerForensics is built on a C# Class Library (Assembly) that provides a
public API for forensic tasks.
• The public API provides a modular framework for adding to the
• capabilities exposed by the PowerForensics module.

Github
• https://github.com/Invoke-IR/PowerForensics

Install | Import
• Install-Module -Name PowerForensics
• Import-Module -Name PowerForensics
• Get-Command -Module PowerForensics

Finding Help
• help <Command> -examples
• help Get-ForensicShellLink -Parameter *

Get-ForensicRegistryKey
• Cmdlet is used to extract data from a Registry Key
• Get-ForensicRegistryKey -HivePath
C:WindowsSystem32configSOFTWARE -Key Google

Get-ForensicTimeLine
• cmdlet is used to create a Forensic Timeline from an Image or Drive
• Get-ForensicTimeline -VolumeName D:

Get-ForensicTimeLine
• Get-ForensicTimeline -VolumeName G: | Select-Object -Property
Date,ActivityType,SourceName,Description | Export-csv lionel.csv -
notypeinformation

Get-ForensicRunKey
• Cmdlet extracts Run values from the registry
• Get-ForensicRunKey
• Get-ForensicRunKey -HivePath

Get-ForensicScheduledJob
• Get a list of scheduled jobs
• Get-ForensicScheduledJob

Get-ForensicShellLink
• Cmdlet used to analyst Windows Shell LNK (Shortcuts)
• Get-ForensicShellLink -Path C:UserslioneDesktopAtom.lnk
• Get-ForensicShellLink -VolumeName .H: | Export-Excel demo.csv
-AutoSize -FreezeTopRow
• Get-ForensicShellLink -Path C:UserslioneDesktopAtom.lnk | Get-
ForensicFileRecord -Path {$_.LocalBasePath}

Get-ForensicEventLog
• Cmdlet is used to analyse Windows Event Logs
Get-ForensicEventLog -Path
H:WindowsSystem32winevtLogsSecurity.evtx
#Sort by number of events each day
$security | Group-Object {$_.WriteTime.ToString('yyyy-MM-dd')} | Sort-
Object Count -Descending
#Group & Filter by EventIDs
$secgrop = $security | Group-Object EventData | Sort-Object Count -
Descending

Other CmdLets
• Get-AlternateDataStream - gets the NTFS Alternate Data Streams
on the specified volume
• Get-ForensicEventLog - gets the events in an event log or in all
event logs
• Get-ForensicExplorerTypedPath - gets the file paths that have been
typed into the Windows Explorer application
• Get-ForensicNetworkList - gets a list of networks that the system
has previously been connected to

Other CmdLets
• Get-ForensicOfficeFileMru - gets a files that have been recently
opened in Microsoft Office
• Get-ForensicOfficeOutlookCatalog - gets a Outlook pst file paths
• Get-ForensicOfficePlaceMru - gets a directories that have recently
been opened in Microsoft Office
• Get-ForensicPrefetch - gets Windows Prefetch artifacts by parsing
the file's binary structure
• Get-ForensicRunMostRecentlyUsed - gets the commands that were
issued by the user to the run dialog

Other CmdLets
• Get-ForensicWindowsSearchHistory - gets the terms that have been
searched for using the Windows Search feature
• Get-ForensicTimezone - gets the system's timezone based on the
registry setting
• Get-ForensicTypedUrl - gets the Universal Resource Locators (URL)
that have been typed into Internet Explorer

Case Study
• A Web server has been compromised. You are called to investigate
the web server

Case Study Solution