The document provides a comprehensive overview of NTFS analysis using PowerShell, detailing the functionalities of various cmdlets for forensic investigation. It emphasizes the importance of being forensically sound while collecting data, and illustrates the capabilities of the PowerForensics toolkit for examining disk structures and file systems. Key topics include raw access to physical drives, handling master boot records, analyzing the Master File Table, and utilizing alternate data streams for security purposes.

1. NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division

2. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive
detection and response to advanced threats in Fortune
100 commercial environments
□Adjunct Lecturer at Utica College
□Developer of PowerForensics, Uproot IDS, and
WMIEventing
□Researcher of forensic artifact file formats
○ Makes really cool posters :-)
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more

3. Intro to PowerShell
“Microsoft’s [Digital Forensic] platform”
-obscuresec with some liberties…

4. What is PowerShell
○Task-based command-line shell and
scripting language
○Built on the .NET Framework
□Cmdlets for performing common system
administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface
○ Independent software vendors and enterprise
developers can build custom tools and utilities to
administer their software.
□Full access to the Windows API

5. Response
PowerForensics
Old Dog, New Tricks
Detection Investigation

6. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied
together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage

7. Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does
not materially alter the source evidence, except to the minimum
extent necessary to obtain the evidence. The manner used to
obtain the evidence must be documented, and should be
justified to the extent applicable.” - Richard Bejtlich and Harlan
Carvey

8. Forensics Toolbox

13. Fast?!?

14. Understanding
Modules
Extensibility for the win!

15. Download
PowerForensics
http://download.powerforensics.invoke-ir.com
OR
https://www.github.com/Invoke-IR/PowerForensics

16. Unblock-File
○ PowerShell v3 gives us Unblock-File
Unblock-File -Path "$env:UserProfileDownloadsPowerForensics-master.zip"
○Can also “Unblock” via the
file’s properties dialog
□Best to Unblock the zip before
extraction
○Unblocking will remove the
Zone.Identifier Alternate
Data Stream

17. PSModulePath
○ PSModulePath
○ Naming Convention
More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx

18. Import-Module
Import-Module -Name PowerForensics
Get-Command -Module PowerForensics

19. PowerForensics Install Demo

20. Invoke-DD
○One Cmdlet to rule them all
□Underlying API is basis for all of PowerForensics
○Allows raw access to Physical Drive or Logical Volume
□Uses Platform Invoke to call CreateFile Windows API
□Opens a file handle to .PHYSICALDRIVEX or Logical
Volume
□Reads from file handle via FileStream object
□Warning: Must read in Sector increments (BlockSize
must be a multiple of 512)
$InFile = ‘.PHYSICALDRIVE0’
Invoke-DD –InFile $InFile –Offset 0 –BlockSize 512 –Count 1

21. Invoke-DD Demo

22. Boot Sectors
Where the action begins…

23. Master Boot Record
○1st Sector of the Disk
□Also referred to as the Boot Sector
○Boot Code
□Locate Partition Table
□Find 1st “Bootable” partition
□Determine partition Logical Cluster Number
□Pass execution to first sector of partition (Volume
Boot Record)
○Partition Table
□Space for 4 partitions by default
□“Extended Partitions” allow for additional partitions
above 4

25. Get-MBR
○Cmdlet to parse the MBR and return MasterBootRecord objects
○Use WMI to list available Devices:
$Devices = Get-WmiObject –Class Win32_DiskDrive
○Run Get-MBR against one of the returned drives:
Get-MBR –Path $Devices[0].DeviceID

26. Boot Kits
○Attackers can alter MBR Boot Code
□ Code runs in Ring 0 (before the OS Loads)
○Set-MasterBootRecord
□Proof of concept written by Matt Graeber
(@mattifestation)
□Allows a user with administrator privilege to
overwrite the Master Boot Record with arbitrary
code
○Get-MBR takes known Boot Code into
account and detects any changes
(tampering)

27. MBR Bootkit Demo

28. MBR Boot Code
(Pre Infection)

29. MBR Boot Code
(Post Infection)

30. MBR Boot Code
(Post Infection)

31. GUID Partition Table
○Replacement Boot Sector format for MBR
□UEFI compliant devices must support GPT
□Maintains a Protective MBR, in the disk’s 1st Sector,
for compatibility
○Alternative to Legacy Master Boot Record
□Maintains a Protective MBR, in the disk’s 1st Sector,
for compatibility
□Allows for increased partition sizes (2 TiB -> 8 ZiB)
□Supports many primary partitions (MBR supports 4)
□Creates Primary and Backup partition table for
redundancy

33. Get-GPT
○Cmdlet to parse the GPT and return GuidPartitionTable objects
○Use WMI to list available Devices:
Get-WmiObject –Class Win32_DiskDrive
○Run Get-GPT against one of the returned drives:
Get-GPT –Path .PHYSICALDRIVE1
○Warning: Get-GPT will error if device is MBR formatted
○If Get-MBR is run against a GPT formatted device, then Get-
MBR will return the information about the Protective MBR

34. Get-BootSector
○Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○Use WMI to list available Devices:
Get-WmiObject –Class Win32_DiskDrive
○Run Get-BootSector against one of the returned drives:
Get-BootSector –Path .PHYSICALDRIVE0
Get-Bootsector –Path .PHYSICALDRIVE1

35. ○Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○MBR formatted device
Get-PartitionTable –Path .PHYSICALDRIVE2
○GPT formatted device
Get-PartitionTable –Path .PHYSICALDRIVE1
Get-PartitionTable

36. NTFS System Files

37. NTFS System
Files
# Filename # Filename
0 $MFT 8 $BadClus
1 $MFTMirr 9 $Secure
2 $LogFile 10 $UpCase
3 $Volume 11 $Extend
4 $AttrDef $ObjId
5 Root Directory (.) $Quota
6 $Bitmap $Reparse
7 $Boot $UsnJrnl

38. Volume Boot
Record
$Boot (7)
○1st Sector of partition
□Location of partition is pointed to by the Partition
table (MBR of GPT)
○Loads the BOOTMGR Loader
○Defines partition attributes
□ Bytes per Sector
□Sectors per Cluster
□Total Sectors
□Location of MFT
□Size of MFT Record
□Size of INDX Structure

40. Get-VolumeBootRecord
○Cmdlet to parse the VBR and return VolumeBootRecord objects
○Execute Cmdlet with “VolumeName” parameter
$VBR = Get-VolumeBootRecord –VolumeName .C:
○Often useful to pair with low level cmdlets like Invoke-DD

41. Master File Table
$MFT (0)
○NTFS file table
□First file present on NTFS partition
□Contains at least one entry for every file, on an
NTFS Volume, including itself
□As files are added the MFT grows
□When files are deleted, the MFT marks the file’s
record as unallocated so a new file can take its
place
○Each record contains file metadata
□MACB Timestamps
□File name details (name, path, hard links)
□Location of Data

43. Get-FileRecord
○Cmdlet to parse the MFT and return FileRecord objects
○Three different ways to use:
1) Get all MFT Records
$mft = Get-FileRecord -VolumeName .C:
2) Get a FileRecord by path
Get-FileRecord –Path C:Windowsnotepad.exe
3) Get a FileRecord by Record Number/Index value
Get-FileRecord -VolumeName .C: -Index 0

44. Temporal Funneling
○Large amounts of data may not be relevant to
our case
□Temporal Funneling/Pivoting allows analysts to reduce
noise & focus on artifacts associated with the investigation
$mft = Get-FileRecord
$start = New-Object DateTime(2015,08,21,13,05,00)
$end = New-Object DateTime(2015,08,21,14,05,00)
$mft | ? {($_.BornTime -gt $start) –and ($_.BornTime –lt $end)}

45. Temporal Funneling Demo

46. MFT Attributes
Typ
e
Name Typ
e
Name
0x10 $STANDARD_INFORMATION 0x90 $INDEX_ROOT
0x20 $ATTRIBUTE_LIST 0xA0 $INDEX_ALLOCATION
0x30 $FILE_NAME 0xB0 $BITMAP
0x40 $OBJECT_ID 0xC0 $REPARSE_POINT
0x50 $SECURITY_DESCRIPTOR 0xD0 $EA_INFORMATION
0x60 $VOLUME_NAME 0xE0 $EA
0x70 $VOLUME_INFORMATION 0xF0 $PROPERTY_SET
0x80 $DATA 0x100 $LOGGED_UTILITY_STREAM

51. Recover Deleted File Demo

52. Access SAM Hive Demo

53. Get-ContentRaw
○Cmdlet to parse $DATA Attributes to determine the location
of a file’s contents on disk
□Finds the file’s MFT Record and the main $DATA Stream
□Outputs the contents of the file to Standard Out
○Different Encoding Options
□ASCII
□Unicode
□Bytes
Get-ContentRaw –Path C:Windowssystem32configSAM

54. Copy-FileRaw
○Cmdlet to parse $DATA Attributes to determine the location of a
file’s contents on disk
□Finds the file’s MFT Record and the main $DATA Stream
□Creates a copy of the specified file without accessing the file
itself
$Path = C:Windowssystem32configSAM
$Destination = C:tempSAM
Copy-FileRaw –Path $Path –Destination $Destination

55. Alternate Data
Streams
○NTFS allows files to store data in multiple
“$DATA” attributes
□These additional $DATA attributes are commonly
referred to as Alternate Data Streams (ADS)
○Attackers have found ways to hide and even
execute malware from ADS
□Windows legitimately uses ADS to identify files
downloaded from the internet (Zone.Identifier)
○PowerShell added ADS compatibility to many
cmdlets, but did not add the ability to
recursively list all files with ADS

56. Get-
AlternateDataStream
○Cmdlet to easily find and list Alternate Data Streams on NTFS
○Use cases:
1) List all Alternate Data Streams
$ads = Get-AlternateDataStream
2) List files downloaded via Internet Explorer
$ads | Where-Object {$_.StreamName –eq ‘Zone.Identifier’}
3) List Alternate Data Streams for a specific file
Get-AlternateDataStream –Path ‘C:$Extend$UsnJrnl’
4) List Alternate Data Streams not created by the Internet Explorer
$asd | Where-Object {$_.StreamName –ne ‘Zone.Identifier’}

57. Alternate Data Streams Demo

60. Get-ChildItemRaw
○Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION
attributes to output a directory’s contents
□Lists system and hidden files
□Output object has a RecordNumber parameter
Get-ChildItemRaw
Get-ChildItemRaw –Path C:Windows

61. Get-ChildItemRaw Demo

62. Get-FileRecordIndex
○Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION
attributes and returns a file’s MFT Record Number
□Starts with the root directory’s MFT entry (index 5) and works
through the tree until the requested files index can be found
□Can be teamed with Get-FileRecord
$rnumber = Get-FileRecordIndex –Path C:Windowsnotepad.exe
Get-FileRecord –VolumeName .C: -Index $rnumber

63. Get-FileRecordIndex Demo

64. $UsnJrnl
○NTFS Change Journaling
□Keeps track of changes to files or directories in a
volume
□Changes are documented with the filename,
timestamp of change, and description of change
□Can be leveraged by backup utilities (ex Volume
Shadow Service)
○Two named data streams:
□$MAX: UsnJrnl metadata (first entry number,
maximum size of journal, etc.)
□$J: Contains the actual Journal entries

65. $UsnJrnl
Reasons
BASIC_INFO_CHANGE INDEXABLE_CHANGE
CLOSE NAMED_DATA_EXTEND
COMPRESSION_CHANGE NAMED_DATA_OVERWRITE
DATA_EXTEND NAMED_DATA_TRUNCATION
DATA_OVERWRITE OBJECT_ID_CHANGE
DATA_TRUNCATION RENAME_NEW_NAME
EA_CHANGE RENAME_OLD_NAME
ENCRYPTION_CHANGE REPARSE_POINT_CHANGE
FILE_CREATE SECURITY_CHANGE
FILE_DELETE STREAM_CHANGE
HARD_LINK_CHANGE

67. Get-UsnJrnlInformation
○Cmdlet to parse the UsnJrnl’s $MAX Data Stream
○Returns Metadata about the UsnJrnl
Get-UsnJrnlInformation –VolumeName .C:

69. Get-UsnJrnl
○Cmdlet to parse the UsnJrnl’s $J Data Stream
○Use Cases:
□Get all UsnJrnl Entries
$usn = Get-UsnJrnl –VolumeName .C:
□Get the most recent UsnJrnl entry for C:temphelloworld.txt
$r = Get-FileRecord –Path C:temphelloworld.txt
$usn = $r.Attribute[0].UpdateSequenceNumber
Get-UsnJrnl –VolumeName .C: -USN $usn

70. File Creation & Modification Demo

71. UsnJrnl ADS Demo

72. Artifacts

73. Prefetch

75. Get-Prefetch
○Cmdlet to parse the Windows Prefetch binary file format
○Use Cases:
□Get all Prefetch objects from files in the “WindowsPrefetch”
directory
Get-Prefetch –VolumeName .C:
□Get the Prefetch object from the file specified by the Path parameter
Get-Prefetch –Path C:WindowsPrefetchCMD.EXE-01C678D0.pf
□Another option is looking for .pf file operations in the UsnJrnl
Get-UsnJrnl | ? {$_.FileName –like “*.pf”}

76. Prefetch Demo

77. Get-
ScheduledJobRaw
○Cmdlet to parse the Scheduled (At) Job binary file format
○Use Cases:
□Get all ScheduledJob objects from files in the “WindowsTasks” directory
Get-ScheduledJobRaw –VolumeName .C:
□Get the ScheduledJob object from the file specified by the Path parameter
Get-ScheduledJobRaw -Path C:WindowsTasksAt1.job

78. Moving Forward
○More artifacts!!
□Registry support
□ESE database support
○Organic Remoting (more robust)
○Support for alternate file systems
□Windows: FAT12, FAT16, FAT32, exFAT
□Linux: Ext2, Ext3, Ext4
□Mac: HFS+
○Online documentation (Open API)
○WMI Provider with Events
○Community Involvement!!!

79. @jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?

80. Extra Slides!!!

81. $Volume (3)
○File containing metadata about its partition/volume
○Made up of two special attributes $VOLUME_NAME and
$VOLUME_INFORMATION
□Two cmdlets: Get-VolumeName and Get-
VolumeInformation
Get-VolumeName –VolumeName .C:
Get-VolumeInformation –VolumeName .C:

84. $AttrDef (4)
○System file that contains details about all
file attributes available to the volume
Get-AttrDef –VolumeName .C:

86. $Bitmap (6)
$BadClus (8)
○NTFS has two files to tell the File System
what Clusters can be used
○File contents are bit fields where each bit
represents a specific cluster
□$Bitmap: Each bit represents whether the
associated cluster is allocated by the file system
□$BadClus: Each bit represents whether the
associated cluster is corrupted or not

87. Get-Bitmap
Get-BadClus
○Cmdlet to parse bit fields contained within their
respective files ($BITMAP and $BADCLUS)
○Use cases:
□Parse the $BITMAP file to determine if the specified
cluster is allocated
Get-Bitmap –VolumeName .C: -Cluster 1000
□Parse the $BADCLUS file to report on any clusters
that have been marked as corrupt by the file system
Get-BadClus –VolumeName .C: