PowerForensics: a PowerShell framework for disk forensics

PowerForensics is a PowerShell framework developed by Jared Atkinson (@jaredcatkinson) whose purpose is to provide everything needed for forensic analysis of a hard drive. PowerForensics currently supports the NTFS and FAT file systems, and support for the Extended File System (ext) and HFS+ is in progress.

There are two ways to install it:

- via the PowerShell Gallery:
PS> Find-Module -Name *Forensic*
PS> Save-Module -Name PowerForensics -Path <path>
PS> Install-Module -Name PowerForensics

* note: specify '-Scope CurrentUser' if you want it usable by the current user and installed under %UserProfile%\Documents\WindowsPowerShell\Modules

- via the GitHub repository, downloading it and unzipping it into the PSModulePath (normally C:\Program Files\WindowsPowerShell\Modules\); or using Alexander Knorr's installer:

iex (new-object System.Net.WebClient).DownloadString("https://gist.github.com/opexxx/93fbddd30552a5f8e628ec1388e79b9f/raw/afd73bf4d9f66f03537beaf16f154acc264c5012/PowerforensicsInstall.ps1")

Once installed, you can list all the cmdlets with:
PS> Get-Command -Module PowerForensics

Boot Sector:
Get-ForensicMasterBootRecord - gets the MasterBootRecord from the first sector of the hard drive
Get-ForensicGuidPartitionTable - gets the GuidPartitionTable from the first sector of the hard drive
Get-ForensicBootSector - gets the appropriate boot sector (MBR or GPT) from the specified drive
Get-ForensicPartitionTable - gets the partition table for the specified drive

Extended File System 4 (ext4):
Get-ForensicSuperblock - returns the ext4 SuperBlock object
Get-ForensicBlockGroupDescriptor - returns the Block Group Descriptor Table entries
Get-ForensicInode - returns the Inode Table entries

New Technology File System (NTFS):
Get-ForensicAttrDef - gets definitions of MFT Attributes (parses $AttrDef)
Get-ForensicBitmap - determines if a cluster is marked as in use (parses $Bitmap)
Get-ForensicFileRecord - gets Master File Table entries (parses $MFT)
Get-ForensicFileRecordIndex - gets a file's MFT record index number
Get-ForensicUsnJrnl - gets Usn Journal Entries (parses $UsnJrnl:$J)
Get-ForensicUsnJrnlInformation - gets UsnJrnl Metadata (parses $UsnJrnl:$Max)
Get-ForensicVolumeBootRecord - gets the VolumeBootRecord from the first sector of the volume (parses $Boot)
Get-ForensicVolumeInformation - gets the $Volume file's $VOLUME_INFORMATION attribute
Get-ForensicVolumeName - gets the $Volume file's $VOLUME_NAME attribute
Get-ForensicFileSlack - gets the specified volume's slack space
Get-ForensicMftSlack - gets the Master File Table (MFT) slack space for the specified volume
Get-ForensicUnallocatedSpace - gets the unallocated space on the specified partition/volume (parses $Bitmap)

Windows Artifacts:
Get-AlternateDataStream - gets the NTFS Alternate Data Streams on the specified volume
Get-ForensicEventLog - gets the events in an event log or in all event logs
Get-ForensicExplorerTypedPath - gets the file paths that have been typed into the Windows Explorer application
Get-ForensicNetworkList - gets a list of networks that the system has previously been connected to
Get-ForensicOfficeFileMru - gets files that have been recently opened in Microsoft Office
Get-ForensicOfficeOutlookCatalog - gets Outlook .pst file paths
Get-ForensicOfficePlaceMru - gets directories that have recently been opened in Microsoft Office
Get-ForensicOfficeTrustRecord - gets files that have been explicitly trusted within Microsoft Office
Get-ForensicPrefetch - gets Windows Prefetch artifacts by parsing the file's binary structure
Get-ForensicRunKey - gets the persistence mechanisms stored in registry run keys
Get-ForensicRunMostRecentlyUsed - gets the commands that were issued by the user to the Run dialog
Get-ForensicScheduledJob - gets Scheduled Jobs (at jobs) by parsing the file's binary structures
Get-ForensicShellLink - gets ShellLink (.lnk) artifacts by parsing the file's binary structure
Get-ForensicSid - gets the machine Security Identifier from the SAM hive
Get-ForensicTimezone - gets the system's timezone based on the registry setting
Get-ForensicTypedUrl - gets the Uniform Resource Locators (URLs) that have been typed into Internet Explorer
Get-ForensicUserAssist - gets the UserAssist entries from the specified volume
Get-ForensicWindowsSearchHistory - gets the terms that have been searched for using the Windows Search feature

Application Compatibility Cache:
Get-ForensicAmcache - gets previously run commands from the Amcache.hve registry hive
Get-ForensicRecentFileCache - gets previously run commands from the RecentFileCache.bcf file
Get-ForensicShimcache - gets previously run commands from the AppCompatCache (AppCompatibility on XP) registry key

Windows Registry:
Get-ForensicRegistryKey - gets the keys of the specified registry hive
Get-ForensicRegistryValue - gets the values of the specified registry key

Forensic Timeline:
ConvertTo-ForensicTimeline - converts an object to a ForensicTimeline object
Get-ForensicTimeline - creates a forensic timeline

Utilities:
ConvertFrom-BinaryData - implements PowerForensics' BinShred API to parse binary data into an object
Copy-ForensicFile - creates a copy of a file from its raw bytes on disk
Get-ForensicChildItem - returns a directory's contents by parsing the MFT structures
Get-ForensicContent - gets the content of a file from its raw bytes on disk
Invoke-ForensicDD - provides a bit-for-bit copy of a specified device
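As an added example (not from the original post or the PowerForensics project), the script below combines several of the cmdlets listed above into one timeline bounded to an incident window, the kind of triage an analyst runs once the module is installed. It assumes these cmdlets accept -VolumeName C: and that ForensicTimeline objects expose Time, ActivityType, Source and FileName properties; the dates and output path are constructed placeholders.

```powershell
# Added example: bounded forensic timeline for volume C: built from PowerForensics cmdlets.
# Assumptions (not confirmed by the post): the cmdlets accept -VolumeName, and
# ForensicTimeline objects expose Time, ActivityType, Source and FileName.
Import-Module PowerForensics

# Incident window chosen by the investigator (constructed sample dates).
$start = [datetime]'2016-03-01'
$end   = $start.AddDays(1)
$outFile = Join-Path $env:USERPROFILE 'Desktop\timeline.csv'   # placeholder path

# Each source is parsed from on-disk structures rather than through the live Windows API,
# so the collection does not depend on the state of the running system's handlers.
$events = @(
    Get-ForensicPrefetch  -VolumeName C:   # program execution evidence
    Get-ForensicUsnJrnl   -VolumeName C:   # file create/delete/rename records
    Get-ForensicShellLink -VolumeName C:   # .lnk files: documents the user opened
    Get-ForensicRunKey    -VolumeName C:   # autostart persistence entries
) | ConvertTo-ForensicTimeline

# Keep only the window and order oldest-first so the output reads as a narrative.
$window = $events |
    Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
    Sort-Object Time

# Console view for a quick look; full records to CSV for the case file.
$window | Select-Object Time, ActivityType, Source, FileName | Format-Table -AutoSize
$window | Export-Csv -Path $outFile -NoTypeInformation

# Count entries per artifact source: a sanity check that every collector returned
# data for the window before drawing conclusions from its absence.
$window | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run it from an elevated PowerShell session, since reading raw disk structures requires administrative access to the volume.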
Public API

PowerForensics is built on a C# library (assembly) that provides a public forensic API. All of the module's cmdlets are built on that public API, and it can easily be extended to create new cmdlets. API documentation will be published soon.

More information and the project at: https://github.com/Invoke-IR/PowerForensics
