powershell - powerforensics
TRANSCRIPT
Taha İslam YILMAZ, Computer Engineering, TOBB ETU, ADEO IWS - Computer Forensics
Invoke-IR
• Windows PowerShell
• PowerForensics
• Demo

Invoke-IR
• PowerForensics
• Uproot
• WMI Eventing
Windows PowerShell
Windows PowerShell
New generation command-line interface. Users are able to link (pipe) several commands:
    PS C:\> Get-ChildItem C: | Get-ForensicFileRecord
Windows PowerShell - Cmdlets
Special commands, easy to use:
    get-command
    get-process p* | stop-process
    get-process | where { $_.WS -gt 10MB } | stop-process
Windows PowerShell - Functions
Similar to functions in programming languages; they save time when tackling repetitive tasks:
    function Stop-Script () {
        "Script terminating..."          # a bare string is written to the output stream
        Write-Output "========================================================"
        Exit
    }
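The following function is an added example, not code from the slides: it turns the one-liner "get-process | where { $_.WS -gt 10MB }" into a reusable, pipeline-aware function, showing how cmdlets, the pipeline and functions fit together. It uses only built-in cmdlets; the function name, its parameters and the 200MB threshold in the usage lines are my own choices.

```powershell
# Added example (not from the slides): a pipeline-aware function built from standard cmdlets.
function Get-LargeProcess {
    [CmdletBinding()]
    param(
        # Processes arrive from the pipeline (Get-Process | Get-LargeProcess) or as an argument
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Process[]]$Process,

        # Working-set threshold; PowerShell understands size suffixes such as 10MB or 1GB
        [ValidateRange(0, [long]::MaxValue)]
        [long]$MinimumWorkingSet = 10MB
    )

    process {
        # The process block runs once per pipeline object, so memory use stays flat
        foreach ($p in $Process) {
            if ($p.WorkingSet64 -gt $MinimumWorkingSet) {
                # Emit objects, not text: downstream cmdlets can sort, filter or export them
                [pscustomobject]@{
                    Name         = $p.ProcessName
                    Id           = $p.Id
                    WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
                    Path         = $p.Path   # $null for protected or system processes
                }
            }
        }
    }
}

# Usage: review first. -WhatIf shows what the slide's "| stop-process" one-liner would do
# without actually terminating anything.
Get-Process | Get-LargeProcess -MinimumWorkingSet 200MB |
    Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
Get-Process | Get-LargeProcess -MinimumWorkingSet 200MB |
    ForEach-Object { Stop-Process -Id $_.Id -WhatIf }
```

The point of returning objects rather than formatted text is that the same function feeds Export-Csv or Where-Object just as well as Format-Table, which is what makes PowerShell functions composable in the way the slide describes.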
Windows PowerShell - Modules
A set of related script files, easy to share. Example: PowerForensics.
PowerForensics
A digital forensics framework. It currently supports the NTFS file system; support for the ext4 file system is being added.
PowerForensics Cmdlets - Boot Sector
• Get-ForensicMasterBootRecord - gets the MasterBootRecord from the first sector of the hard drive
• Get-ForensicGuidPartitionTable - gets the GuidPartitionTable from the first sector of the hard drive
• Get-ForensicPartitionTable - gets the partition table for the specified drive
PowerForensics Cmdlets - Windows Registry
• Get-ForensicRegistryKey - gets the keys of the specified registry hive
• Get-ForensicRegistryValue - gets the values of the specified registry key
PowerForensics Cmdlets - NTFS
• Get-ForensicFileRecord - gets Master File Table entries (parses $MFT)
• Get-ForensicVolumeBootRecord - gets the VolumeBootRecord from the first sector of the volume (parses $Boot)
• Invoke-ForensicDD - provides a bit-for-bit copy of a specified device
• Copy-ForensicFile - creates a copy of a file from its raw bytes on disk
How can we access a locked file?
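As an added example that is not part of the slides, the script below walks through the PowerForensics cmdlets listed above and answers the locked-file question: the SOFTWARE registry hive is held open by the kernel, so Copy-Item fails, while Copy-ForensicFile locates the file's clusters through its $MFT record and rebuilds it from raw volume bytes without ever opening the file. It assumes the PowerForensics module is installed and loaded in an elevated session, that C:\Triage is a writable output folder of my choosing, and that the parameter names used (-Path, -VolumeName, -Destination, -HivePath, -Key, -InFile, -OutFile, -Offset, -BlockSize, -Count) match the installed module version; confirm them with Get-Help before relying on them.

```powershell
# Added example, not from the slides: acquiring a locked file with PowerForensics.
# Assumptions: PowerForensics is installed, the session is elevated (raw volume access),
# C:\Triage is a constructed output path, and cmdlet parameter names match your module
# version (verify with: Get-Help Copy-ForensicFile -Full).
#Requires -RunAsAdministrator
Import-Module PowerForensics -ErrorAction Stop

$OutDir = 'C:\Triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Boot sector: what is on the physical disk and how is it partitioned? ---
Get-ForensicMasterBootRecord -Path '\\.\PHYSICALDRIVE0' | Format-List
Get-ForensicPartitionTable   -Path '\\.\PHYSICALDRIVE0' | Format-Table -AutoSize
# Bit-for-bit copy of only the first sector (512 bytes) as a small preservation artefact
Invoke-ForensicDD -InFile '\\.\PHYSICALDRIVE0' -OutFile "$OutDir\sector0.bin" -Offset 0 -BlockSize 512 -Count 1

# --- NTFS: the volume boot record of C: (parses $Boot) ---
Get-ForensicVolumeBootRecord -VolumeName '\\.\C:' | Format-List

# --- The locked file: the SOFTWARE hive is held open by the kernel while Windows runs ---
$Locked = 'C:\Windows\System32\config\SOFTWARE'
try {
    Copy-Item -Path $Locked -Destination "$OutDir\SOFTWARE.copyitem" -ErrorAction Stop
}
catch {
    # Expected: "being used by another process". The Win32 file API honours the lock.
    Write-Warning "Copy-Item failed on the locked file: $($_.Exception.Message)"
}

# Its MFT record (parsed from $MFT) tells PowerForensics which clusters hold the data ...
Get-ForensicFileRecord -Path $Locked | Format-List

# ... so Copy-ForensicFile can rebuild the file from raw disk bytes without opening it
Copy-ForensicFile -Path $Locked -Destination "$OutDir\SOFTWARE.raw"

# Hash the acquired copy immediately so later analysis can be tied back to this artefact
Get-FileHash -Path "$OutDir\SOFTWARE.raw" -Algorithm SHA256 | Format-List Algorithm, Hash

# The offline copy is an ordinary hive file: review autostart entries for persistence
Get-ForensicRegistryValue -HivePath "$OutDir\SOFTWARE.raw" -Key 'Microsoft\Windows\CurrentVersion\Run' |
    Format-Table -AutoSize
```

Reading the volume directly is also why the session must be elevated: opening \\.\C: or \\.\PHYSICALDRIVE0 requires administrator rights, and that raw access is exactly what lets the module ignore the sharing mode that blocks Copy-Item.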
DEMO TIME
Thank you for listening to me !