Donny Malla Reddy | DFIR SuperNinja
Lionel Faleiro | Cybersecurity Analyst & Trainer
What is PowerShell?
• Command-line shell and scripting language
• Built on the .NET Framework
• Cmdlets
• Object manipulation
• Access to Windows API
• Extensible Interface
Why PowerForensics?
• ‘Forensically sound’
• Can be used for Live & Offline Forensics
• Cheetah level quick
• Chaining of cmdlets is possible
• It provides us with a framework for Hard drive forensic analysis
• Currently supports NTFS and FAT file systems
• PowerForensics is built on a C# Class Library (Assembly) that provides a public API for forensic tasks.
• The public API provides a modular framework for adding to the capabilities exposed by the PowerForensics module.
Github
• https://github.com/Invoke-IR/PowerForensics
Install | Import
• Install-Module -Name PowerForensics
• Import-Module -Name PowerForensics
• Get-Command -Module PowerForensics
Finding Help
• help <Command> -examples
• help Get-ForensicShellLink -Parameter *
Get-ForensicRegistryKey
• Cmdlet is used to extract data from a Registry Key (here from an offline SOFTWARE hive)
• Get-ForensicRegistryKey -HivePath C:\Windows\System32\config\SOFTWARE -Key Google
Get-ForensicTimeLine
• Cmdlet is used to create a Forensic Timeline from an Image or Drive
• Get-ForensicTimeline -VolumeName D:
Get-ForensicTimeLine
• Get-ForensicTimeline -VolumeName G: | Select-Object -Property Date,ActivityType,SourceName,Description | Export-Csv lionel.csv -NoTypeInformation
Get-ForensicRunKey
• Cmdlet extracts Run values from the registry
• Get-ForensicRunKey
• Get-ForensicRunKey -HivePath
Get-ForensicScheduledJob
• Get a list of scheduled jobs
• Get-ForensicScheduledJob
Get-ForensicShellLink
• Cmdlet used to analyse Windows Shell Link files (LNK shortcuts)
• Get-ForensicShellLink -Path C:\Users\lione\Desktop\Atom.lnk
• Get-ForensicShellLink -VolumeName \\.\H: | Export-Excel demo.csv -AutoSize -FreezeTopRow
• Get-ForensicShellLink -Path C:\Users\lione\Desktop\Atom.lnk | Get-ForensicFileRecord -Path {$_.LocalBasePath}
Get-ForensicEventLog
• Cmdlet is used to analyse Windows Event Logs (here the Security log from a mounted image on H:)
$security = Get-ForensicEventLog -Path H:\Windows\System32\winevt\Logs\Security.evtx
# Sort by number of events each day
$security | Group-Object {$_.WriteTime.ToString('yyyy-MM-dd')} | Sort-Object Count -Descending
# Group & filter by event data
$secgroup = $security | Group-Object EventData | Sort-Object Count -Descending
Other CmdLets
• Get-AlternateDataStream - gets the NTFS Alternate Data Streams
on the specified volume
• Get-ForensicEventLog - gets the events in an event log or in all
event logs
• Get-ForensicExplorerTypedPath - gets the file paths that have been
typed into the Windows Explorer application
• Get-ForensicNetworkList - gets a list of networks that the system
has previously been connected to
Other CmdLets
• Get-ForensicOfficeFileMru - gets the files that have been recently opened in Microsoft Office
• Get-ForensicOfficeOutlookCatalog - gets the Outlook PST file paths
• Get-ForensicOfficePlaceMru - gets the directories that have recently been opened in Microsoft Office
• Get-ForensicPrefetch - gets Windows Prefetch artifacts by parsing
the file's binary structure
• Get-ForensicRunMostRecentlyUsed - gets the commands that were
issued by the user to the run dialog
Other CmdLets
• Get-ForensicWindowsSearchHistory - gets the terms that have been
searched for using the Windows Search feature
• Get-ForensicTimezone - gets the system's timezone based on the
registry setting
• Get-ForensicTypedUrl - gets the Universal Resource Locators (URL)
that have been typed into Internet Explorer
Case Study
• A Web server has been compromised. You are called to investigate
the web server
Case Study Solution
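One way to triage the compromised web server with the cmdlets shown in this deck (added example, not part of the original slides or the PowerForensics project). Assumptions: the server's disk image is mounted offline as H:, the site lives under \inetpub\wwwroot (IIS), the incident window dates are constructed, and the `-VolumeName` parameter is accepted by Get-ForensicScheduledJob and Get-ForensicPrefetch as it is by the other artifact cmdlets.

```powershell
# Offline triage of a compromised web server image with PowerForensics.
# Added example; paths, dates and the IIS web root are assumptions.
Import-Module -Name PowerForensics

$Volume   = '\\.\H:'                                    # mounted evidence volume (assumed)
$Hive     = 'H:\Windows\System32\config\SOFTWARE'       # offline SOFTWARE hive on that volume
$SecLog   = 'H:\Windows\System32\winevt\Logs\Security.evtx'
$WinStart = Get-Date '2019-01-10'                       # constructed incident window
$WinEnd   = Get-Date '2019-01-13'
$Out      = 'C:\Cases\webserver'                        # analyst output folder (assumed)
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Master timeline narrowed to the incident window, exported for review.
$timeline = Get-ForensicTimeline -VolumeName $Volume |
    Where-Object { $_.Date -ge $WinStart -and $_.Date -le $WinEnd }
$timeline | Select-Object Date, ActivityType, SourceName, Description |
    Sort-Object Date |
    Export-Csv (Join-Path $Out 'timeline.csv') -NoTypeInformation

# 2. Files created or changed under the web root in the window (new scripts,
#    edited configs). The path pattern is an assumption about the site layout.
$timeline | Where-Object { $_.Description -match '\\inetpub\\wwwroot\\' } |
    Sort-Object Date |
    Export-Csv (Join-Path $Out 'webroot-changes.csv') -NoTypeInformation

# 3. Persistence checks: Run keys from the offline hive and scheduled jobs.
Get-ForensicRunKey -HivePath $Hive |
    Export-Csv (Join-Path $Out 'runkeys.csv') -NoTypeInformation
Get-ForensicScheduledJob -VolumeName $Volume |
    Export-Csv (Join-Path $Out 'scheduled-jobs.csv') -NoTypeInformation

# 4. Execution evidence: prefetch records parsed from the image.
Get-ForensicPrefetch -VolumeName $Volume |
    Export-Csv (Join-Path $Out 'prefetch.csv') -NoTypeInformation

# 5. Security log: events per day inside the window. A day with far more
#    events than its neighbours is where to start reading individual records.
$security = Get-ForensicEventLog -Path $SecLog |
    Where-Object { $_.WriteTime -ge $WinStart -and $_.WriteTime -le $WinEnd }
$perDay = $security |
    Group-Object { $_.WriteTime.ToString('yyyy-MM-dd') } |
    Sort-Object Count -Descending
$perDay | Select-Object Name, Count |
    Export-Csv (Join-Path $Out 'security-events-per-day.csv') -NoTypeInformation
$perDay | Format-Table Name, Count -AutoSize
```

Work from the CSVs rather than re-running cmdlets against the image: each export is a fixed artifact that can be hashed and attached to the case file.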