en-US/PowerForensics.dll-Help.xml
<?xml version="1.0" encoding="utf-8" ?>
<helpItems xmlns="http://msh" schema="maml"> <!--Edited with: SAPIEN PowerShell HelpWriter 2015 v1.0.16--> <!--Generated by: SAPIEN PowerShell HelpWriter 2015 v1.0.16--> <!-- Module: PowerForensics Version: 1.0.0.3 --> <!--All Commands--> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>ConvertTo-ForensicTimeline</command:name> <maml:description> <maml:para>Converts an object to a ForensicTimeline object.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>ConvertTo</command:verb> <command:noun>ForensicTimeline</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The ConvertTo-ForensicTimeline cmdlet gets a PowerForensic object and formats it as a common ForensicTimeline object. You can use this cmdlet to make the output consistent with the output of the Invoke-ForensicTimeline cmdlet. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option. </maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>ConvertTo-ForensicTimeline</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Object to be converted to a ForensicTimeline object.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PSObject</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByValue)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Object to be converted to a ForensicTimeline object.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PSObject</command:parameterValue> <dev:type> <maml:name>PSObject</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Management.Automation.PSObject</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Formats.ForensicTimeline</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-FileRecord 24212 | ConvertTo-ForensicTimeline Date : 8/22/2013 3:35:48 AM ActivityType : M... Source : MFT SourceType : User : FileName : C:\Windows\notepad.exe Description : [208896] C:\Windows\notepad.exe Date : 8/22/2013 3:35:49 AM ActivityType : .A.B Source : MFT SourceType : User : FileName : C:\Windows\notepad.exe Description : [208896] C:\Windows\notepad.exe Date : 9/10/2014 2:45:22 AM ActivityType : ..C. Source : MFT SourceType : User : FileName : C:\Windows\notepad.exe Description : [208896] C:\Windows\notepad.exe</dev:code> <dev:remarks> <maml:para>This command uses ConvertTo-ForensicTimeline to convert a FileRecord object to multiple ForensicTimeline objects. The cmdlet creates a ForensicTimeline object for each unique timestamp.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Copy-ForensicFile</command:name> <maml:description> <maml:para/> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Copy</command:verb> <command:noun>ForensicFile</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Copy-ForensicFile</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Destination</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Copy-ForensicFile</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Destination</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Destination</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None </maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicAlternateDataStream</command:name> <maml:description> <maml:para>Gets the NTFS Alternate Data Streams on the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicAlternateDataStream</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicAlternateDataStream cmdlet parses the Master File Table and returns AlternateDataStream objects for files that contain more than one $DATA attribute. NTFS stores file contents in $DATA attributes. The file system allows a single file to maintain multiple $DATA attributes. When a file has more than one $DATA attribute the additional attributes are referred to as "Alternate Data Streams".</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicAlternateDataStream</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicAlternateDataStream</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of a file that should be checked for alternate data streams.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of a file that should be checked for alternate data streams.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.AlternateDataStream</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicAlternateDataStream</dev:code> <dev:remarks> <maml:para>This example shows Get-ForensicAlternateDataStream getting all ADS on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicAmcache</command:name> <maml:description> <maml:para>Gets previously run commands from the Amcache.hve registry hive.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicAmcache</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-Amcache cmdlet parses the Amcache.hve registry hive to derive applications that were recently used. If you don't specify a hive path (-HivePath), the cmdlet parses the C:\Windows\AppCompat\Programs\Amcache.hve. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicAmcache</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicAmcache</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.Amcache</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-Amcache</dev:code> <dev:remarks> <maml:para>This example shows Get-Amcache being run against the default Amcache.hve (C:\Windows\AppCompat\Programs\Amcache.hve)</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-Amcache -HivePath C:\Windows\AppCompat\Programs\Amcache.hve</dev:code> <dev:remarks> <maml:para>This is an example of Get-Amcache taking a Amcache.hve as an argument.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicAttrDef</command:name> <maml:description> <maml:para>Gets information about all the Master File Table (MFT) file attributes usable in a volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicAttrDef</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-AttrDef cmdlet parses the $AttrDef file on the specified volume and returns information about all MFT file attributes usable in the volume. By default, the cmdlet parses the $AttrDef file on the C:\ drive. To change the target drive, use the VolumeName parameter or use the Path parameter to specify an exported $AttrDef file. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicAttrDef</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicAttrDef</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.AttrDef</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-AttrDef -VolumeName \\.\C: Name Type MinSize MaxSize ---- ---- ------- ------- $STANDARD_INFORMATION 16 48 72 $ATTRIBUTE_LIST 32 0 18446744073709551615 $FILE_NAME 48 68 578 $OBJECT_ID 64 0 256 $SECURITY_DESCRIPTOR 80 0 18446744073709551615 $VOLUME_NAME 96 2 256 $VOLUME_INFORMATION 112 12 12 $DATA 128 0 18446744073709551615 $INDEX_ROOT 144 0 18446744073709551615 $INDEX_ALLOCATION 160 0 18446744073709551615 $BITMAP 176 0 18446744073709551615 $REPARSE_POINT 192 0 16384 $EA_INFORMATION 208 8 8 $EA 224 0 65536 $LOGGED_UTILITY_STREAM 256 0 65536</dev:code> <dev:remarks> <maml:para>This example shows returning the MFT Attribute definitions for the C Volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-AttrDef -Path 'C:\$AttrDef' Name Type MinSize MaxSize ---- ---- ------- ------- $STANDARD_INFORMATION 16 48 72 $ATTRIBUTE_LIST 32 0 18446744073709551615 $FILE_NAME 48 68 578 $OBJECT_ID 64 0 256 $SECURITY_DESCRIPTOR 80 0 18446744073709551615 $VOLUME_NAME 96 2 256 $VOLUME_INFORMATION 112 12 12 $DATA 128 0 18446744073709551615 $INDEX_ROOT 144 0 18446744073709551615 $INDEX_ALLOCATION 160 0 18446744073709551615 $BITMAP 176 0 18446744073709551615 $REPARSE_POINT 192 0 16384 $EA_INFORMATION 208 8 8 $EA 224 0 65536 $LOGGED_UTILITY_STREAM 256 0 65536</dev:code> <dev:remarks> <maml:para>This example shows Get-AttrDef being run against an exported file.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicBitmap</command:name> <maml:description> <maml:para>Determines whether the specified cluster is allocated.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicBitmap</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-Bitmap cmdlet parses the $Bitmap file to determine whether or not the specified cluster is allocated. By default, the cmdlet parses the $Bitmap file on the C:\ drive. To change the target drive, use the VolumeName parameter or use the Path parameter to specify an exported $Bitmap file. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicBitmap</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Cluster</maml:name> <maml:description> <maml:para>The cluster number to check for allocation.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicBitmap</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Cluster</maml:name> <maml:description> <maml:para>The cluster number to check for allocation.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Cluster</maml:name> <maml:description> <maml:para>The cluster number to check for allocation.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue> <dev:type> <maml:name>UInt64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.Bitmap</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-Bitmap -Cluster 1000 Cluster InUse ------- ----- 1000 True</dev:code> <dev:remarks> <maml:para>This example shows Get-Bitmap being used to check Cluster 1000's allocation status.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-Bitmap -Cluster 1000 -Path 'C:\$Bitmap' Cluster InUse ------- ----- 1000 True</dev:code> <dev:remarks> <maml:para>This example shows Get-Bitmap checking cluster 1000 of the exported C:\$Bitmap file.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicBootSector</command:name> <maml:description> <maml:para>Gets the Boot Sector (Master Boot Record or Guid Partition Table) for the specified physical drive.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicBootSector</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-BootSector cmdlet parses Logical Block Address 0 of the specified physical drive, determines whether the disk is formatted using a Master Boot Record or a Guid Partition Table, and returns a MasterBootRecord or GuidPartitionTable object. You can also use the AsBytes switch parameter to return the raw bytes of the Boot Sector. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option. Use this cmdlet instead of Get-MasterBootRecord or Get-GuidPartitionTable when the disk's partitioning scheme is unknown.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicBootSector</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Specifies that the Guid Partition Table is returned as raw bytes instead of as a custom object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Specifies that the Guid Partition Table is returned as raw bytes instead of as a custom object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.MasterBootRecord</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>PowerForensics.GuidPartitionTable</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <maml:description> <maml:para>If you use the AsBytes parameter, Get-ForensicBootSector returns the raw bytes of the boot sector. Otherwise, it returns a MasterBootRecord or GuidPartitionTable object. </maml:para> </maml:description> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-BootSector -Path \\.\PHYSICALDRIVE0 MBRSignature DiskSignature BootCode PartitionTable ------------ ------------- -------- -------------- Windows 6.1+ 82D4BA7D {51, 192, 142, 208...} {NTFS}</dev:code> <dev:remarks> <maml:para>This example shows Get-MBR being used to return the MBR object from \\.\PHYSICALDRIVE0.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-BootSector -Path \\.\PHYSICALDRIVE1 Revision : 0.1 HeaderSize : 92 MyLBA : 1 AlternateLBA : 20971519 FirstUsableLBA : 34 LastUsableLBA : 20971486 DiskGUID : f913e110-0835-4cf1-96c7-380b5db4a42d PartitionEntryLBA : 2 NumberOfPartitionEntries : 128 SizeOfPartitionEntry : 128 PartitionTable : {Microsoft reserved partition, Basic data partition, Basic data partition}</dev:code> <dev:remarks> <maml:para>This example shows Get-BootSector being used to return the GPT object from \\.\PHYSICALDRIVE1.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-MBR -Path \\.\PHYSICALDRIVE2 -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3.....|......|.. 0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .......Ph....... 0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ....~..|........ 0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 .....V.U.F...F.. 0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 .A..U..]r...U.u. 0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ....t..F.f`.~..t 0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h. 0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h...B.V..... 0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ............|.V. 0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE .v..N..n...fas.. 0x000000A0 4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u..~.......... 0x000000B0 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2..V...]...>.}U 0x000000C0 AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 .un.v....u.....d 0x000000D0 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 ......`.|....d.u 0x000000E0 00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .......f#.u;f..T 0x000000F0 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2....r,fh... 0x00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf 0x00000110 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f 0x00000120 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah.....Z2...|... 0x00000130 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 ..............2. 0x00000140 05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ......<.t....... 0x00000150 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 ......+..d..$... 0x00000160 24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $..Invalid parti 0x00000170 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error 0x00000180 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 loading operati 0x00000190 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin 0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst 0x000001B0 65 6D 00 00 00 63 7B 9A B3 64 EE 2F 00 00 00 20 em...c{..d./... 0x000001C0 21 00 07 65 24 41 00 08 00 00 00 00 10 00 00 65 !..e$A.........e 0x000001D0 25 41 0B AA 28 82 00 08 10 00 00 00 10 00 00 AA %A..(........... 0x000001E0 29 82 0B EF 2C C3 00 08 20 00 00 00 10 00 00 EF )...,... ....... 0x000001F0 2D C3 0F FE FF 90 00 08 30 00 00 F0 AF 00 55 AA -.......0.....U.</dev:code> <dev:remarks> <maml:para>This example shows how the AsBytes parameter returns the Boot Sector as a byte array.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicChildItem</command:name> <maml:description> <maml:para/> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicChildItem</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicChildItem</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None </maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicContent</command:name> <maml:description> <maml:para/> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicContent</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicContent</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Encoding</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">FileSystemCmdletProviderEncoding</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="First , Head"> <maml:name>TotalCount</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Last"> <maml:name>Tail</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicContent</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Index</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Encoding</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">FileSystemCmdletProviderEncoding</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="First , Head"> <maml:name>TotalCount</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Last"> <maml:name>Tail</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Encoding</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">FileSystemCmdletProviderEncoding</command:parameterValue> <dev:type> <maml:name>FileSystemCmdletProviderEncoding</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="First , Head"> <maml:name>TotalCount</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> <dev:type> <maml:name>Int64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Last"> <maml:name>Tail</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">Int64</command:parameterValue> <dev:type> <maml:name>Int64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Index</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None </maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicEventLog</command:name> <maml:description> <maml:para>Gets the events in an event log or in all event logs.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicEventLog</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicEventLog cmdlet parses the specified event Log file and returns an array of EventRecord objects. If you don't specify an event log, Get-ForensicEventLog parses all event logs in the C:\Windows\system32\winevt\Logs directory. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicEventLog</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition (Ex. \\.\C:, \\.\HARDDISKVOLUME1, or C).</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicEventLog</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the path of the file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition (Ex. \\.\C:, \\.\HARDDISKVOLUME1, or C).</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the path of the file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.EventLog.EventRecord</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicEventLog</dev:code> <dev:remarks> <maml:para>This command runs Get-ForensicEventLog to parse all event logs in the C:\windows\system32\winevt\logs\ directory.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-EventLog -Path C:\evidence\Application.evtx</dev:code> <dev:remarks> <maml:para>This command uses Get-EventLog to parse an exported Application event log</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicExplorerTypedPath</command:name> <maml:description> <maml:para>Gets the file paths that have been typed into the Windows Explorer application.</maml:para> </maml:description> <maml:copyright> <maml:para> </maml:para> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicExplorerTypedPath</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicExplorerTypedPath cmdlet parses a user's NTUSER.DAT file to derive the file paths that have been typed into the Windows Explorer application. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicExplorerTypedPath</maml:name> <command:parameter required="true" pipelineinput="false" globbing="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para> </maml:para> </maml:description> <dev:type> <maml:name>System.String</maml:name> <maml:uri> </maml:uri> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicExplorerTypedPath -HivePath C:\Users\Public\NTUSER.DAT</dev:code> <dev:remarks> <maml:para>This command gets the URLs typed into Internet Explorer from the C:\Users\Public\NTUSER.DAT hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicFileRecord</command:name> <maml:description> <maml:para>Gets the file records from the Master File Table of the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicFileRecord</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicFileRecord cmdlet parses the $MFT file and returns an array of FileRecord entries. By default, this cmdlet parses the $MFT file on the C:\ drive. To change the target drive, use the VolumeName parameter or use the Path parameter to specify an exported $MFT file. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicFileRecord</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index number of the desired Master File Table entry.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master File Table Entry as byte array instead of as FileRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicFileRecord</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the desired Master File Table entry.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master File Table Entry as byte array instead of as FileRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicFileRecord</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>MftPath</maml:name> <maml:description> <maml:para>Path to an exported Master File Table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index number of the desired Master File Table entry.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master File Table Entry as byte array instead of as FileRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the desired Master File Table entry.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>MftPath</maml:name> <maml:description> <maml:para>Path to an exported Master File Table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.FileRecord</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecord</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecord to return all records from the Master File Table on the default C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecord -VolumeName C: -Index 0 FullName : C:\$MFT Name : $MFT SequenceNumber : 1 RecordNumber : 0 ParentSequenceNumber : 5 ParentRecordNumber : 5 Directory : False Deleted : False ModifiedTime : 8/13/2015 9:35:13 PM AccessedTime : 8/13/2015 9:35:13 PM ChangedTime : 8/13/2015 9:35:13 PM BornTime : 8/13/2015 9:35:13 PM FNModifiedTime : 8/13/2015 9:35:13 PM FNAccessedTime : 8/13/2015 9:35:13 PM FNChangedTime : 8/13/2015 9:35:13 PM FNBornTime : 8/13/2015 9:35:13 PM</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecord to get the Master File Table record at index 0 on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecord -Path C:\Windows\system32\cmd.exe FullName : C:\Windows\System32\cmd.exe Name : cmd.exe SequenceNumber : 1 RecordNumber : 38224 ParentSequenceNumber : 1 ParentRecordNumber : 4061 Directory : False Deleted : False ModifiedTime : 7/10/2015 10:59:58 AM AccessedTime : 7/10/2015 10:59:58 AM ChangedTime : 10/21/2015 2:07:46 PM BornTime : 7/10/2015 10:59:58 AM FNModifiedTime : 8/13/2015 9:35:46 PM FNAccessedTime : 8/13/2015 9:35:46 PM FNChangedTime : 8/13/2015 9:35:46 PM FNBornTime : 8/13/2015 9:35:46 PM</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecord to get the Master File Table record for C:\Windows\system32\cmd.exe.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 4 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecord -Path C:\Windows\notepad.exe -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 46 49 4C 45 30 00 03 00 73 2B 77 13 00 00 00 00 FILE0...s+w..... 0x00000010 01 00 02 00 38 00 01 00 00 03 00 00 00 04 00 00 ....8........... 0x00000020 00 00 00 00 00 00 00 00 0E 00 00 00 F0 5F 01 00 ............._.. 0x00000030 0B 00 72 00 00 00 00 00 10 00 00 00 60 00 00 00 ..r.........`... 0x00000040 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H....... 0x00000050 28 FE C1 84 F0 D5 D0 01 20 47 DB 80 8A CD D0 01 (....... G...... 0x00000060 DB 9C 17 87 F7 D5 D0 01 28 FE C1 84 F0 D5 D0 01 ........(....... 0x00000070 20 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0x00000080 00 00 00 00 15 02 00 00 00 00 00 00 00 00 00 00 ................ 0x00000090 B0 05 DB 02 00 00 00 00 30 00 00 00 70 00 00 00 ........0...p... 0x000000A0 00 00 00 00 00 00 0B 00 58 00 00 00 18 00 01 00 ........X....... 0x000000B0 B9 05 00 00 00 00 01 00 28 FE C1 84 F0 D5 D0 01 ........(....... 0x000000C0 20 47 DB 80 8A CD D0 01 3C 40 96 B8 F0 D5 D0 01 G......<@...... 0x000000D0 28 FE C1 84 F0 D5 D0 01 00 50 03 00 00 00 00 00 (........P...... 0x000000E0 00 48 03 00 00 00 00 00 20 00 00 00 00 00 00 00 .H...... ....... 0x000000F0 0B 00 6E 00 6F 00 74 00 65 00 70 00 61 00 64 00 ..n.o.t.e.p.a.d. 0x00000100 2E 00 65 00 78 00 65 00 30 00 00 00 70 00 00 00 ..e.x.e.0...p... 0x00000110 00 00 00 00 00 00 09 00 58 00 00 00 18 00 01 00 ........X....... 0x00000120 FC 50 01 00 00 00 02 00 28 FE C1 84 F0 D5 D0 01 .P......(....... 0x00000130 20 47 DB 80 8A CD D0 01 63 33 61 B6 F0 D5 D0 01 G......c3a..... 0x00000140 28 FE C1 84 F0 D5 D0 01 00 50 03 00 00 00 00 00 (........P...... 0x00000150 00 48 03 00 00 00 00 00 20 00 00 00 00 00 00 00 .H...... ....... 0x00000160 0B 03 6E 00 6F 00 74 00 65 00 70 00 61 00 64 00 ..n.o.t.e.p.a.d. 0x00000170 2E 00 65 00 78 00 65 00 80 00 00 00 48 00 00 00 ..e.x.e.....H... 0x00000180 01 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 ................ 0x00000190 34 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 4.......@....... 0x000001A0 00 50 03 00 00 00 00 00 00 48 03 00 00 00 00 00 .P.......H...... 0x000001B0 00 48 03 00 00 00 00 00 31 35 18 9A 27 00 00 00 .H......15..'... 0x000001C0 D0 00 00 00 20 00 00 00 00 00 00 00 00 00 0C 00 .... ........... 0x000001D0 08 00 00 00 18 00 00 00 8D 00 00 00 94 00 00 00 ................ 0x000001E0 E0 00 00 00 B0 00 00 00 00 00 00 00 00 00 0D 00 ................ 0x000001F0 94 00 00 00 18 00 00 00 94 00 00 00 00 16 72 00 ..............r. 0x00000200 24 4B 45 52 4E 45 4C 2E 50 55 52 47 45 2E 45 53 $KERNEL.PURGE.ES 0x00000210 42 43 41 43 48 45 00 72 00 00 00 03 00 02 0C 42 BCACHE.r.......B 0x00000220 73 2C DB 07 D6 D0 01 00 C7 9B 0B C7 89 D0 01 02 s,.............. 0x00000230 00 00 00 54 00 27 01 0C 80 00 00 20 1C FE AD 81 ...T.'..... .... 0x00000240 46 39 9A 4D FE 67 59 E9 30 3C 30 C5 21 CF F3 83 F9.M.gY.0<0.!... 0x00000250 0E 71 77 E8 7E 64 02 1D C3 DA 49 31 1B 00 04 80 .qw.~d....I1.... 0x00000260 00 00 14 B4 F8 DF 0F CF 38 8F 82 08 41 92 26 4C ........8...A.&L 0x00000270 8B 81 D0 25 5F 31 77 12 03 80 F6 10 83 6B 95 CF ...%_1w......k.. 0x00000280 01 80 B6 D8 39 88 FC D0 01 00 00 00 00 00 00 00 ....9........... 0x00000290 00 01 00 00 68 00 00 00 00 09 18 00 00 00 0A 00 ....h........... 0x000002A0 38 00 00 00 30 00 00 00 24 00 54 00 58 00 46 00 8...0...$.T.X.F. 0x000002B0 5F 00 44 00 41 00 54 00 41 00 00 00 00 00 00 00 _.D.A.T.A....... 0x000002C0 05 00 00 00 00 00 05 00 01 00 00 00 01 00 00 00 ................ 0x000002D0 C1 10 00 00 00 00 00 00 03 72 0A 00 02 00 00 00 .........r...... 0x000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000002F0 02 00 00 00 4F 1A 00 00 FF FF FF FF 82 79 47 11 ....O........yG. 0x00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecord to get the Master File Table record for C:\Windows\notepad.exe as a byte array.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 5 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecord -MftPath C:\evidence\MFT</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecord to return all Master File Table records from the exported MFT at C:\evidence\MFT.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicFileRecordIndex</command:name> <maml:description> <maml:para>Gets the MFT Record Index for the specified file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicFileRecordIndex</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicFileRecordIndex cmdlet returns the Master File Table Record Index Number for the specified file. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicFileRecordIndex</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the file to return the Master File Table record index for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the file to return the Master File Table record index for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.UInt64</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileRecordIndex C:\Windows\Notepad.exe</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileRecordIndex to get the Master File Table Record Index for C:\Windows\Notepad.exe.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicFileSlack</command:name> <maml:description> <maml:para>Gets the specified volume's slack space.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicFileSlack</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicFileSlack cmdlet gets the specified volume's slack space as a byte array. "Slack space" is the difference between the true size of a file's contents and the allocated size of a file on disk. When NTFS stores data in a file, the data must be allocated in cluster-sized chunks (commonly 4096 bytes), which creates slack space. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicFileSlack</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index number of the file to return slack space for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicFileSlack</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the file to return slack space for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index number of the file to return slack space for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path of the file to return slack space for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Byte[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileSlack -VolumeName \\.\C: -Index 0</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileSlack to get the slack space from the file that is MFT record index 0 on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicFileSlack -Path C:\windows\notepad.exe</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicFileSlack to return the slack space for Notepad.exe.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicGuidPartitionTable</command:name> <maml:description> <maml:para>Gets the Guid Partition Table for the specified physical drive.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicGuidPartitionTable</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicGuidPartitionTable cmdlet gets the Guid Partition Table for the specified physical drive. By default, Get-ForensicGuidPartitionTable returns a GuidPartitionTable object. You can also use the AsBytes switch parameter to return the raw bytes of the Guid Partition Table. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicGuidPartitionTable</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Guid Partition Table as byte array instead of as GuidPartitionTable object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Guid Partition Table as byte array instead of as GuidPartitionTable object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.GuidPartitionTable</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicGuidPartitionTable -Path \\.\PHYSICALDRIVE1 Revision : 0.1 HeaderSize : 92 MyLBA : 1 AlternateLBA : 20971519 FirstUsableLBA : 34 LastUsableLBA : 20971486 DiskGuid : f913e110-0835-4cf1-96c7-380b5db4a42d PartitionEntryLBA : 2 NumberOfPartitionEntries : 128 SizeOfPartitionEntry : 128 PartitionTable : {Microsoft reserved partition, Basic data partition, Basic data partition}</dev:code> <dev:remarks> <maml:para>This is an example of Get-GuidPartitionTable being run against \\.\PHYSICALDRIVE1</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicGuidPartitionTable -Path \\.\PHYSICALDRIVE1 -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 45 46 49 20 50 41 52 54 00 00 01 00 5C 00 00 00 EFI PART....\... 0x00000010 F3 73 9F 97 00 00 00 00 01 00 00 00 00 00 00 00 .s.............. 0x00000020 FF FF 3F 01 00 00 00 00 22 00 00 00 00 00 00 00 ..?....."....... 0x00000030 DE FF 3F 01 00 00 00 00 10 E1 13 F9 35 08 F1 4C ..?.........5..L 0x00000040 96 C7 38 0B 5D B4 A4 2D 02 00 00 00 00 00 00 00 ..8.]..-........ 0x00000050 80 00 00 00 80 00 00 00 3B 04 A4 F8 00 00 00 00 ........;....... 0x00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicGuidPartitionTable and its AsBytes parameter to return the GPT as a byte array.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicMasterBootRecord</command:name> <maml:description> <maml:para>Gets the Master Boot Record for the specified physical drive.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicMasterBootRecord</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-MasterBootRecord cmdlet gets the Master Boot Record for the specified physical drive and analyzes the MBR's boot code for anomalies. By default, Get-ForensicMasterBootRecord returns a MasterBootRecord object that has detailed information about the drive's boot code and partition table. You can also use the AsBytes switch parameter to return the raw bytes of the Master Boot Record. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicMasterBootRecord</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master Boot Record as byte array instead of as MasterBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicMasterBootRecord</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master Boot Record as byte array instead of as MasterBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Master Boot Record as byte array instead of as MasterBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.MasterBootRecord</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <maml:description> <maml:para/> </maml:description> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-MasterBootRecord -Path \\.\PHYSICALDRIVE0 MBRSignature DiskSignature PartitionTable ------------ ------------- -------------- Windows 6.1+ 82D4BA7D {NTFS}</dev:code> <dev:remarks> <maml:para>This is an example of Get-MasterBootRecord being run against \\.\PHYSICALDRIVE0</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-MasterBootRecord -Path \\.\PHYSICALDRIVE0 -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3.....|......|.. 0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .......Ph....... 0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ....~..|........ 0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 .....V.U.F...F.. 0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 .A..U..]r...U.u. 0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ....t..F.f`.~..t 0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h. 0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h...B.V..... 0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ............|.V. 0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE .v..N..n...fas.. 0x000000A0 4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u..~.......... 0x000000B0 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2..V...]...>.}U 0x000000C0 AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 .un.v....u.....d 0x000000D0 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 ......`.|....d.u 0x000000E0 00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .......f#.u;f..T 0x000000F0 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2....r,fh... 0x00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf 0x00000110 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f 0x00000120 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah.....Z2...|... 0x00000130 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 ..............2. 0x00000140 05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ......<.t....... 0x00000150 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 ......+..d..$... 0x00000160 24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $..Invalid parti 0x00000170 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error 0x00000180 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 loading operati 0x00000190 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin 0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst 0x000001B0 65 6D 00 00 00 63 7B 9A 82 D4 BA 7D 00 00 80 20 em...c{....}... 0x000001C0 21 00 07 FE FF FF 00 08 00 00 00 F0 7F 07 00 00 !............... 0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U.</dev:code> <dev:remarks> <maml:para>This command uses the AsBytes parameter of Get-MasterBootRecord to get the MBR as a byte array.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicMftSlack</command:name> <maml:description> <maml:para>Gets the Master File Table (MFT) slack space for the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicMftSlack</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicMftSlack cmdlet returns a byte array representing the slack space found in Master File Table (MFT) records. Each MFT File Record is 1024 bytes long. When a file record does not allocate all 1024 bytes, the remaining bytes are considered "slack." To compute slack space, compare the AllocatedSize and RealSize properties of a FileRecord object. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicMftSlack</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index of the MFT entry to return MFT slack space for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicMftSlack</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the file to return MFT slack space for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicMftSlack</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>MftPath</maml:name> <maml:description> <maml:para>Path to an exported Master File Table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Index</maml:name> <maml:description> <maml:para>The index of the MFT entry to return MFT slack space for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>The path to the file to return MFT slack space for.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>MftPath</maml:name> <maml:description> <maml:para>Path to an exported Master File Table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Byte[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicMftSlack -VolumeName C:</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicMftSlack to get slack space from the $MFT file on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicMftSlack -VolumeName C: -Index 24212</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicMftSlack to get the slack space from the MFT record at index 24212 on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicMftSlack -Path C:\Windows\system32\cmd.exe</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicMftSlack to get the slack space on the Cmd.exe MFT record.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 4 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicMftSlack -MftPath C:\evidence\MFT</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicMftSlack to get the MFT slack space from an exported Master File Table.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicNetworkList</command:name> <maml:description> <maml:para>Gets a list of networks that the system has previously been connected to.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicNetworkList</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicNetworkList cmdlet parses the SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList key to derive a list of previously connected networks. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicNetworkList</maml:name> <command:parameter required="false" pipelineinput="false" globbing="false" position="named"> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicNetworkList</maml:name> <command:parameter required="true" pipelineinput="false" globbing="false" position="named"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.NetworkList</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicNetworkList</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicNetworkList to parse the SOFTWARE hive on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicNetworkList -HivePath C:\evidence\SOFTWARE</dev:code> <dev:remarks> <maml:para>This command uses Get-ForensicNetworkList on an exported SOFTWARE hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicPartitionTable</command:name> <maml:description> <maml:para>Gets a list of partition objects on the specified disk.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicPartitionTable</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicPartitionTable cmdlet gets one or more Partition objects depending on the specified DrivePath. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicPartitionTable</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="DrivePath"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specified the physical drive to investigate. (Ex. \\.\PHYSICALDRIVE0)</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.PartitionEntry[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>PowerForensics.GuidPartitionTableEntry[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicPartitionTable -DrivePath \\.\PHYSICALDRIVE0 Bootable SystemID StartSector EndSector -------- -------- ----------- --------- True NTFS 2048 125827072</dev:code> <dev:remarks> <maml:para>This command gets all MBR partitions on the \\.\PHYSICALDRIVE0 disk.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicPartitionTable -Path \\.\PHYSICALDRIVE1 PartitionTypeGUID : e3c9e316-0b5c-4db8-817d-f92df00215ae UniquePartitionGUID : ff1a8a47-08f8-43ab-b410-53697f0b2323 StartingLBA : 34 EndingLBA : 65569 Attributes : 0 PartitionName : Microsoft reserved partition PartitionTypeGUID : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 UniquePartitionGUID : 6d76ae42-b6c1-4fbe-8d42-20cd366026b4 StartingLBA : 67584 EndingLBA : 2164735 Attributes : 0 PartitionName : Basic data partition PartitionTypeGUID : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 UniquePartitionGUID : d6795c3a-8a4d-4fb4-91a0-488812cce027 StartingLBA : 2164736 EndingLBA : 4261887 Attributes : 0 PartitionName : Basic data partition</dev:code> <dev:remarks> <maml:para>This command gets all GPT partitions on the \\.\PHYSICALDRIVE1 disk.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicPrefetch</command:name> <maml:description> <maml:para>Gets the Prefetch objects from the specified volume or file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicPrefetch</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicPrefetch cmdlet parses the binary structure in the specified Prefetch file. If a file is not specified, Get-Prefetch parses all .pf files in the C:\Windows\Prefetch directory. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicPrefetch</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Fast</maml:name> <maml:description> <maml:para>Use the Windows API to list files within the C:\Windows\Prefetch directory. WARNING: Not forensically sound.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicPrefetch</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Fast</maml:name> <maml:description> <maml:para>Use the Windows API to list files within the C:\Windows\Prefetch directory. WARNING: Not forensically sound.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Fast</maml:name> <maml:description> <maml:para>Use the Windows API to list files within the C:\Windows\Prefetch directory. WARNING: Not forensically sound.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.Prefetch</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicPrefetch</dev:code> <dev:remarks> <maml:para>This command gets an array of all Prefetch files in the C:\Windows\Prefetch directory.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicPrefetch -Path C:\Windows\Prefetch\CMD.EXE-89305D47.pf Version : WINDOWS_8 Name : CMD.EXE Path : \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE PathHash : 89305D47 DependencyCount : 25 PrefetchAccessTime : {4/3/2015 4:29:25 AM, 4/3/2015 4:29:18 AM, 3/31/2015 12:33:17 PM, 3/31/2015 12:22:42 PM...} DeviceCount : 1 RunCount : 40</dev:code> <dev:remarks> <maml:para>This command parses the Prefetch file specified by the Path parameter.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicRegistryKey</command:name> <maml:description> <maml:para>Gets the keys of the specified registry hive.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicRegistryKey</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicRegistryKey cmdlet parses a registry hive and returns the subkeys of the specified key. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicRegistryKey</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>The registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Key</maml:name> <maml:description> <maml:para>The key to begin listing subkeys from.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicRegistryKey</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>The registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Recurse</maml:name> <maml:description> <maml:para>Recursively list all keys in the specified hive.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>The registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Key</maml:name> <maml:description> <maml:para>The key to begin listing subkeys from.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Recurse</maml:name> <maml:description> <maml:para>Recursively list all keys in the specified hive.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Registry.NamedKey</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicRegistryKey -HivePath C:\Windows\system32\config\SOFTWARE -Key Tenable HivePath : C:\Windows\system32\config\SOFTWARE WriteTime : 8/14/2015 4:18:52 PM NumberOfSubKeys : 0 NumberOfVolatileSubKeys : 0 NumberOfValues : 1 FullName : Tenable\Nessus Name : Nessus Allocated : True</dev:code> <dev:remarks> <maml:para>This command gets the subkeys of the HKLM:\SOFTWARE\Tenable key.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-RegistryKey -HivePath C:\Windows\system32\config\SAM -Recurse</dev:code> <dev:remarks> <maml:para>This gets all keys in the SAM hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicRegistryValue</command:name> <maml:description> <maml:para>Gets the values of the specified registry key.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicRegistryValue</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicRegistryValue cmdlet parses a registry hive and returns the values of a specified key. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicRegistryValue</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>The registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Key</maml:name> <maml:description> <maml:para>The key to list values from.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Value</maml:name> <maml:description> <maml:para>The specific value to return.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>The registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Key</maml:name> <maml:description> <maml:para>The key to list values from.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Value</maml:name> <maml:description> <maml:para>The specific value to return.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Registry.ValueKey</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicRegistryValue -HivePath C:\Windows\system32\config\SOFTWARE -Key Microsoft\Windows\CurrentVersion\Run</dev:code> <dev:remarks> <maml:para>This command gets the values of the Run key.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-RegistryValue -HivePath C:\Windows\system32\config\SYSTEM -Key ControlSet001\Serivces\Enum -Value NextParentID.72bb93.8 HivePath : C:\Windows\system32\config\SYSTEM Key : Enum DataLength : 4 DataType : REG_DWORD Name : NextParentID.72bb93.8 Allocated : True</dev:code> <dev:remarks> <maml:para>This command gets the NextParentID.72bb93.8 value of the HKLM:\SYSTEM\ControlSet001\Services\Enum key.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicRecentFileCache</command:name> <maml:description> <maml:para>Gets previously run commands from the RecentFileCache.bcf file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicRecentFileCache</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicRecentFileCache cmdlet parses the RecentFileCache.bcf file to derive applications that were recently used. If you don't specify a file path (-Path), the cmdlet parses the C:\Windows\AppCompat\Programs\RecentFileCache.bcf. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicRecentFileCache</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicRecentFileCache</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to RecentFileCache.bcf file to process.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to RecentFileCache.bcf file to process.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para> </maml:para> </maml:description> <dev:type> <maml:name>System.String</maml:name> <maml:uri> </maml:uri> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicRecentFileCache</dev:code> <dev:remarks> <maml:para>This example shows Get-ForensicRecentFileCache being run against the default RecentFileCache.bcf (C:\Windows\AppCompat\Programs\RecentFileCache.bcf)</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicRecentFileCache -Path C:\Windows\AppCompat\Programs\RecentFileCache.bcf</dev:code> <dev:remarks> <maml:para>This is an example of Get-ForensicRecentFileCache taking a RecentFileCache.bcf file path as an argument.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicScheduledJob</command:name> <maml:description> <maml:para>Gets the scheduled jobs from the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicScheduledJob</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicScheduledJob cmdlet parses the binary structure in the specified ScheduledJob file. If a file is not specified, Get-ForensicScheduledJob parses all .job files in the C:\Windows\Tasks directory. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicScheduledJob</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicScheduledJob</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.ScheduledJob</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicScheduledJob -Volume C:</dev:code> <dev:remarks> <maml:para>This example parses the scheduled jobs in the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicScheduledJob -Path C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job ProductVersion : Windows8_1 FileVersion : 1 Uuid : e841ef0f-7b64-45da-a8fb-1c3e05196ce1 ErrorRetryCount : 0 ErrorRetryInterval : 0 IdleDeadline : 60 IdleWait : 10 MaximumRuntime : 4294967294 ExitCode : 0 Status : SCHED_S_TASK_READY Flags : RUN_ONLY_IF_DOCKED, KILL_IF_GOING_ON_BATTERIES, DISABLED RunTime : 11/17/2015 8:11:00 PM RunningInstanceCount : 0 ApplicationName : C:\Program Files\Google\Update\GoogleUpdate.exe Parameters : ?/ua /installsource scheduler WorkingDirectory : Author : ?WIN-OL5AKAF1OUJ\Uproot Comment : GKeeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it. StartTime : 10/21/2015 8:11:00 AM</dev:code> <dev:remarks> <maml:para>This command parses the scheduled jobs in the C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job file.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicShellLink</command:name> <maml:description> <maml:para>Gets infromation about Shell Link (.LNK) files on the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicShellLink</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicShellLink cmdlet parses the binary structure in the specified ShellLink (.lnk) file. If you do not specify a file, Get-ShellLink parses all .lnk files in the specified volume. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicShellLink</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicShellLink</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.ShellLink</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicShellLink</dev:code> <dev:remarks> <maml:para>This command parses all .lnk files on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ShellLink -Path C:\test\PowerForensics.dll-Help.xml.lnk Path : PowerForensics.dll-Help.xml.lnk CreationTime : 11/6/2015 8:01:39 PM AccessTime : 11/16/2015 2:45:45 AM WriteTime : 11/17/2015 10:18:59 PM FileSize : 202700 LocalBasePath : C:\test\PowerForensics.dll-Help.xml CommandLineArguments : CommonNetworkRelativeLink :</dev:code> <dev:remarks> <maml:para>This command, which runs Get-ForensicShellLink with a single file path, gets only the corresponding ShellLink object.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicRunMostRecentlyUsed</command:name> <maml:description> <maml:para>Gets the commands that were issued by the user to the run dialog.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicRunMostRecentlyUsed</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicRunMostRecentlyUsed cmdlet parses a user's NTUSER.DAT file to derive the commands that have been issued to the run dialog. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicRunMostRecentlyUsed</maml:name> <command:parameter required="true" pipelineinput="false" globbing="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para/> </maml:description> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicRunMostRecentlyUsed -HivePath C:\Users\Public\NTUSER.DAT</dev:code> <dev:remarks> <maml:para>This command gets the URLs typed into Internet Explorer from the C:\Users\Public\NTUSER.DAT hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicSid</command:name> <maml:description> <maml:para>Gets the system's Security Identifier (SID).</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicSid</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicSid cmdlet parses the SAM hive to derive the system's Security Identifier. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicSid</maml:name> <command:parameter required="false" pipelineinput="false" globbing="false" position="named"> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicSid</maml:name> <command:parameter required="true" pipelineinput="false" globbing="false" position="named"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" pipelineinput="false" globbing="false" position="named"> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false">String</command:parameterValue> </command:parameter> <command:parameter required="true" pipelineinput="false" globbing="false" position="named"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Security.Principal.SecurityIdentifier</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicSid | Format-List BinaryLength : 24 AccountDomainSid : S-1-5-21-390730339-1025693957-1587674390 Value : S-1-5-21-390730339-1025693957-1587674390</dev:code> <dev:remarks> <maml:para>This command parses the C:\Windows\system32\config\SAM hive and returns the results in a list.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicSid -HivePath C:\Windows\System32\config\SAM BinaryLength : 24 AccountDomainSid : S-1-5-21-390730339-1025693957-1587674390 Value : S-1-5-21-390730339-1025693957-1587674390</dev:code> <dev:remarks> <maml:para>This command uses the HivePath parameter of Get-ForensicSid to specify an exported SAM hive to parse.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicTimeline</command:name> <maml:description> <maml:para>Creates a forensic timeline.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicTimeline</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Invoke-ForensicTimeline cmdlet creates a forensic timeline for the selected volume or logical drive. It runs several PowerForensics cmdlets and returns all results as ForensicTimeline objects, instead of objects of different types. The result is a forensic timeline, that is, is a chronology of diagnostic events. The cmdlets that Invoke-ForensicTimeline runs include: -- Get-ForensicScheduledJob -- Get-ForensicShellLink -- Get-ForensicUsnJrnl -- Get-ForensicEventLog -- Get-ForensicRegistryKey The cmdlet returns data that includes MFT file record, registry keys, Amcache, event logs, and much more. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicTimeline</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the volume or logical partition that Invoke-ForensicTimeline analyzes. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the volume or logical partition that Invoke-ForensicTimeline analyzes. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <maml:description> <maml:para>You cannot pipe input to this cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para>Name MemberType Definition ---- ---------- ---------- ActivityType Property string ActivityType {get;} Date Property datetime Date {get;} Description Property string Description {get;} FileName Property string FileName {get;} Source Property string Source {get;} SourceType Property string SourceType {get;} User Property string User {get;}</maml:para> </maml:description> <dev:type> <maml:name>PowerForensics.Formats.ForensicTimeline</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicTimeline -VolumeName C</dev:code> <dev:remarks> <maml:para>This command creates a forensic timeline for the C: volume on the local system.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>$t = Invoke-ForensicTimeline -VolumeName D: PS C:\> $t[0] Date : 1/1/1999 12:00:00 AM ActivityType : MACB Source : SCHEDULEDJOB SourceType : User : Server01\User01 FileName : C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe Description : [PROGRAM EXECUTION] C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe executed at 1/1/1999 12:00:00 AM via Scheduled Job </dev:code> <dev:remarks> <maml:para>This example shows the properties of the ForensicTimeline object. Invoke-ForensicTimeline returns the results of the disparate cmdlets in the same object type. The first command command creates a forensic timeline for the D: volume on the local system and saves the results in the $t variable. The second command displays the properties of the first object in $t, which was produced by the Get-ForensicScheduledJob cmdlet.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicTimeline -VolumeName \\.\C: | Group-Object -Property Source | Format-Table Count, Name [ADMIN]: PS C:\ps-test> $r | Group-Object -Property Source | ft Count, Name Count Name ----- ---- 4 SCHEDULEDJOB 1916 ShellLink 1276123 MFT 293715 USNJRNL 9319 EVENTLOG 423900 REGISTRY </dev:code> <dev:remarks> <maml:para>This command runs Invoke-ForensicTimeline on the C: drive. Then, it groups the objects by the value of their Source property so you can see the cmdlets that were run to produce the data, and it formats the results into a table of Count and Name, so the values of these properties are not truncated. The output of this command varies based on the system and drive contents.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 4 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicTimeline | Sort-Object -Property Date</dev:code> <dev:remarks> <maml:para>The command returns the output of Invoke-ForensicTimeline in chronological order to produce a true timeline of the events.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicTimezone</command:name> <maml:description> <maml:para>Gets the system's timezone.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicTimezone</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicTimezone cmdlet parses the SYSTEM hive or a hive that you specify to derive the system's current timezone. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicTimezone</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>C:\Windows\system32\config\SYSTEM</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.Timezone</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicTimezone RegistryTimezone dotNetStandardTimezone dotNetDaylightTimezone IsDaylightSavingTime ---------------- ---------------------- ---------------------- -------------------- Eastern Standard Time Eastern Standard Time Eastern Daylight Time False</dev:code> <dev:remarks> <maml:para>This command gets the time zones from the system hive.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-Timezone -HivePath C:\evidence\SYSTEM RegistryTimezone dotNetStandardTimezone dotNetDaylightTimezone IsDaylightSavingTime ---------------- ---------------------- ---------------------- -------------------- Eastern Standard Time Eastern Standard Time Eastern Daylight Time False</dev:code> <dev:remarks> <maml:para>This command gets the time zones from an exported SYSTEM hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicTypedUrl</command:name> <maml:description> <maml:para>Gets the Universal Resource Locators (URL) that have been typed in the Internet Explorer browser.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicTypedUrl</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicTypedUrl cmdlet parses a user's NTUSER.DAT file to derive the Universal Resource Locators (URL) that have been typed into the Internet Explorer browser. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicTypedUrl</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicTypedUrl -HivePath C:\Users\Public\NTUSER.DAT</dev:code> <dev:remarks> <maml:para>This command gets the URLs typed into Internet Explorer from the C:\Users\Public\NTUSER.DAT hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicUnallocatedSpace</command:name> <maml:description> <maml:para>Gets the unallocated space on the specified partition/volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicUnallocatedSpace</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicUnallocatedSpace cmdlet parses the $Bitmap file to find clusters that are marked as unallocated (not in use by the file system). Then, the cmdlet returns the unallocated clusters as a byte array. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicUnallocatedSpace</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> <dev:type> <maml:name>UInt64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Byte[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicUnallocatedSpace -VolumeName \\.\Z:</dev:code> <dev:remarks> <maml:para>This command gets a byte array of unallocated clusters in the \\.\Z: volume.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicUserAssist</command:name> <maml:description> <maml:para>Gets the UserAssist entries from the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicUserAssist</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicUserAssist cmdlet parses the NTUSER.DAT registry hive to derive applications that were recently used by a particular user. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicUserAssist</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases="Path"> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Artifacts.UserAssist</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicUserAssist -HivePath C:\Users\Public\NTUSER.DAT</dev:code> <dev:remarks> <maml:para>This command gets applications that the Public user used from the C:\Users\Public\NTUSER.DAT hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicUsnJrnl</command:name> <maml:description> <maml:para>Gets the UsnJrnl entries from the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicUsnJrnl</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicUsnJrnl cmdlet parses the $UsnJrnl file's $J data stream to return UsnJrnl entries. If you do not specify a Usn (Update Sequence Number), it returns all entries in the $UsnJrnl. The $UsnJrnl file maintains a record of all file system operations that have occurred. Because the file is circular, entries are overwritten. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicUsnJrnl</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Usn</maml:name> <maml:description> <maml:para>The Update Sequence Number of the record to return.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicUsnJrnl</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Usn</maml:name> <maml:description> <maml:para>The Update Sequence Number of the record to return.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Usn</maml:name> <maml:description> <maml:para>The Update Sequence Number of the record to return.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> <dev:type> <maml:name>UInt64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.UsnJrnl</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>$usn = Get-ForensicUsnJrnl</dev:code> <dev:remarks> <maml:para>This command gets the file system operations on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>$r = Get-ForensicFileRecord C:\temp\helloworld.txt PS C:\> $r.Attribute[0].UpdateSequenceNumber 713538320 PS C:\> Get-ForensicUsnJrnl -Usn $r.Attribute[0].UpdateSequenceNumber VolumePath : \\.\C: Version : 2.0 RecordNumber : 132245 FileSequenceNumber : 52 ParentFileRecordNumber : 191621 ParentFileSequenceNumber : 59 Usn : 713538320 TimeStamp : 11/17/2015 10:02:56 PM Reason : DATA_EXTEND, FILE_CREATE, CLOSE SourceInfo : 0 SecurityId : 0 FileAttributes : ARCHIVE FileName : helloworld.txt</dev:code> <dev:remarks> <maml:para>This example uses Get-ForensicFileRecord and Get-UsnJrnl to get the UsnJrnl entries in the helloworld.txt file. The first command gets the file record entries in the helloworld.txt files. The second command gets the USN of the first attribute in the Ntfs.FileRecord object that Get-ForensicFileRecord returns. The third command uses ForensicUsnJrnl to get the UsnJrnl record for the USN. shows Get-UsnJrnl being used to get a specific UsnJrnl entry. A file's most recent entry number can be found in its FileRecord's $STANDARD_INFORMATION attribute.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-UsnJrnl -Path C:\evidence\UsnJrnl</dev:code> <dev:remarks> <maml:para>This command get the UsnJrnl record of an exported UsnJrnl file.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicUsnJrnlInformation</command:name> <maml:description> <maml:para>Gets metadata about the specified volume's $UsnJrnl.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicUsnJrnlInformation</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicUsnJrnlInformation cmdlet parses the $UsnJrnl file's $MAX data stream and returns metadata about the UsnJrnl configuration. By default, this cmdlet parses the $UsnJrnl file on the C:\ drive. To specify a drive, use the VolumeName parameter. To specify an exported $UsnJrnl file, use the Path parameter. You can also use the AsBytes parameter to get the metadata in byte format. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicUsnJrnlInformation</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns the $UsnJrnl $Max data stream as byte array instead of as a UsnJrnlDetail object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicUsnJrnlInformation</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns the $UsnJrnl $Max data stream as byte array instead of as a UsnJrnlDetail object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns the $UsnJrnl $Max data stream as byte array instead of as a UsnJrnlDetail object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.UsnJrnlDetail</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicUsnJrnlInformation MaxSize AllocationDelta UsnId ------- --------------- ----- 33554432 8388608 130547872109887937</dev:code> <dev:remarks> <maml:para>This command gets metadata about the $UsnJrnl on the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicUsnJrnlInformation -Path C:\evidence\UsnJrnl MaxSize AllocationDelta UsnId ------- --------------- ----- 33554432 8388608 130547872109887937</dev:code> <dev:remarks> <maml:para>This command gets metadata about the $UsnJrnl on an exported UsnJrnl file.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-UsnJrnlInformation -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 ................ 0x00000010 C1 01 4B 17 99 CC CF 01 00 00 00 00 00 00 00 00 ..K.............</dev:code> <dev:remarks> <maml:para>This command gets the gets metadata about the $Max data stream as a byte array.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicVolumeBootRecord</command:name> <maml:description> <maml:para>Gets the Volume Boot Record from the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicVolumeBootRecord</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicVolumeBootRecord cmdlet reads the first 512 bytes (first sector) of the Logical Volume, also known as the Volume Boot Record, and parses its data structure to return a VolumeBootRecord object. By default, this cmdlet parses the $Boot file on the C:\ drive. To specify the target drive, use the VolumeName parameter. To specify an exported $Boot file, use the Path parameter. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicVolumeBootRecord</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Volume Boot Record as byte array instead of as VolumeBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicVolumeBootRecord</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Volume Boot Record as byte array instead of as VolumeBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AsBytes</maml:name> <maml:description> <maml:para>Returns Volume Boot Record as byte array instead of as VolumeBootRecord object.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para/> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.VolumeBootRecord</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> <command:returnValue> <maml:description> <maml:para/> </maml:description> <dev:type> <maml:name>System.Byte</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicVolumeBootRecord-VolumeName C Signature : NTFS BytesPerSector : 512 SectorsPerCluster : 8 ReservedSectors : 0 MediaDescriptor : 248 SectorsPerTrack : 63 NumberOfHeads : 255 HiddenSectors : 2048 TotalSectors : 125825023 LCN_MFT : 786432 LCN_MFTMirr : 2 ClustersPerFileRecord : 246 ClustersPerIndexBlock : 1 VolumeSN : E3133CD4233CD4CA Code : {0, 0, 0, 0...}</dev:code> <dev:remarks> <maml:para>This command gets the VolumeBootRecord object for the C drive.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicVolumeBootRecord -VolumeName C: -AsBytes | Format-ForensicHex Offset _00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F Ascii ------ ------------------------------------------------ ----- 0x00000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 .R.NTFS ..... 0x00000010 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00 ........?....... 0x00000020 00 00 00 00 80 00 80 00 FF EF 7F 07 00 00 00 00 ................ 0x00000030 00 00 0C 00 00 00 00 00 02 00 00 00 00 00 00 00 ................ 0x00000040 F6 00 00 00 01 00 00 00 E3 13 3C D4 23 3C D4 CA ..........<.#<.. 0x00000050 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07 .....3.....|.h.. 0x00000060 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E ..hf......f.>..N 0x00000070 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB TFSu..A..U..r... 0x00000080 55 AA 75 06 F7 C1 01 00 75 03 E9 DD 00 1E 83 EC U.u.....u....... 0x00000090 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13 .h...H.......... 0x000000A0 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3 .....X.r.;...u.. 0x000000B0 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8 ........Z3... +. 0x000000C0 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8 f............... 0x000000D0 4B 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D K.+.w......f#.u- 0x000000E0 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16 f..TCPAu$....r.. 0x000000F0 68 07 BB 16 68 52 11 16 68 09 00 66 53 66 53 66 h...hR..h..fSfSf 0x00000100 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A 33 C0 BF U...h..fa....3.. 0x00000110 0A 13 B9 F6 0C FC F3 AA E9 FE 01 90 90 66 60 1E .............f`. 0x00000120 06 66 A1 11 00 66 03 06 1C 00 1E 66 68 00 00 00 .f...f.....fh... 0x00000130 00 66 50 06 53 68 01 00 68 10 00 B4 42 8A 16 0E .fP.Sh..h...B... 0x00000140 00 16 1F 8B F4 CD 13 66 59 5B 5A 66 59 66 59 1F .......fY[ZfYfY. 0x00000150 0F 82 16 00 66 FF 06 11 00 03 16 0F 00 8E C2 FF ....f........... 0x00000160 0E 16 00 75 BC 07 1F 66 61 C3 A1 F6 01 E8 09 00 ...u...fa....... 0x00000170 A1 FA 01 E8 03 00 F4 EB FD 8B F0 AC 3C 00 74 09 ............<.t. 0x00000180 B4 0E BB 07 00 CD 10 EB F2 C3 0D 0A 41 20 64 69 ............A di 0x00000190 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 6F 63 sk read error oc 0x000001A0 63 75 72 72 65 64 00 0D 0A 42 4F 4F 54 4D 47 52 curred...BOOTMGR 0x000001B0 20 69 73 20 63 6F 6D 70 72 65 73 73 65 64 00 0D is compressed.. 0x000001C0 0A 50 72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B .Press Ctrl+Alt+ 0x000001D0 44 65 6C 20 74 6F 20 72 65 73 74 61 72 74 0D 0A Del to restart.. 0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x000001F0 00 00 00 00 00 00 8A 01 A7 01 BF 01 00 00 55 AA ..............U.</dev:code> <dev:remarks> <maml:para>This commands get the bytes that represent the Volume Boot Record as a byte array.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicVolumeInformation</command:name> <maml:description> <maml:para>Gets information about the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicVolumeInformation</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicVolumeInformation cmdlet parses the $Volume file's $VOLUME_INFORMATION attribute to return the metadata about the specified volume. By default, the cmdlet parses the $Volume file on the C:\ drive. To specify an alternate target drive, use the -VolumeName parameter. To specify an exported $Volume file, use the -Path parameter. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicVolumeInformation</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicVolumeInformation</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.VolumeInformation</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicVolumeInformation Name : VOLUME_INFORMATION Version : 3.1 Flags : 0</dev:code> <dev:remarks> <maml:para>This command gets the metadata about the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicVolumeInformation -Path 'C:\evidence\$Volume'</dev:code> <dev:remarks> <maml:para>This command gets metadata about an exported volume file, C:\evidence\$Volume.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicVolumeName</command:name> <maml:description> <maml:para>Gets the name of the specified volume.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicVolumeName</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicVolumeName cmdlet parses the $Volume file's $VOLUME_NAME attribute to return the name of the specified volume. By default, the cmdlet parses the $Volume file on the C:\ drive. To specify an alternate target drive, use the VolumeName parameter. To specify an exported $Volume file, use the Path parameter. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicVolumeName</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-ForensicVolumeName</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>VolumeName</maml:name> <maml:description> <maml:para>Specifies the name of the volume or logical partition. Enter the volume name in one of the following formats: \\.\C:, C:, or C.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>\\.\C:</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="FullName"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to file to be parsed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>PowerForensics.Ntfs.VolumeName</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-VolumeName -VolumeName \\.\C: VolumeNameString ---------------- testdrive</dev:code> <dev:remarks> <maml:para>This command gets the name of the C:\ logical volume.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-VolumeName -Path 'C:\evidence\$Volume' VolumeNameString ---------------- testdrive</dev:code> <dev:remarks> <maml:para>This command gets the name of the volume in C:\evidence\$Volume file, and exported $Volume file.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Invoke-ForensicBinShred</command:name> <maml:description> <maml:para>Parses binary files to extract the data within.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Invoke</command:verb> <command:noun>ForensicBinShred</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Invoke-BinShred cmdlet uses a structured template to parse binary files. Unlike most commands in the PowerForensics module, this command does not require administrator privileges. The cmdlet returns the file contents as an ordered dictionary (like a hash table, but in guaranteed order). There is one key in the dictionary for each item in the template header. Despite the name, the Invoke-ForensicBinShred cmdlet parses the file; it does not "shred," delete, or zero-out the file. For detailed instructions about writing a template for a particular binary file or file type, see about_BinShred_Templates. </maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Invoke-ForensicBinShred</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies that path to the binary file to be parsed. This parameter is required. Enter the file name or fully-qualified path. If you omit the path, the default location is the local directory.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""> <maml:name>TemplatePath</maml:name> <maml:description> <maml:para>Specifies the path to a binShred template. This parameter is required. Enter the name of a file with a .bst file name extension. If the template file is not in the local directory, include the path.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies that path to the binary file to be parsed. This parameter is required. Enter the file name or fully-qualified path. If you omit the path, the default location is the local directory.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1" aliases=""> <maml:name>TemplatePath</maml:name> <maml:description> <maml:para>Specifies the path to a binShred template. This parameter is required. Enter the name of a file with a .bst file name extension. If the template file is not in the local directory, include the path.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <maml:description> <maml:para>You cannot pipe input to this cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>None </maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para>Returns an object that represents the data structures in the binary file. </maml:para> </maml:description> <dev:type> <maml:name>System.Collections.Specialized.OrderedDictionary</maml:name> <maml:uri/> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicBinShred -Path .\Words.bin -TemplatePath .\WordParser.bst Name Value ---- ----- magic LH wordCount 2 words {System.Collections.Specialized.OrderedDictionary,.... </dev:code> <dev:remarks> <maml:para>This command uses the Invoke-ForensicBinShred cmdlet and the WordParser.bst file to parse the Words.bin file. The command returns an ordered dictionary with keys that match the elements in the header of the template file. The template also determines the .NET types of the values, such as ASCII (magic), Int32 (wordCount), and words (nested dictionaries of UTF8 characters). </maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>PS C:\></maml:para> </maml:introduction> <dev:code># In Words.bin 4c48 0200 0000 0500 0000 4865 6c6c 6f05 0000 0057 6f72 6c64 # In WordParser.bst header : magic (2 bytes as ASCII) wordCount (4 bytes as UINT32) words (wordCount items); words : wordLength (4 bytes as UINT32) word (wordLength bytes as UTF8); PS C:\> $w = Invoke-ForensicBinShred -Path .\Words.bin -TemplatePath .\WordParser.bst PS C:\> $w Name Value ---- ----- magic LH wordCount 2 words {System.Collections.Specialized.OrderedDictionary,... PS C:\> $w.words Name Value ---- ----- wordLength 5 word Hello wordLength 5 word World PS C:\> $w.words.word Hello World</dev:code> <dev:remarks> <maml:para>This example shows how Invoke-ForensicBinShred uses a structured template to parse a binary file. The first item shows the content of the Words.bin file. The second item shows the content of the WordParser.bst template file. The first command uses the Invoke-ForensicBinShred cmdlet and the template to parse the Words.bin file. The command saves the file in the $w variable. The second command shows the contents of the $w variable. The cmdlet returned an ordered dictionary with keys that match the items in the header section of the template. Based on the template, which has a words section, the value of the words key is a series of nested dictionaries. The third command shows the value of the words key in the dictionary in $w, which is an array of nested dictionaries. The keys in the nested dictionary match the items in the words section of the template. The fourth command gets only the value of the word key in the words nested dictionary. </maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 3 --------------------------</maml:title> <maml:introduction> <maml:para>PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicBinShred -Path .\Words.bin' -TemplatePath bad-wordParser.bst Invoke-ForensicBinShred : Index and count must refer to a location within the buffer. Parameter name: bytes At line:1 char:1 + Invoke-ForensicBinShred @params + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Invoke-ForensicBinShred], ArgumentOutOfRangeException + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,PowerForensics.Cmdlets.BinShredCommand</dev:code> <dev:remarks> <maml:para>This command fails because the size or number of items specified by the template does not match the number of bytes in the file. The template might account for too many or too few bytes. If you get an error like this one, verify that the items in the template and their lengths match the content of the input file.</maml:para> </dev:remarks> </command:example> </command:examples> <maml:relatedLinks> <!--Links--> <maml:navigationLink> <maml:linkText>about_binShred_Templates</maml:linkText> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-ForensicWindowsSearchHistory</command:name> <maml:description> <maml:para>Gets the search terms that have been searched for using the Windows Search feature.</maml:para> </maml:description> <maml:copyright> <maml:para> </maml:para> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ForensicWindowsSearchHistory</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Get-ForensicWindowsSearchHistory cmdlet parses a user's NTUSER.DAT file to derive the terms that have been searched for using the Windows Search feature. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-ForensicWindowsSearchHistory</maml:name> <command:parameter required="true" pipelineinput="false" globbing="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="0" aliases=""> <maml:name>HivePath</maml:name> <maml:description> <maml:para>Registry hive to parse. This should be a NTUSER.DAT registry hive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <maml:description> <maml:para> </maml:para> </maml:description> <dev:type> <maml:name>System.String</maml:name> <maml:uri> </maml:uri> </dev:type> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Get-ForensicWindowsSearchHistory -HivePath C:\Users\Public\NTUSER.DAT</dev:code> <dev:remarks> <maml:para>This command gets the URLs typed into Internet Explorer from the C:\Users\Public\NTUSER.DAT hive.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Invoke-ForensicDD</command:name> <maml:description> <maml:para>Gets a byte-for-byte copy of a file, disk, or partition.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Invoke</command:verb> <command:noun>ForensicDD</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>The Invoke-DD cmdlet generates and returns an exact copy of a file, disk, or partition. Use the Offset (starting point), BlockSize (bytes/operation), and Count (# blocks) parameters to determine the segment of the InFile that is copied. This cmdlet designed to work just like the popular dd Unix utility. For information about the dd utility, see "dd (Unix)" (https://en.wikipedia.org/wiki/Dd_%28Unix%29) in Wikipedia. Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Invoke-ForensicDD</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>InFile</maml:name> <maml:description> <maml:para>Specifies the file, disk or partition to be copied, for example \\.\PHYSICALDRIVE0, \\.\HARDDISKVOLUME1, or \\.\C:. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>OutFile</maml:name> <maml:description> <maml:para>Writes the output to the specified file or directory. This parameter is optional. But default, Invoke-ForensicDD writes the output to standard ouptut ("stdout"), which is the Windows PowerShell console, but you can use this parameter or redirect the output.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue>Stdout</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>Offset</maml:name> <maml:description> <maml:para>Specifies the starting point in the file for the copy operation as a byte offset. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt64</command:parameterValue> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>BlockSize</maml:name> <maml:description> <maml:para>Specifies the number of bytes to read/write in each operation. The default value is 512 (1 disc sector). When reading from a device, such as \\.\PHYSICALDRIVE0 or \\.\C:, the value of BlockSize must be divisible by 512. </maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt32</command:parameterValue> <dev:defaultValue>512</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>Count</maml:name> <maml:description> <maml:para>Specifies the number of blocks that Invoke-ForensicDD reads from the file, disk, or partition. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt32</command:parameterValue> <dev:defaultValue/> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>InFile</maml:name> <maml:description> <maml:para>Specifies the file, disk or partition to be copied, for example \\.\PHYSICALDRIVE0, \\.\HARDDISKVOLUME1, or \\.\C:. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>OutFile</maml:name> <maml:description> <maml:para>Writes the output to the specified file or directory. This parameter is optional. But default, Invoke-ForensicDD writes the output to standard ouptut ("stdout"), which is the Windows PowerShell console, but you can use this parameter or redirect the output.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>Stdout</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>Offset</maml:name> <maml:description> <maml:para>Specifies the starting point in the file for the copy operation as a byte offset. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt64</command:parameterValue> <dev:type> <maml:name>UInt64</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>BlockSize</maml:name> <maml:description> <maml:para>Specifies the number of bytes to read/write in each operation. The default value is 512 (1 disc sector). When reading from a device, such as \\.\PHYSICALDRIVE0 or \\.\C:, the value of BlockSize must be divisible by 512. </maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">UInt32</command:parameterValue> <dev:type> <maml:name>UInt32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>512</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named" aliases=""> <maml:name>Count</maml:name> <maml:description> <maml:para>Specifies the number of blocks that Invoke-ForensicDD reads from the file, disk, or partition. This parameter is required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">UInt32</command:parameterValue> <dev:type> <maml:name>UInt32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <maml:description> <maml:para>You cannot pipe input to this cmdlet.</maml:para> </maml:description> <dev:type> <maml:name>None</maml:name> <maml:uri/> </dev:type> </command:inputType> </command:inputTypes> <command:returnValues> <!--Outputs--> <command:returnValue> <dev:type> <maml:name>System.Byte[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> <maml:para/> <maml:para/> <maml:para/> </maml:description> </command:returnValue> </command:returnValues> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicDD Invoke-DD -InFile \\.\PHYSICALDRIVE0 -Offset 0 -Count 1</dev:code> <dev:remarks> <maml:para>This command copies the first sector of the Master Boot Record of the \\.\PHYSICALDRIVE0 disk to the console. The command uses the default values for OutFile (stdout; the Windows PowerShell console) and BlockSize (512; 1 sector).</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <maml:introduction> <maml:para>[ADMIN]: PS C:\></maml:para> </maml:introduction> <dev:code>Invoke-ForensicDD Invoke-DD -InFile \\.\HARDDISKVOLUME1 -OutFile C:\Users\Public\Desktop\MBR -Offset 512 -BlockSize 1024 -Count 3</dev:code> <dev:remarks> <maml:para>This command copies three 1024-size blocks of the specified volume to a file in the C:\Users\Public\Desktop\MBR directory. It begins copying at the second sector (after the 512-byte offset). It uses the Offset parameter to specify the starting point of the copy operation, the BlockSize parameter to specify the bytes per copy operation, and the Count parameter to specify the number of copy operations. It also uses the OutFile parameter to specify a location for the output. The default is writing to the Windows PowerShell console (stdout).</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <!--Generated by: SAPIEN PowerShell HelpWriter 2015 v1.0.16--> <!--Edited with: SAPIEN PowerShell HelpWriter 2015 v1.0.16--> <!--Edited with: SAPIEN PowerShell HelpWriter 2015 v1.0.16--> </helpItems> |