PowerForensicsv2.ps1xml
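<?xml version="1.0" encoding="utf-8"?>
<!--
  PowerShell formatting file for PowerForensics output types.

  Each <View> is bound to one .NET type through ViewSelectedBy/TypeName and
  defines that type's default table or list rendering.

  Review notes:
  * Every column and list item here is a plain <PropertyName>. The file contains
    no <ScriptBlock> elements, so rendering these views evaluates no embedded
    script. Any future <ScriptBlock> would run in the analyst's session and
    should be reviewed as code.
  * A view only selects what is displayed by default. Properties that are not
    listed stay on the object and can be shown with Format-List * or
    Select-Object, so a default view is not the complete parsed record.
  * No TableColumnHeader carries a <Label>, so the property name is used as the
    column heading.
  * The displayed values come from the volume or file under examination and
    should be handled as untrusted evidence data when copied into other tools.
-->
<Configuration>
  <ViewDefinitions>

    <!-- Master Boot Record -->

    <!-- PowerForensics.MasterBootRecord -->
    <View>
      <Name>PowerForensics.MasterBootRecord</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.MasterBootRecord</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>14</Width></TableColumnHeader>
          <TableColumnHeader><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Width>14</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>MBRSignature</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DiskSignature</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>PartitionTable</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- PowerForensics.PartitionEntry -->
    <View>
      <Name>PowerForensics.PartitionEntry</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.PartitionEntry</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Width>11</Width></TableColumnHeader>
          <TableColumnHeader><Width>9</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>SystemID</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Bootable</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StartSector</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>EndSector</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- End Master Boot Record -->

    <!-- NTFS System Files -->

    <!-- PowerForensics.NTFS.AttrDef -->
    <View>
      <Name>PowerForensics.NTFS.AttrDef</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.AttrDef</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Width>6</Width></TableColumnHeader>
          <TableColumnHeader><Width>7</Width></TableColumnHeader>
          <TableColumnHeader><Width>20</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Type</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>MinSize</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>MaxSize</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- PowerForensics.NTFS.VolumeBootRecord -->
    <View>
      <Name>PowerForensics.NTFS.VolumeBootRecord</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.VolumeBootRecord</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>VolumeSerialNumber</PropertyName></ListItem>
              <ListItem><PropertyName>TotalSectors</PropertyName></ListItem>
              <ListItem><PropertyName>HiddenSectors</PropertyName></ListItem>
              <ListItem><PropertyName>ReservedSectors</PropertyName></ListItem>
              <ListItem><PropertyName>BytesPerSector</PropertyName></ListItem>
              <ListItem><PropertyName>BytesPerCluster</PropertyName></ListItem>
              <ListItem><PropertyName>BytesPerFileRecord</PropertyName></ListItem>
              <ListItem><PropertyName>BytesPerIndexBlock</PropertyName></ListItem>
              <ListItem><PropertyName>SectorsPerTrack</PropertyName></ListItem>
              <ListItem><PropertyName>NumberOfHeads</PropertyName></ListItem>
              <ListItem><PropertyName>MFTStartIndex</PropertyName></ListItem>
              <ListItem><PropertyName>MFTMirrStartIndex</PropertyName></ListItem>
              <ListItem><PropertyName>CodeSection</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- End NTFS System Files -->

    <!-- Master File Table -->

    <!-- PowerForensics.NTFS.FileRecord -->
    <!--
      Lists two sets of MACB timestamps side by side. NOTE(review): the FN*
      properties presumably come from the FILE_NAME attribute and the unprefixed
      ones from STANDARD_INFORMATION; confirm against the FileRecord type.
      Showing both in the default view lets an analyst spot disagreement
      between the two sets without extra queries.
    -->
    <View>
      <Name>PowerForensics.NTFS.FileRecord</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.FileRecord</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>FullName</PropertyName></ListItem>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>SequenceNumber</PropertyName></ListItem>
              <ListItem><PropertyName>RecordNumber</PropertyName></ListItem>
              <ListItem><PropertyName>ParentSequenceNumber</PropertyName></ListItem>
              <ListItem><PropertyName>ParentRecordNumber</PropertyName></ListItem>
              <ListItem><PropertyName>Directory</PropertyName></ListItem>
              <ListItem><PropertyName>Deleted</PropertyName></ListItem>
              <ListItem><PropertyName>ModifiedTime</PropertyName></ListItem>
              <ListItem><PropertyName>AccessedTime</PropertyName></ListItem>
              <ListItem><PropertyName>ChangedTime</PropertyName></ListItem>
              <ListItem><PropertyName>BornTime</PropertyName></ListItem>
              <ListItem><PropertyName>FNModifiedTime</PropertyName></ListItem>
              <ListItem><PropertyName>FNAccessedTime</PropertyName></ListItem>
              <ListItem><PropertyName>FNChangedTime</PropertyName></ListItem>
              <ListItem><PropertyName>FNBornTime</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.IndexEntry -->
    <!--
      NOTE(review): this view spells the property "Filename" while the FileName
      and Mactime views use "FileName". Confirm the spelling on the IndexEntry
      type.
    -->
    <View>
      <Name>PowerForensics.NTFS.IndexEntry</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.IndexEntry</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>12</Width></TableColumnHeader>
          <TableColumnHeader><Width>50</Width></TableColumnHeader>
          <TableColumnHeader><Width>50</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>RecordNumber</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Filename</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>FullName</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- MFT Attributes -->

    <!-- PowerForensics.NTFS.Attr -->
    <View>
      <Name>PowerForensics.NTFS.Attr</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.Attr</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Width>11</Width></TableColumnHeader>
          <TableColumnHeader><Width>10</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>AttributeId</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>NameString</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- PowerForensics.NTFS.NonResident -->
    <View>
      <Name>PowerForensics.NTFS.NonResident</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.NonResident</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>AttributeId</PropertyName></ListItem>
              <ListItem><PropertyName>NameString</PropertyName></ListItem>
              <ListItem><PropertyName>AllocatedSize</PropertyName></ListItem>
              <ListItem><PropertyName>InitializedSize</PropertyName></ListItem>
              <ListItem><PropertyName>RealSize</PropertyName></ListItem>
              <ListItem><PropertyName>DataRun</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.StandardInformation -->
    <View>
      <Name>PowerForensics.NTFS.StandardInformation</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.StandardInformation</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>AttributeId</PropertyName></ListItem>
              <ListItem><PropertyName>NameString</PropertyName></ListItem>
              <ListItem><PropertyName>ModifiedTime</PropertyName></ListItem>
              <ListItem><PropertyName>AccessedTime</PropertyName></ListItem>
              <ListItem><PropertyName>ChangedTime</PropertyName></ListItem>
              <ListItem><PropertyName>BornTime</PropertyName></ListItem>
              <ListItem><PropertyName>Permissions</PropertyName></ListItem>
              <ListItem><PropertyName>UpdateSequenceNumber</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.FileName -->
    <View>
      <Name>PowerForensics.NTFS.FileName</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.FileName</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>AttributeId</PropertyName></ListItem>
              <ListItem><PropertyName>NameString</PropertyName></ListItem>
              <ListItem><PropertyName>FileName</PropertyName></ListItem>
              <ListItem><PropertyName>Namespace</PropertyName></ListItem>
              <ListItem><PropertyName>ModifiedTime</PropertyName></ListItem>
              <ListItem><PropertyName>AccessedTime</PropertyName></ListItem>
              <ListItem><PropertyName>ChangedTime</PropertyName></ListItem>
              <ListItem><PropertyName>BornTime</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.Data -->
    <!-- RawData is shown in the default list view; its content is taken from the examined volume. -->
    <View>
      <Name>PowerForensics.NTFS.Data</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.Data</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>NameString</PropertyName></ListItem>
              <ListItem><PropertyName>AttributeId</PropertyName></ListItem>
              <ListItem><PropertyName>RawData</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.ObjectId -->
    <View>
      <Name>PowerForensics.NTFS.ObjectId</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.ObjectId</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>NameString</PropertyName></ListItem>
              <ListItem><PropertyName>AttributeId</PropertyName></ListItem>
              <ListItem><PropertyName>ObjectIdGuid</PropertyName></ListItem>
              <ListItem><PropertyName>BirthVolumeId</PropertyName></ListItem>
              <ListItem><PropertyName>BirthObjectId</PropertyName></ListItem>
              <ListItem><PropertyName>BirthDomainId</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.VolumeInformation -->
    <View>
      <Name>PowerForensics.NTFS.VolumeInformation</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.VolumeInformation</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>Version</PropertyName></ListItem>
              <ListItem><PropertyName>Flags</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.NTFS.VolumeName -->
    <View>
      <Name>PowerForensics.NTFS.VolumeName</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.NTFS.VolumeName</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>20</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>VolumeNameString</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- End MFT Attributes -->

    <!-- End Master File Table -->

    <!-- Artifacts -->

    <!-- PowerForensics.Artifacts.Prefetch -->
    <View>
      <Name>PowerForensics.Artifacts.Prefetch</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.Artifacts.Prefetch</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Name</PropertyName></ListItem>
              <ListItem><PropertyName>Path</PropertyName></ListItem>
              <ListItem><PropertyName>PathHash</PropertyName></ListItem>
              <ListItem><PropertyName>DependencyCount</PropertyName></ListItem>
              <ListItem><PropertyName>PrefetchAccessTime</PropertyName></ListItem>
              <ListItem><PropertyName>RunCount</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.Artifacts.ShellLink -->
    <!--
      LocalBasePath and CommandLineArguments are part of the default view.
      NOTE(review): these presumably hold the target and arguments stored in the
      examined link file, which is the part an analyst reviews first when a
      shortcut is suspected of launching something unexpected.
    -->
    <View>
      <Name>PowerForensics.Artifacts.ShellLink</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.Artifacts.ShellLink</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>Path</PropertyName></ListItem>
              <ListItem><PropertyName>CreationTime</PropertyName></ListItem>
              <ListItem><PropertyName>AccessTime</PropertyName></ListItem>
              <ListItem><PropertyName>WriteTime</PropertyName></ListItem>
              <ListItem><PropertyName>FileSize</PropertyName></ListItem>
              <ListItem><PropertyName>LocalBasePath</PropertyName></ListItem>
              <ListItem><PropertyName>CommandLineArguments</PropertyName></ListItem>
              <ListItem><PropertyName>CommonNetworkRelativeLink</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- End Artifacts -->

    <!-- Formats -->

    <!-- PowerForensics.Formats.Mactime -->
    <View>
      <Name>PowerForensics.Formats.Mactime</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.Formats.Mactime</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>DateTime</PropertyName></ListItem>
              <ListItem><PropertyName>Size</PropertyName></ListItem>
              <ListItem><PropertyName>ActivityType</PropertyName></ListItem>
              <ListItem><PropertyName>UserId</PropertyName></ListItem>
              <ListItem><PropertyName>GroupId</PropertyName></ListItem>
              <ListItem><PropertyName>Index</PropertyName></ListItem>
              <ListItem><PropertyName>FileName</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.Formats.HexDump -->
    <!--
      The middle column has no Label, so its 48-character property name is
      printed as the heading and serves as the row of byte positions 00 to 0F;
      the Width of 49 leaves room for it.
    -->
    <View>
      <Name>PowerForensics.Formats.HexDump</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.Formats.HexDump</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Width>49</Width></TableColumnHeader>
          <TableColumnHeader><Width>16</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Offset</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>_00_01_02_03_04_05_06_07_08_09_0A_0B_0C_0D_0E_0F</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Ascii</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- End Formats -->

    <!-- Ext3 Objects -->

    <!-- PowerForensics.ext3.Superblock -->
    <View>
      <Name>PowerForensics.ext3.Superblock</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.ext3.Superblock</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>VolumeUUID</PropertyName></ListItem>
              <ListItem><PropertyName>LastMountedDirectory</PropertyName></ListItem>
              <ListItem><PropertyName>MountTime</PropertyName></ListItem>
              <ListItem><PropertyName>WriteTime</PropertyName></ListItem>
              <ListItem><PropertyName>FirstDataBlock</PropertyName></ListItem>
              <ListItem><PropertyName>TotalBlockCount</PropertyName></ListItem>
              <ListItem><PropertyName>FreeBlockCount</PropertyName></ListItem>
              <ListItem><PropertyName>BlockSize</PropertyName></ListItem>
              <ListItem><PropertyName>BlocksPerGroup</PropertyName></ListItem>
              <ListItem><PropertyName>TotalInodeCount</PropertyName></ListItem>
              <ListItem><PropertyName>FreeInodeCount</PropertyName></ListItem>
              <ListItem><PropertyName>InodeSize</PropertyName></ListItem>
              <ListItem><PropertyName>InodesPerGroup</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- PowerForensics.ext3.Inode -->
    <!--
      NOTE(review): this view lists "AccessTime" while the NTFS views list
      "AccessedTime". Confirm the name on the ext3.Inode type; a PropertyName
      that does not exist on the object is rendered as an empty field, which
      would hide the access timestamp from the default output.
    -->
    <View>
      <Name>PowerForensics.ext3.Inode</Name>
      <ViewSelectedBy>
        <TypeName>PowerForensics.ext3.Inode</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem><PropertyName>InodeNumber</PropertyName></ListItem>
              <ListItem><PropertyName>Mode</PropertyName></ListItem>
              <ListItem><PropertyName>Size</PropertyName></ListItem>
              <ListItem><PropertyName>UserId</PropertyName></ListItem>
              <ListItem><PropertyName>GroupId</PropertyName></ListItem>
              <ListItem><PropertyName>ModifiedTime</PropertyName></ListItem>
              <ListItem><PropertyName>AccessTime</PropertyName></ListItem>
              <ListItem><PropertyName>ChangedTime</PropertyName></ListItem>
              <ListItem><PropertyName>BornTime</PropertyName></ListItem>
              <ListItem><PropertyName>DeletedTime</PropertyName></ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>

    <!-- End Ext3 Objects -->

  </ViewDefinitions>
</Configuration>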