Daily Blog #371: Sunday Funday 4/10/16 Winner!
Hello Reader,
Another challenge has been answered by you the readership. This week our anonymous winner claims a $200 Amazon Gift card for showing what the impact of installing and running PowerForensics is. You too can join the ranks of Sunday Funday winners and I think I'm going to do something special for all past and future winners so everyone can know of your deeds.
The Challenge:
The term "forensically sound" has a lot of vagueness to it. Let's get rid of the ambiguity about what changes when you run the PowerForensics PowerShell script to extract the MFT from a system. Explain what changes and what doesn't, from executing the PowerShell script to extracting the file.
The Winning Answer:
Anonymous Submission
This answer is based on the assumption that you are not connecting to the target system via F-Response or a similar method and that you are running the PowerForensics PowerShell script directly on the target system. This also assumes that the PowerForensics module is already installed on the system.

When the PowerShell script is executed, program execution artifacts associated with PowerShell will be created. These artifacts include the creation of a prefetch file (if application prefetching is enabled), a record in the application compatibility cache (the exact location/structure of which depends on the version of Windows installed), a record in the MUICache, and possibly a UserAssist entry (if the script was double-clicked in Explorer). In addition, event log records may be created in the Security event log if process tracking is enabled.

Installing the PowerForensics PowerShell module will result in different artifacts depending on the version of PowerShell installed on the target system. If the Windows Management Framework version 5 is not installed on the target system, the PowerForensics module can be installed by copying the module files to a directory in the PSModulePath. Using this method will result in the creation of new files in a directory on the target system, which brings with it the file creation artifacts found in NTFS (e.g. $MFT record creation, USNJrnl record creations, parent directory $I30 updates, changes to the $BITMAP file, etc.). If the Windows Management Framework version 5 is installed, the Install-Module cmdlet can be used to install. This may require the installation of additional cmdlets in order to download/install the PowerForensics module, which would result in additional files and directories being created in a directory in the PSModulePath.

Since the script uses raw disk reads to determine the location of the $MFT on disk, it should not impact the $STANDARD_INFORMATION or $FILE_NAME timestamps of the files being copied.
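To check the winning answer's claims on a test machine, the following added example (not part of the submission or of the PowerForensics project) snapshots the execution and installation artifacts it names: prefetch, MUICache, UserAssist, Security 4688 events and the module's on-disk location. It assumes Windows 7 or later, an elevated session for the Security log, and the standard registry paths for MUICache and UserAssist; the function and helper names are my own.

```powershell
# UserAssist value names are ROT13 encoded; decode so we can match on "powershell"
function ConvertFrom-Rot13 ([string]$Text) {
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else                                { [char]$c }
    })
}

function Get-PowerShellExecArtifacts {
    $snap = [ordered]@{}

    # Prefetch: only present if application prefetching is enabled
    $snap.Prefetch = Get-ChildItem "$env:SystemRoot\Prefetch\POWERSHELL*.pf" -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime

    # MUICache: per-user list of executables whose friendly name the shell has resolved
    $mui = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    $snap.MuiCache = (Get-ItemProperty $mui -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -match 'powershell' } | Select-Object Name, Value

    # UserAssist: one GUID subkey per category, values under "Count" are ROT13 names
    $ua = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    $snap.UserAssist = Get-ChildItem $ua -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty "$($_.PSPath)\Count" -ErrorAction SilentlyContinue).PSObject.Properties |
            ForEach-Object { ConvertFrom-Rot13 $_.Name } |
            Where-Object { $_ -match 'powershell' }
    }

    # Security 4688 (process creation) only exists if process tracking auditing is on
    $snap.ProcessCreation = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell\.exe' } | Select-Object TimeCreated, Id

    # Where the module files landed in the PSModulePath (copy or Install-Module)
    $snap.ModuleFiles = Get-Module -ListAvailable PowerForensics |
        Select-Object ModuleBase, Version

    [pscustomobject]$snap
}

Get-PowerShellExecArtifacts | Format-List
```

Run it once before and once after executing the PowerForensics script, saving each result with ConvertTo-Json, and diff the two files to see exactly which of the listed artifacts changed; the application compatibility cache is a binary blob under HKLM and needs a dedicated parser, so it is not included here.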
Reviewed by David Cowen on April 11, 2016