invoke-ir / powerforensics Goto Github PK

PowerForensics currently does not support extended partitions in the Master Boot Record.

.NET standard is to identify a DateTime property as "Utc" if that is the case.

When parsing NonResident attribute DataRuns, PowerForensics assumes all DataRunOffsetByteCount will be less than or equal to 4 bytes

There is no help for the Get-VolumeName cmdlet

There is no help for the Get-FileSlack cmdlet

There is no help for the Format-Hex cmdlet

PowerForensics does not currently support Extended Partitions in the MBR

There is no help for the Get-NetworkList cmdlet

There is no help for the Get-RegistryValue cmdlet

Get-ForensicPrefetch is not compatible with the Prefetch format on Windows 10

There is no help for the Get-MftSlack cmdlet

There is no help for the Get-ScheduledJobRaw cmdlet

Please change:
PowerForensics must be executed from an Administrator PowerShell

To:
This cmdlet requires administrator privileges. Start Windows PowerShell with the "Run as administrator" option and try the command again.

I would make the change myself, but the repo doesn't have source files, like a .resx file or a .psd1 file with a user message hash table.

Also, the error message says that 'PowerForensics (the module) must be run in an elevated session. I don't think that's true. Invoke-ForensicBinShred without admin privileges.

If that changes, and every cmdlet requires admin privileges, we should say so in the cmdlet help topics, and change the error message to:

The cmdlets in the PowerForensics module require administrator privileges. Start Windows PowerShell with the "Run as administrator" option and try the command again.

There is no help for the Get-UsnJrnlInformation cmdlet

PowerForensics needs to have a Shell Bag parser built in.

There is no help for the Invoke-ForensicTimeline cmdlet

When a cmdlet runs in the background, such as background job, the command prompt returns immediately upon invocation and the user can work at the command prompt while the command processes. Then, they typically use a different command to get the results.

The help topic for Invoke-ForensicTimeline describes it as running in the background, but it runs like all other cmdlets. The command prompt is suppressed while the cmdlet runs.

I can change the help (I'm working on the file now) or we can change the cmdlet to run in background job. For info about PowerShell background jobs, see Get-Help about_Jobs and Get-Help about_Job_Details.

Make the Namespace Property an enum value

There is no help for the Get-Bitmap cmdlet

The Invoke-ForensicBinShred cmdlet parses a binary file and retrieves its contents. But, when I looked up "shred" and "shredding," I found articles, tools, and algorithms for erasing or zeroing out files and drives, not parsing.

Can you please link me to the definition of "shred" that you're using in this cmdlet? Thanks.

There is no help for the Get-ChildItemRaw cmdlet

In Windows and Windows PowerShell, drives and volumes are typically specified as C: or C:. The cmdlets in PowerForensics require what I think is a Unix-style specification, e.g. .\C:

To make this easy for PowerShell users, it would be great to let them input volumes in Windows style and then convert the input to Unix style. (Or change the cmdlets to process Windows-style naming).

If this isn't acceptable, at least the error message should show the required format.

Change:
Invoke-ForensicTimeline : Provided Volume Name is not acceptable.

To:
The VolumeName value is not in the correct format. Enter a Unix-format name, such as .\C:, instead of C: or C:.

[ADMIN]: PS C:> $r = Invoke-ForensicTimeline -VolumeName .\C:

[ADMIN]: PS C:> $r = Invoke-ForensicTimeline -VolumeName C:
Invoke-ForensicTimeline : Provided Volume Name is not acceptable.
At line:1 char:6

• $r = Invoke-ForensicTimeline -VolumeName C:

•  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Invoke-ForensicTimeline], Exception
  • FullyQualifiedErrorId : System.Exception,PowerForensics.Cmdlets.InvokeForensicTimelineCommand

There is no help for the Get-Sid cmdlet

There is no help for the Get-VolumeInformation cmdlet

Add parser for Windows Shortcut files

There is no help for the Get-UserAssist cmdlet

There is no help for the Get-Amcache cmdlet

Not all cmdlets are compatible with $Attribute_List attributes

I would need Invoke-ForensicBinShred to support something like this:

Invoke-ForensicBinShred -Bytes $BinaryBytes

Thanks!

There is no help for the Get-AlternateDataStream cmdlet

I'll admit, I'm probably missing something, but when I download PowerForensics and import the DLL, Get-IStat is missing (as is Get-ICat). Are these cmdlets included with the PowerForensics master.zip download? Thanks!

Much of the module help file is outdated.

There is no help for the Get-UsnJrnl cmdlet

This might be a silly question, because I have no domain knowledge, but why is the Offset parameter of Invoke-ForensicDD mandatory? Shouldn't it be optional with a default value of 0?

VolumeName should have a default value of .\C: for Get-ContentRaw

There is no help for the Format-ForensicTimeline cmdlet

There is no help for the Get-RegistryKey cmdlet

There is no help for the Get-UnallocatedSpace cmdlet