44CON London 2015: NTFS Analysis with PowerForensics

NTFS Analysis with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division

@jaredcatkinson
○ Jared Atkinson
  □ Hunt Capability Lead for Adaptive Threat Division: leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
  □ Adjunct Lecturer at Utica College
  □ Developer of PowerForensics, Uproot IDS, and WMIEventing
  □ Researcher of forensic artifact file formats
  □ Makes really cool posters :-)
○ History
  □ U.S. Air Force Hunt (2011 - 2015)
  □ GCFA, GREM, and more

Intro to PowerShell
“Microsoft’s [Digital Forensic] platform”
- obscuresec, with some liberties…

What is PowerShell
○ Task-based command-line shell and scripting language
○ Built on the .NET Framework
  □ Cmdlets for performing common system administration tasks
  □ Consistent design
  □ Powerful object manipulation capabilities
  □ Extensible interface
○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software
  □ Full access to the Windows API

PowerForensics
Old Dog, New Tricks
(Diagram: Detection, Response, Investigation)

Requirements
○ Centralized forensic toolset
○ Forensically sound
  □ Parse raw disk structures
  □ Don’t alter NTFS timestamps
○ Can execute on a live host
○ Operationally fast
  □ Collect forensic data in seconds or minutes
○ Modular capabilities
  □ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○ Capable of working remotely
  □ At the proof of concept stage

Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey

Forensics Toolbox

Fast?!?

Understanding Modules
Extensibility for the win!

Download PowerForensics
http://download.powerforensics.invoke-ir.com
OR
https://www.github.com/Invoke-IR/PowerForensics

Unblock-File
○ PowerShell v3 gives us Unblock-File
Unblock-File -Path "$env:UserProfile\Downloads\PowerForensics-master.zip"
○ Can also “Unblock” via the file’s properties dialog
  □ Best to Unblock the zip before extraction, so every extracted file is trusted
○ Unblocking will remove the Zone.Identifier Alternate Data Stream
  □ On evidence that stream is an artifact in its own right: unblock only the tooling you download, never the files you are examining

PSModulePath
○ PSModulePath: the module folder must sit in one of the directories listed in $env:PSModulePath
○ Naming Convention: the folder and the .psd1/.psm1 inside it carry the module’s name (PowerForensics\PowerForensics.psd1)
More details: https://msdn.microsoft.com/en-us/library/dd878350(v=vs.85).aspx

Import-Module
Import-Module -Name PowerForensics
Get-Command -Module PowerForensics

PowerForensics Install Demo

Invoke-DD
○ One Cmdlet to rule them all
  □ Underlying API is basis for all of PowerForensics
○ Allows raw access to Physical Drive or Logical Volume
  □ Uses Platform Invoke to call CreateFile Windows API
  □ Opens a file handle to \\.\PHYSICALDRIVEX or Logical Volume (requires an elevated, Administrator session)
  □ Reads from file handle via FileStream object
  □ Warning: Must read in Sector increments (BlockSize must be a multiple of 512)
$InFile = '\\.\PHYSICALDRIVE0'
Invoke-DD -InFile $InFile -Offset 0 -BlockSize 512 -Count 1

Invoke-DD Demo

Boot Sectors
Where the action begins…

Master Boot Record
○ 1st Sector of the Disk
  □ Also referred to as the Boot Sector
○ Boot Code
  □ Locate Partition Table
  □ Find 1st “Bootable” partition (status byte 0x80)
  □ Determine the partition’s starting sector (LBA) from its table entry
  □ Pass execution to first sector of partition (Volume Boot Record)
○ Partition Table
  □ Space for 4 primary partitions (16-byte entries at offset 446, followed by the 0x55AA signature)
  □ “Extended Partitions” allow for additional partitions above 4

Get-MBR
○ Cmdlet to parse the MBR and return MasterBootRecord objects
○ Use WMI to list available Devices:
$Devices = Get-WmiObject -Class Win32_DiskDrive
○ Run Get-MBR against one of the returned drives:
Get-MBR -Path $Devices[0].DeviceID

Boot Kits
○ Attackers can alter MBR Boot Code
  □ Code runs in Ring 0 (before the OS loads, so before any OS-level protection)
○ Set-MasterBootRecord
  □ Proof of concept written by Matt Graeber (@mattifestation)
  □ Allows a user with administrator privilege to overwrite the Master Boot Record with arbitrary code
○ Get-MBR takes known Boot Code into account and detects any changes (tampering)

MBR Bootkit Demo

MBR Boot Code (Pre Infection)

MBR Boot Code (Post Infection)
GUID Partition Table
○ Replacement Boot Sector format for MBR
  □ UEFI compliant devices must support GPT
○ Alternative to Legacy Master Boot Record
  □ Maintains a Protective MBR, in the disk’s 1st Sector, for compatibility (a single entry of type 0xEE covering the disk)
  □ Allows for increased partition sizes (2 TiB -> 8 ZiB)
  □ Supports many primary partitions (MBR supports 4; Windows reserves room for 128)
  □ Creates Primary and Backup partition table for redundancy

Get-GPT
○ Cmdlet to parse the GPT and return GuidPartitionTable objects
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-GPT against one of the returned drives:
Get-GPT -Path \\.\PHYSICALDRIVE1
○ Warning: Get-GPT will error if the device is MBR formatted
○ If Get-MBR is run against a GPT formatted device, then Get-MBR will return the information about the Protective MBR

Get-BootSector
○ Format agnostic Cmdlet to parse Boot Sectors (MBR or GPT)
○ Use WMI to list available Devices:
Get-WmiObject -Class Win32_DiskDrive
○ Run Get-BootSector against one of the returned drives:
Get-BootSector -Path \\.\PHYSICALDRIVE0
Get-BootSector -Path \\.\PHYSICALDRIVE1

Get-PartitionTable
○ Format agnostic Cmdlet to return MBR/GPT PartitionTable objects
○ MBR formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE2
○ GPT formatted device
Get-PartitionTable -Path \\.\PHYSICALDRIVE1

NTFS System Files

| #  | Filename           | #  | Filename          |
|----|--------------------|----|-------------------|
| 0  | $MFT               | 8  | $BadClus          |
| 1  | $MFTMirr           | 9  | $Secure           |
| 2  | $LogFile           | 10 | $UpCase           |
| 3  | $Volume            | 11 | $Extend           |
| 4  | $AttrDef           |    | $Extend\$ObjId    |
| 5  | Root Directory (.) |    | $Extend\$Quota    |
| 6  | $Bitmap            |    | $Extend\$Reparse  |
| 7  | $Boot              |    | $Extend\$UsnJrnl  |

Volume Boot Record
$Boot (7)
○ 1st Sector of partition
  □ Location of partition is pointed to by the Partition table (MBR or GPT)
○ Loads the BOOTMGR Loader
○ Defines partition attributes (the BIOS Parameter Block)
  □ Bytes per Sector
  □ Sectors per Cluster
  □ Total Sectors
  □ Location of MFT (as a cluster number)
  □ Size of MFT Record
  □ Size of INDX Structure

Get-VolumeBootRecord
○ Cmdlet to parse the VBR and return VolumeBootRecord objects
○ Execute Cmdlet with “VolumeName” parameter
$VBR = Get-VolumeBootRecord -VolumeName \\.\C:
○ Often useful to pair with low level cmdlets like Invoke-DD

Master File Table
$MFT (0)
○ NTFS file table
  □ First file present on NTFS partition
  □ Contains at least one entry for every file, on an NTFS Volume, including itself
  □ As files are added the MFT grows
  □ When files are deleted, the MFT marks the file’s record as unallocated so a new file can take its place
  □ Until the record (and the clusters it points to) are reused, their content survives, which is what makes deleted-file recovery possible
○ Each record contains file metadata
  □ MACB Timestamps
  □ File name details (name, path, hard links)
  □ Location of Data
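The three slides above (MBR, VBR, $MFT) describe one chain of pointers: the partition table gives the volume’s first sector, the VBR’s BIOS Parameter Block gives the cluster geometry and the $MFT cluster, and the first MFT record is where file metadata begins. The following is an added example, not code from the deck or from the PowerForensics project, that walks that chain with nothing but Invoke-DD and the on-disk layouts, so you can see what Get-MBR, Get-VolumeBootRecord and Get-FileRecord do for you. It assumes an elevated session, 512-byte sectors, and that Invoke-DD returns the bytes it read as a [byte[]] when no -OutFile is given, with -Offset being a sector-aligned byte offset; the boot-code hash is printed for you to compare against a baseline taken from a known-good host.

```powershell
# Added example (not from the slides or the PowerForensics project):
# sector 0 -> partition table -> NTFS VBR -> first $MFT record, using Invoke-DD only.
# Assumptions: elevated session, 512-byte sectors, Invoke-DD returns [byte[]] and
# takes -Offset as a sector-aligned byte offset.
Import-Module PowerForensics

function Read-Bytes([string]$Device, [long]$ByteOffset, [int]$Length) {
    # Invoke-DD must read whole sectors, so round the length up to a 512 multiple.
    $blocks = [math]::Ceiling($Length / 512)
    [byte[]](Invoke-DD -InFile $Device -Offset $ByteOffset -BlockSize 512 -Count $blocks)
}

function Get-MbrLayout([string]$Device = '\\.\PHYSICALDRIVE0') {
    $mbr = Read-Bytes $Device 0 512
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }

    # Bytes 0..439 are the boot code a bootkit (e.g. Set-MasterBootRecord) replaces.
    # The disk signature (440..443) is excluded so the hash is stable across hosts.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash([byte[]]$mbr[0..439]) | ForEach-Object { $_.ToString('x2') }) -join ''

    $parts = for ($i = 0; $i -lt 4; $i++) {
        $e = 446 + 16 * $i                    # four 16-byte partition entries
        if ($mbr[$e + 4] -eq 0) { continue }  # type 0x00 = empty slot
        [pscustomobject]@{
            Index    = $i
            Bootable = ($mbr[$e] -eq 0x80)
            Type     = '0x{0:X2}' -f $mbr[$e + 4]
            StartLBA = [long][BitConverter]::ToUInt32($mbr, $e + 8)   # little-endian
            Sectors  = [long][BitConverter]::ToUInt32($mbr, $e + 12)
        }
    }
    [pscustomobject]@{ Device = $Device; BootCodeSHA256 = $bootHash; Partitions = @($parts) }
}

function Get-NtfsGeometry([string]$Device, [long]$PartitionStartLBA) {
    # The VBR is the partition's first sector; field offsets are those of the NTFS BPB,
    # i.e. the same values Get-VolumeBootRecord reports.
    $vbr = Read-Bytes $Device ($PartitionStartLBA * 512) 512
    $oem = [System.Text.Encoding]::ASCII.GetString($vbr, 3, 8)
    if ($oem -ne 'NTFS    ') { throw "Not an NTFS volume (OEM ID '$oem')" }
    $bps = [int][BitConverter]::ToUInt16($vbr, 0x0B)
    $spc = [int]$vbr[0x0D]
    # Clusters-per-file-record is a signed byte: a negative value n means 2^|n| bytes.
    $raw = [int]$vbr[0x40]
    $cpr = if ($raw -gt 127) { $raw - 256 } else { $raw }
    $recordSize = if ($cpr -lt 0) { [int][math]::Pow(2, -$cpr) } else { $cpr * $spc * $bps }
    $mftCluster = [long][BitConverter]::ToUInt64($vbr, 0x30)
    [pscustomobject]@{
        BytesPerSector    = $bps
        SectorsPerCluster = $spc
        TotalSectors      = [long][BitConverter]::ToUInt64($vbr, 0x28)
        MftCluster        = $mftCluster
        MftMirrCluster    = [long][BitConverter]::ToUInt64($vbr, 0x38)
        MftRecordSize     = $recordSize
        MftByteOffset     = ($PartitionStartLBA * 512) + ($mftCluster * $spc * $bps)
    }
}

# Walk the chain and sanity-check record 0: every in-use MFT record starts with "FILE".
$layout = Get-MbrLayout '\\.\PHYSICALDRIVE0'
if ($layout.Partitions | Where-Object { $_.Type -eq '0xEE' }) {
    # 0xEE is the protective MBR of a GPT disk: use Get-GPT / Get-PartitionTable there.
    throw 'GPT disk: parse the GUID Partition Table instead of the MBR entries'
}
$first = $layout.Partitions | Where-Object { $_.Type -eq '0x07' } | Select-Object -First 1
$geo   = Get-NtfsGeometry $layout.Device $first.StartLBA
$mft0  = Read-Bytes $layout.Device $geo.MftByteOffset $geo.MftRecordSize
$sig   = [System.Text.Encoding]::ASCII.GetString($mft0, 0, 4)
"Boot code SHA256: $($layout.BootCodeSHA256)"
"`$MFT at byte offset $($geo.MftByteOffset), record size $($geo.MftRecordSize), signature '$sig'"
```

Type 0x07 is shared by NTFS, exFAT and HPFS, which is why the OEM ID check in the VBR is kept; on a GPT disk the protective entry is all the MBR will tell you, matching the Get-MBR behaviour described later in the deck.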

Get-FileRecord
○ Cmdlet to parse the MFT and return FileRecord objects
○ Three different ways to use:
1) Get all MFT Records
$mft = Get-FileRecord -VolumeName \\.\C:
2) Get a FileRecord by path
Get-FileRecord -Path C:\Windows\notepad.exe
3) Get a FileRecord by Record Number/Index value
Get-FileRecord -VolumeName \\.\C: -Index 0

Temporal Funneling
○ Large amounts of data may not be relevant to our case
  □ Temporal Funneling/Pivoting allows analysts to reduce noise & focus on artifacts associated with the investigation
  □ BornTime here comes from $STANDARD_INFORMATION, which any process with write access can reset (timestomping); the $FILE_NAME copy of the timestamps is a useful cross-check
$mft = Get-FileRecord -VolumeName \\.\C:
$start = New-Object DateTime(2015,08,21,13,05,00)
$end = New-Object DateTime(2015,08,21,14,05,00)
$mft | ? {($_.BornTime -gt $start) -and ($_.BornTime -lt $end)}

Temporal Funneling Demo
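The slide’s one-liner funnels on a single timestamp. The following is an added example, not code from the deck or the PowerForensics project, that turns the funnel into a reusable function over Get-FileRecord output and adds the check a practitioner wants next to it: whether the $STANDARD_INFORMATION times disagree with the $FILE_NAME times, the usual sign of timestomping. It assumes FileRecord objects expose the $STANDARD_INFORMATION times as BornTime/ModifiedTime/ChangedTime/AccessedTime (BornTime is the name used on the slide) and the $FILE_NAME creation time as FNBornTime, plus RecordNumber and FullName; if your module version names them differently, adjust those names.

```powershell
# Added example (not from the slides or the PowerForensics project):
# reusable temporal funnel plus a $SI vs $FN timestamp consistency check.
# Assumed property names: BornTime, ModifiedTime, ChangedTime, AccessedTime,
# FNBornTime, RecordNumber, FullName.
Import-Module PowerForensics

function Select-RecordsInWindow {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        # Which $STANDARD_INFORMATION timestamp to funnel on.
        [ValidateSet('BornTime','ModifiedTime','ChangedTime','AccessedTime')]
        [string] $On = 'BornTime'
    )
    process {
        $t = $Record.$On
        if ($null -eq $t -or $t -lt $Start -or $t -gt $End) { return }

        # SetFileTime() rewrites $SI only, so a $SI creation time older than the
        # $FN creation time, or $SI times with all-zero sub-second parts (most
        # timestomp tools write whole seconds), are indicators worth flagging.
        $fnBorn = $Record.FNBornTime    # assumed property name, see lead-in
        $flags = @()
        if ($fnBorn -and $Record.BornTime -lt $fnBorn) { $flags += 'SI_before_FN' }
        if ($Record.BornTime.Ticks % 10000000 -eq 0 -and
            $Record.ModifiedTime.Ticks % 10000000 -eq 0) { $flags += 'zero_subsecond' }

        [pscustomobject]@{
            RecordNumber = $Record.RecordNumber
            FullName     = $Record.FullName
            BornTime     = $Record.BornTime
            FNBornTime   = $fnBorn
            ModifiedTime = $Record.ModifiedTime
            Flags        = ($flags -join ',')
        }
    }
}

# Same one-hour window as the slide.
$mft   = Get-FileRecord -VolumeName \\.\C:
$start = Get-Date '2015-08-21 13:05:00'
$end   = Get-Date '2015-08-21 14:05:00'

$mft | Select-RecordsInWindow -Start $start -End $end |
    Sort-Object BornTime | Format-Table RecordNumber, BornTime, Flags, FullName -AutoSize

# Second pass: widen to the whole day, pivot on the modified time (tooling edits
# existing files as often as it creates new ones) and keep only flagged records.
$mft | Select-RecordsInWindow -Start $start.Date -End $start.Date.AddDays(1) -On ModifiedTime |
    Where-Object Flags |
    Format-Table RecordNumber, BornTime, FNBornTime, ModifiedTime, Flags, FullName -AutoSize
```

Treat the flags as leads, not verdicts: files copied from FAT media legitimately carry 2-second-granularity timestamps, and $FN times are refreshed on rename or move, so confirm with the $UsnJrnl entries for the same record before drawing conclusions.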

MFT Attributes

| Type | Name                  | Type  | Name                   |
|------|-----------------------|-------|------------------------|
| 0x10 | $STANDARD_INFORMATION | 0x90  | $INDEX_ROOT            |
| 0x20 | $ATTRIBUTE_LIST       | 0xA0  | $INDEX_ALLOCATION      |
| 0x30 | $FILE_NAME            | 0xB0  | $BITMAP                |
| 0x40 | $OBJECT_ID            | 0xC0  | $REPARSE_POINT         |
| 0x50 | $SECURITY_DESCRIPTOR  | 0xD0  | $EA_INFORMATION        |
| 0x60 | $VOLUME_NAME          | 0xE0  | $EA                    |
| 0x70 | $VOLUME_INFORMATION   | 0xF0  | $PROPERTY_SET          |
| 0x80 | $DATA                 | 0x100 | $LOGGED_UTILITY_STREAM |

Recover Deleted File Demo

Access SAM Hive Demo

Get-ContentRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Outputs the contents of the file to Standard Out
  □ Works on files the OS holds open and locked (the SAM hive is always open) because the file is never opened through the file system
○ Different Encoding Options
  □ ASCII
  □ Unicode
  □ Bytes
Get-ContentRaw -Path C:\Windows\system32\config\SAM

Copy-FileRaw
○ Cmdlet to parse $DATA Attributes to determine the location of a file’s contents on disk
  □ Finds the file’s MFT Record and the main $DATA Stream
  □ Creates a copy of the specified file without accessing the file itself
  □ Writing the copy to the evidence volume still creates new MFT and $UsnJrnl entries there; point Destination at a separate volume or removable media where you can
$Path = 'C:\Windows\system32\config\SAM'
$Destination = 'C:\temp\SAM'
Copy-FileRaw -Path $Path -Destination $Destination

Alternate Data Streams
○ NTFS allows files to store data in multiple “$DATA” attributes
  □ These additional, named $DATA attributes are commonly referred to as Alternate Data Streams (ADS)
○ Attackers have found ways to hide and even execute malware from ADS
  □ Windows legitimately uses ADS to identify files downloaded from the internet (Zone.Identifier, the “Mark of the Web”)
○ PowerShell v3 added ADS compatibility to many cmdlets (the -Stream parameter on Get-Item, Get-Content, Set-Content, Remove-Item), but did not add the ability to recursively list all files with ADS

Get-AlternateDataStream
○ Cmdlet to easily find and list Alternate Data Streams on NTFS
○ Use cases:
1) List all Alternate Data Streams
$ads = Get-AlternateDataStream
2) List files carrying a Mark of the Web (written by Internet Explorer and other MotW-aware downloaders)
$ads | Where-Object {$_.StreamName -eq 'Zone.Identifier'}
3) List Alternate Data Streams for a specific file
Get-AlternateDataStream -Path 'C:\$Extend\$UsnJrnl'
4) List Alternate Data Streams that are not a Mark of the Web
$ads | Where-Object {$_.StreamName -ne 'Zone.Identifier'}

Alternate Data Streams Demo
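The ADS slides note that PowerShell’s own -Stream support stops short of a recursive listing. The following is an added example, not code from the deck or the PowerForensics project, that builds that listing from built-in cmdlets only and parses the Zone.Identifier stream so the hunting questions on the Get-AlternateDataStream slide (which streams are not a Mark of the Web, and where did the MotW’d files come from) can be answered without the module. Because it goes through the file system rather than the raw volume, it is not the forensically sound path the deck argues for: last-access times can be updated where that tracking is enabled, and a locked file is skipped rather than read. It assumes nothing beyond PowerShell v3 and an NTFS volume.

```powershell
# Added example (not from the slides or the PowerForensics project):
# recursive ADS enumeration and Zone.Identifier parsing with built-in cmdlets only.
# Not a raw-disk read: file-system access times may be touched.

function Get-AdsRecursive {
    param([Parameter(Mandatory)][string] $Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed main stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        FileName = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                    }
                }
        }
}

function Read-ZoneIdentifier {
    # Parse the INI-style Zone.Identifier stream: ZoneId 3 = Internet, 4 = Restricted;
    # ReferrerUrl / HostUrl are written by newer browsers and may be absent.
    param([Parameter(Mandatory)][string] $Path)
    $kv = @{}
    Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop |
        ForEach-Object {
            if ($_ -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2] }
        }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = [int]$kv['ZoneId']
        ReferrerUrl = $kv['ReferrerUrl']
        HostUrl     = $kv['HostUrl']
    }
}

$ads = Get-AdsRecursive -Root "$env:UserProfile\Downloads"

# Streams that are not a Mark of the Web deserve a closer look; an ADS large
# enough to hold a PE is the classic "malware hidden in an ADS" case.
$ads | Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object Length -Descending | Format-Table Length, Stream, FileName -AutoSize

# Provenance of the MotW'd files.
$ads | Where-Object Stream -eq 'Zone.Identifier' |
    ForEach-Object { Read-ZoneIdentifier -Path $_.FileName } |
    Format-Table ZoneId, HostUrl, Path -AutoSize
```

Point -Root at a whole volume to get the recursive sweep the slide says is missing; expect it to be slow, and remember that Unblock-File (earlier in the deck) deletes exactly the stream Read-ZoneIdentifier depends on.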
Get-ChildItemRaw
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes to output a directory’s contents
  □ Lists system and hidden files
  □ Output object has a RecordNumber property
Get-ChildItemRaw
Get-ChildItemRaw -Path C:\Windows\

Get-ChildItemRaw Demo

Get-FileRecordIndex
○ Cmdlet to parse $INDEX_ROOT and $INDEX_ALLOCATION attributes and return a file’s MFT Record Number
  □ Starts with the root directory’s MFT entry (index 5) and works through the tree until the requested file’s index can be found
  □ Can be teamed with Get-FileRecord
$rnumber = Get-FileRecordIndex -Path C:\Windows\notepad.exe
Get-FileRecord -VolumeName \\.\C: -Index $rnumber

Get-FileRecordIndex Demo

$UsnJrnl
○ NTFS Change Journaling
  □ Keeps track of changes to files or directories in a volume
  □ Changes are documented with the filename, timestamp of change, and description of change
  □ Entries carry the file’s and parent’s MFT reference numbers, not a full path; the path has to be rebuilt from the MFT
  □ The journal is size-limited and circular, so older entries are overwritten
  □ Can be leveraged by backup utilities (e.g. Volume Shadow Copy Service)
○ Two named data streams:
  □ $Max: UsnJrnl metadata (first entry number, maximum size of journal, etc.)
  □ $J: Contains the actual Journal entries

$UsnJrnl Reasons
Reason is a bit mask: flags accumulate on a file’s entry until CLOSE, so one record usually lists several reasons.

| Reason             | Reason                |
|--------------------|-----------------------|
| BASIC_INFO_CHANGE  | INDEXABLE_CHANGE      |
| CLOSE              | NAMED_DATA_EXTEND     |
| COMPRESSION_CHANGE | NAMED_DATA_OVERWRITE  |
| DATA_EXTEND        | NAMED_DATA_TRUNCATION |
| DATA_OVERWRITE     | OBJECT_ID_CHANGE      |
| DATA_TRUNCATION    | RENAME_NEW_NAME       |
| EA_CHANGE          | RENAME_OLD_NAME       |
| ENCRYPTION_CHANGE  | REPARSE_POINT_CHANGE  |
| FILE_CREATE        | SECURITY_CHANGE       |
| FILE_DELETE        | STREAM_CHANGE         |
| HARD_LINK_CHANGE   |                       |

Get-UsnJrnlInformation
○ Cmdlet to parse the UsnJrnl’s $Max Data Stream
○ Returns Metadata about the UsnJrnl
Get-UsnJrnlInformation -VolumeName \\.\C:

Get-UsnJrnl
○ Cmdlet to parse the UsnJrnl’s $J Data Stream
○ Use Cases:
  □ Get all UsnJrnl Entries
$usn = Get-UsnJrnl -VolumeName \\.\C:
  □ Get the most recent UsnJrnl entry for C:\temp\helloworld.txt (Attribute[0] is $STANDARD_INFORMATION, which stores the file’s current USN)
$r = Get-FileRecord -Path C:\temp\helloworld.txt
$usn = $r.Attribute[0].UpdateSequenceNumber
Get-UsnJrnl -VolumeName \\.\C: -USN $usn

File Creation & Modification Demo

UsnJrnl ADS Demo

Artifacts

Prefetch

Get-Prefetch
○ Cmdlet to parse the Windows Prefetch binary file format
  □ Prefetch is disabled by default on Windows Server SKUs, so a missing .pf is not evidence that a program did not run
○ Use Cases:
  □ Get all Prefetch objects from files in the “\Windows\Prefetch” directory
Get-Prefetch -VolumeName \\.\C:
  □ Get the Prefetch object from the file specified by the Path parameter
Get-Prefetch -Path C:\Windows\Prefetch\CMD.EXE-01C678D0.pf
  □ Another option is looking for .pf file operations in the UsnJrnl
Get-UsnJrnl | ? {$_.FileName -like "*.pf"}

Prefetch Demo
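The Get-UsnJrnl and Get-Prefetch slides each give one-line queries over the $J stream. The following is an added example, not code from the deck or the PowerForensics project, that puts both to work on a windowed timeline: new .pf files as a first-execution indicator, and files created and deleted within a short span, the shape droppers and staged tooling leave in the journal. It assumes Get-UsnJrnl entries expose FileName, Reason, TimeStamp and FileReferenceNumber (names taken from the module’s output; adjust if your version differs) and that Reason renders as a flag-set string such as “FILE_CREATE, CLOSE” when cast to [string].

```powershell
# Added example (not from the slides or the PowerForensics project):
# windowed $UsnJrnl timeline with two hunts built on it.
# Assumed entry properties: FileName, Reason (flags), TimeStamp, FileReferenceNumber.
Import-Module PowerForensics

function Get-UsnTimeline {
    param(
        [string]   $VolumeName = '\\.\C:',
        [datetime] $Start = (Get-Date).AddDays(-1),
        [datetime] $End   = (Get-Date)
    )
    Get-UsnJrnl -VolumeName $VolumeName |
        Where-Object { $_.TimeStamp -ge $Start -and $_.TimeStamp -le $End } |
        Sort-Object TimeStamp
}

function Find-ExecutionViaPrefetch($Timeline) {
    # A new <EXE>-<HASH>.pf means that executable ran for the first time on this
    # host; absence proves nothing where Prefetch is disabled (Server SKUs).
    $Timeline | Where-Object {
        $_.FileName -like '*.pf' -and ([string]$_.Reason) -match 'FILE_CREATE'
    } | Select-Object TimeStamp, FileName, Reason
}

function Find-CreateThenDelete($Timeline, [int]$WithinMinutes = 30) {
    # Group on the MFT file reference: it survives renames and, because it
    # embeds the record's sequence number, is not confused by record reuse.
    $Timeline | Group-Object FileReferenceNumber | ForEach-Object {
        $created = $_.Group | Where-Object { ([string]$_.Reason) -match 'FILE_CREATE' } | Select-Object -First 1
        $deleted = $_.Group | Where-Object { ([string]$_.Reason) -match 'FILE_DELETE' } | Select-Object -Last 1
        if ($created -and $deleted -and $deleted.TimeStamp -gt $created.TimeStamp -and
            ($deleted.TimeStamp - $created.TimeStamp).TotalMinutes -le $WithinMinutes) {
            [pscustomobject]@{
                FileName = $deleted.FileName
                Created  = $created.TimeStamp
                Deleted  = $deleted.TimeStamp
                Lifetime = $deleted.TimeStamp - $created.TimeStamp
                FileRef  = $_.Name
            }
        }
    }
}

# Same window as the MFT funnel earlier in the deck, then both hunts over it.
$tl = Get-UsnTimeline -VolumeName \\.\C: -Start (Get-Date '2015-08-21 13:05') -End (Get-Date '2015-08-21 14:05')
Find-ExecutionViaPrefetch $tl | Format-Table -AutoSize
Find-CreateThenDelete $tl -WithinMinutes 30 | Sort-Object Created | Format-Table -AutoSize
```

Run Get-UsnJrnlInformation first to see how far back the journal reaches; on a busy volume the circular $J stream may hold only hours, and anything older is simply gone rather than absent.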

Get-ScheduledJobRaw
○ Cmdlet to parse the Scheduled (At) Job binary file format
  □ Covers legacy at.exe .job files only; Task Scheduler 2.0 tasks are XML under \Windows\System32\Tasks and need a separate parser
○ Use Cases:
  □ Get all ScheduledJob objects from files in the “\Windows\Tasks” directory
Get-ScheduledJobRaw -VolumeName \\.\C:
  □ Get the ScheduledJob object from the file specified by the Path parameter
Get-ScheduledJobRaw -Path C:\Windows\Tasks\At1.job

Moving Forward
○ More artifacts!!
  □ Registry support
  □ ESE database support
○ Organic Remoting (more robust)
○ Support for alternate file systems
  □ Windows: FAT12, FAT16, FAT32, exFAT
  □ Linux: Ext2, Ext3, Ext4
  □ Mac: HFS+
○ Online documentation (Open API)
○ WMI Provider with Events
○ Community Involvement!!!

@jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?

Extra Slides!!!

$Volume (3)
○ File containing metadata about its partition/volume
○ Made up of two special attributes, $VOLUME_NAME and $VOLUME_INFORMATION
  □ Two cmdlets: Get-VolumeName and Get-VolumeInformation
Get-VolumeName -VolumeName \\.\C:
Get-VolumeInformation -VolumeName \\.\C:

$AttrDef (4)
○ System file that contains details about all file attributes available to the volume
Get-AttrDef -VolumeName \\.\C:

$Bitmap (6), $BadClus (8)
○ NTFS has two files to tell the File System what Clusters can be used
○ $Bitmap: a bit field where each bit represents a specific cluster (bit 0 of byte 0 is cluster 0); a set bit means the cluster is allocated by the file system
○ $BadClus: not a bit field but a sparse file whose named stream, $Bad, spans the whole volume; clusters the file system has marked bad are allocated to that stream, so its data runs are the list of bad clusters

Get-Bitmap / Get-BadClus
○ Cmdlets to report cluster allocation and bad-cluster state from their respective files ($Bitmap and $BadClus)
○ Use cases:
  □ Parse the $Bitmap file to determine if the specified cluster is allocated
Get-Bitmap -VolumeName \\.\C: -Cluster 1000
  □ Before recovering a deleted file, check that the clusters in its $DATA runs are still unallocated here; if any has been reused, that part of the content is gone
  □ Parse the $BadClus file to report on any clusters that have been marked as corrupt by the file system
Get-BadClus -VolumeName \\.\C: