The collection of system artifacts will depend on both the environment and the scenario at hand. PowerShell enables access to a plethora of Windows artifacts that can serve useful during an incident response or merely as an approach for a system administrator to understand more about his/her environment. It is not possible to list all significant data points, nor is it feasible to know every scenario. Nevertheless, the concepts detailed in the following section should serve as examples for digital investigators to build upon.
Information obtained from the analysis must be saved on the USB drive and not on the target system. Once the drive has been inserted, we can formulate a new command that redirects the output of a command to the evidence drive.
Once in the PowerShell, you can invoke the transcription service that will then log all of your operations. You invoke the transcription service as follows. (Note this assumes that you have inserted a removable drive D: that will store your evidence.)
set-location D:\
start-transcript d:\evidence.log -append -noclobber
At this point you can execute PowerShell commands. These commands and their corresponding results will be written to the evidence.log file.
Installed Programs
There are a number a ways to gather a list of installed programs on a given system. From the perspective of PowerShell, two useful cmdlets come in play: GetWMIObject and Get-CimInstance. Both cmdlets can use the win32_product WMI class which represents products as they are installed by Windows Installer.
PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_Product
Name Caption Vendor Version IdentifyingNumber
---- ------- ------ ------- -----------------
Accent RAR Pa... Accent RAR Password Re... Passcovery Co. Ltd. 20.9.48.3902 {6DF5C4C0-80C4-4F7D-9...
Python 3.6.3 ... Python 3.6.3 Tcl/Tk Su... Python Software Founda... 3.6.3150.0 {8FE3FFD1-2F7E-4EBB-A...
Python 3.6.3 ... Python 3.6.3 Documenta... Python Software Founda... 3.6.3150.0 {404A8C42-6B82-4B32-A...
IPTInstaller IPTInstaller HTC 4.0.9 {08208143-777D-4A06-B...
Accent ZIP Pa... Accent ZIP Password Re... Passcovery Co. Ltd. 20.9.48.3899 {0FD97384-03C7-44B4-A...
Python 3.6.3 ... Python 3.6.3 Executabl... Python Software Founda... 3.6.3150.0 {D3ABC2C4-85AF-4AFD-9...
Python 3.6.3 ... Python 3.6.3 Test Suit... Python Software Founda... 3.6.3150.0 {2C6B5217-ACF4-4082-B...
Python 3.6.3 ... Python 3.6.3 Utility S... Python Software Founda... 3.6.3150.0 {E3F016B8-A524-4F97-9...
Python 3.6.3 ... Python 3.6.3 pip Boots... Python Software Founda... 3.6.3150.0 {48EC8399-294B-40F5-8...
Passware Sear... Passware Search Index ... Passware 4.3.6321 {896A43C9-2695-4926-A...
GoTo Opener GoTo Opener LogMeIn, Inc. 1.0.539 {E69269DB-A77B-4BC1-8...
DB Browser fo... DB Browser for SQLite DB Browser for SQLite ... 3.11.2 {ABCC928D-E47F-4867-9...
The Select-Object cmdlet can be used for a more refined output. The following example shows how to select a desired list of objects associated with each installed program:
PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_Product | Select-Object Name, Version, Vendor, InstallDate, InstallSource, PackageName, LocalPackage Name : Accent RAR Password Recovery Version : 20.9.48.3902 Vendor : Passcovery Co. Ltd. InstallDate : 20201107 InstallSource : D:\hsoftware\New folder\ PackageName : AccentRPR_20.09_x64.msi LocalPackage : C:\Windows\Installer\b5847.msi Name : Python 3.6.3 Tcl/Tk Support (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{8FE3FFD1-2F7E-4EBB-A4B7-627E279DA70E}v3.6.3150.0\ PackageName : tcltk.msi LocalPackage : C:\Windows\Installer\2fd86.msi Name : Python 3.6.3 Documentation (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{404A8C42-6B82-4B32-AC7F-0583644A04F2}v3.6.3150.0\ PackageName : doc.msi LocalPackage : C:\Windows\Installer\2fd7c.msi Name : IPTInstaller Version : 4.0.9 Vendor : HTC InstallDate : 20201124 InstallSource : C:\Program Files (x86)\HTC\HTC Driver\ PackageName : IPTInstaller.msi LocalPackage : C:\Windows\Installer\5fb47.msi Name : Accent ZIP Password Recovery Version : 20.9.48.3899 Vendor : Passcovery Co. Ltd. InstallDate : 20201107 InstallSource : D:\hsoftware\New folder\ PackageName : AccentZPR_20.09_x64.msi LocalPackage : C:\Windows\Installer\b584d.msi Name : Python 3.6.3 Executables (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{D3ABC2C4-85AF-4AFD-94D4-F2B84F49BFEA}v3.6.3150.0\ PackageName : exe.msi LocalPackage : C:\Windows\Installer\2fd6d.msi Name : Python 3.6.3 Test Suite (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{2C6B5217-ACF4-4082-B19C-3463C9340E41}v3.6.3150.0\ PackageName : test.msi LocalPackage : C:\Windows\Installer\2fd77.msi Name : Python 3.6.3 Utility Scripts (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{E3F016B8-A524-4F97-9095-944C31A971E0}v3.6.3150.0\ PackageName : tools.msi LocalPackage : C:\Windows\Installer\2fd81.msi Name : Python 3.6.3 pip Bootstrap (64-bit) Version : 3.6.3150.0 Vendor : Python Software Foundation InstallDate : 20200105 InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{48EC8399-294B-40F5-8274-E2AFBF0CFCBE}v3.6.3150.0\ PackageName : pip.msi LocalPackage : C:\Windows\Installer\2fd90.msi Name : Passware Search Index Examiner 4.3 Demo Version : 4.3.6321 Vendor : Passware InstallDate : 20201108 InstallSource : D:\hsoftware\New folder\ PackageName : SearchIndexExaminer-demo.msi LocalPackage : C:\Windows\Installer\94abc2.msi Name : GoTo Opener Version : 1.0.539 Vendor : LogMeIn, Inc. InstallDate : 20201224 InstallSource : C:\Users\JOSEPH\AppData\Local\Temp\A694B59E-AB47-4B24-8682-CB8AE1CA7DE6\ PackageName : GoToOpener.msi LocalPackage : C:\Windows\Installer\fd05b.msi Name : Simple DNSCrypt x64 Version : 0.7.1 Vendor : bitbeans InstallDate : 20200729 InstallSource : C:\Users\JOSEPH\Downloads\ PackageName : SimpleDNSCrypt64.msi LocalPackage : C:\Windows\Installer\2092a1.msi Name : Paraben's Dongle Manager Version : 1.3.5281.23638 Vendor : Paraben Corporation InstallDate : 20201124 InstallSource : C:\Program Files (x86)\Paraben Corporation\Device Seizure\DongleManager\ PackageName : DongleManager.MSI LocalPackage : C:\Windows\Installer\5fb35.msi Name : Python 2.7.18 (64-bit) Version : 2.7.18150 Vendor : Python Software Foundation InstallDate : 20201005 InstallSource : C:\Users\JOSEPH\Downloads\ PackageName : python-2.7.18.amd64.msi LocalPackage : C:\Windows\Installer\1dde8d.msi
Not all installed programs can be collected with the win32_product class. Taking a closer inspection at where the operating system stores programs with uninstall features, we look to 64the Windows registry; in particular, under the HKLM\Software hive (“32-bit and 64-bit Application Data in the Registry”). If the program installed as a 64-bit application, the listing will be found under:
HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*google*" | Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation, Publisher
DisplayName : Google Chrome
DisplayVersion : 99.0.4844.84
InstallDate : 20220331
InstallLocation : C:\Program Files (x86)\Google\Chrome\Application
Publisher : Google LLC
Otherwise, if the program is installed as a 32-bit application, the listing will be at
HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\
PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*google*" | Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation, Publisher
DisplayName : Backup and Sync from Google
DisplayVersion : 3.57.4043.4118
InstallDate : 20211026
InstallLocation :
Publisher : Google, Inc.
DisplayName : Google Drive
DisplayVersion : 56.0.11.0
InstallDate :
InstallLocation : C:\Program Files\Google\Drive File Stream\56.0.11.0\GoogleDriveFS.exe
Publisher : Google LLC
OS Build and HotFixes
In addition to getting a list of installed programs with their respective version number, The incident responder might wish to inspect both the OS build number as well as installed hotfixes.
To get the OS release version on the current system, we target the ReleaseId object with the following command:
PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\" | Select-Object ReleaseId ReleaseId --------- 2009
To obtain the OS build number, the Get-CimInstance cmdlet can be used to access the Win32_OperatingSystem class
PS C:\Users\JOSEPH> Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, servicepackmajorversion, BuildNumber, CSName, LastBootUpTime Caption : Microsoft Windows 10 Pro Version : 10.0.10240 servicepackmajorversion : 0 BuildNumber : 10240 CSName : DESKTOP-1B6BSHH LastBootUpTime : 6/11/2022 9:58:57 PM
Gathering a list of hotfixes is straightforward with PowerShell by leveraging the Get-Hotfix cmdlet. This cmdlet can be used without any additional parameters, resulting in all installed hotfixes displayed to the console.
PS C:\Users\JOSEPH> Get-HotFixSource Description HotFixID InstalledBy InstalledOn ------ ----------- -------- ----------- ----------- DESKTOP-1B... Update KB3074678 8/2/2015 12:00:00 AM DESKTOP-1B... Security Update KB3074683 8/2/2015 12:00:00 AM DESKTOP-1B... Update KB3074686 8/2/2015 12:00:00 AM DESKTOP-1B... Update KB3102495 DESKTOP-1B6BSHH\J... 8/1/2020 12:00:00 AM DESKTOP-1B... Update KB3125217 NT AUTHORITY\SYSTEM 1/18/2020 12:00:00 AM DESKTOP-1B... Update KB3151900 DESKTOP-1B6BSHH\J... 11/23/2020 12:00:00 AM DESKTOP-1B... Update KB3161102 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM DESKTOP-1B... Security Update KB3172729 NT AUTHORITY\SYSTEM 1/25/2020 12:00:00 AM DESKTOP-1B... Update KB3173427 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM DESKTOP-1B... Update KB4021701 NT AUTHORITY\SYSTEM 1/11/2020 12:00:00 AM DESKTOP-1B... Update KB4033631 NT AUTHORITY\SYSTEM 1/18/2020 12:00:00 AM DESKTOP-1B... Update KB4134662 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM DESKTOP-1B... Security Update KB4022727 NT AUTHORITY\SYSTEM 1/22/2020 12:00:00 AM
If there’s a specific hotfix of interest, simply add the hotfix name following the cmdlet
PS C:\Users\JOSEPH> Get-HotFix KB4022727 Source Description HotFixID InstalledBy InstalledOn ------ ----------- -------- ----------- ----------- DESKTOP-1B... Security Update KB4022727 NT AUTHORITY\SYSTEM 1/22/2020 12:00:00 AM
You may wish to get a list of hotfixes installed within a given timeframe
PS C:\Users\JOSEPH> Get-HotFix | where InstalledOn -gt (get-date 2020/01/01) | where InstalledOn -lt (get-date 2020/12/31)
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
DESKTOP-1B... Update KB3102495 DESKTOP-1B6BSHH\J... 8/1/2020 12:00:00 AM
DESKTOP-1B... Update KB3125217 NT AUTHORITY\SYSTEM 1/18/2020 12:00:00 AM
DESKTOP-1B... Update KB3151900 DESKTOP-1B6BSHH\J... 11/23/2020 12:00:00 AM
DESKTOP-1B... Update KB3161102 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update KB3172729 NT AUTHORITY\SYSTEM 1/25/2020 12:00:00 AM
DESKTOP-1B... Update KB3173427 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM
DESKTOP-1B... Update KB4021701 NT AUTHORITY\SYSTEM 1/11/2020 12:00:00 AM
DESKTOP-1B... Update KB4033631 NT AUTHORITY\SYSTEM 1/18/2020 12:00:00 AM
DESKTOP-1B... Update KB4134662 NT AUTHORITY\SYSTEM 1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update KB4022727 NT AUTHORITY\SYSTEM 1/22/2020 12:00:00 AM
The above command shows a list of hotfixes installed between Jan 1 - Dec 31, 2020
Running Processes
The Get-Process cmdlet returns a listing of running processes on a system.
PS C:\Users\JOSEPH> Get-Process
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
275 20 28952 11260 104 8.94 1056 AnyDesk
234 17 28984 10384 112 0.86 4924 AnyDesk
264 16 12268 23772 ...71 5.34 7600 ApplicationFrameHost
102 7 1820 4512 113 2028 armsvc
343 20 5196 14892 178 0.59 536 browser_assistant
148 13 3404 7400 160 0.17 6844 browser_assistant
277 14 4272 13188 ...51 0.63 9036 browser_broker
562 33 34008 37256 ...08 143.84 6960 CCleaner64
39 4 1580 2584 ...69 0.09 8460 cmd
329 25 13668 23328 113 440 CodeMeter
To identify the owning process from the example above, the Process ID (PID) can be used as follows:
PS C:\Users\JOSEPH> Get-Process | Select-Object StartTime, ProcessName, ID, Path | where id -eq 6960
StartTime ProcessName Id Path
--------- ----------- -- ----
6/11/2022 10:02:05 PM CCleaner64 6960
However, the Get-Process cmdlet lacks some additional details such as the parent process and command-line arguments provided at start time. For this detail, the Get-CimInstance cmdlet comes in handy once again.
PS C:\Users\JOSEPH> Get-CimInstance –ClassName Win32_Process | Select-Object CreationDate, ProcessName, ProcessID, CommandLine, ParentProcessId | where ProcessID -eq 6960 CreationDate : 6/11/2022 10:02:05 PM ProcessName : CCleaner64.exe ProcessID : 6960 CommandLine : ParentProcessId : 6932
Services
Getting a list of running services can be done in a number of ways via Powershell. One approach is to use the Get-Service cmdlet:
PS C:\Users\JOSEPH> Get-Service | Select-Object Name, DisplayName, Status, StartType
Name DisplayName Status StartTy
pe
---- ----------- ------ -------
AdobeARMservice Adobe Acrobat Update Service Running ...atic
AdobeFlashPlayerFeedbackSvc Adobe Flash Player Feedback Service Running ...atic
AJRouter AllJoyn Router Service Stopped Manual
ALG Application Layer Gateway Service Stopped Manual
AnyDesk AnyDesk Service Running ...atic
AppIDSvc Application Identity Stopped Manual
Appinfo Application Information Running Manual
AppMgmt Application Management Stopped Manual
PS C:\Users\JOSEPH> Get-CimInstance Win32_Service | Select-Object Name, DisplayName, StartMode, State, PathName, StartName, ServiceTypeName : AdobeARMservice DisplayName : Adobe Acrobat Update Service StartMode : Auto State : Running PathName : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" StartName : LocalSystem ServiceType : Own Process Name : AdobeFlashPlayerFeedbackSvc DisplayName : Adobe Flash Player Feedback Service StartMode : Auto State : Running PathName : C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerFeedbackService.exe StartName : LocalSystem ServiceType : Own Process Name : AJRouter DisplayName : AllJoyn Router Service StartMode : Manual State : Stopped PathName : C:\Windows\system32\svchost.exe -k LocalService StartName : NT AUTHORITY\LocalService ServiceType : Share Process
Logged On Users
The Get-CimInstance cmdlet used with the Win32_ComputerSystem class returns the currently logged-on user as well as a few more attributes that may be handy to an incident responder.
PS C:\Users\JOSEPH> Get-CimInstance –ClassName Win32_ComputerSystem | Select-Object Name, UserName, PrimaryOwnerName, Domain, TotalPhysicalMemory, Model, Manufacturer
Name : DESKTOP-1B6BSHH
UserName : DESKTOP-1B6BSHH\JOSEPH
PrimaryOwnerName : JOSEPH
Domain : WORKGROUP
TotalPhysicalMemory : 4135960576
Model : HP 250 G5 Notebook PC
Manufacturer : HP
Scheduled Tasks and Scheduled Jobs
To view all scheduled tasks on a system, use the Get-ScheduledTask cmdlet. There are a significant number of scheduled tasks found out-of-the-box on any given Windows system. Collecting them all across the environment may be a good baselining effort; however, for the purposes of finding evil in a scenario where a good baseline has not been established, filtering out some of this noise is ideal.
PS C:\Users\JOSEPH> Get-ScheduledTask | Select-Object TaskName, TaskPath, Date, Author, Actions, Triggers, Description, State | where Author -NotLike 'Microsoft*' | where Author -ne $null | where Author -NotLike '*@%SystemRoot%\*'
TaskName : Adobe Acrobat Update Task
TaskPath : \
Date :
Author : Adobe Systems Incorporated
Actions : {MSFT_TaskExecAction}
Triggers : {MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger}
Description : This task keeps your Adobe Reader and Acrobat applications up to date with the latest enhancements and
security fixes
State : Ready
TaskName : CCleanerSkipUAC - JOSEPH
TaskPath : \
Date :
Author : Piriform Software Ltd
Actions : {MSFT_TaskExecAction}
Triggers :
Description :
State : Ready
TaskName : Opera scheduled assistant Autoupdate 1615156303
TaskPath : \
Date :
Author : DESKTOP-1B6BSHH\JOSEPH
Actions : {MSFT_TaskExecAction}
Triggers : {MSFT_TaskDailyTrigger, MSFT_TaskLogonTrigger}
Description : Keeps Opera Browser Assistant up to date
State : Ready
TaskName : Opera scheduled Autoupdate 1615156210
TaskPath : \
Date :
Author : DESKTOP-1B6BSHH\JOSEPH
Actions : {MSFT_TaskExecAction}
Triggers : {MSFT_TaskDailyTrigger, MSFT_TaskLogonTrigger}
Description : Keeps Opera up to date.
State : Ready
TaskName : smadav
TaskPath : \
Date :
Author : JOSEPH
Actions : {MSFT_TaskExecAction}
Triggers : {MSFT_TaskLogonTrigger}
Description : Smadav
State : Ready
TaskName : Start Driver Reviver Check Driver Update
TaskPath : \
Date :
Author : ReviverSoft
Actions : {MSFT_TaskExecAction}
Triggers : {MSFT_TaskTimeTrigger}
Description :
State : Ready
To obtain the details of a given task, the Export-ScheduledTask cmdlet can be used, which outputs an xml formatted listing of a task’s details:
PS C:\Users\JOSEPH> Export-ScheduledTask -TaskName smadav
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Author>JOSEPH</Author>
<Description>Smadav</Description>
<URI>\smadav</URI>
</RegistrationInfo>
<Principals>
<Principal id="Author">
<UserId>S-1-5-21-567446565-752261182-456724567-1002</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
</Settings>
<Triggers>
<LogonTrigger />
</Triggers>
<Actions Context="Author">
<Exec>
<Command>C:\Program Files (x86)\Smadav\SMΔRTP.exe</Command>
<Arguments>rtp</Arguments>
<WorkingDirectory>C:\Program Files (x86)\Smadav</WorkingDirectory>
</Exec>
</Actions>
</Task>
Scheduled Jobs are a little different than scheduled tasks. Schedule jobs are relevant only to the execution of PowerShell; they can be thought of as a “hybrid of background jobs and scheduled tasks”. First, use the Get-ScheduledJob cmdlet to see a listing of Scheduled Jobs on a system.
PS C:\Users\JOSEPH> Get-ScheduledJobResults of a scheduled job get saved. To view these results, start off with the Get-Job cmdlet. Once the job has been completed, the results can be collected with the Receive-Job cmdlet.
USB Device Usage
Obtaining the recent USB devices used can certainly be important when performing forensic investigations or incident response actions. This can either help determine if information was exfiltrated from the system, or if USB insertion could be the cause of malware infection. The first part of that process is to determine what USB devices have been detected. The necessary powershell command is shown below.
PS C:\Users\JOSEPH> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName
FriendlyName
------------
General USB Flash Disk USB Device
Generic Flash Disk USB Device
Generic Mass-Storage USB Device
WD Elements 25A2 USB Device
Event Logs
The Get-EventLog CmdLet is also useful for acquiring events from event logs. The below commands depicts several usage examples. Each identifies a different log file and requests the newest 20 events. Note that if the security event log is requested, you must have administrative privileges in order to access this.
Get-EventLog -logName system -Newest 20 Get-EventLog -logName application -Newest 20 Get-EventLog -logName security -Newest 20
- Error
- Information
- Failure Audit
- Success Audit
- Warning
If, for example, we only want to see events that are of type error or warning and filter out the general informational messages. Based on this, a more refined command could be created that will extract only the target events Warning or Error and specify specific properties associated with the event log to be displayed.
PS C:\Users\JOSEPH> Get-Eventlog -LogName system -Newest 20 | Select-Object -Property TimeGenerated, Source, EntryType, Message | where {$_.EntryType -eq "warning" -or $_.EntryType -eq "error"} TimeGenerated Source EntryType Message ------------- ------ --------- ------- 6/12/2022 1:08:27 AM Microsoft-Windows-DNS-Client Warning Name resolution for the name win10.ipv6.microsoft.com. ... 6/12/2022 12:14:10 AM Microsoft-Windows-DNS-Client Warning Name resolution for the name login.live.com timed out a... 6/12/2022 12:05:06 AM Microsoft-Windows-DNS-Client Warning Name resolution for the name www.bing.com timed out aft... 6/11/2022 10:42:55 PM Microsoft-Windows-DNS-Client Warning Name resolution for the name 130.69.63.41.in-addr.arpa....
The Get-WinEvent cmdlet lists the events from event logs and event tracing files. The FilterHashTable cmdlet is primarily used with Get-WinEvent Cmdlet to filter the event logs.
Get-WinEvent -FilterHashtable @{Logname='security'; ID=4672} | select TimeCreated,ID,Message | ft –auto -wrap
PS C:\Users\JOSEPH> Get-WinEvent -FilterHashtable @{logname='system';starttime=((Get-Date).AddDays(-1))} | Select TimeCreated, ID, Message
TimeCreated Id Message
----------- -- -------
6/12/2022 7:58:00 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:53 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:53 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:50 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:56:00 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:23 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:23 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:21 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:20 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:53:00 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:53 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:53 AM 1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:49 AM 1 The mfevtp MMS Service entered the running state.
File Analysis and Alternate Data Streams
PowerShell also provides a convenient way to view both the streams associated to a file as well as its contents. The Get-Item cmdlet is used with ‘-Stream’ and a wildcard ‘*’ parameter to view all possible streams.
PS C:\Users\JOSEPH> Get-Item D:\forensic_cheatsheet.pdf -Stream *
FileName: D:\forensic_cheatsheet.pdf
Stream Length
------ ------
:$DATA 118162
Due to the fact that all files on an NTFS filesystem will have a ‘$DATA’ stream associated to it, the command can be adjusted slightly to show all other streams.
PS C:\Users\JOSEPH> Get-Item D:\forensic_cheatsheet.pdf -Stream * | where Stream -ne ':$DATA'
When a stream is identified, the contents can be viewed by using the Get-Content cmdlet:
Get-Content D:\forensic_cheatsheet.pdf -Stream <identified_stream>
Raw File Analysis
PowerShell supports a hexadecimal view with the Format-Hex cmdlet and using the ‘-Encoding’ parameter with value Byte
PS C:\Users\JOSEPH> Get-Content D:\forensic_cheatsheet.pdf -Encoding Byte | Format-Hex 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 25 % 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 50 P 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 44 D 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 46 F 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 2D - 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 31 1 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 2E . 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 34 4 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 0A . 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 25 % 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 D0 Ð 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 D4 Ô 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 C5 Å 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 D8 Ø 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 0A . 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
In the example above, PowerShell is not converting the content to hex, but rather presenting the output in that format. The format string operator ‘-f’ can be used to convert the output to hex.
Additionally, it may be desired to inspect the first few bytes of a given file. To do so, the ‘-ReadCount’ parameter is specified as follows:
PS C:\Users\JOSEPH> $magicBytes = '{0:X2}' -f (Get-Content D:\forensic_cheatsheet.pdf -Encoding Byte -ReadCount 4) PS C:\Users\JOSEPH> $magicBytes 25 50 44 46
File Hashing
Proper handling of files collected and examined during an incident response is a vital function for any incident response. To ensure the integrity of a file or artifact, incident handlers use cryptographic hashing algorithms such as MD5, SHA1 and SHA256. PowerShell provides this capability with the Get-FileHash cmdlet:
PS C:\Users\JOSEPH> Get-FileHash D:\evidence.log -Algorithm MD5 Algorithm Hash Path --------- ---- ---- MD5 9E15166788B9A53F93D25EBB21644F10 D:\evidence.log
Post a Comment