Windows Powershell Commands For Incident Response

Which system artifacts to collect depends on both the environment and the scenario at hand.  PowerShell gives access to a wealth of Windows artifacts that are useful during an incident response, or simply as a way for a system administrator to learn more about his or her environment.  It is not possible to list every significant data point, nor to anticipate every scenario.  Nevertheless, the concepts detailed in the following sections should serve as examples that digital investigators can build upon.

Information obtained from the analysis must be saved on the removable evidence drive, never on the target system, so that the investigation itself writes as little as possible to the disk under examination. Once the drive has been inserted, every command that produces output should redirect that output to the evidence drive.


Once in PowerShell, you can invoke the transcription service, which then logs all of your commands together with their output. You invoke it as follows. (This assumes the removable drive that will store your evidence is mounted as D:.)


Set-Location D:\
Start-Transcript D:\evidence.log -Append -NoClobber


From this point on, the PowerShell commands you run and their results are written to the evidence.log file. Note that the transcript records what the console displays: output that is truncated on screen (long values ending in "...") is truncated in the log as well, so pipe to Format-List or Export-Csv whenever the full value matters.


Installed Programs

There are a number of ways to gather a list of installed programs on a given system.  From the PowerShell perspective, two useful cmdlets come into play: Get-WmiObject and Get-CimInstance.  Both can query the Win32_Product WMI class, which represents products installed by Windows Installer (MSI packages only).  One caveat before running it on a live system: enumerating Win32_Product makes Windows Installer perform a consistency check on every registered package, which is slow, can trigger package repairs, and writes MsiInstaller events to the Application event log of the very machine you are examining.


PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_Product

Name             Caption                   Vendor                    Version                   IdentifyingNumber
----             -------                   ------                    -------                   -----------------
Accent RAR Pa... Accent RAR Password Re... Passcovery Co. Ltd.       20.9.48.3902              {6DF5C4C0-80C4-4F7D-9...
Python 3.6.3 ... Python 3.6.3 Tcl/Tk Su... Python Software Founda... 3.6.3150.0                {8FE3FFD1-2F7E-4EBB-A...
Python 3.6.3 ... Python 3.6.3 Documenta... Python Software Founda... 3.6.3150.0                {404A8C42-6B82-4B32-A...
IPTInstaller     IPTInstaller              HTC                       4.0.9                     {08208143-777D-4A06-B...
Accent ZIP Pa... Accent ZIP Password Re... Passcovery Co. Ltd.       20.9.48.3899              {0FD97384-03C7-44B4-A...
Python 3.6.3 ... Python 3.6.3 Executabl... Python Software Founda... 3.6.3150.0                {D3ABC2C4-85AF-4AFD-9...
Python 3.6.3 ... Python 3.6.3 Test Suit... Python Software Founda... 3.6.3150.0                {2C6B5217-ACF4-4082-B...
Python 3.6.3 ... Python 3.6.3 Utility S... Python Software Founda... 3.6.3150.0                {E3F016B8-A524-4F97-9...
Python 3.6.3 ... Python 3.6.3 pip Boots... Python Software Founda... 3.6.3150.0                {48EC8399-294B-40F5-8...
Passware Sear... Passware Search Index ... Passware                  4.3.6321                  {896A43C9-2695-4926-A...
GoTo Opener      GoTo Opener               LogMeIn, Inc.             1.0.539                   {E69269DB-A77B-4BC1-8...
DB Browser fo... DB Browser for SQLite     DB Browser for SQLite ... 3.11.2                    {ABCC928D-E47F-4867-9...


The Select-Object cmdlet gives a more refined output.  The following example selects a set of properties of interest for each installed program, including where the package was installed from and where the cached MSI lives:

PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_Product | Select-Object Name, Version, Vendor, InstallDate, InstallSource, PackageName, LocalPackage


Name          : Accent RAR Password Recovery
Version       : 20.9.48.3902
Vendor        : Passcovery Co. Ltd.
InstallDate   : 20201107
InstallSource : D:\hsoftware\New folder\
PackageName   : AccentRPR_20.09_x64.msi
LocalPackage  : C:\Windows\Installer\b5847.msi

Name          : Python 3.6.3 Tcl/Tk Support (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{8FE3FFD1-2F7E-4EBB-A4B7-627E279DA70E}v3.6.3150.0\
PackageName   : tcltk.msi
LocalPackage  : C:\Windows\Installer\2fd86.msi

Name          : Python 3.6.3 Documentation (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{404A8C42-6B82-4B32-AC7F-0583644A04F2}v3.6.3150.0\
PackageName   : doc.msi
LocalPackage  : C:\Windows\Installer\2fd7c.msi

Name          : IPTInstaller
Version       : 4.0.9
Vendor        : HTC
InstallDate   : 20201124
InstallSource : C:\Program Files (x86)\HTC\HTC Driver\
PackageName   : IPTInstaller.msi
LocalPackage  : C:\Windows\Installer\5fb47.msi

Name          : Accent ZIP Password Recovery
Version       : 20.9.48.3899
Vendor        : Passcovery Co. Ltd.
InstallDate   : 20201107
InstallSource : D:\hsoftware\New folder\
PackageName   : AccentZPR_20.09_x64.msi
LocalPackage  : C:\Windows\Installer\b584d.msi

Name          : Python 3.6.3 Executables (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{D3ABC2C4-85AF-4AFD-94D4-F2B84F49BFEA}v3.6.3150.0\
PackageName   : exe.msi
LocalPackage  : C:\Windows\Installer\2fd6d.msi

Name          : Python 3.6.3 Test Suite (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{2C6B5217-ACF4-4082-B19C-3463C9340E41}v3.6.3150.0\
PackageName   : test.msi
LocalPackage  : C:\Windows\Installer\2fd77.msi

Name          : Python 3.6.3 Utility Scripts (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{E3F016B8-A524-4F97-9095-944C31A971E0}v3.6.3150.0\
PackageName   : tools.msi
LocalPackage  : C:\Windows\Installer\2fd81.msi

Name          : Python 3.6.3 pip Bootstrap (64-bit)
Version       : 3.6.3150.0
Vendor        : Python Software Foundation
InstallDate   : 20200105
InstallSource : C:\Users\JOSEPH\AppData\Local\Package Cache\{48EC8399-294B-40F5-8274-E2AFBF0CFCBE}v3.6.3150.0\
PackageName   : pip.msi
LocalPackage  : C:\Windows\Installer\2fd90.msi

Name          : Passware Search Index Examiner 4.3 Demo
Version       : 4.3.6321
Vendor        : Passware
InstallDate   : 20201108
InstallSource : D:\hsoftware\New folder\
PackageName   : SearchIndexExaminer-demo.msi
LocalPackage  : C:\Windows\Installer\94abc2.msi

Name          : GoTo Opener
Version       : 1.0.539
Vendor        : LogMeIn, Inc.
InstallDate   : 20201224
InstallSource : C:\Users\JOSEPH\AppData\Local\Temp\A694B59E-AB47-4B24-8682-CB8AE1CA7DE6\
PackageName   : GoToOpener.msi
LocalPackage  : C:\Windows\Installer\fd05b.msi

Name          : Simple DNSCrypt x64
Version       : 0.7.1
Vendor        : bitbeans
InstallDate   : 20200729
InstallSource : C:\Users\JOSEPH\Downloads\
PackageName   : SimpleDNSCrypt64.msi
LocalPackage  : C:\Windows\Installer\2092a1.msi

Name          : Paraben's Dongle Manager
Version       : 1.3.5281.23638
Vendor        : Paraben Corporation
InstallDate   : 20201124
InstallSource : C:\Program Files (x86)\Paraben Corporation\Device Seizure\DongleManager\
PackageName   : DongleManager.MSI
LocalPackage  : C:\Windows\Installer\5fb35.msi

Name          : Python 2.7.18 (64-bit)
Version       : 2.7.18150
Vendor        : Python Software Foundation
InstallDate   : 20201005
InstallSource : C:\Users\JOSEPH\Downloads\
PackageName   : python-2.7.18.amd64.msi
LocalPackage  : C:\Windows\Installer\1dde8d.msi


Not every installed program is registered with Windows Installer, so the win32_product class misses anything that used a different installer.  The operating system keeps its own record of programs that offer an uninstall entry in the Windows registry, under the HKLM\Software hive (see "32-bit and 64-bit Application Data in the Registry").  On 64-bit Windows, programs installed as 32-bit applications are listed under the Wow6432Node key: 


HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\



PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*google*" | Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation, Publisher


DisplayName     : Google Chrome
DisplayVersion  : 99.0.4844.84
InstallDate     : 20220331
InstallLocation : C:\Program Files (x86)\Google\Chrome\Application
Publisher       : Google LLC 

Programs installed as native 64-bit applications are listed under the key without Wow6432Node. Programs installed for the current user only (common for per-user installers that need no administrator rights) are registered under the same relative path in HKCU instead, so all three locations should be collected.


HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\



PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*google*" | Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation, Publisher


DisplayName     : Backup and Sync from Google
DisplayVersion  : 3.57.4043.4118
InstallDate     : 20211026
InstallLocation :
Publisher       : Google, Inc.

DisplayName     : Google Drive
DisplayVersion  : 56.0.11.0
InstallDate     :
InstallLocation : C:\Program Files\Google\Drive File Stream\56.0.11.0\GoogleDriveFS.exe
Publisher       : Google LLC
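The following function is an added example, not part of the original post: it gathers one unified inventory from the 64-bit, 32-bit and per-user Uninstall keys described above, which avoids the Win32_Product side effects, and then pulls out entries whose install location or uninstall command points into a user-writable directory. The evidence path D:\installed_programs.csv is an assumption.

```powershell
# Added example (not from the original post): inventory installed programs from
# the three Uninstall keys instead of Win32_Product, which triggers an MSI
# consistency check of every package and writes MsiInstaller events to the
# Application log on the system being examined. Assumes Windows PowerShell 5.1+.
function Get-InstalledProgram {
    [CmdletBinding()]
    param(
        # Optional CSV on the evidence drive (the D: path used below is an assumption)
        [string]$OutCsv
    )

    $keys = @(
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'Machine (64-bit)' }
        @{ Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'; Scope = 'Machine (32-bit)' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'Current user' }
    )

    $programs = foreach ($k in $keys) {
        Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |      # keys without DisplayName are patches/components
            ForEach-Object {
                [pscustomobject]@{
                    Scope           = $k.Scope
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    InstallDate     = $_.InstallDate
                    InstallLocation = $_.InstallLocation
                    UninstallString = $_.UninstallString
                    RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
    }

    $programs = $programs | Sort-Object DisplayName
    if ($OutCsv) { $programs | Export-Csv -Path $OutCsv -NoTypeInformation }
    $programs
}

# Usage: full inventory to the evidence drive, then a triage view of anything whose
# files or uninstall command live in a user-writable location.
$all = Get-InstalledProgram -OutCsv 'D:\installed_programs.csv'
$all | Where-Object {
    ($_.InstallLocation + $_.UninstallString) -match '\\(Users|ProgramData|Temp)\\'
} | Format-Table Scope, DisplayName, Publisher, InstallDate, UninstallString -AutoSize -Wrap
```

The RegistryKey column keeps the full key path for each entry so that a suspicious program can be tied back to the exact registry value later without re-running the query on the live system.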

OS Build and HotFixes

In addition to the list of installed programs and their versions, the incident responder will usually want the OS build number and the installed hotfixes, since together they bound which known vulnerabilities the host could have been exposed to.


To get the OS release version of the current system, read the ReleaseId value under the CurrentVersion key. Note that from Windows 10 version 20H2 onwards ReleaseId stays fixed at 2009; the DisplayVersion value in the same key carries the marketing version (20H2, 21H1, and so on):

PS C:\Users\JOSEPH> Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\" | Select-Object ReleaseId

ReleaseId
---------
2009


To obtain the OS build number, use the Get-CimInstance cmdlet against the Win32_OperatingSystem class. LastBootUpTime is worth capturing in the same query, because it anchors the timeline for every other artifact collected:



PS C:\Users\JOSEPH> Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, servicepackmajorversion, BuildNumber, CSName, LastBootUpTime

Caption                 : Microsoft Windows 10 Pro
Version                 : 10.0.10240
servicepackmajorversion : 0
BuildNumber             : 10240
CSName                  : DESKTOP-1B6BSHH
LastBootUpTime          : 6/11/2022 9:58:57 PM


Gathering a list of hotfixes is straightforward with the Get-HotFix cmdlet.  Used without any parameters, it displays every installed hotfix.

PS C:\Users\JOSEPH> Get-HotFix

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
DESKTOP-1B... Update           KB3074678                          8/2/2015 12:00:00 AM
DESKTOP-1B... Security Update  KB3074683                          8/2/2015 12:00:00 AM
DESKTOP-1B... Update           KB3074686                          8/2/2015 12:00:00 AM
DESKTOP-1B... Update           KB3102495     DESKTOP-1B6BSHH\J... 8/1/2020 12:00:00 AM
DESKTOP-1B... Update           KB3125217     NT AUTHORITY\SYSTEM  1/18/2020 12:00:00 AM
DESKTOP-1B... Update           KB3151900     DESKTOP-1B6BSHH\J... 11/23/2020 12:00:00 AM
DESKTOP-1B... Update           KB3161102     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update  KB3172729     NT AUTHORITY\SYSTEM  1/25/2020 12:00:00 AM
DESKTOP-1B... Update           KB3173427     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Update           KB4021701     NT AUTHORITY\SYSTEM  1/11/2020 12:00:00 AM
DESKTOP-1B... Update           KB4033631     NT AUTHORITY\SYSTEM  1/18/2020 12:00:00 AM
DESKTOP-1B... Update           KB4134662     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update  KB4022727     NT AUTHORITY\SYSTEM  1/22/2020 12:00:00 AM


If there is a specific hotfix of interest, simply add its ID after the cmdlet:

PS C:\Users\JOSEPH> Get-HotFix KB4022727

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
DESKTOP-1B... Security Update  KB4022727     NT AUTHORITY\SYSTEM  1/22/2020 12:00:00 AM


You may also wish to list the hotfixes installed within a given timeframe:


PS C:\Users\JOSEPH> Get-HotFix | where InstalledOn -gt (get-date 2020/01/01) | where InstalledOn -lt (get-date 2020/12/31)

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
DESKTOP-1B... Update           KB3102495     DESKTOP-1B6BSHH\J... 8/1/2020 12:00:00 AM
DESKTOP-1B... Update           KB3125217     NT AUTHORITY\SYSTEM  1/18/2020 12:00:00 AM
DESKTOP-1B... Update           KB3151900     DESKTOP-1B6BSHH\J... 11/23/2020 12:00:00 AM
DESKTOP-1B... Update           KB3161102     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update  KB3172729     NT AUTHORITY\SYSTEM  1/25/2020 12:00:00 AM
DESKTOP-1B... Update           KB3173427     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Update           KB4021701     NT AUTHORITY\SYSTEM  1/11/2020 12:00:00 AM
DESKTOP-1B... Update           KB4033631     NT AUTHORITY\SYSTEM  1/18/2020 12:00:00 AM
DESKTOP-1B... Update           KB4134662     NT AUTHORITY\SYSTEM  1/17/2020 12:00:00 AM
DESKTOP-1B... Security Update  KB4022727     NT AUTHORITY\SYSTEM  1/22/2020 12:00:00 AM       


The above command lists the hotfixes installed between Jan 1 and Dec 31, 2020.


Running Processes

The Get-Process cmdlet returns a listing of running processes on a system.


PS C:\Users\JOSEPH> Get-Process

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    275      20    28952      11260   104     8.94   1056 AnyDesk
    234      17    28984      10384   112     0.86   4924 AnyDesk
    264      16    12268      23772 ...71     5.34   7600 ApplicationFrameHost
    102       7     1820       4512   113            2028 armsvc
    343      20     5196      14892   178     0.59    536 browser_assistant
    148      13     3404       7400   160     0.17   6844 browser_assistant
    277      14     4272      13188 ...51     0.63   9036 browser_broker
    562      33    34008      37256 ...08   143.84   6960 CCleaner64
     39       4     1580       2584 ...69     0.09   8460 cmd
    329      25    13668      23328   113             440 CodeMeter   


To look at a single process from the listing above, filter on its process ID (PID). Note that Path is empty in the output below: Get-Process can only report the path when the shell has access to the process, which is commonly not the case for an elevated process queried from a non-elevated shell. Run the collection from an elevated shell to avoid such gaps.



PS C:\Users\JOSEPH> Get-Process | Select-Object StartTime, ProcessName, ID, Path | where id -eq 6960

StartTime             ProcessName   Id Path
---------             -----------   -- ----
6/11/2022 10:02:05 PM CCleaner64  6960     


The Get-Process cmdlet, however, lacks details such as the parent process ID and the command-line arguments the process was started with.  For these, the Get-CimInstance cmdlet with the Win32_Process class comes in handy once again.

PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessName, ProcessID, CommandLine, ParentProcessId | where ProcessID -eq 6960

CreationDate    : 6/11/2022 10:02:05 PM
ProcessName     : CCleaner64.exe
ProcessID       : 6960
CommandLine     :
ParentProcessId : 6932
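Resolving the parent PID to a name for every process at once, and keeping the command line and owner alongside it, turns the single lookup above into a process tree that can be reviewed offline. The function below is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later in an elevated shell, and the D: evidence path is an assumption.

```powershell
# Added example (not from the original post): a parent/child view of every
# process from Win32_Process, with owner and command line, which Get-Process
# does not expose. Assumes Windows PowerShell 5.1+ in an elevated shell and an
# evidence drive mounted as D: (both assumptions).
function Get-ProcessTreeInfo {
    $procs = Get-CimInstance -ClassName Win32_Process
    # Index by PID so each parent lookup is a hash probe, not a nested loop
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'
        # PIDs are reused: a "parent" created after its child is not the real parent
        if ($parent -and -not ($parent.CreationDate -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate)) {
            $parentName = $parent.Name
        }

        # GetOwner fails for protected and system processes; record null rather than stop
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }

        [pscustomobject]@{
            CreationDate = $p.CreationDate
            ProcessId    = $p.ProcessId
            Name         = $p.Name
            ParentPid    = $p.ParentProcessId
            ParentName   = $parentName
            Owner        = $owner
            Path         = $p.ExecutablePath
            CommandLine  = $p.CommandLine
        }
    }
}

$tree = Get-ProcessTreeInfo

# Whole tree to the evidence drive
$tree | Export-Csv -Path 'D:\process_tree.csv' -NoTypeInformation

# Triage view: children of the hosts attackers most often launch payloads from,
# plus anything executing out of a user-writable location.
$tree | Where-Object {
    ($_.ParentName -in 'cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','winword.exe','excel.exe','outlook.exe') -or
    ($_.Path -match '\\(Users|ProgramData|Temp)\\')
} | Format-Table CreationDate, ProcessId, Name, ParentName, Owner, CommandLine -AutoSize -Wrap
```

A parent shown as <exited> means the parent is gone or its PID has already been handed to a newer process; both are normal for short-lived launchers, but an <exited> parent on a long-running process with a command line is worth a second look.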


Services

Getting a list of services can be done in a number of ways via PowerShell. One approach is to use the Get-Service cmdlet:



PS C:\Users\JOSEPH> Get-Service | Select-Object Name, DisplayName, Status, StartType

Name                                     DisplayName                                                     Status StartType
----                                     -----------                                                     ------ ---------
AdobeARMservice                          Adobe Acrobat Update Service                                   Running Automatic
AdobeFlashPlayerFeedbackSvc              Adobe Flash Player Feedback Service                            Running Automatic
AJRouter                                 AllJoyn Router Service                                         Stopped    Manual
ALG                                      Application Layer Gateway Service                              Stopped    Manual
AnyDesk                                  AnyDesk Service                                                Running Automatic
AppIDSvc                                 Application Identity                                           Stopped    Manual
Appinfo                                  Application Information                                        Running    Manual
AppMgmt                                  Application Management                                         Stopped    Manual

Get-Service, however, omits several attributes an investigator wants: the executable the service launches, the account it runs under, and whether it runs in its own process or in a shared svchost.exe host.  For this information, use the Get-CimInstance cmdlet with the Win32_Service class.


PS C:\Users\JOSEPH> Get-CimInstance Win32_Service | Select-Object Name, DisplayName, StartMode, State, PathName, StartName, ServiceType

Name        : AdobeARMservice
DisplayName : Adobe Acrobat Update Service
StartMode   : Auto
State       : Running
PathName    : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
StartName   : LocalSystem
ServiceType : Own Process

Name        : AdobeFlashPlayerFeedbackSvc
DisplayName : Adobe Flash Player Feedback Service
StartMode   : Auto
State       : Running
PathName    : C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerFeedbackService.exe
StartName   : LocalSystem
ServiceType : Own Process

Name        : AJRouter
DisplayName : AllJoyn Router Service
StartMode   : Manual
State       : Stopped
PathName    : C:\Windows\system32\svchost.exe -k LocalService
StartName   : NT AUTHORITY\LocalService
ServiceType : Share Process
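The PathName and StartName attributes are exactly what a triage check should key on. The function below is an added example, not part of the original post: it walks Win32_Service and reports services whose binary lives outside the Windows directory, whose image path is unquoted and contains spaces (Windows then tries each prefix in turn, so a planted C:\Program.exe would be started instead), or which run under an account other than the built-in service identities. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): flag services worth a closer look
# based on the Win32_Service attributes shown above. Assumes Windows PowerShell 5.1+.
function Get-SuspiciousService {
    # Binaries under %SystemRoot% (literal or expanded) are treated as expected
    $windir    = [regex]::Escape($env:SystemRoot)
    $inWindows = '^"?(%SystemRoot%|' + $windir + ')\\'

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path    = $_.PathName
        $reasons = @()

        if ($path -and $path -notmatch $inWindows) {
            $reasons += 'binary outside %SystemRoot%'
        }
        # Unquoted image path with a space before the .exe: the service control manager
        # tries "C:\Program.exe", "C:\Program Files\Some.exe", ... in order.
        if ($path -and $path -notmatch '^"' -and $path -match '^(.*?\.exe)' -and $matches[1] -match ' ') {
            $reasons += 'unquoted image path with spaces'
        }
        if ($_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
            $reasons += "runs as $($_.StartName)"
        }

        if ($reasons) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                StartName   = $_.StartName
                ServiceType = $_.ServiceType
                PathName    = $path
                Reasons     = $reasons -join '; '
            }
        }
    }
}

$flagged = Get-SuspiciousService
$flagged | Export-Csv -Path 'D:\services_flagged.csv' -NoTypeInformation   # evidence path is an assumption
$flagged | Format-Table Name, State, StartMode, StartName, Reasons, PathName -AutoSize -Wrap
```

Third-party software legitimately trips the first rule (the Adobe and AnyDesk services above are examples), so the output is a review list, not a verdict; the value is that it is short and that every entry states why it is there.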


Logged On Users

The Get-CimInstance cmdlet used with the Win32_ComputerSystem class returns the currently logged-on user (the interactive console user only; sessions connected over RDP or the network are not reported by this property) as well as a few more attributes that may be handy to an incident responder.



PS C:\Users\JOSEPH> Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, UserName, PrimaryOwnerName, Domain, TotalPhysicalMemory, Model, Manufacturer


Name                : DESKTOP-1B6BSHH
UserName            : DESKTOP-1B6BSHH\JOSEPH
PrimaryOwnerName    : JOSEPH
Domain              : WORKGROUP
TotalPhysicalMemory : 4135960576
Model               : HP 250 G5 Notebook PC
Manufacturer        : HP  


Scheduled Tasks and Scheduled Jobs

To view all scheduled tasks on a system, use the Get-ScheduledTask cmdlet.  There are a significant number of scheduled tasks found out-of-the-box on any given Windows system.  Collecting them all across the environment may be a good baselining effort; however, for the purposes of finding evil in a scenario where a good baseline has not been established, filtering out some of this noise is ideal.


PS C:\Users\JOSEPH>  Get-ScheduledTask | Select-Object TaskName, TaskPath, Date, Author, Actions, Triggers, Description, State | where Author -NotLike 'Microsoft*' | where Author -ne $null | where Author -NotLike '*@%SystemRoot%\*'


TaskName    : Adobe Acrobat Update Task
TaskPath    : \
Date        :
Author      : Adobe Systems Incorporated
Actions     : {MSFT_TaskExecAction}
Triggers    : {MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger}
Description : This task keeps your Adobe Reader and Acrobat applications up to date with the latest enhancements and
              security fixes
State       : Ready

TaskName    : CCleanerSkipUAC - JOSEPH
TaskPath    : \
Date        :
Author      : Piriform Software Ltd
Actions     : {MSFT_TaskExecAction}
Triggers    :
Description :
State       : Ready

TaskName    : Opera scheduled assistant Autoupdate 1615156303
TaskPath    : \
Date        :
Author      : DESKTOP-1B6BSHH\JOSEPH
Actions     : {MSFT_TaskExecAction}
Triggers    : {MSFT_TaskDailyTrigger, MSFT_TaskLogonTrigger}
Description : Keeps Opera Browser Assistant up to date
State       : Ready

TaskName    : Opera scheduled Autoupdate 1615156210
TaskPath    : \
Date        :
Author      : DESKTOP-1B6BSHH\JOSEPH
Actions     : {MSFT_TaskExecAction}
Triggers    : {MSFT_TaskDailyTrigger, MSFT_TaskLogonTrigger}
Description : Keeps Opera up to date.
State       : Ready

TaskName    : smadav
TaskPath    : \
Date        :
Author      : JOSEPH
Actions     : {MSFT_TaskExecAction}
Triggers    : {MSFT_TaskLogonTrigger}
Description : Smadav
State       : Ready

TaskName    : Start Driver Reviver Check Driver Update
TaskPath    : \
Date        :
Author      : ReviverSoft
Actions     : {MSFT_TaskExecAction}
Triggers    : {MSFT_TaskTimeTrigger}
Description :
State       : Ready  


To obtain the full definition of a given task, use the Export-ScheduledTask cmdlet, which outputs the task as XML, including the principal it runs as, the run level, and the exact command and arguments:


PS C:\Users\JOSEPH> Export-ScheduledTask -TaskName smadav
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>JOSEPH</Author>
    <Description>Smadav</Description>
    <URI>\smadav</URI>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-567446565-752261182-456724567-1002</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
  </Settings>
  <Triggers>
    <LogonTrigger />
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Smadav\SMΔRTP.exe</Command>
      <Arguments>rtp</Arguments>
      <WorkingDirectory>C:\Program Files (x86)\Smadav</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
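Exporting tasks one at a time does not scale when a host has dozens of non-Microsoft entries. The function below is an added example, not part of the original post: it applies the same Author filter as above but expands each action into the command actually executed, adds the principal and run level that otherwise only appear in the XML, and pulls last/next run times from Get-ScheduledTaskInfo. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the D: evidence path is an assumption.

```powershell
# Added example (not from the original post): non-Microsoft scheduled tasks with
# the resolved command, principal and run history. Assumes the ScheduledTasks
# module (Windows 8 / Server 2012 and later).
function Get-TaskTriage {
    Get-ScheduledTask | Where-Object {
        $_.Author -and $_.Author -notlike 'Microsoft*' -and $_.Author -notlike '*@%SystemRoot%\*'
    } | ForEach-Object {
        $task = $_
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        # One row per action: a task may run several commands
        foreach ($action in $task.Actions) {
            # Exec actions carry a command; COM-handler actions only expose a CLSID
            $command = if ($action.Execute) {
                "$($action.Execute) $($action.Arguments)".Trim()
            } else {
                "COM handler $($action.ClassId)"
            }
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                RunLevel    = $task.Principal.RunLevel
                Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Command     = $command
                WorkingDir  = $action.WorkingDirectory
                LastRunTime = $info.LastRunTime
                LastResult  = $info.LastTaskResult
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

$tasks = Get-TaskTriage
$tasks | Export-Csv -Path 'D:\scheduled_tasks.csv' -NoTypeInformation   # evidence path is an assumption

# Tasks that launch a script host or anything out of a user-writable directory
$tasks | Where-Object { $_.Command -match '\\(Users|ProgramData|Temp)\\|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32' } |
    Format-Table TaskName, RunAs, RunLevel, LastRunTime, Command -AutoSize -Wrap
```

The smadav task above would show up with RunLevel Highest and Command "C:\Program Files (x86)\Smadav\SMΔRTP.exe rtp", which is the combination (highest privileges, logon trigger, third-party author) that deserves the most scrutiny when the software is not expected on the host.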


Scheduled jobs are a little different from scheduled tasks.  They are specific to PowerShell and can be thought of as a "hybrid of background jobs and scheduled tasks".  They are provided by the PSScheduledJob module, which ships with Windows PowerShell but not with PowerShell 7, and every scheduled job is registered as an ordinary scheduled task under the \Microsoft\Windows\PowerShell\ScheduledJobs\ path, so they also appear in Get-ScheduledTask output.  First, use the Get-ScheduledJob cmdlet to see a listing of scheduled jobs on a system.


PS C:\Users\JOSEPH>  Get-ScheduledJob


The results of a scheduled job are saved to disk, under the registering user's $HOME\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs folder.  To view them, start with the Get-Job cmdlet; note that Get-Job only lists scheduled job instances once the PSScheduledJob module has been imported into the session.  Once a job has completed, its results can be collected with the Receive-Job cmdlet.


USB Device Usage

Obtaining the list of USB devices that have been connected can be important when performing forensic investigations or incident response, both to determine whether information was exfiltrated from the system and to establish whether a USB device was the source of a malware infection. The first step is to find which USB storage devices the system has ever enumerated; their entries persist under the USBSTOR registry key after the device is removed. The necessary PowerShell command is shown below.


PS C:\Users\JOSEPH> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName

FriendlyName
------------
General USB Flash Disk USB Device
Generic Flash Disk USB Device
Generic Mass-Storage USB Device
WD Elements 25A2 USB Device
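FriendlyName alone does not identify a device. The function below is an added example, not part of the original post: it parses the USBSTOR key names into vendor, product and revision, takes the serial number from the instance subkey, and flags serials that Windows generated itself (an ampersand in the second position) because those cannot be matched across hosts. It assumes the key layout USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>, and the D: evidence path is an assumption.

```powershell
# Added example (not from the original post): parse USBSTOR entries into
# vendor/product/revision/serial. Assumed key layout:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# A serial whose second character is '&' was generated by Windows because the
# device reported none, so it is not a stable identifier for that device.
function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceKey = $_
        $parts = @{}
        foreach ($segment in ($deviceKey.PSChildName -split '&')) {
            if ($segment -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$matches[1]] = $matches[2] }
        }
        Get-ChildItem -Path $deviceKey.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $inst   = Get-ItemProperty -Path $_.PSPath
            $serial = ($_.PSChildName -split '&')[0]
            [pscustomobject]@{
                Class        = ($deviceKey.PSChildName -split '&')[0]
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Revision     = $parts['Rev']
                Serial       = $serial
                SerialIsFake = ($_.PSChildName.Length -gt 1 -and $_.PSChildName[1] -eq '&')
                FriendlyName = $inst.FriendlyName
                ContainerID  = $inst.ContainerID
                Service      = $inst.Service
            }
        }
    }
}

$usb = Get-UsbStorageHistory
$usb | Export-Csv -Path 'D:\usbstor.csv' -NoTypeInformation   # evidence path is an assumption
$usb | Format-Table Vendor, Product, Serial, SerialIsFake, FriendlyName -AutoSize
```

The Serial column is the value to search for on other hosts and in DLP or endpoint logs when tracing where a particular drive has been plugged in.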

Event Logs

The Get-EventLog cmdlet is also useful for acquiring events from the classic event logs (Application, System, Security and the other logs visible to the legacy API). It cannot read the Applications and Services logs, and it has been removed from PowerShell 7, where Get-WinEvent must be used instead. The commands below show several usage examples; each names a different log and requests the newest 20 events. Reading the Security log requires administrative privileges.

Get-EventLog -LogName system -Newest 20
Get-EventLog -LogName application -Newest 20
Get-EventLog -LogName security -Newest 20



According to the excerpt of the Get-Help Get-EventLog result shown in the figure above, the possible EntryType values are:

  • Error
  • Information
  • Failure Audit
  • Success Audit
  • Warning


Often you only want events of type Error or Warning, filtering out the general informational messages. A more refined command can therefore extract only those entry types and select the properties of each event to display:

PS C:\Users\JOSEPH> Get-EventLog -LogName system -Newest 20 | Select-Object -Property TimeGenerated, Source, EntryType, Message | where {$_.EntryType -eq "warning" -or $_.EntryType -eq "error"}

TimeGenerated         Source                       EntryType Message
-------------         ------                       --------- -------
6/12/2022 1:08:27 AM  Microsoft-Windows-DNS-Client Warning   Name resolution for the name win10.ipv6.microsoft.com. ...
6/12/2022 12:14:10 AM Microsoft-Windows-DNS-Client Warning   Name resolution for the name login.live.com timed out a...
6/12/2022 12:05:06 AM Microsoft-Windows-DNS-Client Warning   Name resolution for the name www.bing.com timed out aft...
6/11/2022 10:42:55 PM Microsoft-Windows-DNS-Client Warning   Name resolution for the name 130.69.63.41.in-addr.arpa....

The Get-WinEvent cmdlet reads events from all event logs, including the Applications and Services logs, and from event tracing (.etl) files. Its -FilterHashtable parameter filters on the log side before events are returned, which is much faster than retrieving everything and filtering with Where-Object. The example below pulls event 4672 (special privileges assigned to a new logon) from the Security log:

Get-WinEvent -FilterHashtable @{Logname='security'; ID=4672} | select TimeCreated,ID,Message | ft -auto -wrap



The StartTime key restricts results to a time window, here the last 24 hours of the System log:

PS C:\Users\JOSEPH> Get-WinEvent -FilterHashtable @{logname='system';starttime=((Get-Date).AddDays(-1))} | Select TimeCreated, ID, Message

TimeCreated             Id Message
-----------             -- -------
6/12/2022 7:58:00 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:53 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:53 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:57:50 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:56:00 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:23 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:23 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:21 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:55:20 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:53:00 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:53 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:53 AM     1 The mfevtp MMS Service entered the running state.
6/12/2022 7:52:49 AM     1 The mfevtp MMS Service entered the running state.    
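The same FilterHashtable approach answers the question an incident responder asks first of the Security log: who logged on, from where, and who failed. The function below is an added example, not part of the original post. It collects events 4624 (successful logon) and 4625 (failed logon) for a time window and reads the fields out of each event's XML instead of parsing the Message text, then summarises failures by account and source and lists remote successes. It requires an elevated shell; the D: evidence path is an assumption.

```powershell
# Added example (not from the original post): logon successes (4624) and failures
# (4625) from the Security log via Get-WinEvent -FilterHashtable, with fields taken
# from the event XML. Requires an elevated shell; Windows PowerShell 5.1+.
function Get-LogonSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # EventData is a list of <Data Name="..."> nodes; turn it into a lookup table
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Outcome     = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']      # 2 interactive, 3 network, 10 RDP
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Process     = $data['ProcessName']
            SubStatus   = $data['SubStatus']      # 4625 only; 0xC000006A = wrong password
        }
    }
}

$logons = Get-LogonSummary
$logons | Export-Csv -Path 'D:\logons.csv' -NoTypeInformation   # evidence path is an assumption

# Failed logons grouped by account and source address, most frequent first
$logons | Where-Object Outcome -eq 'Failure' |
    Group-Object User, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Successful network or RDP logons from anywhere other than the host itself
$logons | Where-Object {
    $_.Outcome -eq 'Success' -and ($_.LogonType -in '3','10') -and ($_.SourceIp -notin '-','127.0.0.1','::1')
} | Format-Table TimeCreated, User, LogonType, SourceIp, Workstation -AutoSize
```

Reading the XML rather than the Message text keeps the fields stable across Windows languages and versions, where the human-readable message layout changes but the Data element names do not.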

 

File Analysis and Alternate Data Streams

PowerShell also provides a convenient way to view both the streams associated with a file and their contents. Use the Get-Item cmdlet with the '-Stream' parameter and a wildcard '*' to list all streams:


PS C:\Users\JOSEPH> Get-Item D:\forensic_cheatsheet.pdf -Stream *


   FileName: D:\forensic_cheatsheet.pdf

Stream                   Length
------                   ------
:$DATA                   118162  


Because every file on an NTFS volume has a '$DATA' stream, the command can be adjusted slightly to show only the additional streams. The one you will see most often is Zone.Identifier, the "mark of the web" that browsers and mail clients write to downloaded files; it records the security zone and, on recent Windows versions, frequently the source URL as well, which makes it a useful provenance artifact rather than noise.



PS C:\Users\JOSEPH> Get-Item D:\forensic_cheatsheet.pdf -Stream * | where Stream -ne ':$DATA'    


When a stream is identified, the contents can be viewed by using the Get-Content cmdlet: 

Get-Content D:\forensic_cheatsheet.pdf -Stream <identified_stream>
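Checking one file at a time is fine for a known sample; for a download folder or a suspect's profile it is the sweep that matters. The function below is an added example, not part of the original post: it walks a directory tree, reports every stream other than :$DATA, and for Zone.Identifier streams reads the ZoneId and URL fields so the origin of a file is captured in the same pass. The Downloads folder and D: evidence path are assumptions.

```powershell
# Added example (not from the original post): sweep a directory for alternate
# data streams and decode Zone.Identifier where present. Windows PowerShell 5.1+.
function Get-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null; $url = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # INI-style text: [ZoneTransfer] ZoneId=3 ReferrerUrl=... HostUrl=...
                    $ini = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
                    $urls = @()
                    foreach ($line in $ini) {
                        if ($line -match '^ZoneId=(\d+)')            { $zone  = $matches[1] }
                        if ($line -match '^(HostUrl|ReferrerUrl)=') { $urls += $line }
                    }
                    $url = $urls -join ' '
                }
                [pscustomobject]@{
                    File      = $file.FullName
                    Stream    = $_.Stream
                    Length    = $_.Length
                    ZoneId    = $zone        # 3 = Internet, 4 = Restricted sites
                    Source    = $url
                    LastWrite = $file.LastWriteTime
                }
            }
    }
}

$ads = Get-AlternateDataStream -Path "$env:USERPROFILE\Downloads"
$ads | Export-Csv -Path 'D:\ads.csv' -NoTypeInformation   # evidence path is an assumption

# Executable content that arrived from the Internet zone, plus any stream that is
# not Zone.Identifier (a classic place to stash a payload)
$ads | Where-Object {
    ($_.Stream -ne 'Zone.Identifier') -or
    ($_.ZoneId -eq '3' -and $_.File -match '\.(exe|dll|ps1|js|vbs|hta|lnk|iso)$')
} | Format-Table File, Stream, Length, ZoneId, Source -AutoSize -Wrap
```

A stream with a name other than Zone.Identifier can be read with the Get-Content -Stream syntax shown above, and copied to the evidence drive the same way, before the file itself is touched further.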


Raw File Analysis

PowerShell can display a file in hexadecimal with the Format-Hex cmdlet. On Windows PowerShell 5.1 the raw bytes are read with Get-Content and the '-Encoding' parameter set to Byte; PowerShell 7 removed that value and uses -AsByteStream instead.

PS C:\Users\JOSEPH> Get-Content D:\forensic_cheatsheet.pdf -Encoding Byte | Format-Hex

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000   25                                               %

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000   50                                               P

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000   44                                               D

(one such block per byte; the remaining bytes displayed were 46 F, 2D -, 31 1, 2E ., 34 4, 0A ., 25 %, D0 Ð, D4 Ô, C5 Å, D8 Ø, 0A ., and so on through the file)


Each byte gets its own dump block in the example above because Get-Content emits one pipeline object per byte, and Format-Hex formats every input object separately. To get the usual sixteen-bytes-per-row view, pass the whole file as a single byte array by adding -ReadCount 0 to Get-Content, or let Format-Hex read the file itself through its -Path parameter. The format string operator '-f' can also be used to render individual bytes as hex, as the next example shows.


It is also often useful to inspect just the first few bytes of a file, the "magic number", to verify its type independently of its extension. The '-ReadCount' parameter controls how many bytes are returned per object:

PS C:\Users\JOSEPH> $magicBytes = '{0:X2}' -f (Get-Content D:\forensic_cheatsheet.pdf -Encoding Byte -ReadCount 4)
PS C:\Users\JOSEPH> $magicBytes
25 50 44 46
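The point of reading magic bytes during triage is to catch files whose extension lies about their content, for example an .exe renamed to .pdf or a .docm delivered as .txt. The code below is an added example, not part of the original post: it reads the first bytes with .NET so that it behaves the same on Windows PowerShell 5.1 and PowerShell 7 (avoiding the -Encoding Byte versus -AsByteStream difference), compares them against a small table of well-known signatures, and reports files where the detected type and the extension disagree. The D:\collected folder and the signature table are assumptions; the table is short by design and should be extended for the file types a case involves.

```powershell
# Added example (not from the original post): magic-byte detection with a small
# signature table, and a mismatch flag against the file extension. The table
# below is an assumption for the example; extend it as needed.
$Signatures = @(
    @{ Type = 'PE executable';        Ext = 'exe','dll','sys','scr';  Bytes = 0x4D,0x5A }
    @{ Type = 'PDF';                  Ext = 'pdf';                    Bytes = 0x25,0x50,0x44,0x46 }
    @{ Type = 'ZIP / OOXML';          Ext = 'zip','docx','xlsx','jar'; Bytes = 0x50,0x4B,0x03,0x04 }
    @{ Type = 'PNG';                  Ext = 'png';                    Bytes = 0x89,0x50,0x4E,0x47 }
    @{ Type = 'OLE2 (legacy Office)'; Ext = 'doc','xls','msi';        Bytes = 0xD0,0xCF,0x11,0xE0 }
)

function Test-BytePrefix {
    param([byte[]]$Data, [int[]]$Prefix)
    if ($Data.Count -lt $Prefix.Count) { return $false }
    for ($i = 0; $i -lt $Prefix.Count; $i++) {
        if ([int]$Data[$i] -ne $Prefix[$i]) { return $false }
    }
    return $true
}

function Get-FileSignature {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Path,
        [int]$Count = 8
    )
    process {
        # Read the first $Count bytes directly; works on 5.1 and 7 alike
        $buf = New-Object byte[] $Count
        $fs  = [System.IO.File]::OpenRead($Path)
        try { $read = $fs.Read($buf, 0, $Count) } finally { $fs.Dispose() }
        $head = New-Object byte[] $read           # empty file -> empty array
        [Array]::Copy($buf, $head, $read)
        $hex = ($head | ForEach-Object { '{0:X2}' -f $_ }) -join ' '

        $detected = $null
        foreach ($sig in $Signatures) {
            if (Test-BytePrefix -Data $head -Prefix $sig.Bytes) { $detected = $sig; break }
        }
        $ext = [System.IO.Path]::GetExtension($Path).TrimStart('.').ToLower()
        [pscustomobject]@{
            Path      = $Path
            MagicHex  = $hex
            Detected  = if ($detected) { $detected.Type } else { 'unknown' }
            Extension = $ext
            Mismatch  = [bool]($detected -and ($ext -notin $detected.Ext))
        }
    }
}

# Usage: every file under a folder; show those whose content type disagrees with the extension
Get-ChildItem -Path 'D:\collected' -File -Recurse | Select-Object -ExpandProperty FullName |
    Get-FileSignature | Where-Object Mismatch |
    Format-Table Path, Extension, Detected, MagicHex -AutoSize
```

The PDF from the page would come back as MagicHex 25 50 44 46, Detected PDF, Mismatch False; the same bytes in a file named report.exe would set Mismatch to True.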


File Hashing

Proper handling of the files collected and examined during an incident response is essential to the integrity of the case. To prove that a file or artifact has not changed since it was collected, incident handlers record cryptographic hashes using algorithms such as MD5, SHA1 and SHA256.  PowerShell provides this capability with the Get-FileHash cmdlet, whose default algorithm is SHA256. MD5 and SHA1 are no longer collision resistant, so record a SHA256 hash whenever the value must stand up as evidence; an MD5 is still useful for matching against older indicator lists: 

PS C:\Users\JOSEPH> Get-FileHash D:\evidence.log -Algorithm MD5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             9E15166788B9A53F93D25EBB21644F10                                       D:\evidence.log
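Hashing a single file is the last step of a larger routine: copy each artifact to the evidence drive, hash both the original and the copy to prove the transfer was faithful, write a manifest, and finally close the transcript started at the beginning of the session and hash it too. The function below is an added example, not part of the original post, and ties the transcript setup and the hashing section together. The artifact list and the D:\evidence destination are assumptions; it assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the original post): copy artifacts to the evidence
# drive, hash source and copy with SHA-256, and write a manifest plus a hash of
# the manifest itself. Paths below are assumptions for the example.
function Copy-EvidenceFile {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Destination,
        [string]$Algorithm = 'SHA256'
    )
    # Expand directories to their files; warn about anything missing or unreadable
    $files = foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) { Write-Warning "not found or not readable: $p"; continue }
        if ($item.PSIsContainer) {
            Get-ChildItem -LiteralPath $item.FullName -File -Recurse -Force -ErrorAction SilentlyContinue
        } else { $item }
    }

    $records = foreach ($src in $files) {
        # Mirror the source path under the destination: C:\Windows\x -> D:\evidence\C\Windows\x
        $dst = Join-Path $Destination ($src.FullName -replace '^([A-Za-z]):\\', '$1\')
        New-Item -ItemType Directory -Path (Split-Path $dst -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $src.FullName -Destination $dst -Force
        $h1 = (Get-FileHash -LiteralPath $src.FullName -Algorithm $Algorithm).Hash
        $h2 = (Get-FileHash -LiteralPath $dst -Algorithm $Algorithm).Hash
        [pscustomobject]@{
            Source       = $src.FullName
            Copy         = $dst
            Size         = $src.Length
            LastWriteUtc = $src.LastWriteTimeUtc.ToString('o')
            Algorithm    = $Algorithm
            SourceHash   = $h1
            CopyHash     = $h2
            Verified     = ($h1 -eq $h2)
            CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }

    $manifest = Join-Path $Destination 'manifest.csv'
    $records | Export-Csv -Path $manifest -NoTypeInformation
    # Hash of the manifest itself, kept in a separate file for the case notes
    (Get-FileHash -LiteralPath $manifest -Algorithm $Algorithm).Hash |
        Set-Content -Path "$manifest.$($Algorithm.ToLower())"
    $records
}

# Usage: a few commonly collected artifacts (list is an assumption)
$artifacts = @(
    "$env:SystemRoot\System32\drivers\etc\hosts",
    "$env:SystemRoot\Prefetch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
Copy-EvidenceFile -Path $artifacts -Destination 'D:\evidence' |
    Format-Table Source, Size, Verified, SourceHash -AutoSize

# Close the transcript opened at the start of the session and hash it last, so the
# hash covers every command that was run
Stop-Transcript
Get-FileHash -LiteralPath 'D:\evidence.log' -Algorithm SHA256
```

Any row with Verified False means the copy does not match the source (a file that changed mid-copy, or a write error on the evidence drive) and must be re-collected before the drive leaves the scene.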

