
PowerForensics v1.0

@jaredcatkinson jaredcatkinson released this 18 Nov 19:18
· 118 commits to master since this release

This is the official release of PowerForensics, a PowerShell module for performing hard drive forensic analysis.

The following features are included in this release:

  • DD utility
  • Boot Sector parsing
    • Master Boot Record
    • GUID Partition Table
  • NTFS File System Structure parsing
    • Volume Boot Record ($Boot)
    • $AttrDef
    • $Volume
    • Master File Table
    • UsnJrnl
    • File Slack Space
    • MFT Slack Space
    • Unallocated Space
  • Windows Event Log parsing
  • Windows Registry Hive parsing
    • Registry Keys
    • Registry Values
    • Amcache.hve
    • UserAssist
    • NetworkList
    • TypedUrls
    • System Security Identifier
    • System Timezone
  • Windows Artifact parsing
    • Prefetch
    • Scheduled Job
    • ShellLink
  • Custom binary parsing language called BinShred

There are also additional capabilities for copying files in a forensically sound manner. All features are implemented from the ground up and do not rely on the Windows API.
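As an added illustration of how the parsers listed above fit together in a triage workflow (this script is not part of the PowerForensics project and is not taken from the release notes), the following collects the execution and file-activity artifacts from a live volume into a case folder and records a SHA-256 manifest of the output. It assumes the module is installed and imported, that the session is elevated (raw volume access needs it), and that the cmdlets carry the `Get-Forensic<Artifact>` / `Copy-ForensicFile` names used by PowerForensics; the `-VolumeName` parameter and the hive path are likewise assumptions for illustration.

```powershell
# Added example, not PowerForensics project code. Assumes an elevated session,
# an imported PowerForensics module, and the Get-Forensic* cmdlet naming.
Import-Module PowerForensics

$Volume  = 'C:'
$CaseDir = Join-Path $env:TEMP ('PF-Triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $CaseDir | Out-Null

# Map an output name to the collector that produces it. Each scriptblock is a
# separate unit of work so one failing parser does not abort the whole run.
# Cmdlet names and parameters here are assumptions (see the lead-in).
$Collectors = [ordered]@{
    'Prefetch'      = { Get-ForensicPrefetch      -VolumeName $Volume }   # program execution evidence
    'Amcache'       = { Get-ForensicAmcache }                             # Amcache.hve entries
    'UserAssist'    = { Get-ForensicUserAssist }                          # GUI-launched programs
    'ScheduledJobs' = { Get-ForensicScheduledJob  -VolumeName $Volume }   # persistence via .job files
    'ShellLinks'    = { Get-ForensicShellLink     -VolumeName $Volume }   # recently opened files (.lnk)
    'UsnJrnl'       = { Get-ForensicUsnJrnl       -VolumeName $Volume }   # file create/delete/rename history
}

# Run every collector, write its objects to CSV, and hash the file so the
# evidence can be verified later. Errors are recorded, not swallowed.
$Manifest = foreach ($Name in $Collectors.Keys) {
    $OutFile = Join-Path $CaseDir "$Name.csv"
    try {
        & $Collectors[$Name] | Export-Csv -Path $OutFile -NoTypeInformation
        $Hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        [pscustomobject]@{ Artifact = $Name; File = $OutFile; SHA256 = $Hash; Error = $null }
    }
    catch {
        # A parser that returned nothing leaves no CSV, so Get-FileHash fails here too;
        # that is still worth recording in the manifest.
        [pscustomobject]@{ Artifact = $Name; File = $OutFile; SHA256 = $null; Error = $_.Exception.Message }
    }
}

# Copy a locked registry hive by reading the raw file system rather than the
# Windows API, which is what the release means by a forensically sound copy.
# Copy-ForensicFile and the hive path are assumptions for this example.
$HiveSrc = Join-Path $Volume 'Windows\System32\config\SYSTEM'
$HiveDst = Join-Path $CaseDir 'SYSTEM.hive'
try {
    Copy-ForensicFile -Path $HiveSrc -Destination $HiveDst
    $Manifest += [pscustomobject]@{
        Artifact = 'SYSTEM hive'; File = $HiveDst
        SHA256   = (Get-FileHash -Path $HiveDst -Algorithm SHA256).Hash; Error = $null
    }
}
catch {
    $Manifest += [pscustomobject]@{ Artifact = 'SYSTEM hive'; File = $HiveDst; SHA256 = $null; Error = $_.Exception.Message }
}

$Manifest | Export-Csv -Path (Join-Path $CaseDir 'manifest.csv') -NoTypeInformation
$Manifest | Format-Table -AutoSize
```

The manifest is the part worth keeping with the case: it ties each CSV to the hash it had when it was written, and a `null` hash with a populated `Error` column tells the analyst which artifact was not collected rather than silently leaving a gap.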