PowerForensics is a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system.

The following features are included:

  • DD utility
  • Boot Sector parsing
    • Master Boot Record
    • GUID Partition Table
  • NTFS File System Structure parsing
    • Volume Boot Record ($Boot)
    • $AttrDef
    • $Volume
    • Master File Table
    • UsnJrnl
    • File Slack Space
    • MFT Slack Space
    • Unallocated Space
  • Windows Event Log parsing
  • Windows Registry Hive parsing
    • Registry Keys
    • Registry Values
    • Amcache.hve
    • UserAssist
    • NetworkList
    • TypedUrls
    • System Security Identifier
    • System Timezone
  • Windows Artifact parsing
    • Prefetch
    • Scheduled Job
    • ShellLink
  • Custom binary parsing language called BinShred

There are also a few additional capabilities to copy files in a forensically sound manner. All features are implemented from the ground up and do not rely on the Windows API.

For more information about installing modules from the PowerShell Gallery, see https://www.powershellgallery.com/.

If you wish to install directly from this repository, Jakub Jareš wrote an excellent introduction to module installation, so we've adapted those instructions here for PowerForensics.

To begin, open a web browser and navigate to the main PowerForensics GitHub page. Once there, find the latest release, download PowerForensics.zip, and extract the module into your modules directory.
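The two installation paths described above, from the PowerShell Gallery and from a downloaded release archive, as an added PowerShell example that is not part of the PowerForensics project or this page. The download location of the zip, the per-user module directory and the manifest file name `PowerForensics.psd1` are assumptions; only standard PowerShell cmdlets are used.

```powershell
# Added example (not from the PowerForensics project): install the module either
# from the PowerShell Gallery or from a downloaded release archive, then verify
# what was installed. Set $installFromGallery to choose the path.
$installFromGallery = $true

if ($installFromGallery) {
    # Per-user install needs no administrator rights.
    Install-Module -Name PowerForensics -Scope CurrentUser
}
else {
    # Assumed location of PowerForensics.zip downloaded from the releases page.
    $zip = Join-Path $env:USERPROFILE 'Downloads\PowerForensics.zip'
    if (-not (Test-Path $zip)) { throw "Archive not found: $zip" }

    # Record the archive hash so it can be compared with whatever value the
    # release publishes (this page does not list one) and kept with case notes.
    $archiveHash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    Write-Host "SHA256 of $zip : $archiveHash"

    # Downloads carry a Zone.Identifier stream; left in place, the execution
    # policy may refuse to load the module's scripts. Unblock before extracting.
    Unblock-File -Path $zip

    # Per-user module directory for Windows PowerShell 5.1 (on $env:PSModulePath).
    $moduleRoot = Join-Path $HOME 'Documents\WindowsPowerShell\Modules'
    $dest       = Join-Path $moduleRoot 'PowerForensics'
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Expand-Archive -Path $zip -DestinationPath $dest -Force

    # Unblock extracted files too, in case the zone marker was propagated.
    Get-ChildItem -Path $dest -Recurse -File | Unblock-File

    # The module folder must contain the manifest directly, not nested one level
    # down under a top-level folder from the archive (assumed manifest name).
    $manifest = Get-ChildItem -Path $dest -Recurse -Filter 'PowerForensics.psd1' |
                Select-Object -First 1
    if ($null -eq $manifest) {
        throw "PowerForensics.psd1 not found under $dest; check the archive layout"
    }
    if ($manifest.DirectoryName -ne $dest) {
        Write-Warning "Manifest is nested at $($manifest.DirectoryName); move its contents up to $dest"
    }
}

# Verify: the module is discoverable, loads, and exposes its cmdlets.
Get-Module -ListAvailable -Name PowerForensics |
    Select-Object Name, Version, ModuleBase
Import-Module PowerForensics -ErrorAction Stop
Get-Command -Module PowerForensics | Sort-Object Name | Select-Object Name
```

If `Import-Module` fails with an execution-policy error after a manual install, the unblocking step was skipped or the files were extracted with another tool; re-run `Get-ChildItem -Recurse | Unblock-File` on the module folder rather than lowering the execution policy machine-wide.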

For more information, visit the PowerForensics GitHub repository.