PowerForensics on PowerShell 5

I am trying to get a handle to a locked file in PowerShell 5. I tried running the Copy-FileRaw cmdlet from PowerForensics, but get a "Could not find the filerecord requested.." error message. Is PowerForensics supported on PowerShell 5?

  • The issue seems like it is related to the FileRecordIndex not being found for certain files, rather than PowerShell 5.

  • Hi psetty,

    PowerForensics is PowerShell v5 compatible, but there may be an anomaly in your Master File Table that I have not come across in my testing.

    There are a couple of things that we can do to try to figure this issue out. First, I want you to determine the MFT Record Index for the file you are trying to copy: Get-FileRecordIndex -Path C:\path\to\your\file. Next, I want you to determine the size of the MFT itself. The cmdlet Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"} will return the DATA attribute for the $MFT file itself, and we can determine the size of the MFT using the RealSize value.

    These values should help us determine where the error is coming from.

  • If that is the case then my previous answer won't work! Let's see if we can pinpoint the error by running Get-FileRecordIndex on each directory leading up to the desired file. Ex. Get-FileRecordIndex -Path C:\ then Get-FileRecordIndex -Path C:\Windows until you get the error.
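The diagnosis described in the two replies above, scripted as an added example (this is not code from the PowerForensics project or from either poster): it sizes the MFT from record 0's DATA attribute, then resolves every ancestor of the target path with Get-FileRecordIndex, root first, and stops at the first component that fails. It assumes the older cmdlet names used in this thread (Get-FileRecord, Get-FileRecordIndex), that they default to the C: volume as they do in the posts, and that MFT records are the NTFS default of 1024 bytes; the "in range" check against the derived record count is an extra sanity check the replies did not ask for.

```powershell
# Added example, not part of the original thread or of PowerForensics itself.
# Walk C:\ -> C:\Users -> ... -> $Path, resolving each directory's MFT record
# index, and report the first component that PowerForensics cannot find.
param(
    [Parameter(Mandatory)] [string] $Path,
    [int] $RecordSize = 1024   # assumption: default NTFS MFT record size in bytes
)

Import-Module PowerForensics

# Build the ancestor chain, root first. Split-Path returns '' for the root,
# which ends the loop.
$chain = New-Object System.Collections.Generic.List[string]
$current = $Path
while ($current) {
    $chain.Insert(0, $current)
    $current = Split-Path -Path $current -Parent
}

# Step 1: size the MFT from record 0's DATA attribute (as in the reply above)
# and derive an approximate record count from RealSize.
$mftData = Get-FileRecord -Index 0 |
    Select-Object -ExpandProperty Attribute |
    Where-Object { $_.Name -eq 'DATA' }
$recordCount = [math]::Floor($mftData.RealSize / $RecordSize)
"MFT RealSize {0} bytes -> about {1} records of {2} bytes" -f `
    $mftData.RealSize, $recordCount, $RecordSize

# Step 2: resolve each ancestor in turn; stop at the first failure so the
# output shows exactly where the lookup breaks down.
foreach ($p in $chain) {
    try {
        $idx = Get-FileRecordIndex -Path $p -ErrorAction Stop
        $range = if ($idx -lt $recordCount) { 'in range' } else { 'OUT OF RANGE' }
        "{0,-8} {1,-13} {2}" -f $idx, $range, $p
    }
    catch {
        "FAILED   {0}: {1}" -f $p, $_.Exception.Message
        break
    }
}
```

Run it as .\Find-RecordGap.ps1 -Path 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\History' (script name is an arbitrary choice); the last successful line before FAILED is the deepest directory PowerForensics can still resolve, which is the value the reply asks for. With the MFT size posted later in this thread (441450496 bytes) the record-count line would report 431104 records, so an index such as 335452 is well inside the MFT; a failure on such an index therefore points at the path-to-record lookup rather than at the MFT bounds.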

  • Jared,

    thanks for your response. The file of interest is the Google Chrome History file. Since it is locked by Google, I am trying to find a way to open it, and figured a raw file handle would be the way to go.

    I went through your suggestions. Get-FileRecordIndex seems to fail on the History file. I tried it on 2 systems and it failed on both. On one, I was able to get the index of the folder the History file exists in, "c:\users\<user>\appdata\local\google\chrome\user data\default", and on the other, I was able to get the index of only "c:\users\<user>\appdata\local\google\chrome\user data".

    I used another tool to get the MFT record number, and tried using Get-ContentRaw -VolumeName C -IndexNumber <indexnumber>, and that did not work either.

    Any suggestions much appreciated.

  • PS C:\Windows\system32> Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"}

    AllocatedSize   : 441450496
    RealSize        : 441450496
    InitializedSize : 441450496
    DataRun         : {PowerForensics.Ntfs.DataRun}
    Name            : DATA
    NameString      :
    AttributeId     : 1

    The History file had an index # of 335452