# PowerForensics on PowerShell 5

I am trying to get a handle to a locked file in PowerShell 5. I tried running the Copy-FileRaw cmdlet from PowerForensics, but get a "Could not find the filerecord requested.." error message. Is PowerForensics supported on PowerShell 5?

• The issue seems like it is related to FileRecordIndex not being found for certain files, rather than PowerShell 5.

• Hi psetty,

PowerForensics is PowerShell v5 compatible, but there may be an anomaly in your Master File Table that I have not come across in my testing.

There are a couple things that we can do to try to figure this issue out. First I want you to determine the MFT Record Index for the file you are trying to copy: `Get-FileRecordIndex -Path C:\path\to\your\file`. Next I want you to determine the size of the MFT itself. The cmdlet `Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"}` will return the DATA attribute for the $MFT file itself, and we can determine the size of the MFT using the RealSize value.

These values should help us determine where the error is coming from.

• If that is the case then my previous answer won't work! Let's see if we can pinpoint the error by running Get-FileRecordIndex on each directory leading up to the desired file. Ex. `Get-FileRecordIndex -Path C:\` then `Get-FileRecordIndex -Path C:\Windows` until you get the error.

• Jared,

Thanks for your response. The file of interest is the Google Chrome history file. Since it is locked by Google, I am trying to find a way to open it, and figured a raw file handle would be the way to go.

I went through your suggestions. The get-filerecordindex seems to fail on the history file. I tried it on 2 systems and it failed on both. On one, I was able to get the index of the folder the history file exists in "c:\users\<user>\appdata\local\google\chrome\user data\default", and on the other, I was able to get the index of only "c:\users\<user>\appdata\local\google\chrome\user data".

I used another tool to get the MFT record number, and tried using `Get-ContentRaw -VolumeName C -IndexNumber <indexnumber>`, and that did not work either.

Any suggestions much appreciated.

• `PS C:\Windows\system32> Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"}`

```
AllocatedSize   : 441450496
RealSize        : 441450496
InitializedSize : 441450496
DataRun         : {PowerForensics.Ntfs.DataRun}
Name            : DATA
NameString      :
AttributeId     : 1
```

The History file had an index # of 335452
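
The two checks suggested in this thread (comparing the record index against the MFT size, and resolving each directory on the way to the file) combined into one script, as an added example that is not code from the posters or from PowerForensics. The function names are hypothetical, the cmdlets are used only as they appear in the thread, and the 1024-byte file record size is an assumption (the common NTFS default).

```powershell
# Added example. Get-FileRecordIndex and Get-FileRecord are used exactly as
# written in this thread; the function names below are hypothetical.
# Assumes an elevated prompt with the PowerForensics module already imported.

function Test-MftIndexInRange {
    param(
        [Parameter(Mandatory)][long]$Index,
        [Parameter(Mandatory)][long]$MftRealSize,
        [int]$RecordSize = 1024   # assumption: common NTFS file record size
    )
    # Number of file records the $MFT can hold at its current size.
    $recordCount = [long][math]::Floor($MftRealSize / $RecordSize)
    [pscustomobject]@{
        Index       = $Index
        RecordCount = $recordCount
        InRange     = ($Index -ge 0 -and $Index -lt $recordCount)
    }
}

function Find-FirstUnresolvedPath {
    param([Parameter(Mandatory)][string]$Path)
    # Build the list C:\, C:\a, C:\a\b, ... up to the full path.
    $root    = [System.IO.Path]::GetPathRoot($Path)
    $current = $root
    $paths   = @($root)
    foreach ($part in ($Path.Substring($root.Length) -split '\\' | Where-Object { $_ })) {
        $current = [System.IO.Path]::Combine($current, $part)
        $paths  += $current
    }
    foreach ($p in $paths) {
        try {
            $idx = Get-FileRecordIndex -Path $p -ErrorAction Stop
            [pscustomobject]@{ Path = $p; Index = $idx; Error = $null }
        } catch {
            [pscustomobject]@{ Path = $p; Index = $null; Error = $_.Exception.Message }
            break   # stop at the first component that cannot be resolved
        }
    }
}

# Values posted in the thread: MFT RealSize 441450496, History index 335452.
Test-MftIndexInRange -Index 335452 -MftRealSize 441450496

# On a live system: read RealSize the way the thread does, then walk the path.
$mftData = Get-FileRecord -Index 0 | select -ExpandProperty Attribute |
    Where-Object { $_.Name -eq "DATA" }
Test-MftIndexInRange -Index 335452 -MftRealSize $mftData.RealSize
Find-FirstUnresolvedPath -Path 'C:\path\to\your\file' | Format-Table -AutoSize
```

If the index is reported as in range while the walk stops at a directory, the failure is in resolving that path component rather than in the bounds of the MFT.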