Powerforensics on powershell 5

I am trying to get a handle to a locked file in Powershell 5. I tried running the Copy-FileRaw cmdlet from PowerForensics, but get a "Could not find the filerecord requested.." error message. Is PowerForensics supported on Powershell 5?  

Parents
  • Hi psetty,

    PowerForensics is PowerShell v5 compatible, but there may be an anomaly in your Master File Table that I have not come across in my testing.  

    There are a couple things that we can do to try to figure this issue out.  First I want you to determine the MFT Record Index for the file you are trying to copy Get-FileRecordIndex -Path C:\path\to\your\file.  Next I want you to determine the size of the MFT itself.  The cmdlet Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"}  will return the DATA attribute for the $MFT file itself, and we can determine the size of the MFT using the RealSize value.  

    These values should help us determine where the error is coming from.

Reply
  • Hi psetty,

    PowerForensics is PowerShell v5 compatible, but there may be an anomaly in your Master File Table that I have not come across in my testing.  

    There are a couple things that we can do to try to figure this issue out.  First I want you to determine the MFT Record Index for the file you are trying to copy Get-FileRecordIndex -Path C:\path\to\your\file.  Next I want you to determine the size of the MFT itself.  The cmdlet Get-FileRecord -Index 0 | select -ExpandProperty Attribute | Where-Object {$_.Name -eq "DATA"}  will return the DATA attribute for the $MFT file itself, and we can determine the size of the MFT using the RealSize value.  

    These values should help us determine where the error is coming from.

Children
No Data