PowerForensics on PowerShell 5

I am trying to get a handle to a locked file in PowerShell 5. I tried running the Copy-FileRaw cmdlet from PowerForensics, but get a "Could not find the filerecord requested.." error message. Is PowerForensics supported on PowerShell 5?

  • Jared,

    Thanks for your response. The file of interest is the Google Chrome history file. Since it is locked by Google, I am trying to find a way to open it, and figured a raw file handle would be the way to go.

    I went through your suggestions. The get-filerecordindex seems to fail on the history file. I tried it on 2 systems and it failed on both. On one, I was able to get the index of the folder the history file exists in, "c:\users\<user>\appdata\local\google\chrome\user data\default", and on the other, I was able to get the index of only "c:\users\<user>\appdata\local\google\chrome\user data".

    I used another tool to get the MFT record number, and tried using Get-ContentRaw -VolumeName C -IndexNumber <indexnumber>, and that did not work either.

    Any suggestions much appreciated.
