Friday, March 4, 2016

Forensic Friday: Get-ForensicChildItem

[This is a continuation of my Forensic Friday series.  Every Friday I provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

 Welcome to another edition of Forensic Friday. I've been incredibly busy this week, but I want to touch on a very useful cmdlet called Get-ForensicChildItem. Those with a PowerShell background can probably guess what Get-ForensicChildItem does. For those that are new to PowerShell Get-ChildItem is the cmdlet that is used for directory listings (among other things). Get-ForensicChildItem performs the same task, but without the Windows API. It parses the Master File Table (MFT) to find the entry for the target directory and outputs a list of files the directory contains.

To understand what is happening it’s important to know that NTFS treats directories just like any other file. This means that directories each have an entry in the MFT. All NTFS does to differentiate a directory file from a data file is flip a bit in a flag field and adds special $INDEX_ROOT and $INDEX_ALLOCATION attributes to the directory file’s MFT entry. Get-ForensicChildItem parses these attributes to return the contents of a directory (including System and Hidden files).

 Common Use

List all children of a directory (example targets the root of the C: volume):
Get-ForensicChildItem -Path C:\

List the children of the current working directory (example uses the C:\temp directory):

Get-ForensicChildItem

Return an MFT entry for every file in a directory (example uses the root directory of the C: volume):

Get-ForensicChildItem -Path C:\ | Get-ForensicFileRecord
Posted by at
Labels: , , ,

23 comments:

  1. CouponforlessSeptember 10, 2019 at 12:18 AM

    Couponforless

    ReplyDelete
  2. CouponforlessJanuary 6, 2020 at 11:25 PM

    Get Up to 30% OFF on your Machines at BikeBandit. Enjoy Now!
    https://couponforless.com/store/bikebandit.com

    ReplyDelete
  3. SarahJanuary 31, 2021 at 4:15 AM

    Instantly this web site will irrefutably frequently end up being notable regarding all weblog consumers, due to diligent reviews as well as checks. Graphics Designing

    ReplyDelete
  4. Bizop1234May 22, 2021 at 12:41 AM

    A good business plan can save you time to succeed. I also have a tutorial page for those who are just start a new business. A very necessary condition for you when starting an idea. Find out about me.

    ReplyDelete
  5. majortotositeproAugust 11, 2021 at 8:26 PM

    Hello, I’m happy to see some great articles on your site. Would you like to come to my site later? My site also has posts, comments and communities similar to yours. Please visit and take a look 메이저사이트


    ReplyDelete
  6. racesiteproAugust 11, 2021 at 8:26 PM

    I would like to thnkx for the efforts you have put in writing this blog. I am hoping the same high-grade blog post from you in the upcoming as well. In fact your creative writing abilities has inspired me to get my own blog now. Really the blogging is spreading its wings quickly. Your write up is a good example of it. 경마

    ReplyDelete
  7. oncasinositenetAugust 11, 2021 at 8:27 PM

    Pretty! This was an extremely wonderful post. Thank you for providing this info 카지노


    ReplyDelete
  8. totopickproAugust 11, 2021 at 8:27 PM

    Wonderful, what a blog it is! This weblog gives useful facts to us, keep it up. 사설토토

    ReplyDelete
  9. oncadaycommSeptember 2, 2021 at 6:46 AM

    this is interesting topic that's needs to be tackle . this site will bring you to the fullest 카지노커뮤니티
    (mm)

    ReplyDelete
  10. crackerrSeptember 22, 2021 at 9:57 AM

    ForensicChildItem performs the same task, but without the Windows API. It parses the Master File Table (MFT) to find the entry for the target directory and outputs a list of files the directory contains. click this site

    ReplyDelete
  11. UnknownSeptember 24, 2021 at 1:54 AM

    Thanks for this great and very informative post share with us
    visit here
    forevercrack.com

    ReplyDelete
  12. SalmanOctober 12, 2021 at 8:44 AM

    Thanks For This Great and Very Informative Post Share With us....

    Activators 4 Windows Free Activators for Windows

    ReplyDelete
  13. crackgurusOctober 13, 2021 at 7:23 AM

    Normally I do not read post on blogs, but I wish to say that this write-up very forced me to try and do it! Your writing style has been surprised me.
    Thanks, very nice article.
    Reloader Activator

    ReplyDelete
  14. MartenJamesJanuary 31, 2022 at 11:36 AM

    This comment has been removed by the author.

    ReplyDelete
  15. Jone MartinJanuary 31, 2022 at 1:47 PM

    I am never read like your blog. It is really informative blog.
    Click here https://samedaygaragedoorservicesga.com/ for Garage Door Repair Services. Our experts provide you reliable service.

    ReplyDelete
  16. MartenJamesFebruary 4, 2022 at 7:24 AM

    Your article provides the complete method of Power Forensics installation.
    From our Bathroom and Kitchen Remodeling Service in Chicago IL you can avail reliable and trusted services.

    ReplyDelete
  17. aeknarinApril 26, 2022 at 1:41 AM

    pgslot รีวิวเกม Wild bandito รีวิวเกมสล็อต Wild Bandito Águila ซึ่งแปลว่า ‘The Eagle’ เป็นทีมโจรเม็กซิกันสามคน ที่ประจำการอยู่ตามแนวชายแดน ของเม็กซิโก พวกเขาปลอมตัว เป็นวงดนตรี จากค่าย เกมสล็อต ค่าย pg

    ReplyDelete
  18. PSW550May 3, 2022 at 4:34 PM

    เกมสล็อต เล่นได้บนมือถือ รูปแบบใหม่ เล่นได้เลยตอนนี้ผ่านเว็บไซต์ PGSLOTGAMES ที่มีให้เล่นมากมาย ทั้งสล็อตออนไลน์ คาสิโนออนไลน์ อาเขต และบิงโก มากกว่า 300 เกม เล่นได้เลยตอนนี้ ผ่านทางเข้า ที่สุดแห่งความพิเศษของ พีจี ทางเข้า PG

    ReplyDelete
  19. slotMay 3, 2022 at 5:19 PM

    มาเป็นส่วนหนึ่งของครอบครัวสล็อตออนไลน์ PGทางเข้า ที่ได้มีกระแสการตอบรับที่ดีที่สุด ด้วยรูปแบบเกมที่สนุก เล่นได้ง่าย ทำกำไรได้มากกว่า สมัครสมาชิก และเล่นเกมกับเราแล้วตอนนี้ ผ่านเว็บไซต์เกมที่ใหม่ที่สุด PGSLOTGAMES เล่นได้ตลอด 24 ชั่วโมง

    ReplyDelete
  20. PhuwadonJuly 17, 2022 at 12:47 AM

    ทางเล่นเข้า pg เกมสล็อตออนไลน์ https://www.pgslot168game.com/login-pgslot/ ฝากได้ไม่มีขั้นต่ำในการฝาก 1 บาท แต่ถ้าเป็นคำแนะนำดีๆ ฝาก 10 บาท ลุ้นอีก 100 บาท จะมีแต่เงื่อนไขการถอนเท่านั้น เพราะเป็นโปรฯ ถอนได้เฉพาะรอบต่อไป แต่ไม่มีปัญหา เพราะทุกเกมของค่าย PG ใช้งานง่าย แถมได้รางวัลง่าย ๆ แค่เล่นสักพักก็รับเงินได้ทันทีแล้ว

    ReplyDelete
  21. mega8989October 10, 2022 at 4:09 AM

    เดิมพันคุ้มค่า คว้ากำไรง่าย จ่ายไม่กั๊กต้อง relax gaming ศูนย์รวมเกมสล็อตออนไลน์จากค่าย ขวัญใจชาวไทยอันดับ 1 แห่งปี 2022

    ReplyDelete
  22. Burgers CookbookMay 4, 2023 at 7:46 PM

    Lovvely post

    ReplyDelete
  23. Alia parkerMay 8, 2023 at 6:24 AM

    Hazard management is a systematic process of identifying, assessing, and controlling or mitigating hazards that may cause harm or damage to people, property, or the environment. Hazards may include physical hazards, such as slips, trips, and falls, chemical hazards, such as exposure to toxic substances, and biological hazards, such as exposure to infectious agents.

    ReplyDelete

Subscribe to: Post Comments (Atom)

- Invoke-IR - By Jared Atkinson -