Open mr-burnse opened 8 years ago
I should add that, in my scenario...implicit module importing will not work as the target endpoint cannot be aware of any credentials to connect back to the remote server.
Hey Evan,
Thanks for the kind words! I'm glad you are enjoying the project.
I've created a Github project called PowerForensics Portable (https://github.com/Invoke-IR/PowerForensicsPortable), that leverages PowerForensics' public API. One of the cool things about PowerForensics being a .NET assembly is that it is truly a "forensics" library complete with publicly exposed classes and methods.
PowerForensics Portable loads the PowerForensics assembly in memory using the System.Reflection.Assembly class' Load method. The basic idea is that you pass a .NET DLL as a byte array to the Load method and it will load that DLL in memory and expose all public functions. I then wrote a function to replicate each PowerForensics cmdlet's functionality by calling the corresponding public API. For instance, if we want to parse the UsnJrnl, then I can call [PowerForensics.Ntfs.UsnJrnl]::GetInstances('.\C:') which parses the UsnJrnl on the Logical C: volume.
A little known feature (at least something that I just learned about) of Invoke-Command is the ability to run locally defined functions on a remote host. So by importing the PowerForensicsPortable module, you are defining all of the "Portable" functions locally. You can then use Invoke-Command to execute them on a remote system over PowerShell Remoting.
Example:
Invoke-Command -ScriptBlock ${function:Get-ForensicUsnJrnlPortable} -ArgumentList '\\.\C:' -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared
My colleague Matt Graeber also wrote a proxy function for Invoke-Command that leverages PowerShell's AST to dynamically resolve function dependencies. This helps the syntax become a little more straightforward. The Invoke-Command proxy function is included in PowerForensics Portable, so it is there once the module is loaded locally.
Example:
Invoke-Command -ScriptBlock {Get-ForensicUsnJrnlPortable -VolumeName \\.\C:} -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared
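The approach described above, combined with the constraint from the opening post (the target cannot reach back to the analyst's machine), as an added example that is not code from the PowerForensics project or from this thread. It ships the assembly bytes inside the ArgumentList, verifies their hash on the target, then calls the public API the thread names; the DLL file name and the GetInstances(string) signature are assumptions taken from the call shown in the thread.

```powershell
# Added example (not from the PowerForensics project): ship the assembly bytes
# with the call so the remote endpoint needs neither the module nor a path back
# to the analyst's share. Class/method names follow the thread; the DLL file
# name and the GetInstances(string) signature are assumptions.
function Get-ForensicUsnJrnlRemote {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$VolumeName = '\\.\C:',
        # Local path to the PowerForensics assembly (assumed file name).
        [string]$AssemblyPath = '.\PowerForensics.dll'
    )

    # Read the assembly once on the analyst workstation; it travels in the
    # serialized ArgumentList, so the target never has to fetch it.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $AssemblyPath))
    $hash  = (Get-FileHash -Path $AssemblyPath -Algorithm SHA256).Hash

    $remote = {
        param([byte[]]$AssemblyBytes, [string]$ExpectedSha256, [string]$Volume)

        # Confirm the bytes that arrived are the ones we shipped before loading.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $actual = ($sha.ComputeHash($AssemblyBytes) |
                   ForEach-Object { $_.ToString('x2') }) -join ''
        if ($actual -ne $ExpectedSha256.ToLower()) {
            throw "Assembly hash mismatch on $env:COMPUTERNAME"
        }

        # Load the DLL in memory; this exposes its public classes and methods.
        $asm = [System.Reflection.Assembly]::Load($AssemblyBytes)

        # Resolve the type by name rather than writing [PowerForensics.Ntfs.UsnJrnl]
        # literally: the parser would otherwise look the type up before Load ran.
        $type = $asm.GetType('PowerForensics.Ntfs.UsnJrnl')
        $type.GetMethod('GetInstances', [type[]]@([string])).Invoke($null, @($Volume))
    }

    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ScriptBlock $remote -ArgumentList $bytes, $hash, $VolumeName
}

# Usage (host and account names taken from the thread):
# Get-ForensicUsnJrnlRemote -ComputerName infected.invoke-ir.com `
#     -Credential (Get-Credential invoke-ir.com\jared)
```

The results come back as deserialized objects over the remoting session, so filter or select on the remote side if the UsnJrnl is large.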
Hi Jared, is your PowerForensicsPortable still an ongoing project? I see the last update was 10 months ago and some of the artifact acquisition is not there; are you planning on adding it? Amazing job on those tools, truly very helpful.
This is a really great project! I'm looking at potentially incorporating some of its functionality in a project I've been working on. In my case I need to execute these functions on remote endpoints (via PS Remoting) that will not have the module locally imported. Any thoughts on how I might accomplish this? The PS Remoting session is established with C# & the System.Management.Automation library. Cheers!