Invoke-IR / PowerForensics

PowerForensics provides an all in one platform for live disk forensic analysis
MIT License

PowerShell Remoting Usage #143

Open mr-burnse opened 8 years ago

mr-burnse commented 8 years ago

This is a really great project! I'm looking at potentially incorporating some of its functionality in a project I've been working on. In my case I need to execute these functions on remote endpoints (via PS Remoting) that will not have the module locally imported. Any thoughts on how I might accomplish this? The PS Remoting session is established with C# & the System.Management.Automation library. Cheers!

mr-burnse commented 8 years ago

I should add that, in my scenario...implicit module importing will not work as the target endpoint cannot be aware of any credentials to connect back to the remote server.

jaredcatkinson commented 8 years ago

Hey Evan,

Thanks for the kind words! I'm glad you are enjoying the project.

I've created a Github project called PowerForensics Portable (https://github.com/Invoke-IR/PowerForensicsPortable), that leverages PowerForensics' public API. One of the cool things about PowerForensics being a .NET assembly is that it is truly a "forensics" library complete with publicly exposed classes and methods.

PowerForensics Portable loads the PowerForensics assembly in memory using the System.Reflection.Assembly class' Load method. The basic idea is that you pass a .NET DLL as a byte array to the Load method and it will load that DLL in memory and expose all public functions. I then wrote a function to replicate each PowerForensics cmdlet's functionality by calling the corresponding public API. For instance, if we want to parse the UsnJrnl, then I can call [PowerForensics.Ntfs.UsnJrnl]::GetInstances('.\C:') which parses the UsnJrnl on the Logical C: volume.

A little known feature (at least something that I just learned about) of Invoke-Command is the ability to run locally defined functions on a remote host. So by importing the PowerForensicsPortable module, you are defining all of the "Portable" functions locally. You can then use Invoke-Command to execute them on a remote system over PowerShell Remoting.

Example: Invoke-Command -ScriptBlock ${function:Get-ForensicUsnJrnlPortable} -ArgumentList '\\.\C:' -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared

My colleague Matt Graeber also wrote a proxy function for Invoke-Command that leverages PowerShell's AST to dynamically resolve function dependencies. This helps the syntax become a little more straightforward. The Invoke-Command proxy function is included in PowerForensics Portable, so it is there once the module is loaded locally.

Example: Invoke-Command -ScriptBlock {Get-ForensicUsnJrnlPortable -VolumeName \\.\C:} -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared
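The in-memory load plus locally defined function pattern described above, as an added example that is not part of the thread or of the PowerForensics/PowerForensicsPortable code. It assumes the PowerForensics DLL sits at an analyst-side path (placeholder `C:\Tools\PowerForensics\PowerForensics.dll`) and reuses the `[PowerForensics.Ntfs.UsnJrnl]::GetInstances` API and the `infected.invoke-ir.com` host name from the comment.

```powershell
# Added example (not from the project or the thread). Assumed values:
# $AssemblyPath is a placeholder location on the analyst workstation.
param(
    [string]$RemoteHost   = 'infected.invoke-ir.com',                  # host named in the thread
    [string]$AssemblyPath = 'C:\Tools\PowerForensics\PowerForensics.dll' # assumed local path
)

# 1. Read the assembly into a byte array on the analyst side. The bytes travel
#    inside the remoting session, so the endpoint never needs the module on disk
#    and never needs credentials to fetch it from the analyst (the constraint
#    raised in the issue).
$dllBytes = [System.IO.File]::ReadAllBytes($AssemblyPath)

# 2. Define the acquisition function locally. Everything it needs arrives as
#    parameters, so ${function:...} can be shipped as the remote script block.
function Get-RemoteUsnJrnl {
    param(
        [Parameter(Mandatory)][byte[]]$AssemblyBytes,
        [string]$VolumeName = '\\.\C:'
    )
    # Load the library from memory: System.Reflection.Assembly.Load(byte[]),
    # the same mechanism PowerForensics Portable uses.
    [System.Reflection.Assembly]::Load($AssemblyBytes) | Out-Null
    # Call the public API the Get-ForensicUsnJrnl cmdlet wraps (named in the thread).
    [PowerForensics.Ntfs.UsnJrnl]::GetInstances($VolumeName)
}

# 3. Run the locally defined function on the endpoint over PS Remoting.
#    The comma operator keeps $dllBytes as a single byte[] argument rather
#    than unrolling it into thousands of positional bytes.
$session = New-PSSession -ComputerName $RemoteHost
try {
    $entries = Invoke-Command -Session $session `
        -ScriptBlock ${function:Get-RemoteUsnJrnl} `
        -ArgumentList $dllBytes, '\\.\C:'
}
finally {
    Remove-PSSession -Session $session
}

# Results come back as deserialized objects; show a compact view for triage.
$entries | Select-Object -First 20 | Format-Table -AutoSize
```

Add `-Credential` to `New-PSSession` exactly as in the examples above when the analyst account differs from the current one; the DLL bytes and the volume name are the only things passed to the endpoint.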

sahar55 commented 7 years ago

Hi Jared, is your PowerForensicsPortable still an ongoing project? I see the last update was 10 months ago and some of the artifact acquisition is not there, are you planning on adding it? Amazing job on those tools, truly very helpful