Type [PowerForensic.Ntfs.FileRecord] not found

secusoc commented 8 years ago

Hi,

Thanks a lot for your tool! I have a problem in the use of "Get-ForensicFileRecord" (error in PowerForensics.psm1: 963: 21) My config:

Win7 Pro SP1 x64
Powershell 4.0
PowerForensic 2.0 (github release: PowerForensics-master)

> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe

Type [PowerForensic.Ntfs.FileRecord] not found. Make sure that the assembly that contains this type is loaded.
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensic.Ntfs.FileRecord] :: Get ($ Path, $ f ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
+ CategoryInfo: InvalidOperation: (PowerForensic.Ntfs.FileRecord: TypeName) [], RuntimeException
+ FullyQualifiedErrorId: TypeNotFound

> $stacktrace

  at System.Management.Automation.TypeOps.ResolveTypeName(ITypeName typeName)
  at System.Management.Automation.Interpreter.FuncCallInstruction`2.Run(InterpretedFrame frame)
  at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

When i try with -AsBytes, no error but i have just the Bytes Array: > Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe -AsBytes

Thanks in advance for your help Regards

jaredcatkinson commented 8 years ago

Thanks for the detailed issue. Looks like there is a typo in the new function ([PowerForensic.Ntfs.FileRecord] instead of [PowerForensics.Ntfs.FileRecord]). I can make an update this evening. In the meantime you should be find if you just add the "s" to PowerForensic on line 963.

secusoc commented 8 years ago

thanks for the quick answer I update with "s" but now another issue:

> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "The readDrive method experienced an IOException. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: IOException

jaredcatkinson commented 8 years ago

Yea sorry this latest version is still a work in progress (completely changed how everything works). For now you have to use \.\C: rather than C: or C (until I add a normalization function).

jaredcatkinson commented 8 years ago

I suspect that is the issue anyway...

secusoc commented 8 years ago

It's working for C: C:\Windows\system32> Get-ForensicFileRecord -Path \.\C:

FullName             : C:\$MFT
Name                 : $MFT
SequenceNumber       : 1
RecordNumber         : 0
ParentSequenceNumber : 5
...

But not if you put a path's file (I try different combination)

Get-ForensicFileRecord -Path \.\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId: Exception

Regards

jaredcatkinson commented 8 years ago

Yea. Looks like i need to go back through and add the logic to a different set of functions :(

On Fri, Dec 2, 2016 at 1:43 AM, secusoc notifications@github.com wrote:

It's working for C: C:\Windows\system32> Get-ForensicFileRecord -Path .\C:

FullName : C:\$MFT Name : $MFT SequenceNumber : 1 RecordNumber : 0 ParentSequenceNumber : 5 ...

But not if you put a path's file (I try different combination)

Get-ForensicFileRecord -Path .\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. " The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
CategoryInfo: NotSpecified: (:) [], MethodInvocationException

FullyQualifiedErrorId: Exception
Regards

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Invoke-IR/PowerForensics/issues/145#issuecomment-264385581, or mute the thread https://github.com/notifications/unsubscribe-auth/AMqcAhwn1UO8rHjYtTQB3sXOcmexvNM3ks5rD74jgaJpZM4LBZ8G .

secusoc commented 8 years ago

While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?

secusoc commented 7 years ago

Hi Jared, Problems with last update:

Still the same issue for FileRecord (just the line number in psm change): Get-ForensicFileRecord -Path .\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
C:\Users\test\Documents\Windows PowerShell\Modules\PowerForensics-master\Modules\ PowerForensics\PowerForensics.psm1: 930: 21
+ Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord] :: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: Exception

Other commands (which were ok) have now 2 issues: Get-ForensicBootSector -Path \.\PHYSICALDRIVE0 Get-ForensicPartitionTable -Path \.\PHYSICALDRIVE0

Type [PowerForensics.BootSector.MasterBootRecord] not found. Make sure that the assembly that contains this type is loaded.
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:605 : 9
+ $ Mbr = [PowerForensics.BootSector.MasterBootRecord] :: Get ($ Path)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
    + CategoryInfo: InvalidOperation: (PowerForensics .... asterBootRecord: TypeName) [], RuntimeException
    + FullyQualifiedErrorId: TypeNotFound
 
Indexing is not possible in a Null array.
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:607:13
+ If ($ mbr.PartitionTable [0] .SystemId -eq 'EFI_GPT_DISK')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~
    + CategoryInfo: InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId: NullArray

Regards

jaredcatkinson commented 7 years ago

Thanks for staying on top of it. I fixed the typos (let me know if you find any more). The issue with the Path parameter will take me a little longer to fix (I need some time to sit down and think about the best way to fix the issue). When you say "While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?" what exactly are you looking for?

secusoc commented 7 years ago

Thanks for the fix.
What i'm looking for with Get-ForensicFileRecord: a) find difference between $STANDARD_INFO and $FN timestamps to validate stomping. b) find if the DATA are resident or nonreisdent in MFT

jaredcatkinson commented 7 years ago

In the interim you can get this information by parsing the entire MFT with Get-ForensicFileRecord and then using Where-Object to find the record you are interested in.

Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

jaredcatkinson commented 7 years ago

You can also automate the comparison of $SI and $FN timestamps by using Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FNBornTime -gt $_.BornTime}

Based on my experience this will have its fair share of false positives though.

secusoc commented 7 years ago

I have the same issue for the 2:

Get-ForensicFileRecord -VolumeName \.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

Exception when calling "GetInstances" with "1" argument (s): "Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex »
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:920 : 21
+                     Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord]:: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

jaredcatkinson commented 7 years ago

looks like you missed the first \ on \.\C:

secusoc commented 7 years ago

I try with \.\C: => it take times.... and same error (PowerForensics.psm1:920 : 21) (I try with: .\C: => error quickly )

secusoc commented 7 years ago

(The message don't show it but i put the 2 slash before ".")

jaredcatkinson commented 7 years ago

yea nevermind. looks like github is cutting off our \\.\C:. Might be something weird about your MFT that is causing and error that I haven't seen yet.

secusoc commented 7 years ago

You're right because i try with D: and it's working... I will check on it thanks again for your help

jaredcatkinson commented 7 years ago

No problem. Is the drive a test machine or a production machine? If it is a test machine, would you be able to share an exported version of the MFT with me?

secusoc commented 7 years ago

I can't it's a production machine. sorry. Do you think it's not a good idea to compare $STD and $FN timestamps (born time) for stomping. why falses positive when $FN are not easy to change in user land?

jaredcatkinson commented 7 years ago

No worries. I've just seen that there are a lot of built in executable that exhibit that same behavior. That being said, I'd be interested to hear what your tests find.

Invoke-IR / PowerForensics

Type [PowerForensic.Ntfs.FileRecord] not found #145