Invoke-IR / PowerForensics

PowerForensics provides an all-in-one platform for live disk forensic analysis
MIT License

Get-ForensicTimeline Amcache Error on Windows 7 #149

Open 6a7067 opened 7 years ago

6a7067 commented 7 years ago

Hello,

When trying to run Get-ForensicTimeline on a Windows 7 machine I get the error:

Exception calling "GetInstances" with "1" argument(s): "The Amcache hive is only available on Windows 8 and newer Operating Systems."

Is this cmdlet only available on Windows 8 and newer OSes? Is there a way to take the Amcache hive parser out?

jaredcatkinson commented 7 years ago

Thank you for bringing this to my attention. The Amcache Hive is first present on Windows 8 and thus would fail on Windows 7, but the error should not be a terminating error (especially on Windows 7) so you can complete your timeline. If possible, can you file an issue with the project as that will let me better track my progress on fixing this issue.

Thanks, Jared

On Wed, Jul 26, 2017 at 9:25 AM, johnpaulglab notifications@github.com wrote:

Hello,

When trying to run Get-ForensicTimeline on a Windows 7 machine I get the error:

Exception calling "GetInstances" with "1" argument(s): "The Amcache hive is only available on Windows 8 and newer Operating Systems."

Is this cmdlet only available on Windows 8 and newer OSes? Is there a way to take the Amcache hive parser out?
