Invoke-IR / PowerForensics

PowerForensics provides an all in one platform for live disk forensic analysis
MIT License

`Get-ForensicFileRecord` broken by Windows 11? #168

Open gabriellandau opened 2 years ago

gabriellandau commented 2 years ago

Hello. Get-ForensicFileRecord seems to fail on many paths under C:\Windows on Windows 11. So far in my testing, it works on files elsewhere (such as in C:\Program Files), and on the C:\Windows directory itself.

Those same commands succeed on Windows 10 (scroll down). Do you know what might be wrong? I'd be happy to provide more information to help debug this.

PS C:\Windows\System32> cmd /c ver

Microsoft Windows [Version 10.0.22000.918]
PS C:\Windows\System32> Get-Item C:\Windows

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          9/4/2022   5:36 PM                Windows

PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows"

FullName             : C:\\Windows
Name                 : Windows
SequenceNumber       : 1
RecordNumber         : 1492
ParentSequenceNumber : 5
ParentRecordNumber   : 5
Directory            : True
Deleted              : False
ModifiedTime         : 9/4/2022 9:36:44 PM
AccessedTime         : 9/12/2022 10:19:42 PM
ChangedTime          : 9/4/2022 9:36:44 PM
BornTime             : 6/5/2021 12:01:25 PM
FNModifiedTime       : 6/30/2021 9:47:02 PM
FNAccessedTime       : 6/30/2021 9:47:02 PM
FNChangedTime        : 6/30/2021 9:47:02 PM
FNBornTime           : 6/30/2021 9:47:02 PM

PS C:\Windows\System32> Get-Item C:\Windows\System32

    Directory: C:\Windows

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/12/2022   3:18 PM                System32

PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows\System32"
Get-ForensicFileRecord : Path C:\Windows\System32 not found.
At line:1 char:1
+ Get-ForensicFileRecord -path "C:\Windows\System32"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ForensicFileRecord], Exception
    + FullyQualifiedErrorId : System.Exception,PowerForensics.Cmdlets.GetFileRecordCommand

PS C:\Windows\System32> Get-Item C:\Windows\System32\kernel32.dll

    Directory: C:\Windows\System32

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/4/2022   5:27 PM         786520 kernel32.dll

PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"
Get-ForensicFileRecord : Path C:\Windows\System32\kernel32.dll not found.
At line:1 char:1
+ Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ForensicFileRecord], Exception
    + FullyQualifiedErrorId : System.Exception,PowerForensics.Cmdlets.GetFileRecordCommand

Here are those same commands on Windows 10:

PS C:\WINDOWS\system32> cmd /c ver

Microsoft Windows [Version 10.0.19043.1889]
PS C:\WINDOWS\system32> Get-Item C:\Windows

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/26/2022   1:01 PM                Windows

PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows"

FullName             : C:\\Windows
Name                 : Windows
SequenceNumber       : 2
RecordNumber         : 308097
ParentSequenceNumber : 5
ParentRecordNumber   : 5
Directory            : True
Deleted              : False
ModifiedTime         : 8/26/2022 8:01:04 PM
AccessedTime         : 9/12/2022 10:21:47 PM
ChangedTime          : 8/26/2022 8:01:04 PM
BornTime             : 12/7/2019 9:03:44 AM
FNModifiedTime       : 3/16/2021 11:20:55 PM
FNAccessedTime       : 3/17/2021 1:11:58 PM
FNChangedTime        : 3/16/2021 11:20:55 PM
FNBornTime           : 12/7/2019 9:03:44 AM

PS C:\WINDOWS\system32> Get-Item C:\Windows\System32

    Directory: C:\Windows

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/12/2022   3:19 PM                System32

PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows\System32"

FullName             : C:\\Windows\System32
Name                 : System32
SequenceNumber       : 2
RecordNumber         : 309833
ParentSequenceNumber : 2
ParentRecordNumber   : 308097
Directory            : True
Deleted              : False
ModifiedTime         : 9/12/2022 10:19:50 PM
AccessedTime         : 9/12/2022 10:21:47 PM
ChangedTime          : 9/12/2022 10:19:50 PM
BornTime             : 12/7/2019 9:03:44 AM
FNModifiedTime       : 3/16/2021 10:56:02 PM
FNAccessedTime       : 3/16/2021 10:56:02 PM
FNChangedTime        : 3/16/2021 10:56:02 PM
FNBornTime           : 3/16/2021 10:56:02 PM

PS C:\WINDOWS\system32> Get-Item C:\Windows\System32\kernel32.dll

    Directory: C:\Windows\System32

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         8/18/2022   9:20 AM         766000 kernel32.dll

PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"

FullName             : C:\\Windows\WinSxS\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1889_none_0844957b0bac060e\kernel32.dll
Name                 : kernel32.dll
SequenceNumber       : 1
RecordNumber         : 651723
ParentSequenceNumber : 1
ParentRecordNumber   : 651865
Directory            : False
Deleted              : False
ModifiedTime         : 8/18/2022 4:20:53 PM
AccessedTime         : 9/12/2022 10:21:19 PM
ChangedTime          : 8/26/2022 8:01:16 PM
BornTime             : 8/18/2022 4:20:53 PM
FNModifiedTime       : 8/18/2022 4:20:53 PM
FNAccessedTime       : 8/18/2022 4:20:53 PM
FNChangedTime        : 8/18/2022 4:20:53 PM
FNBornTime           : 8/18/2022 4:20:53 PM
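A triage helper for this kind of report, written here as an added example and not code from PowerForensics or from the reporter: it walks the path one component at a time and records where `Get-ForensicFileRecord -Path` first stops resolving, then lists the file's NTFS hard links with `fsutil hardlink list` so the `FullName` PowerForensics derives from the MFT (the WinSxS name in the Windows 10 output above) can be compared with the queried path. It assumes the PowerForensics module is loaded in an elevated session; `Test-ForensicPathResolution` is a name chosen for this example.

```powershell
# Added diagnostic (not part of PowerForensics): find the first path component that
# Get-ForensicFileRecord cannot resolve, then show the file's NTFS hard links.
function Test-ForensicPathResolution {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    foreach ($p in $Path) {
        $full  = [System.IO.Path]::GetFullPath($p)
        $root  = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')   # e.g. C:
        $parts = $full.Substring($root.Length).Split('\', [StringSplitOptions]::RemoveEmptyEntries)
        $current = "$root\"
        foreach ($part in $parts) {
            $current = Join-Path $current $part
            try {
                $rec = Get-ForensicFileRecord -Path $current -ErrorAction Stop
                [pscustomobject]@{
                    Kind         = 'Component'
                    Path         = $current
                    Resolved     = $true
                    RecordNumber = $rec.RecordNumber
                    FullName     = $rec.FullName    # name PowerForensics built from the MFT record
                }
            } catch {
                [pscustomobject]@{
                    Kind         = 'Component'
                    Path         = $current
                    Resolved     = $false
                    RecordNumber = $null
                    FullName     = $_.Exception.Message
                }
                break   # deeper components cannot resolve once a parent has failed
            }
        }
        # For a regular file, list every NTFS name of the same record. fsutil prints paths
        # relative to the volume root, so the drive letter is prepended for readability.
        if (Test-Path -LiteralPath $full -PathType Leaf) {
            fsutil hardlink list $full | ForEach-Object {
                [pscustomobject]@{
                    Kind         = 'HardLink'
                    Path         = $full
                    Resolved     = $null
                    RecordNumber = $null
                    FullName     = "$root$_"
                }
            }
        }
    }
}

Test-ForensicPathResolution -Path 'C:\Windows\System32\kernel32.dll' | Format-Table -AutoSize
```

On the Windows 10 output above the HardLink rows would include both the `System32` and the `WinSxS` names, which is why the cmdlet reports the WinSxS path for a file opened via `System32`; on the Windows 11 machine the Component rows show exactly where resolution breaks, which is the detail worth attaching to the issue.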