YouTube

Old Dog, New Tricks - Forensics With PowerShell

44CON Information Security Conference via YouTube

Overview

Explore advanced digital forensics techniques using PowerShell in this comprehensive conference talk presented by Jared Atkinson at the 44CON Information Security Conference. Delve into the world of live box forensics and containment as Atkinson introduces PowerForensics, an all-in-one toolset designed for attack response and investigation. Learn how to leverage PowerShell's access to the Windows API and .NET framework to conduct forensically sound "live" investigations without imaging hard drives. Discover the project's background, capabilities, and its potential to revolutionize the Digital Forensics/Incident Response community's approach to tackling live threats. Gain insights into investigating advanced actors at scale and witness a complex demonstration showcasing PowerForensics' effectiveness in real-world attack scenarios. Understand the shifting landscape of cybersecurity threats and equip yourself with the knowledge to utilize PowerShell for defensive purposes, challenging the notion that it's solely a tool for red teams.

Syllabus

Introduction
Jared's background
Jared's certifications
What is PowerShell
Hunting Philosophy
Requirements
What is forensics
Typical forensics toolbox
How PowerShell works
Speed
Modules
Download
Unblock Files
Module Path
Power Forensics
Invoke DD
Boot Sectors
Boot Record
Get MBR
Boot Kits
Set Master Boot Record
Boot Code
GPT
UEFI
Get GPT
Get Boot Sector
GPT Partitions
Overview
System Files
Volume Boot
Volume Boot Record
Master File Table
Get File
Individual File Records
Temporal Funding Funnel
Master File Attributes
Standard Information Attributes
File Name Attributes
Data Attributes
NonResident Attributes
Data Runs
Alternate Data Stream
Get Alternate Data Stream
Stream Name

Taught by

44CON Information Security Conference
