
Type [PowerForensic.Ntfs.FileRecord] not found #145

Open
secusoc opened this issue Dec 1, 2016 · 21 comments

Comments

@secusoc

secusoc commented Dec 1, 2016

Hi,

Thanks a lot for your tool!
I have a problem using "Get-ForensicFileRecord" (error in PowerForensics.psm1: 963: 21).
My config:

  • Win7 Pro SP1 x64
  • Powershell 4.0
  • PowerForensic 2.0 (github release: PowerForensics-master)

> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe

Type [PowerForensic.Ntfs.FileRecord] not found. Make sure that the assembly that contains this type is loaded.
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensic.Ntfs.FileRecord] :: Get ($ Path, $ f ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
+ CategoryInfo: InvalidOperation: (PowerForensic.Ntfs.FileRecord: TypeName) [], RuntimeException
+ FullyQualifiedErrorId: TypeNotFound

> $stacktrace

 at System.Management.Automation.TypeOps.ResolveTypeName(ITypeName typeName)
 at System.Management.Automation.Interpreter.FuncCallInstruction`2.Run(InterpretedFrame frame)
 at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

When I try with -AsBytes, there is no error but I just get the byte array:
> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe -AsBytes

70
73
76
...

Thanks in advance for your help
Regards

@jaredcatkinson
Member

Thanks for the detailed issue. Looks like there is a typo in the new function ([PowerForensic.Ntfs.FileRecord] instead of [PowerForensics.Ntfs.FileRecord]). I can make an update this evening. In the meantime you should be fine if you just add the "s" to PowerForensic on line 963.

@secusoc
Author

secusoc commented Dec 1, 2016

Thanks for the quick answer.
I updated with the "s", but now there is another issue:

> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "The readDrive method experienced an IOException. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: IOException

@jaredcatkinson
Member

Yeah, sorry, this latest version is still a work in progress (I completely changed how everything works). For now you have to use \.\C: rather than C: or C (until I add a normalization function).

@jaredcatkinson
Member

I suspect that is the issue anyway...

@secusoc
Author

secusoc commented Dec 2, 2016

It's working for C:
C:\Windows\system32> Get-ForensicFileRecord -Path \.\C:

FullName             : C:\$MFT
Name                 : $MFT
SequenceNumber       : 1
RecordNumber         : 0
ParentSequenceNumber : 5
...

But not if you put a file path (I tried different combinations):

Get-ForensicFileRecord -Path \.\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId: Exception

Regards

@jaredcatkinson
Member

jaredcatkinson commented Dec 2, 2016 via email

@secusoc
Author

secusoc commented Dec 2, 2016

While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?

@secusoc
Author

secusoc commented Dec 7, 2016

Hi Jared,
Problems with the last update:

  • Still the same issue for FileRecord (just the line number in the psm changed):
    Get-ForensicFileRecord -Path .\C:\Windows\System32\cmd.exe
Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
C:\Users\test\Documents\Windows PowerShell\Modules\PowerForensics-master\Modules\ PowerForensics\PowerForensics.psm1: 930: 21
+ Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord] :: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: Exception


  • Other commands (which were OK) now have 2 issues:
    Get-ForensicBootSector -Path \.\PHYSICALDRIVE0
    Get-ForensicPartitionTable -Path \.\PHYSICALDRIVE0
Type [PowerForensics.BootSector.MasterBootRecord] not found. Make sure that the assembly that contains this type is loaded.
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:605 : 9
+ $ Mbr = [PowerForensics.BootSector.MasterBootRecord] :: Get ($ Path)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
    + CategoryInfo: InvalidOperation: (PowerForensics .... asterBootRecord: TypeName) [], RuntimeException
    + FullyQualifiedErrorId: TypeNotFound
 
Indexing is not possible in a Null array.
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:607:13
+ If ($ mbr.PartitionTable [0] .SystemId -eq 'EFI_GPT_DISK')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~
    + CategoryInfo: InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId: NullArray

Regards

@jaredcatkinson
Member

Thanks for staying on top of it. I fixed the typos (let me know if you find any more). The issue with the Path parameter will take me a little longer to fix (I need some time to sit down and think about the best way to fix the issue). When you say "While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?" what exactly are you looking for?

@secusoc
Author

secusoc commented Dec 8, 2016

  • Thanks for the fix.
  • What I'm looking for with Get-ForensicFileRecord:
    a) find the difference between $STANDARD_INFO and $FN timestamps to validate stomping.
    b) find whether the DATA is resident or non-resident in the MFT.

@jaredcatkinson
Member

In the interim you can get this information by parsing the entire MFT with Get-ForensicFileRecord and then using Where-Object to find the record you are interested in.

Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

@jaredcatkinson
Member

You can also automate the comparison of $SI and $FN timestamps by using Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FNBornTime -gt $_.BornTime}

Based on my experience this will have its fair share of false positives though.
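As an added example (my own code, not part of PowerForensics or this thread): the $SI versus $FN creation-time comparison and the resident/non-resident $DATA check done directly on a raw 1024-byte MFT FILE record in Python, including the update sequence fixups a real record needs before its attributes can be trusted. The record is constructed inline as test data following the on-disk NTFS layout; the si_before_fn flag is the same heuristic as the FNBornTime -gt BornTime filter above and carries the same false-positive caveat.

```python
import struct
from datetime import datetime, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF         # MFT attribute type codes
def filetime(dt):                                           # datetime -> 100 ns ticks since 1601
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def apply_fixups(raw, sector=512):
    """Restore each sector's last two bytes from the update sequence array (USA)."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * sector - 2
        if rec[end:end + 2] != usn:                         # torn write, or not a record at all
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """$SI and $FN creation ticks, whether unnamed $DATA is resident, and a stomping hint."""
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    off, out = struct.unpack_from("<H", rec, 20)[0], {}    # first attribute offset
    while True:
        atype, alen, nonres, namelen = struct.unpack_from("<IIBB", rec, off)
        if atype == END: break
        if atype == DATA and namelen == 0:                  # header byte 8 is the non-resident flag
            out["data_resident"] = nonres == 0
        elif atype in (SI, FN) and nonres == 0:             # $SI: created at 0; $FN: parent ref, then created at 8
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            out.setdefault("si_born" if atype == SI else "fn_born",
                           struct.unpack_from("<Q", body, 0 if atype == SI else 8)[0])
        off += alen
    return dict(out, si_before_fn=out["si_born"] < out["fn_born"])   # $SI older than $FN: stomping hint
def resident(atype, content):                               # 24-byte resident header; content is 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content), 0, 0, 24, 0, 0, len(content), 24, 0, 0) + content
def build_record(si_born, fn_born, data_resident, name="cmd.exe"):
    """Constructed 1024-byte FILE record with a 3-entry USA (test data, not from a real MFT)."""
    si = struct.pack("<4Q", *[filetime(si_born)] * 4) + bytes(16)
    fn = struct.pack("<5Q", 5, *[filetime(fn_born)] * 4) + bytes(24) + bytes([len(name), 3]) + name.encode("utf-16-le")
    data = resident(DATA, b"MZ" + bytes(6)) if data_resident else struct.pack(
        "<IIBBHHHQQHHI3Q", DATA, 72, 1, 0, 64, 0, 0, 0, 0, 64, 0, 0, 4096, 4096, 4096) + b"\x21\x01\x00\x10" + bytes(4)
    attrs = resident(SI, si) + resident(FN, fn) + data + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024, 0, 3, 0, 0)
    rec = bytearray(hdr + bytes(8) + attrs) + bytes(1024 - 56 - len(attrs))
    rec[48:54] = b"\x01\x00" + rec[510:512] + rec[1022:1024]  # USN = 1, then the words the USN overwrites
    rec[510:512] = rec[1022:1024] = b"\x01\x00"
    return bytes(rec)
```

Running parse_record over every 1024-byte slice of an exported $MFT gives the same two answers per record that the Where-Object filters above return per object.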

@secusoc
Author

secusoc commented Dec 8, 2016

I have the same issue for both of them:

Get-ForensicFileRecord -VolumeName \.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

Exception when calling "GetInstances" with "1" argument (s): "Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex »
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:920 : 21
+                     Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord]:: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

@jaredcatkinson
Member

Looks like you missed the first \ on \.\C:

@secusoc
Author

secusoc commented Dec 8, 2016

I tried with \.\C: => it takes time... and the same error (PowerForensics.psm1:920 : 21)
(I tried with .\C: => the error comes quickly)

@secusoc
Author

secusoc commented Dec 8, 2016

(The message doesn't show it, but I put the 2 slashes before ".")

@jaredcatkinson
Member

Yeah, never mind. Looks like GitHub is cutting off our \\.\C:. Might be something weird about your MFT that is causing an error that I haven't seen yet.

@secusoc
Author

secusoc commented Dec 8, 2016

You're right, because I tried with D: and it's working...
I will check on it.
Thanks again for your help.

@jaredcatkinson
Member

No problem. Is the drive a test machine or a production machine? If it is a test machine, would you be able to share an exported version of the MFT with me?

@secusoc
Author

secusoc commented Dec 8, 2016

I can't, it's a production machine, sorry.
Do you think it's not a good idea to compare $STD and $FN timestamps (born time) for stomping? Why false positives, when $FN is not easy to change in user land?

@jaredcatkinson
Member

No worries. I've just seen that there are a lot of built-in executables that exhibit that same behavior. That being said, I'd be interested to hear what your tests find.
