Type [PowerForensic.Ntfs.FileRecord] not found about powerforensics HOT 21 OPEN

Thanks for the detailed issue. Looks like there is a typo in the new function ([PowerForensic.Ntfs.FileRecord] instead of [PowerForensics.Ntfs.FileRecord]). I can make an update this evening. In the meantime you should be find if you just add the "s" to PowerForensic on line 963.

from powerforensics.

thanks for the quick answer
I update with "s" but now another issue:

> Get-ForensicFileRecord -Path C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "The readDrive method experienced an IOException. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: IOException

from powerforensics.

Yea sorry this latest version is still a work in progress (completely changed how everything works). For now you have to use \.\C: rather than C: or C (until I add a normalization function).

from powerforensics.

I suspect that is the issue anyway...

from powerforensics.

It's working for C:
C:\Windows\system32> Get-ForensicFileRecord -Path \.\C:

FullName             : C:\$MFT
Name                 : $MFT
SequenceNumber       : 1
RecordNumber         : 0
ParentSequenceNumber : 5
...

But not if you put a path's file (I try different combination)

Get-ForensicFileRecord -Path \.\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1: 963: 21
+ Write-Output ([PowerForensics.Ntfs.FileRecord] :: Get ($ Path, $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId: Exception

Regards

from powerforensics.

from powerforensics.

While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?

from powerforensics.

Hi Jared,
Problems with last update:

• Still the same issue for FileRecord (just the line number in psm change):
  Get-ForensicFileRecord -Path .\C:\Windows\System32\cmd.exe

Exception when calling "Get" with "2" argument (s): "Invalid VolumeBootRecord Footer. "
C:\Users\test\Documents\Windows PowerShell\Modules\PowerForensics-master\Modules\ PowerForensics\PowerForensics.psm1: 930: 21
+ Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord] :: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~
     + CategoryInfo: NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId: Exception

• Other commands (which were ok) have now 2 issues:
  Get-ForensicBootSector -Path \.\PHYSICALDRIVE0
  Get-ForensicPartitionTable -Path \.\PHYSICALDRIVE0

Type [PowerForensics.BootSector.MasterBootRecord] not found. Make sure that the assembly that contains this type is loaded.
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:605 : 9
+ $ Mbr = [PowerForensics.BootSector.MasterBootRecord] :: Get ($ Path)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
    + CategoryInfo: InvalidOperation: (PowerForensics .... asterBootRecord: TypeName) [], RuntimeException
    + FullyQualifiedErrorId: TypeNotFound
 
Indexing is not possible in a Null array.
The character C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:607:13
+ If ($ mbr.PartitionTable [0] .SystemId -eq 'EFI_GPT_DISK')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~
    + CategoryInfo: InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId: NullArray

Regards

from powerforensics.

Thanks for staying on top of it. I fixed the typos (let me know if you find any more). The issue with the Path parameter will take me a little longer to fix (I need some time to sit down and think about the best way to fix the issue). When you say "While waiting for the fix, what queries do you use to recover the timestamps $FN as a replacement?" what exactly are you looking for?

from powerforensics.

• Thanks for the fix.
• What i'm looking for with Get-ForensicFileRecord:
  a) find difference between $STANDARD_INFO and $FN timestamps to validate stomping.
  b) find if the DATA are resident or nonreisdent in MFT

from powerforensics.

In the interim you can get this information by parsing the entire MFT with Get-ForensicFileRecord and then using Where-Object to find the record you are interested in.

Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

from powerforensics.

You can also automate the comparison of $SI and $FN timestamps by using Get-ForensicFileRecord -VolumeName \\.\C: | Where-Object {$_.FNBornTime -gt $_.BornTime}

Based on my experience this will have its fair share of false positives though.

from powerforensics.

I have the same issue for the 2:

Get-ForensicFileRecord -VolumeName \.\C: | Where-Object {$_.FullName -eq 'C:\Windows\System32\cmd.exe'}

Exception when calling "GetInstances" with "1" argument (s): "Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: startIndex »
C:\Users\test\Documents\WindowsPowerShell\Modules\PowerForensics-master\Modules\PowerForensics\PowerForensics.psm1:920 : 21
+                     Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord]:: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

from powerforensics.

looks like you missed the first \ on \.\C:

from powerforensics.

I try with \.\C: => it take times.... and same error (PowerForensics.psm1:920 : 21)
(I try with: .\C: => error quickly )

from powerforensics.

(The message don't show it but i put the 2 slash before ".")

from powerforensics.

yea nevermind. looks like github is cutting off our \\.\C:. Might be something weird about your MFT that is causing and error that I haven't seen yet.

from powerforensics.

You're right because i try with D: and it's working...
I will check on it
thanks again for your help

from powerforensics.

No problem. Is the drive a test machine or a production machine? If it is a test machine, would you be able to share an exported version of the MFT with me?

from powerforensics.

I can't it's a production machine. sorry.
Do you think it's not a good idea to compare $STD and $FN timestamps (born time) for stomping. why falses positive when $FN are not easy to change in user land?

from powerforensics.

No worries. I've just seen that there are a lot of built in executable that exhibit that same behavior. That being said, I'd be interested to hear what your tests find.

from powerforensics.