+ Reflectively loads Powerforensics onto the target machine to enable raw disk access.
+ Leverages a scriptblock for each configured function of the script.
+ Common forensic artifacts and custom file collections.
+ WinPMem for memory support
+ Depending on the selected switches, each selected capability is joined at run time to build the scriptblock pushed out to the target machine.
+ Inspired by the Kansa Framework, LiveResponse mode will execute any Powershell scripts placed inside a content folder.
+ Results consist of the standard out from the executed content, redirected from the collection machine to a local Results folder as ScriptName.txt.
+ The benefit of this method is the ability to operationalise new capability easily by dropping in new content that writes the desired results to StdOut.
+ Get-Powerforensics.ps1 – Installs Powerforensics to the user profile.
+ Get-Forensicating.ps1 – Installs Invoke-LiveResponse and Powerforensics to the user profile.
+ Invoke-ForensicCopy.ps1 – Powershell function that leverages the Powerforensics API for a raw copy with the best performance.
+ Content – Contains some nice content from around the place, mainly from Kansa and the SpecterOps ACE project. I'll add more as I remember / find new things.
– The MaxMemoryPerShellMB setting will need to change on Powershell 2.0 targets for LiveResponse content, up from 150MB.
– Please set it to 0 (off) or 1024 on Powershell 2.0; Powershell 3.0 and above should already be appropriately configured for WinRM use.
– Invoke-MaxMemory is a quick and dirty module to set MaxMemoryPerShellMB to 0; use -Legacy for Windows 7 machines.
– Add additional artifacts into ForensicCopyMode
– Expand scope to enable at-scale, enterprise-wide detection/hunting through Powershell Start-Job capabilities.
– Improve ancillary tools: Invoke-StartWinRM/Invoke-StopWinRM, Invoke-MaxMemory. Improve -Legacy options
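An added illustration of the LiveResponse content flow described above (one scriptblock per script in a content folder, StdOut captured locally as ScriptName.txt), combined with a read-only check of the MaxMemoryPerShellMB quota the notes warn about. This is example code written for this page, not Invoke-LiveResponse's own implementation; the Content and Results folder layout, the parameter names and WinRM reachability of the target with the current credentials are assumptions.

```powershell
# Example only: not the project's code. Assumes scripts sit in .\Content, results go to
# .\Results, and the target accepts WinRM sessions from the collection machine.
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    [string]$ContentPath = (Join-Path $PWD 'Content'),
    [string]$ResultsPath = (Join-Path $PWD 'Results')
)

$session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
New-Item -ItemType Directory -Path $ResultsPath -Force | Out-Null

# Pre-flight: a Powershell 2.0 target with the 150MB shell quota can fail large
# collections. 0 means no limit. This only reads the value; it changes nothing.
$quota = Invoke-Command -Session $session -ScriptBlock {
    (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
}
if ($quota -ne 0 -and [int]$quota -lt 1024) {
    Write-Warning "$ComputerName MaxMemoryPerShellMB is $quota; set 0 or 1024 on Powershell 2.0 hosts"
}

# Each .ps1 dropped into Content becomes one scriptblock pushed to the target.
# Whatever the script writes to StdOut is redirected to Results\<ScriptName>.txt
foreach ($script in Get-ChildItem -Path $ContentPath -Filter *.ps1 | Sort-Object Name) {
    $name    = $script.BaseName
    $block   = [ScriptBlock]::Create((Get-Content -Path $script.FullName -Raw))
    $outFile = Join-Path $ResultsPath "$name.txt"
    try {
        Invoke-Command -Session $session -ScriptBlock $block -ErrorAction Stop |
            Out-String -Width 4096 |
            Set-Content -Path $outFile -Encoding UTF8
        Write-Host "[+] $name -> $outFile"
    }
    catch {
        # Keep a per-script failure record so a missing result file is never silent
        "ERROR: $($_.Exception.Message)" | Set-Content -Path $outFile
        Write-Warning "[-] $name failed on ${ComputerName}: $($_.Exception.Message)"
    }
}

Remove-PSSession $session
```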
+ Powershell v3.0 or Higher
Use and Download:
git clone https://github.com/mgreen27/Powershell-IR && cd Powershell-IR