Skip to content

Copy Preparation and Search

Jump to bottom
Matthew Green edited this page Apr 9, 2019 · 1 revision

Under the hood, Invoke-LiveResponse leverages a copy preparation function to simplify creating collection content.

A function: Copy-LiveResponse checks for existence of items and builds a hash table of files and folders using Get-ChildItem. This enables generic glob searching on path and filtering using both Get-ChildItem or Powershell's powerful "Where-Object" syntax.

Depending on mode: Windows API via Copy-Item, or a raw copy via Invoke-ForensicCopy, copies files with fallback to the alternate method if failure.

Copy-LiveResponse: configuration options.
Example collection: Evidence of Execution.

Example raw collection: Event Logs.

Its worthy to note: Copy-LiveResponse leverages the Windows API for search. For basic live response of known files this was decided as the best approach as speed is improved greatly. Permissions searching with this technique does not inhibit results as the script runs as SYSTEM and "Get-ChildItem -Force" typically has complete visibility of even protected files. For NTFS special files or raw disk based search, direct use of Invoke-ForensicCopy is required.
For reference, I have included an example below:

Example collection: NTFS special files

Invoke-LiveResponse Wiki home | Code

Invoke-LiveResponse

  1. Installation
  1. ForensicCopy mode
  1. LiveResponse mode
Clone this wiki locally