Get-ForensicFileRecord throwing error

[colindix]

Hi,

I noticed today that the get-forensicfilerecord cmdlet is throwing an error when attempting to parse the an MFT. I haven't seen this before, but unfortunately I wasn't able to test on another machine. I know it has worked for me previously but unsure if on this machine.
FYI the MFT isn't particularly large (304954 entries according to analyzeMFT.py).

PS C:\WINDOWS\system32> Get-ForensicFileRecord
Get-ForensicFileRecord : Non-negative number required.
Parameter name: count
At line:1 char:1

• Get-ForensicFileRecord

•   + CategoryInfo          : NotSpecified: (:) [Get-ForensicFileRecord], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,PowerForensics.Cmdlets.GetFileRecordCommand
  
  

PS C:\WINDOWS\system32> $stacktrace
at System.Text.UnicodeEncoding.GetString(Byte[] bytes, Int32 index, Int32 count)
at PowerForensics.Ntfs.VolumeName..ctor(ResidentHeader header, Byte[] bytes, Int32 offset, String attrName)
at PowerForensics.Ntfs.FileRecordAttribute.Get(Byte[] bytes, Int32 offset, String volume)
at PowerForensics.Ntfs.FileRecordAttribute.GetInstances(Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, String volume)
at PowerForensics.Ntfs.FileRecord..ctor(FileRecord[]& recordArray, Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, String volume,
Boolean fast)
at PowerForensics.Ntfs.FileRecord..ctor(FileRecord[]& recordArray, Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, String volume,
Boolean fast)
at PowerForensics.Ntfs.FileRecord.GetInstances(Byte[] bytes, String volume, Boolean fast)
at PowerForensics.Ntfs.FileRecord.GetInstances(String volume, Boolean fast)
at PowerForensics.Ntfs.FileRecord.GetInstances(String volume)
at PowerForensics.Cmdlets.GetFileRecordCommand.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()

[jaredcatkinson]

Thanks for the Stack Trace. Looks like you are using one of the older versions of PowerForensics. Can you try downloading the newest version (https://github.com/Invoke-IR/PowerForensics/tree/master/Modules/PowerForensics)?

[jaredcatkinson]

If the issue persists with the newer version, is it possible for you to share the MFT with me (Exported via some other tool)? That'd help me figure out where the specific issue is occurring. If not I completely understand.

[colindix]

Hi Jared, - Unfortunately, no dice. Slightly different error, but I presume that's to do with the newer version of PF.

PS C:\WINDOWS\system32> Get-ForensicFileRecord
Exception calling "GetInstances" with "1" argument(s): "Non-negative number required.
Parameter name: count"
At C:\Users\xxxxxx\Documents\WindowsPowerShell\Modules\PowerForensics\PowerForensics.psm1:958 char:21

•                 Write-Output ([PowerForensics.FileSystems.Ntfs.FileRecord]:: ...
  

•   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException
  
  

PS C:\WINDOWS\system32> $stacktrace
at System.Text.UnicodeEncoding.GetString(Byte[] bytes, Int32 index, Int32 count)
at PowerForensics.FileSystems.Ntfs.VolumeName..ctor(ResidentHeader header, Byte[] bytes, Int32 offset, String attrName)
at PowerForensics.FileSystems.Ntfs.FileRecordAttribute.Get(Byte[] bytes, Int32 offset, String volume)
at PowerForensics.FileSystems.Ntfs.FileRecordAttribute.GetInstances(Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, String volume)
at PowerForensics.FileSystems.Ntfs.FileRecord..ctor(FileRecord[]& recordArray, Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, Str
ing volume, Boolean fast)
at PowerForensics.FileSystems.Ntfs.FileRecord..ctor(FileRecord[]& recordArray, Byte[] bytes, Int32 offset, Int32 bytesPerFileRecord, Str
ing volume, Boolean fast)
at PowerForensics.FileSystems.Ntfs.FileRecord.GetInstances(Byte[] bytes, String volume, Boolean fast)
at CallSite.Target(Closure , CallSite , RuntimeType , String )
PS C:\WINDOWS\system32>

Would like to pass you the MFT but as it is from a work machine I'm afraid I'm not going to be able to. Happy to perform any diagnostics you would like though, or provide you the parsed output of analyzeMFT, Triforce etc if that will help.

[jaredcatkinson]

Ok give me a day or so to put together a verbose version for you to test with. That way it will tell us exactly what record the issue is occurring on and we can work on it from there.

[colindix]

Sorry I forgot to mention i managed to try on another machine in the fleet and it ran fine (and I had not previously experienced these errors), so please don't do any extra work on my account as it seems to be related to that one machine. Having said that, still happy to help you debug if you want to get to the bottom of it though.