Last active
August 28, 2023 22:10
-
-
Save Chirishman/66874e368e805498c50e28883c60bb23 to your computer and use it in GitHub Desktop.
Use PowerForensics to get a list of all files and their sizes from a local NTFS volume's Master File Table
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # install-module powerforensics | |
| # import-module powerforensics | |
| function Get-LocalDiskReport { | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory)] | |
| [string] | |
| [ValidateSet('\\.\A:','\\.\B:','\\.\C:','\\.\D:','\\.\E:','\\.\F:','\\.\G:','\\.\H:','\\.\I:','\\.\J:','\\.\K:','\\.\L:','\\.\M:','\\.\N:','\\.\O:','\\.\P:','\\.\Q:','\\.\R:','\\.\S:','\\.\T:','\\.\U:','\\.\V:','\\.\W:','\\.\X:','\\.\Y:','\\.\Z:')] | |
| $VolumeName, | |
| [Parameter()] | |
| [uri]$OutputFolder = 'C:\Temp\' | |
| ) | |
| $SelectForensicFileRecords = @{ | |
| Property = @( | |
| 'Name', | |
| @{n='Extension';e={".$(($_.Name -split '\.')[-1])"}}, | |
| 'Permission', | |
| @{n='ModifiedTime';e={$_.FNModifiedTime}}, | |
| @{n='AccessedTime';e={$_.FNAccessedTime}}, | |
| @{n='ChangedTime';e={$_.FNChangedTime}}, | |
| @{n='BornTime';e={$_.FNBornTime}}, | |
| @{n='RealSize';e={$_.Attribute[1].RealSize}}, | |
| @{n='AllocatedSize';e={$_.Attribute[1].AllocatedSize}}, | |
| 'FullName' | |
| ) | |
| } | |
| $OutputPath = Join-Path -Path $OutputFolder.LocalPath -ChildPath (-join($env:COMPUTERNAME,'_',[regex]::Matches($VolumeName,'\w').Value,'.csv')) | |
| Get-ForensicFileRecord -VolumeName $VolumeName | ?{(-not $_.Deleted) -and (-not $_.Directory) -and $_.FullName -match 'ai upscale'} | Select-Object @SelectForensicFileRecords | Export-Csv -Path $OutputPath -NoTypeInformation | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment