Live response is the future - interview with Jared Atkinson creator of PowerForensics. - Pentestmag

Dear readers,

Today we have another great interview to share with you. We spoke with Jared Atkinson, creator of PowerForensics. He told us everything about his tool, from the technical to the management side. Enjoy reading!

[PenTest Magazine] Jared can you please tell us something about yourself?

[Jared Atkinson] I am the Hunt Capability Lead for a US-based consulting company called Veris Group. Before Veris Group, I spent five years in the US Air Force where I led the build-out of their Hunt Team. I'm a huge PowerShell fanboy and have used my love for PowerShell and security to develop a number of open source projects, such as PowerForensics and Uproot IDS.

[PM] For more than a year, you were a lecturer at a college and taught cyber security. How do you recall this time?

[JA] I am a big proponent of learning, so I really enjoyed it! At Utica College, I was able to meet and work with people from all spectrums of the cyber security field. Some students had great security backgrounds and I was able to learn a lot from them, while other students were just entering the field or transitioning careers.

[PM] This year at 44CON London you gave a presentation about forensics with PowerShell. It was called "Old Dog, New Tricks". Where did this idea come from?

[JA] During an Incident Response or Hunt engagement, I often come across scenarios where more detailed "digital forensic" data is necessary. I realized that PowerShell provides the perfect platform for modern forensics, by which I mean analysis of hard disk drive artifacts in a relatively rapid fashion.

[PM] What do you think is the most challenging thing for companies nowadays?

[JA] This may sound cliché, but the most challenging problem companies face is securing people. We have seen organizations do a relatively good job at stopping the server-side attacks that were common in the early part of the 2000s, but no organization has a really good solution for detecting and mitigating client-side attacks, like phishing. This is why we have seen organizations begin to adopt an assume breach/assume compromise mentality, where they run their security program as if they are constantly hacked.

[PM] You created your own tool, PowerForensics. Can you tell our readers about it?

[JA] PowerForensics is a PowerShell module that serves as a forensically sound digital forensics platform. It works by reading data directly from the hard drive and interpreting that data into formal data structures, such as file systems. The cool thing about PowerForensics is that it does not rely on the Operating System (OS) for any of the data processing/parsing. Independence from the OS is extremely important in live response scenarios where an attacker can manipulate the OS to hide evidence. You can download the latest version of PowerForensics from the PowerShell Gallery or from Github.

The goal of PowerForensics is to allow users with relatively little forensic knowledge to gather and analyze forensic artifacts that otherwise would not be available. For example, the Master File Table (MFT) is a metadata structure that stores information about every file and directory on an NTFS formatted partition. The MFT itself is stored as a file that is protected by the OS. With one simple command, shown below, PowerForensics reads the protected file and parses the metadata structures into human readable PowerShell objects.


[PM] Do you think live response is going to play a big role in the industry? Please share your thoughts.

[JA] Live response is the future. The traditional digital forensics practice, hard drive imaging, is simply not flexible enough to support defensive actions at scale. Many organizations have in excess of 100,000 hosts on their network, so system triage must be completed quickly. That being said, traditional forensics will likely never go away completely because of its importance to law enforcement investigations and cases.

[PM] Your tool helps with attack response. What do you think about the IR market (tools, solutions, etc.)?

[JA] While tools/solutions are an important piece of a security program, I am a huge proponent of investing in people! Too many organizations think that throwing money at a problem will make it go away. For me, a tool is just a means to an end, but you must have a human being on the other end of the tool doing the analytical work. One of the design concepts that I have really pushed with PowerForensics is that it tries to teach users about the different artifacts and how they can be used together to develop a full picture.

[PM] Have you faced any difficulties with creating PowerForensics?

[JA] I have been fortunate with the development of PowerForensics. The PowerShell community has been an excellent resource. Lee Holmes, from the PowerShell team at Microsoft, helped me with some code efficiency issues I was having and has also contributed his own feature called BinShred to the module. June Blender from SAPIEN Technology helped me write professional cmdlet help which is awesome for users! Overall, I have been really happy with the reception and the contributions from the community.

[PM] What is the future of the application?

[JA] PowerForensics has a pretty exciting future! I'm planning on expanding support for more file systems. Currently, PowerForensics only supports the New Technology File System (NTFS), but with the use of tools like F-Response, it can easily be leveraged to deal with common Linux or OS X file systems, like ext3/4 or HFS+.

[PM] Have you got any final thoughts? Is there anything you would like to add?

[JA] I just want to encourage readers to take the time to really dig into the internals of these artifacts. Even though PowerForensics attempts to abstract many of the complexities of forensic analysis, I personally think it is important to learn how tools work behind the scenes. To help foster "forensic literacy", I've made a number of posters that illustrate the different file formats PowerForensics deals with (they can be found on my GitHub). Lastly, if anyone has any questions about PowerForensics or feature requests, please do not hesitate to reach out to me via Twitter or GitHub! Thanks to PenTest Magazine for taking the time to chat with me about my tool!

Contact:
Twitter: Jared Atkinson
GitHub: PowerForensics
GitHub: ForensicPosters

https://www.powershellgallery.com/packages/PowerForensics
