There are two main phases of digital forensics: acquisition and analysis.
I spent several years in digital forensics needing to collect physical disks and/or attend scenes, which required me to follow https://athenaforensics.co.uk/acpo-guidelines-for-computer-forensics/. I was at the very tail end of this industry practice (within the private sector) and since then it has become industry standard to collect a set of artefacts from a system whilst it is running, i.e. live, instead of imaging the entire disk. Additionally, the likelihood of a digital forensic investigation ever reaching a court of law became extremely small. This is for one primary reason - time. In any forensic investigation, time is the greatest enemy. The sooner you can prove or disprove a theory, the quicker the case can be solved. The more cases solved, the more efficient and effective a team can be. Accelerating the acquisition means time can be spent to better effect on analysis.
Collecting individual files can be broken into two parts: access to the target host and copying files. In the good old days, accessing the system would involve heading up 26 flights of stairs or travelling across town to find the right department and desk before plugging a USB device in and traversing the filesystem for the necessary artefacts. But why leave your desk if you can use a script to do the (literal) leg work for you?
We all know the majority of endpoint devices (laptops and desktops) run Windows, thus it makes sense to use a scripting language native to Windows for this objective - and we can: PowerShell. Note this applies to the target host, not necessarily the acquisition host.
To summarise, we have two phases of forensic work - acquisition and analysis; we are focusing on acquisition. We have two sub-steps involved in acquisition - access to the target and copying files; and we have a tool to help facilitate these two sub-steps: PowerShell.
To get familiar with remote artefact acquisition, it is best to configure a small ‘lab’ with two Windows hosts - one being your acquisition host, the other being your target. When collecting artefacts in production, this document explains the preferred methods of remote administration using PowerShell:
Warning: Additional configuration may be required depending on your production environment. These configurations may include:
On your acquisition host, fire up the code editor of your choice - I would recommend Visual Studio Code, although you can just use the Windows PowerShell ISE: https://learn.microsoft.com/en-us/powershell/scripting/windows-powershell/ise/introducing-the-windows-powershell-ise?view=powershell-7.4.
Note: An important distinction between PowerShell and other programming and scripting languages is naming: elsewhere, chunks of reusable code are called methods or functions; in PowerShell they are called cmdlets. Every cmdlet returns an object, and each object has a set of properties.
It is also worth being aware of how cmdlets are structured. They all follow a Verb-Noun structure. For example, in Get-Process, Get retrieves information and Process is the object being retrieved. Similarly, in New-Item, New creates something, which can be a file, directory, registry key or symbolic link, denoted by Item.
To connect to another host using PowerShell, we can use the cmdlet New-PSSession.
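As an added example that is not part of the original post, the script below chains the two acquisition sub-steps (access via New-PSSession, then copying files) and hashes each artefact on the live target before transfer and again locally afterwards, so the acquisition log shows whether each copy is intact. The hostname and artefact list are placeholders, and it assumes PowerShell remoting (WinRM) is already enabled on the target and that the supplied account has administrative rights there.

```powershell
param(
    [string]$Target      = 'TARGET-HOST',   # placeholder hostname
    [string]$Destination = 'C:\Acquisitions',
    [string[]]$Artefacts = @(               # placeholder artefact list
        'C:\Windows\Prefetch\*.pf',
        'C:\Windows\System32\winevt\Logs\Security.evtx'
    )
)

# Prompt for credentials rather than embedding them in the script.
$cred    = Get-Credential
# Access to target: open the remote session (Verb-Noun: New + PSSession).
$session = New-PSSession -ComputerName $Target -Credential $cred

try {
    $caseDir = Join-Path $Destination ('{0}_{1:yyyyMMdd_HHmmss}' -f $Target, (Get-Date))
    New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

    $log = foreach ($path in $Artefacts) {
        # Expand wildcards and hash each file on the live target first, so the
        # log records the state of the artefact as it was seen on the host.
        $remoteFiles = Invoke-Command -Session $session -ArgumentList $path -ScriptBlock {
            param($p)
            Get-ChildItem -Path $p -File -ErrorAction SilentlyContinue | ForEach-Object {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{ FullName = $_.FullName; Length = $_.Length; SHA256 = $h.Hash }
            }
        }

        # Copying files: pull each one back over the existing session (PowerShell 5.0+).
        foreach ($f in $remoteFiles) {
            $dest = Join-Path $caseDir (Split-Path $f.FullName -Leaf)
            Copy-Item -Path $f.FullName -Destination $dest -FromSession $session
            $local = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
            [pscustomobject]@{
                Source     = $f.FullName
                Bytes      = $f.Length
                RemoteHash = $f.SHA256
                LocalHash  = $local
                Verified   = ($local -eq $f.SHA256)
            }
        }
    }
    $log | Export-Csv -Path (Join-Path $caseDir 'acquisition_log.csv') -NoTypeInformation
}
finally {
    # Always tear the session down, even if a copy failed part-way through.
    Remove-PSSession -Session $session
}
```

Any row in acquisition_log.csv with Verified set to False (or an empty RemoteHash, meaning the file could not be read on the target) marks an artefact that should be re-collected before analysis begins.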