Just wanted to provide an update on a recent addition to my Github. In my post last week, I discussed the Start-ImageParsing.ps1 script which automates the use of various parsing tools against a forensic image. One of the requirements in the script is that all of Eric Zimmerman’s tools must be in the same directory. I realized this download and extraction might be a pain for people that don’t already have the tools so I put together this script to automate things. It’s also a good way to ensure that you always have the latest versions installed.
Installation and Execution
- Download the script from my GitHub repository and extract the files: https://github.com/grayfold3d/POSH-Triage
- Unblock the file and set the PowerShell execution policy. RemoteSigned lets scripts created locally run without a signature, but requires scripts downloaded from the internet (files carrying the Zone.Identifier "mark of the web") to be signed by a trusted publisher. Unblocking removes that mark from the script you just downloaded so it is treated as local. Keep in mind that the execution policy is a guard against accidentally running scripts, not a security boundary (it is easily bypassed, for example with -ExecutionPolicy Bypass), so read the script before you run it.
- Right-click script, select Properties and then “Unblock file”
- Open PowerShell as administrator and type:
> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
- Without a -Scope argument this sets the LocalMachine policy, which is why elevation is needed. If you only want to change the policy for your own account, add -Scope CurrentUser; that does not require administrator rights.
- By default, files are saved to C:\Forensic Program Files\Zimmerman. If you’d like them saved somewhere else, you can pass the location with the -outDir parameter when running the script from the PowerShell console, or edit the script’s default with these steps:
- Right-Click Get-ZimmermanTools.ps1 and select Edit
- Change the area highlighted below to your desired folder and save changes
- Right-Click Get-ZimmermanTools.ps1 and select “Run with PowerShell”
- The script will launch and begin downloading the files
- Alternatively, the script can be launched from the PowerShell console by navigating to the directory it is saved in and entering the script name with any parameters you need.
In this example, we use the -outDir parameter to specify an alternative location to save the files.
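The whole procedure as it would be typed into the console, as an added example that is not part of the original post or the POSH-Triage repository; the extraction path and the alternative output directory are assumptions, and only the -outDir parameter described above is used:

```powershell
# Added example (not from the original post). Paths are assumptions; adjust to your system.
$script = 'C:\Tools\POSH-Triage\Get-ZimmermanTools.ps1'   # assumed extraction location
$outDir = 'D:\Forensics\Zimmerman'                          # assumed alternative output directory

# Files downloaded with a browser carry a Zone.Identifier alternate data stream
# (the "mark of the web"). Show it if present, then remove it; this is exactly what
# the Explorer "Unblock" checkbox does.
if (Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $script -Stream Zone.Identifier   # e.g. [ZoneTransfer] / ZoneId=3 (Internet)
}
Unblock-File -Path $script

# RemoteSigned for the current user only: no elevation needed, machine-wide policy untouched.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Get-ExecutionPolicy -List    # confirm which scope is now effective

# Run the script with -outDir instead of the default C:\Forensic Program Files\Zimmerman.
& $script -outDir $outDir

# Verify what landed in the output directory.
Get-ChildItem -Path $outDir -Recurse -Filter *.exe |
    Select-Object FullName, Length, LastWriteTime
```

If you cloned the repository with git instead of downloading the zip, no mark of the web is attached and Unblock-File is simply a no-op; the execution policy step still applies.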
So that’s it. Hopefully, this will save you some headaches. As always, if you have any feedback or suggestions, leave a comment or send me a message on Twitter.