PoSh-R2 PowerShell: a tool for investigators and forensic analysts
PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so the script must be run as a user that has the privileges WMI requires (local administrator rights on the target, and DCOM access for remote hosts).
In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:
– Autorun entries
– Disk info
– Environment variables
– Event logs (50 latest)
– Installed Software
– Logon sessions
– List of drivers
– List of mapped network drives
– List of running processes
– Logged in user
– Local groups
– Local user accounts
– Network configuration
– Network connections
– Scheduled tasks with AT command
– System Information
git clone https://github.com/WiredPulse/PoSh-R2.git
- Run the script from a PowerShell window that has the rights WMI needs and follow the prompts.
- Data will be saved to a new directory called “PoSH_R2–Results” inside the directory from which the script was executed.
- The script works with PowerShell version 2 and above.
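The collection pattern the page describes (one WMI query per artifact, results written per host into a results directory) can be seen end to end in the following added example. It is not PoSh-R2's own code: it is a stand-alone PowerShell 2+ script that gathers a subset of the artifacts listed above through the same Win32_* WMI classes, saves each as CSV, and records SHA256 sums of the output so the evidence can later be checked for integrity. The script name (Collect-WmiTriage.ps1), the output folder name, and the host names in the usage line are assumptions.

```powershell
# Collect-WmiTriage.ps1 (hypothetical name) - added example, not part of PoSh-R2.
# Assumes: elevated PowerShell 2+ session, account with admin/WMI rights on each target,
# RPC/DCOM reachable for remote hosts. Host names passed in are constructed placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),                    # local host by default
    [string]$OutRoot = (Join-Path (Get-Location) 'WmiTriage-Results')   # assumed folder name
)

# Artifact name -> WMI class (+ optional WQL filter). Win32_Product is deliberately
# omitted: enumerating it makes MSI re-validate every installed package, which
# modifies the very system being examined.
$Artifacts = @(
    @{ Name = 'Autoruns';      Class = 'Win32_StartupCommand' },
    @{ Name = 'Disks';         Class = 'Win32_LogicalDisk' },
    @{ Name = 'EnvVars';       Class = 'Win32_Environment' },
    @{ Name = 'Drivers';       Class = 'Win32_SystemDriver' },
    @{ Name = 'MappedDrives';  Class = 'Win32_MappedLogicalDisk' },
    @{ Name = 'Processes';     Class = 'Win32_Process' },
    @{ Name = 'LogonSessions'; Class = 'Win32_LogonSession' },
    @{ Name = 'LocalGroups';   Class = 'Win32_Group';       Filter = "LocalAccount='True'" },
    @{ Name = 'LocalUsers';    Class = 'Win32_UserAccount'; Filter = "LocalAccount='True'" },
    @{ Name = 'NetworkConfig'; Class = 'Win32_NetworkAdapterConfiguration'; Filter = "IPEnabled='True'" },
    @{ Name = 'AtJobs';        Class = 'Win32_ScheduledJob' },   # jobs created with AT.EXE only
    @{ Name = 'SystemInfo';    Class = 'Win32_OperatingSystem' }
)

function Invoke-Collection {
    param([string]$Target, [string]$Dir)
    $errors = Join-Path $Dir 'collection-errors.txt'

    foreach ($a in $Artifacts) {
        $params = @{ Class = $a.Class; ComputerName = $Target; ErrorAction = 'Stop' }
        if ($a.Filter) { $params['Filter'] = $a.Filter }
        try {
            Get-WmiObject @params |
                Select-Object * -ExcludeProperty __*, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container |
                Export-Csv -NoTypeInformation -Path (Join-Path $Dir ("{0}.csv" -f $a.Name))
        } catch {
            "{0}`t{1}`t{2}" -f (Get-Date -Format s), $a.Class, $_.Exception.Message |
                Out-File -Append -Encoding ascii $errors
        }
    }

    # 50 records from the System log. Select-Object -First stops enumeration early;
    # sorting the whole log by TimeGenerated would be exact but reads every event.
    try {
        Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='System'" `
            -ComputerName $Target -ErrorAction Stop |
            Select-Object -First 50 TimeGenerated, EventCode, SourceName, Type, Message |
            Export-Csv -NoTypeInformation -Path (Join-Path $Dir 'EventLog-System.csv')
    } catch {
        "{0}`tWin32_NTLogEvent`t{1}" -f (Get-Date -Format s), $_.Exception.Message |
            Out-File -Append -Encoding ascii $errors
    }
}

function Write-Manifest {
    # SHA256 of every CSV, so later review can show the evidence files are unchanged.
    param([string]$Dir)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $manifest = Join-Path $Dir 'SHA256SUMS.txt'
    foreach ($f in Get-ChildItem -Path $Dir -Filter *.csv) {
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try   { $hex = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
        "{0}  {1}" -f $hex, $f.Name | Out-File -Append -Encoding ascii $manifest
    }
}

foreach ($target in $ComputerName) {
    $hostDir = Join-Path $OutRoot ("{0}_{1}" -f $target, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
    Write-Host ("[*] Collecting from {0} into {1}" -f $target, $hostDir)
    Invoke-Collection -Target $target -Dir $hostDir
    Write-Manifest -Dir $hostDir
}

# Usage (host names are placeholders):
#   .\Collect-WmiTriage.ps1 -ComputerName 'WS01', 'WS02'
```

Each host gets its own time-stamped folder, failures are logged rather than aborting the run, and the SHA256 manifest is written last so it covers every CSV. Two points differ from the full tool on purpose: installed software is not collected (see the comment on Win32_Product), and live network connections are not available through the Win32_* classes used here.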