Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Users\salim> Rapor dosyası oluştur
Rapor : The term 'Rapor' is not recognized as the name of a cmdlet, function, script file, or operable program. Check t
he spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ Rapor dosyası oluştur
+ ~~~~~
+ CategoryInfo : ObjectNotFound: (Rapor:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\salim> $rapor = "C:FORENSIC_RAPOR_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"
PS C:\Users\salim> $son24saat = (Get-Date).AddHours(-24)
PS C:\Users\salim>
PS C:\Users\salim> "=" * 80 | Out-File $rapor
PS C:\Users\salim> "ADLI BİLİŞİM RAPORU - $(Get-Date)" | Out-File $rapor -Append
PS C:\Users\salim> "BİLGİSAYAR: $env:COMPUTERNAME | KULLANICI: $env:USERNAME" | Out-File $rapor -Append
PS C:\Users\salim> "=" * 80 | Out-File $rapor -Append
PS C:\Users\salim>
PS C:\Users\salim> # 1. PROGRAMS RUN IN THE LAST 24 HOURS (Prefetch)
PS C:\Users\salim> "`n>>> ÇALIŞTIRILAN PROGRAMLAR (Prefetch) <<<" | Out-File $rapor -Append
PS C:\Users\salim> Get-ChildItem C:WindowsPrefetch -ErrorAction SilentlyContinue |
>> Where-Object { $_.LastWriteTime -gt $son24saat } |
>> Sort-Object LastWriteTime -Descending |
>> Format-Table Name, LastWriteTime -AutoSize | Out-String | Out-File $rapor -Append
PS C:\Users\salim>
PS C:\Users\salim> # 2. RECENTLY ACCESSED FILES (Recent)
PS C:\Users\salim> "`n>>> SON ERİŞİLEN DOSYALAR <<<" | Out-File $rapor -Append
PS C:\Users\salim> Get-ChildItem "$env:APPDATAMicrosoftWindowsRecent" -ErrorAction SilentlyContinue |
>> Where-Object { $_.LastWriteTime -gt $son24saat } |
>> Sort-Object LastWriteTime -Descending |
>> Format-Table Name, LastWriteTime -AutoSize | Out-String | Out-File $rapor -Append
PS C:\Users\salim>
PS C:\Users\salim> # 3. DELETED FILES (Recycle Bin)
PS C:\Users\salim> "`n>>> GERİ DÖNÜŞÜM KUTUSU <<<" | Out-File $rapor -Append
PS C:\Users\salim> (New-Object -ComObject Shell.Application).NameSpace(0x0a).Items() |
>> Select-Object Name, Size, @{N='SilinmeTarihi';E={$_.ExtendedProperty('System.Recycle.DateDeleted')}} |
>> Sort-Object SilinmeTarihi -Descending |
>> Format-Table -AutoSize | Out-String | Out-File $rapor -Append
PS C:\Users\salim>
PS C:\Users\salim> # 4. USB DEVICE HISTORY (was data copied?)
PS C:\Users\salim> "`n>>> USB CİHAZ GEÇMİŞİ <<<" | Out-File $rapor -Append
PS C:\Users\salim> Get-ItemProperty "HKLM:SYSTEMCurrentControlSetEnumUSBSTOR**" -ErrorAction SilentlyContinue |
>> Select-Object FriendlyName, PSChildName |
>> Format-Table -AutoSize | Out-String | Out-File $rapor -Append
PS C:\Users\salim>
PS C:\Users\salim> # 5. WINDOWS EVENT LOG - Logon/logoff
PS C:\Users\salim> "`n>>> OTURUM AÇMA/KAPAMA <<<" | Out-File $rapor -Append
PS C:\Users\salim> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634,4647; StartTime=$son24saat} -ErrorAction
Get-WinEvent : Missing an argument for parameter 'ErrorAction'. Specify a parameter of type 'System.Management.Automati
on.ActionPreference' and try again.
At line:1 char:94
+ ... ame='Security'; Id=4624,4634,4647; StartTime=$son24saat} -ErrorAction
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-WinEvent], ParameterBindingException
+ FullyQualifiedErrorId : MissingArgument,Microsoft.PowerShell.Commands.GetWinEventCommand
PS C:\Users\salim> SilentlyContinue |
>> Select-Object TimeCreated, Id,
>> @{N='Olay';E={switch($_.Id){4624{'Giriş'}4634{'Çıkış'}4647{'Çıkış'}}}} |
>> Format-Table -AutoSize | Out-String | Out-File $rapor -Append
SilentlyContinue : The term 'SilentlyContinue' is not recognized as the name of a cmdlet, function, script file, or ope
rable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again
.
At line:1 char:1
+ SilentlyContinue |
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (SilentlyContinue:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\salim>
PS C:\Users\salim> # 6. POWERSHELL COMMAND HISTORY (which commands were run?)
PS C:\Users\salim> "`n>>> POWERSHELL KOMUT GEÇMİŞİ <<<" | Out-File $rapor -Append
PS C:\Users\salim> $psHistoryPaths = Get-ChildItem
PS C:\Users\salim> "C:Users*AppDataRoamingMicrosoftWindowsPowerShellPSReadLineConsoleHost_history.txt" -ErrorAction
At line:1 char:85
+ ... osoftWindowsPowerShellPSReadLineConsoleHost_history.txt" -ErrorAction
+ ~~~~~~~~~~~~
Unexpected token '-ErrorAction' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
PS C:\Users\salim> SilentlyContinue
SilentlyContinue : The term 'SilentlyContinue' is not recognized as the name of a cmdlet, function, script file, or ope
rable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again
.
At line:1 char:1
+ SilentlyContinue
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (SilentlyContinue:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\salim> foreach ($h in $psHistoryPaths) {
>> "--- $($h.FullName) ---" | Out-File $rapor -Append
>> Get-Content $h -Tail 200 -ErrorAction SilentlyContinue | Out-File $rapor -Append
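
Steps 5 and 6 failed above because the pasted command broke before `SilentlyContinue`, and the recorded position `char:85` only fits the history path entered without backslashes, as it appears in the note. The following is an added example, not part of the original note, that reruns both steps with splatting and backslash-separated paths and writes any suppressed event-log error into the report instead of discarding it. Assumptions: the names `$olayParam`, `$olayHata`, `$olayAdi`, `$olaylar`, `$gecmisParam` and `$gecmisKlasor` are introduced here, the history path is the default PSReadLine location, and the Security log is read from an elevated prompt.

```powershell
# Added example (not from the original note): steps 5 and 6 of the session.
# Reuse the session's variables when present; otherwise create them.
if (-not $rapor)     { $rapor = "C:\FORENSIC_RAPOR_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt" }
if (-not $son24saat) { $son24saat = (Get-Date).AddHours(-24) }

# 5. Logon/logoff events. Splatting keeps each parameter on its own short line,
#    so a wrapped paste cannot separate -ErrorAction from its value.
$olayAdi   = @{ 4624 = 'Giriş'; 4634 = 'Çıkış'; 4647 = 'Çıkış' }   # labels used in the session
$olayParam = @{
    FilterHashtable = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $son24saat }
    ErrorAction     = 'SilentlyContinue'
    ErrorVariable   = 'olayHata'      # hypothetical name; keeps the suppressed error
}
"`n>>> OTURUM AÇMA/KAPAMA <<<" | Out-File $rapor -Append
$olaylar = Get-WinEvent @olayParam
if ($olayHata) {
    # Access denied or "no events found" is written to the report, not lost.
    "WARNING: $($olayHata[0].Exception.Message)" | Out-File $rapor -Append
}
if ($olaylar) {
    $olaylar |
        Select-Object TimeCreated, Id, @{ N = 'Olay'; E = { $olayAdi[[int]$_.Id] } } |
        Format-Table -AutoSize | Out-String | Out-File $rapor -Append
}

# 6. PSReadLine history of every profile, path written with its backslashes.
$gecmisKlasor = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
$gecmisParam  = @{
    Path        = "$gecmisKlasor\ConsoleHost_history.txt"
    ErrorAction = 'SilentlyContinue'
}
"`n>>> POWERSHELL KOMUT GEÇMİŞİ <<<" | Out-File $rapor -Append
$psHistoryPaths = @(Get-ChildItem @gecmisParam)
if ($psHistoryPaths.Count -eq 0) {
    # An empty section is stated explicitly so it is not mistaken for "no activity".
    "WARNING: no history file matched $($gecmisParam.Path)" | Out-File $rapor -Append
}
foreach ($h in $psHistoryPaths) {
    "--- $($h.FullName) ---" | Out-File $rapor -Append
    Get-Content -LiteralPath $h.FullName -Tail 200 -ErrorAction SilentlyContinue |
        Out-File $rapor -Append
}
```

When saved as a `.ps1` file for Windows PowerShell 5.1, store it as UTF-8 with BOM so the Turkish characters in the strings are read correctly.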
