Fixed Get-LogWinEvent, updated README.MD

Modules/Forensics/Get-ForAlternateDataStreams.ps1

@@ -0,0 +1,43 @@
+<# 
+.SYNOPSIS
+    Get-ForAlternateDataStream is a wrapper for Get-ForensicAlternateDataStream. Get-ForAlternateDataStream parses the Master File Table 
+    and returns AlternateDataStream objects for files that contain more than one $DATA attribute.
+
+    NTFS stores file contents in $DATA attributes. The file system allows a single file to maintain multiple $DATA attributes. When a file 
+    has more than one $DATA attribute the additional attributes are referred to as "Alternate Data Streams".
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+.PARAMETER Path
+    The path of a file that should be checked for alternate data streams.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(Mandatory, ParameterSetName = 'ByPath')]
+    [Alias('FullName')]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        Get-ForensicAlternateDataStream -VolumeName $VolumeName
+    }
+    else{
+        Get-ForensicAlternateDataStream -Path $Path
+    }
+}

Modules/Forensics/Get-ForAttrDef.ps1

@@ -0,0 +1,42 @@
+<# 
+.SYNOPSIS
+    Get-ForAttrDef is a wrapper for Get-ForensicAttrDef. Get-ForAttrDef parses the $AttrDef file on the specified volume 
+    and returns information about all MFT file attributes usable in the volume.
+
+    By default, the cmdlet parses the $AttrDef file on the C:\ drive. To change the target drive, use the VolumeName 
+    parameter or use the Path parameter to specify an exported $AttrDef file.
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+.PARAMETER Path
+    The path to the desired MFT.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(Mandatory, ParameterSetName = 'ByPath', ValueFromPipelineByPropertyName = $true)]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        Get-ForensicAttrDef -VolumeName $VolumeName
+    }
+    else{
+        Get-ForensicAttrDef -Path $Path
+    }
+}

Modules/Forensics/Get-ForFileRecord.ps1

@@ -0,0 +1,53 @@
+<# 
+.SYNOPSIS
+    Get-ForFileRecord is a wrapper for Get-ForensicFileRecord. Get-ForFileRecord parses the $MFT file 
+    and returns an array of FileRecord entries.
+
+    By default, this cmdlet parses the $MFT file on the C:\ drive. To change the target drive, 
+    use the VolumeName parameter or use the Path parameter to specify an exported $MFT file.
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+.PARAMETER Index
+    Specifies the index of the file record in the MFT. 
+
+.PARAMETER Path
+    The path to the MFT; could be on a volume different from the default.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [long]$Index = 0,
+
+    [Parameter(Mandatory, ParameterSetName = 'ByPath')]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        if($PSBoundParameters.ContainsKey('Index')){
+            Get-ForensicFileRecord -VolumeName $VolumeName -Index $Index
+        }
+        else{
+            Get-ForensicFileRecord -VolumeName $VolumeName
+        }
+    }
+    else{
+        Get-ForensicFileRecord -Path $Path
+    }
+}

Modules/Forensics/Get-ForFileRecordIndex.ps1

@@ -0,0 +1,24 @@
+<# 
+.SYNOPSIS
+    Get-ForFileRecordIndex is a wrapper for Get-ForFileRecordIndex. Get-ForFileRecordIndex returns the 
+    Master File Table Record Index Number for the specified file.
+
+.PARAMETER Path
+    The path of a file for which the user wants the MFT record entry for.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+Param(
+    [Parameter(Mandatory, ParameterSetName = 'ByPath')]
+    [Alias('FullName')]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    Get-ForensicFileRecordIndex -Path $Path
+}

Modules/Forensics/Get-ForFileSlack.ps1

@@ -0,0 +1,51 @@
+<# 
+.SYNOPSIS
+    Get-ForFileSlack is a wrapper for Get-ForensicFileSlack. Get-ForFileSlack gets 
+    the specified volume's slack space as a byte array.
+
+    "Slack space" is the difference between the true size of a file's contents and 
+    the allocated size of a file on disk.
+
+    When NTFS stores data in a file, the data must be allocated in cluster-sized 
+    chunks (commonly 4096 bytes), which creates slack space.
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+.PARAMETER Index
+    Specifies the index number of the file to return slack space for.
+
+.PARAMETER Path
+    The path of the file to return slack space for.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [long]$Index = 0,
+
+    [Parameter(ParameterSetName = 'ByPath')]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        Get-ForensicFileSlack -VolumeName $VolumeName
+    }
+    else{
+        Get-ForensicFileSlack -Path $Path
+    }
+}

Modules/Forensics/Get-ForMftSlack.ps1

@@ -0,0 +1,51 @@
+<# 
+.SYNOPSIS
+    Get-ForMftSlack is a wrapper for Get-ForensicMftSlack. Get-ForMftSlack 
+    returns a byte array representing the slack space found in Master File 
+    Table (MFT) records.
+
+    Each MFT File Record is 1024 bytes long. When a file record does not 
+    allocate all 1024 bytes, the remaining bytes are considered "slack". 
+    To compute slack space, compare the AllocatedSize and RealSize properties 
+    of a FileRecord object.
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+.PARAMETER Index
+    Specifies the index number of the file to return slack space for.
+
+.PARAMETER Path
+    The path of the file to return slack space for.
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [long]$Index = 0,
+
+    [Parameter(ParameterSetName = 'ByPath')]
+    [string]$Path
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        Get-ForensicMftSlack -VolumeName $VolumeName
+    }
+    else{
+        Get-ForensicMftSlack -Path $Path
+    }
+}

Modules/Forensics/Get-ForUsnJrnl.ps1

@@ -0,0 +1,44 @@
+<# 
+.SYNOPSIS
+    Get-ForUsnJrnl is a wrapper for Get-ForensicUsnJrnl. Get-ForUsnJrnl cmdlet parses the 
+    $UsnJrnl file's $J data stream to return UsnJrnl entries. If you do not specify a Usn 
+    (Update Sequence Number), it returns all entries in the $UsnJrnl.
+
+    The $UsnJrnl file maintains a record of all file system operations that have occurred. 
+    Because the file is circular, entries are overwritten.
+
+.PARAMETER VolumeName
+    Specifies the name of the volume or logical partition.
+
+    Enter the volume name in one of the following formats: \\.\C:, C:, or C.
+    Defaults to \\.\C:
+
+
+.PARAMETER Usn
+    Specifies the Update Sequence Number
+
+Next line is required by Kansa for proper handling of this script's
+output.
+OUTPUT TSV
+#>
+
+[cmdletbinding(DefaultParameterSetName='ByVolume')]
+Param(
+    [Parameter(ParameterSetName = 'ByVolume')]
+    [ValidatePattern('^(\\\\\.\\)?([A-Za-z]:)$')]
+    [string]$VolumeName = '\\.\C:',
+
+    [Parameter(Mandatory, ParameterSetName = 'ByUsn')]
+    [long]$Usn
+)
+
+begin{}
+
+process{
+    if($PSCmdlet.ParameterSetName -eq 'ByVolume'){
+        Get-ForensicUsnJrnl -VolumeName $VolumeName
+    }
+    else{
+        Get-ForensicUsnJrnl -Usn $Usn
+    }
+}