ConvertFrom-BinaryData
NAME ConvertFrom-BinaryData
SYNOPSIS
Parses binary files to extract the data within.
SYNTAX
ConvertFrom-BinaryData [-Path] <String> [-TemplatePath] <String> [<CommonParameters>]
DESCRIPTION
The Invoke-BinShred cmdlet uses a structured template to parse binary files.
Unlike most commands in the PowerForensics module, this command does not require administrator privileges.
The cmdlet returns the file contents as an ordered dictionary (like a hash table, but in guaranteed order). There
is one key in the dictionary for each item in the template header.
Despite the name, the Invoke-ForensicBinShred cmdlet parses the file; it does not "shred," delete, or zero-out the
file.
For detailed instructions about writing a template for a particular binary file or file type, see
about_BinShred_Templates.
PARAMETERS
-Path <String>
Specifies the path to the binary file to be parsed. This parameter is required.
Enter the file name or fully-qualified path. If you omit the path, the default location is the local directory.
Required? true
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? false
-TemplatePath <String>
Specifies the path to a binShred template. This parameter is required.
Enter the name of a file with a .bst file name extension. If the template file is not in the local directory,
include the path.
Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
You cannot pipe input to this cmdlet.
OUTPUTS
System.Collections.Specialized.OrderedDictionary
Returns an object that represents the data structures in the binary file.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Invoke-ForensicBinShred -Path .\Words.bin -TemplatePath .\WordParser.bst
Name                           Value
----                           -----
magic                          LH
wordCount                      2
words                          {System.Collections.Specialized.OrderedDictionary,....
This command uses the Invoke-ForensicBinShred cmdlet and the WordParser.bst file to parse the Words.bin file.
The command returns an ordered dictionary with keys that match the elements in the header of the template file.
The template also determines the .NET types of the values, such as ASCII (magic), Int32 (wordCount), and words
(nested dictionaries of UTF8 characters).
-------------------------- EXAMPLE 2 --------------------------
PS C:\># In Words.bin
4c48 0200 0000 0500 0000 4865 6c6c 6f05
0000 0057 6f72 6c64
# In WordParser.bst
header :
    magic (2 bytes as ASCII)
    wordCount (4 bytes as UINT32)
    words (wordCount items);
words :
    wordLength (4 bytes as UINT32)
    word (wordLength bytes as UTF8);
PS C:\> $w = Invoke-ForensicBinShred -Path .\Words.bin -TemplatePath .\WordParser.bst
PS C:\> $w
Name                           Value
----                           -----
magic                          LH
wordCount                      2
words                          {System.Collections.Specialized.OrderedDictionary,...
PS C:\> $w.words
Name                           Value
----                           -----
wordLength                     5
word                           Hello
wordLength                     5
word                           World
PS C:\> $w.words.word
Hello
World
This example shows how Invoke-ForensicBinShred uses a structured template to parse a binary file.
The first item shows the content of the Words.bin file. The second item shows the content of the WordParser.bst
template file.
The first command uses the Invoke-ForensicBinShred cmdlet and the template to parse the Words.bin file. The
command saves the result in the $w variable.
The second command shows the contents of the $w variable. The cmdlet returned an ordered dictionary with keys that
match the items in the header section of the template. Based on the template, which has a words section, the value
of the words key is a series of nested dictionaries.
The third command shows the value of the words key in the dictionary in $w, which is an array of nested
dictionaries. The keys in the nested dictionary match the items in the words section of the template.
The fourth command gets only the value of the word key in the words nested dictionary.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Invoke-ForensicBinShred -Path .\Words.bin -TemplatePath bad-wordParser.bst
Invoke-ForensicBinShred : Index and count must refer to a location within the buffer.
Parameter name: bytes
At line:1 char:1
+ Invoke-ForensicBinShred @params
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-ForensicBinShred], ArgumentOutOfRangeException
+ FullyQualifiedErrorId : System.ArgumentOutOfRangeException,PowerForensics.Cmdlets.BinShredCommand
This command fails because the size or number of items specified by the template does not match the number of
bytes in the file. The template might account for too many or too few bytes.
If you get an error like this one, verify that the items in the template and their lengths match the content of
the input file.
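The layout that WordParser.bst describes, walked by hand with a bounds check before every read. This is an added example, not the cmdlet's implementation; Read-Field and ConvertFrom-WordsBuffer are hypothetical names, and integers are assumed little-endian as in the Example 2 hex dump. It shows why a template that does not match the file fails as in Example 3: a length or count field points past the end of the buffer.

```powershell
# Added example: a hand-written equivalent of WordParser.bst, not the cmdlet's own code.
# The bytes are the Words.bin hex dump from Example 2.
$hex   = '4c48020000000500000048656c6c6f05000000576f726c64'
$bytes = [byte[]]::new($hex.Length / 2)
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
}

function Read-Field {
    # Returns the next $Count bytes and advances $Offset; never reads past the end of the buffer.
    param([byte[]]$Buffer, [ref]$Offset, [int]$Count, [string]$Name)
    if ($Count -lt 0 -or $Offset.Value + $Count -gt $Buffer.Length) {
        throw "Field '$Name' needs $Count bytes at offset $($Offset.Value), buffer has $($Buffer.Length)."
    }
    $slice = [byte[]]::new($Count)
    [Array]::Copy($Buffer, $Offset.Value, $slice, 0, $Count)
    $Offset.Value += $Count
    ,$slice
}

function ConvertFrom-WordsBuffer {
    # header: magic (2 bytes ASCII), wordCount (UINT32), then wordCount length-prefixed UTF8 words.
    param([byte[]]$Buffer)
    $pos    = 0
    $result = [ordered]@{}
    $result.magic     = [Text.Encoding]::ASCII.GetString((Read-Field $Buffer ([ref]$pos) 2 'magic'))
    $result.wordCount = [BitConverter]::ToUInt32((Read-Field $Buffer ([ref]$pos) 4 'wordCount'), 0)
    $result.words = @(for ($n = 0; $n -lt $result.wordCount; $n++) {
        $len = [BitConverter]::ToUInt32((Read-Field $Buffer ([ref]$pos) 4 'wordLength'), 0)
        [ordered]@{
            wordLength = $len
            word       = [Text.Encoding]::UTF8.GetString((Read-Field $Buffer ([ref]$pos) $len 'word'))
        }
    })
    if ($pos -ne $Buffer.Length) {
        Write-Warning "$($Buffer.Length - $pos) trailing bytes are not described by the layout."
    }
    $result
}

$w = ConvertFrom-WordsBuffer $bytes
$w.words.word

# Same layout against a truncated copy of the file: the last word runs past the buffer.
try { ConvertFrom-WordsBuffer ($bytes[0..19]) } catch { "Rejected: $_" }
```

Because each read is checked against the remaining buffer, an oversized wordCount or wordLength in an untrusted file stops the parse at the first field that does not fit instead of driving a large allocation or an out-of-range read.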
RELATED LINKS
about_binShred_Templates