Jet Mariano

Tag: Forensics

  • Why PowerShell Still Beats Purview for Real Forensics: Speed, Depth, and No UI Limits

    Introduction

    Microsoft Purview is Microsoft’s compliance, audit, and eDiscovery platform for Microsoft 365. It provides GUI-driven tools for administrators to perform searches, create holds, review data, and respond to legal and compliance requirements.

    But here’s the reality that senior M365 engineers know:

    Purview is powerful, but it is not complete.
    It has strict limits, throttles, and boundaries designed for safety and performance — not deep forensic analysis.

    This is why serious investigations always end up in PowerShell, where engineers can bypass GUI limitations, perform deeper searches, and collect evidence with precision.

    Section 1 — What Purview Is (in plain English)

    Purview provides:

    • Content search
    • eDiscovery (Standard & Premium)
    • Litigation holds
    • Audit logs
    • Labeling and retention
    • Insider risk scanning
    • Communication compliance

    It is designed for:

    • Legal teams
    • Compliance officers
    • HR investigations
    • Corporate governance
    • High-level reporting

    And for these purposes, Purview works very well.

    Section 2 — The Hidden Limitations of Purview

    Here are the real limits engineers face:

    1. Sending & Rate Limits

    Purview actions follow the same throttling limits as Exchange Online.
    You cannot pull unlimited messages instantly.

    2. eDiscovery Query Limits

    Each Purview search query is limited to:
    10,000 characters
    This is a major limitation for complex filters.

    3. Maximum Export Sizes

    Large exports (multiple gigabytes) often fail or time out.
    This is why forensic engineers break searches into chunks.

    4. Maximum Holds Per Mailbox

    A mailbox can only have:
    25 holds total
    More than 25 affects performance, indexing, and mailbox health.

    5. External Recipient Limits

    Purview cannot override existing mailbox restrictions.

    6. Tenant-Wide Limits

    Even Premium eDiscovery has:

    • Search concurrency limits
    • Workflow throttling
    • Processing delays
    • Indexing dependency (if an item isn’t indexed, Purview can’t see it)

    7. Purview is not real-time

    It depends on indexing engines.
    Indexing delays = missing results.

    8. Purview cannot reveal everything

    For true forensics you often need:

    • Message trace logs
    • Transport logs
    • Historical mailbox snapshots
    • DeletedItems and RecoverableItems subfolders
    • Soft delete and hard delete content
    • Hidden folders
    • Unindexed items

    Purview cannot provide all of that.

    Section 3 — Why PowerShell is Superior for True Forensics

    When Microsoft engineers or financial institutions perform real investigations, they do not rely on Purview alone. They rely on PowerShell because PowerShell can do what Purview cannot.

    1. Access Every Folder (Including Hidden Ones)

    PowerShell can query:

    • Inbox
    • Sent
    • DeletedItems
    • RecoverableItems
    • Purges
    • Versions
    • Subfolders not visible in Outlook
    • Unindexed items

    Purview can’t.

    2. No GUI query limit

    There is no 10,000-character query restriction in PowerShell.

    Pattern searches can be huge, detailed, and layered.

    3. Deep Header and Message Metadata Extraction

    PowerShell can extract:

    • X-MS-Exchange-Organization-AuthAs
    • X-MS-Exchange-CrossTenant-*
    • Original client IP
    • Authentication results
    • Message submission type
    • Connector source
    • Spam confidence level (SCL)
    • Envelope sender
    • Message ID tracking

    Purview provides only summarized metadata.

    4. Instant, Real-Time Search

    PowerShell does not wait for indexing.
    You can search unindexed items directly.

    This is critical in security incidents.

    5. Mailbox Timeline Reconstruction

    With PowerShell you can reconstruct:

    • When the message was received
    • When it was moved
    • If rules redirected it
    • If a compromised mailbox forwarded it
    • If the user deleted it
    • If it was purged

    Purview cannot reconstruct movement history.

    6. PowerShell is scripting + automation

    You can automate:

    • Large case collections
    • Exports
    • Multi-mailbox searches
    • Pattern scans
    • Complex filters
    • Timeline reconstruction

    Purview cannot automate eDiscovery at the same level.

    Section 4 — When to Use Purview vs PowerShell

    Use Purview for:

    • Legal holds
    • HR requests
    • Basic content searches
    • Governance
    • Compliance reporting
    • Policy enforcement

    Use PowerShell for:

    • Security incidents
    • Ransomware investigations
    • BEC (Business Email Compromise)
    • External spoofing investigations
    • Compromised mailbox analysis
    • Hidden folder discovery
    • Deep metadata extraction
    • Multi-mailbox timeline reconstruction

    Most senior email engineers agree:

    Purview is the “legal view.”
    PowerShell is the “truth view.”

    Conclusion

    Purview is an essential tool for compliance and legal workflows — but it is not a forensic engine.
    Its GUI limits, throttles, and reliance on indexing mean that it can never replace the precision, speed, and depth of PowerShell.

    This is why real investigations — especially in financial institutions and regulated organizations — always rely on PowerShell for final answers.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Hot-cloning a Running Windows 11 VM in vSphere (Forensic, Redacted Runbook)

    This guide covers hot cloning a Windows 11 VM in vSphere with PowerCLI

    Goal. Create a new Windows 11 jump VM (WIN11-Jumpbox-6) by cloning a running source (WIN11-Jumpbox-2) in vCenter—without interrupting the source—and bring the clone up with a fresh identity (Sysprep), correct name, and domain join.

    Applies to. vCenter/vSphere with vSAN (or any datastore), Windows 11 guest, PowerCLI.

    Redaction note: All names below are placeholders. Replace the ALL_CAPS parts with local values.
    vCenter: VCENTER.FQDN
    Source VM: WIN11-Jumpbox-2
    New VM: WIN11-Jumpbox-6
    Target ESXi host: esxi-03.example.local
    Datastore: vsanDatastore
    Domain (optional): corp.local
    Join account: corp.local\joinaccount

    Constraints & safety

    • No source outage. Clone while the source is powered on (vCenter snapshots and clones from it).
    • Fresh identity. Use guest customization (Sysprep) so the clone receives a new SID and hostname.
    • Parameter sets. When cloning with -VM, avoid -NetworkName/-NumCPU/-MemoryGB in the same New-VM call; set those after the clone boots.
    • VMware Tools must be running in the guest for customization to apply.

    Pre-flight checks (30–60 seconds)

    # Connect
Connect-VIServer VCENTER.FQDN

# Capacity snapshot (optional)
Get-VMHost | Select Name,
 @{N="CPU MHz Used";E={$_.CpuUsageMhz}},
 @{N="CPU MHz Total";E={$_.CpuTotalMhz}},
 @{N="Mem GB Used";E={[math]::Round($_.MemoryUsageGB,2)}},
 @{N="Mem GB Total";E={[math]::Round($_.MemoryTotalGB,2)}}

Get-Datastore -Name "vsanDatastore" | Select Name,Type,State,
 @{N="CapacityGB";E={[math]::Round($_.CapacityGB,2)}},
 @{N="FreeGB";E={[math]::Round($_.FreeSpaceGB,2)}},
 @{N="Free%";E={[math]::Round(($_.FreeSpaceGB/$_.CapacityGB)*100,2)}}

    Rule of thumb: keep vSAN Free% ≥ 20–25% to avoid slack-space pressure during resync/rebuild.

    Method A — Clone with one-time guest customization (recommended)

    This path Syspreps the clone, renames it, and (optionally) joins the domain. It also avoids the PowerShell reserved variable $host (use $targetHost).

    # -------- Vars --------
$srcName        = "WIN11-Jumpbox-2"
$newName        = "WIN11-Jumpbox-6"
$targetHostName = "esxi-03.example.local"
$dsName         = "vsanDatastore"
$domainFqdn     = "corp.local"                 # leave blank if no domain join
$joinUser       = "corp.local\joinaccount"     # account allowed to join computers

# -------- Objects --------
$src        = Get-VM -Name $srcName -ErrorAction Stop
$targetHost = Get-VMHost -Name $targetHostName -ErrorAction Stop
$ds         = Get-Datastore -Name $dsName -ErrorAction Stop
$pg         = ($src | Get-NetworkAdapter | Select-Object -First 1).NetworkName

# -------- One-time Windows customization spec (NonPersistent) --------
$specName = "TMP-Join-Redacted"
$existing = Get-OSCustomizationSpec -Name $specName -ErrorAction SilentlyContinue
if ($existing) { Remove-OSCustomizationSpec -OSCustomizationSpec $existing -Confirm:$false }

# If domain join is desired
$spec = if ($domainFqdn) {
  $joinCred = Get-Credential -UserName $joinUser -Message "Password for $joinUser"
  New-OSCustomizationSpec -Name $specName -Type NonPersistent `
    -OSType Windows -NamingScheme VMName -FullName "IT" -OrgName "Redacted" `
    -Domain $domainFqdn -DomainCredentials $joinCred
}
else {
  New-OSCustomizationSpec -Name $specName -Type NonPersistent `
    -OSType Windows -NamingScheme VMName -FullName "IT" -OrgName "Redacted"
}

# NIC(s) -> DHCP (switch to static if needed)
Get-OSCustomizationNicMapping -OSCustomizationSpec $spec |
  ForEach-Object { Set-OSCustomizationNicMapping -OSCustomizationNicMapping $_ -IpMode UseDhcp | Out-Null }

# -------- Clone (do NOT pass -NetworkName/-NumCPU/-MemoryGB here) --------
$newVM = New-VM -Name $newName -VM $src -VMHost $targetHost -Datastore $ds -OSCustomizationSpec $spec

Start-VM $newVM
$newVM | Wait-Tools -TimeoutSeconds 900

# -------- Post-boot tuning --------
Set-VM -VM $newVM -NumCPU 4 -MemoryGB 8 -Confirm:$false
Get-NetworkAdapter -VM $newVM | Set-NetworkAdapter -NetworkName $pg -Connected:$true -Confirm:$false

    Why this works (and common pitfalls)

    • Reserved variable. Cannot overwrite variable Host… appears when assigning to $host (PowerShell reserved). Use $targetHost.
    • Missing spec. Get-OSCustomizationSpec … ObjectNotFound indicates the named spec didn’t exist. The runbook creates a NonPersistent spec on the fly.
    • Ambiguous parameter set. New-VM : Parameter set cannot be resolved… occurs when mixing clone parameter -VM with -NetworkName/-NumCPU/-MemoryGB. Clone first, then adjust CPU/RAM/NIC after boot.

    Method B — Fallback: clone now, join inside the guest

    If guest customization is blocked (e.g., Tools not running, limited join rights), clone without customization, then rename/join inside the guest.

    # Clone without customization
$src        = Get-VM -Name "WIN11-Jumpbox-2"
$targetHost = Get-VMHost -Name "esxi-03.example.local"
$ds         = Get-Datastore -Name "vsanDatastore"
$newName    = "WIN11-Jumpbox-6"

$newVM = New-VM -Name $newName -VM $src -VMHost $targetHost -Datastore $ds
Start-VM $newVM
$newVM | Wait-Tools -TimeoutSeconds 900

# Rename to match VM name (inside guest)
$localAdminCred = Get-Credential -Message "Local Administrator on the cloned VM"
Invoke-VMScript -VM $newVM -GuestCredential $localAdminCred -ScriptType Powershell -ScriptText `
 'Rename-Computer -NewName "WIN11-Jumpbox-6" -Force; Restart-Computer -Force'

$newVM | Wait-Tools -TimeoutSeconds 900

# Optional domain join (inside guest)
$joinCred = Get-Credential -UserName "corp.local\joinaccount"
Invoke-VMScript -VM $newVM -GuestCredential $localAdminCred -ScriptType Powershell -ScriptText `
 'Add-Computer -DomainName "corp.local" -Credential (New-Object System.Management.Automation.PSCredential("corp.local\joinaccount",(Read-Host -AsSecureString))) -Force -Restart'

    Verification (quick, non-invasive)

    # Where did it land? (host, datastore, portgroup)
Get-VM -Name "WIN11-Jumpbox-6" | Select Name,PowerState,
 @{N="Host";E={$_.VMHost.Name}},
 @{N="Datastore(s)";E={($_ | Get-Datastore).Name -join ", "}},
 @{N="PortGroup";E={(Get-NetworkAdapter -VM $_ | Select -First 1).NetworkName}}

# Optional: ensure VM files are on the intended datastore
Get-VM -Name "WIN11-Jumpbox-6" | Get-HardDisk | Select Parent,Name,FileName

    Post-build hygiene

    • RDP enabled; restricted to an AD group.
    • Endpoint agents (AV/EDR/RMM) register as a new device (fresh identity).
    • Patching applied; baseline GPO/Intune policies targeted; backup/monitoring added.

    Forensic addendum: errors & remediation

    • Cannot overwrite variable Host…
      Cause: attempted $host = Get-VMHost … (PowerShell reserved).
      Fix: rename the variable to $targetHost.
    • Get-OSCustomizationSpec … ObjectNotFound
      Cause: referenced a non-existent customization spec.
      Fix: create a NonPersistent spec in-line.
    • New-VM … Parameter set cannot be resolved…
      Cause: mixed -VM (clone) with create-new switches.
      Fix: keep New-VM to the clone parameter set; tune CPU/RAM/NIC after boot.

    Security & privacy guardrails

    • No real hostnames, domains, IPs, or identifying screenshots in public artifacts.
    • Least-privilege join accounts or pre-staged computer objects in AD.
    • When publishing logs, hash or redact VM names and datastore paths.

    Summary

    Hot-cloning a Windows 11 VM in vSphere is reliable for a jump host when the process (1) allows vCenter to snapshot and clone a powered-on source, (2) applies Sysprep guest customization for a clean identity, and (3) keeps New-VM to a single parameter set. The runbook above is deterministic, quiet, and free of sensitive fingerprints.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!