Scripts for DFIRMA
Get-ScriptBlockCache.ps1
This script uses the Get-ScriptBlockCache function from @Lee_Holmes to extract script content from PowerShell process memory dumps. Thanks to Lee Holmes for all the hard work: http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
Get-CmdlinetBlockCache.ps1
This script implements the process published by @lee_holmes for extracting command lines from a PowerShell process memory dump. For more information, see https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/