CloudStorage_All
Compound v1.4
Author: Chad Tilbury and Andrew Rathbun
description
Cloud Storage Contents and Metadata
includes (14)
paths
63 paths from 14 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: CloudStorage_All
# Run as Administrator
#Requires -RunAsAdministrator
# Non-terminating errors are reported and the script carries on, so one
# unreadable path does not end the whole collection run.
$ErrorActionPreference = 'Continue'

# Drive whose \Users folder is enumerated for the per-profile collection.
$SourceRoot = 'C:'

# Root of the evidence tree; each artifact gets its own subfolder below it.
# NOTE(review): presumably a separate evidence volume - confirm it is not on
# the drive being collected before running.
$DestBase = 'D:\Evidence'

# Running tally updated by Collect-Artifact and printed at the end.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
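function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies the files matching a mask from one or more source directories into
    a named folder under $DestBase and records the outcome in $Summary.

    .DESCRIPTION
    SourceDir may contain wildcards in any path segment; every directory it
    resolves to is copied with robocopy into the same destination folder.
    Outcome accounting, one count per resolved source directory:
      Copied - robocopy reported at least one file copied (exit-code bit 1)
      Missed - the source did not resolve, or robocopy copied nothing
      Errors - robocopy reported a copy failure or fatal error (exit code >= 8)

    Reads the script-level $DestBase and mutates the script-level $Summary.

    .PARAMETER SourceDir
    Directory path or wildcard pattern to collect from.

    .PARAMETER FolderName
    Name of the destination folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file filter; defaults to "*" (all files).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force makes hidden or system directories resolvable as well; without it
    # a directory carrying the Hidden attribute is reported as not found and
    # the artifact would be silently counted as missing.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    # NOTE(review): every match of a wildcard pattern, and every call that
    # reuses the same FolderName, lands in the same destination folder, so
    # same-named files from different sources can overwrite or be skipped in
    # favour of each other, and the originating folder name is not kept.
    foreach ($src in $sources) {
        # /E        recurse into every subdirectory, empty ones included
        # /COPY:DAT file data, attributes and timestamps (no ACLs or owner);
        #           /DCOPY is not set, so directory metadata follows the
        #           robocopy default
        # /R:0 /W:0 no retries - a file that cannot be read (for example one a
        #           running sync client holds open) fails immediately
        # /NP /NFL /NDL /NJH /NJS plus the redirections discard all robocopy
        #           output, so the exit code is the only record of the result.
        # NOTE(review): junctions are followed by default when recursing from
        # a profile or drive root; evaluate robocopy's /XJ for those calls.
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        $exitCode = $LASTEXITCODE

        # robocopy's exit code is a bit mask: 1 = files copied, 2 = extra
        # files in the destination, 4 = mismatches, 8 = some copies failed,
        # 16 = fatal error. Only bit 1 means evidence was actually written;
        # treating every code below 8 as "copied" reports success for sources
        # where nothing matched the mask.
        # NOTE(review): on a re-run into a populated destination robocopy also
        # returns 0 for files skipped as unchanged, which lands in Missed here.
        if ($exitCode -ge 8) {
            $Summary.Errors++
        }
        elseif ($exitCode -band 1) {
            $Summary.Copied++
        }
        else {
            $Summary.Missed++
        }
    }
}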
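# System-wide artifacts: rclone configuration files in service-account and
# system locations, then IDrive logs, settings and databases under ProgramData.
# Each call copies the files matching -FileMask from -SourceDir into the folder
# -FolderName under the evidence root.
# NOTE(review): these paths hard-code C:\ rather than using $SourceRoot.

# 1. Rclone config - SYSTEM SysWOW64 User Folder
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile" -FileMask ".rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_Folder"
# 2. Rclone config - SYSTEM User Folder
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask ".rclone.conf" -FolderName "Rclone_config_SYSTEM_User_Folder"
# 3. Rclone config - LocalService User Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask ".rclone.conf" -FolderName "Rclone_config_LocalService_User_Folder"
# 4. Rclone config - NetworkService User Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask ".rclone.conf" -FolderName "Rclone_config_NetworkService_User_Folder"
# 5. Rclone config - SYSTEM SysWOW64 User .config Folder
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder"
# 6. Rclone config - SYSTEM User .config Folder
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder"
# 7. Rclone config - LocalService User .config Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder"
# 8. Rclone config - NetworkService User .config Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder"
# 9. Rclone config - SYSTEM SysWOW64 User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder_XDG_CONFIG_HOME_Default"
# 10. Rclone config - SYSTEM User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder_XDG_CONFIG_HOME_Default"
# 11. Rclone config - LocalService User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder_XDG_CONFIG_HOME_Default"
# 12. Rclone config - NetworkService User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder_XDG_CONFIG_HOME_Default"
# 13. Rclone config - SYSTEM SysWOW64 User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder_Roaming"
# 14. Rclone config - SYSTEM User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder_Roaming"
# 15. Rclone config - LocalService User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder_Roaming"
# 16. Rclone config - NetworkService User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder_Roaming"

# NOTE(review): Collect-Artifact copies with robocopy /E, so the three
# "Sideloaded Config" calls below walk the whole of SysWOW64, System32 and
# C:\Windows rather than only the named directory - confirm that is intended.
# 17. Rclone config - SysWOW64 Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows\SysWOW64" -FileMask "rclone.conf" -FolderName "Rclone_config_SysWOW64_Sideloaded_Config"
# 18. Rclone config - System32 Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows\System32" -FileMask "rclone.conf" -FolderName "Rclone_config_System32_Sideloaded_Config"
# 19. Rclone config - Windows Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows" -FileMask "rclone.conf" -FolderName "Rclone_config_Windows_Sideloaded_Config"

# The two drive-wide searches must name the root as "C:\". A bare "C:" is
# drive-relative: it resolves to the session's current location on C: (for an
# elevated prompt often C:\Windows\System32), so the "recursive" search would
# silently cover only that subtree and miss configs elsewhere on the drive.
# NOTE(review): a walk from the drive root is slow and crosses every profile.
# 20. Rclone config - Recursive
Collect-Artifact -SourceDir "C:\" -FileMask "rclone.conf" -FolderName "Rclone_config_Recursive"
# 21. Rclone config fallback - Recursive
Collect-Artifact -SourceDir "C:\" -FileMask ".rclone.conf" -FolderName "Rclone_config_fallback_Recursive"

# IDrive: the '*' segment under IBCOMMON is a wildcard; every directory it
# matches is copied into the same destination folder.
# 22. IDrive Cleanup Operations
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup" -FileMask "*" -FolderName "IDrive_Cleanup_Operations"
# 23. IDrive Backup Operations
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\Session\Backup" -FileMask "*" -FolderName "IDrive_Backup_Operations"
# 24. IDrive Delete Operations
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\Session\Delete" -FileMask "*" -FolderName "IDrive_Delete_Operations"
# 25. IDrive Restore Operations
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\Session\Restore" -FileMask "*" -FolderName "IDrive_Restore_Operations"
# 26. IDrive Backup Summary
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\Session\LOGXML" -FileMask "*xml" -FolderName "IDrive_Backup_Summary"
# 27. IDrive Tracefile
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*" -FileMask "Tracefile.txt" -FolderName "IDrive_Tracefile"
# 28. IDrive Mapped Drives
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "IDMappedDrives.txt" -FolderName "IDrive_Mapped_Drives"
# 29. IDrive Backup Schedule
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "schedule.xml" -FolderName "IDrive_Backup_Schedule"
# 30. IDrive Schedule History
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "Sch_Trace.txt" -FolderName "IDrive_Schedule_History"
# 31. IDrive Configuration
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "idrive.ini" -FolderName "IDrive_Configuration"
# 32. IDrive Local Drives
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "get_Alldrives.txt" -FolderName "IDrive_Local_Drives"
# 33. IDrive Exclusion Configurations
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "Exclude*" -FolderName "IDrive_Exclusion_Configurations"
# 34. IDrive User Details
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON" -FileMask "AutoComp.ini" -FolderName "IDrive_User_Details"
# 35. IDrive SQL Database (the folder name keeps the original spelling so the
# evidence layout does not change)
Collect-Artifact -SourceDir "C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*" -FileMask "*.ibds" -FolderName "IDrive_SQL_Databse"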
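# Per-profile artifacts. Each row is collected once for every user profile:
#   Sub   - path below the profile folder ('' = the profile folder itself);
#           may end in a wildcard segment
#   Mask  - robocopy file filter
#   Label - destination folder prefix; the profile name is appended as
#           "<Label>_<profile>"
# Rows run in the order listed.
# NOTE(review): the five Dropbox metadata rows share one Label and therefore
# one destination folder per profile.
# NOTE(review): 'Microsoft\Protect\*' copies the contents of each matched
# subfolder into one folder, so the subfolder names themselves are not kept in
# the evidence - confirm that is acceptable for later analysis.
# NOTE(review): reading the synced user-file folders (OneDrive*, Dropbox*,
# Google Drive*, Box) on a live system may make the sync client download
# cloud-only placeholder files - confirm before collecting from a system that
# is still online.
$perUserTargets = @(
    @{ Sub = 'Box';                                Mask = '*';                  Label = 'Box_Drive_User_Files' }
    @{ Sub = 'Box Sync';                           Mask = '*';                  Label = 'Box_Sync_User_Files' }
    @{ Sub = 'Dropbox*';                           Mask = '*';                  Label = 'Dropbox_User_Files' }
    @{ Sub = 'Google Drive*';                      Mask = '*';                  Label = 'Google_Drive_Backup_and_Sync_User_Files' }
    @{ Sub = 'OneDrive*';                          Mask = '*';                  Label = 'OneDrive_User_Files' }
    @{ Sub = 'AppData\Local\pCloud';               Mask = '*.db';               Label = 'pCloud_Database' }
    @{ Sub = 'AppData\Local\pCloud';               Mask = '*.db-wal';           Label = 'pCloud_Database_WAL_File' }
    @{ Sub = 'AppData\Local\pCloud';               Mask = '*.db-shm';           Label = 'pCloud_Database_Shared_Memory_File' }
    @{ Sub = 'AppData\Local\SugarSync';            Mask = 'sc1.log';            Label = 'SugarSync_Log_File' }
    @{ Sub = 'Documents\SugarSync Shared Folders'; Mask = '*';                  Label = 'SugarSync_Shared_Folders_Default_Location' }
    @{ Sub = 'Documents\My SugarSync';             Mask = '*';                  Label = 'SugarSync_My_SugarSync_Default_Location' }
    @{ Sub = 'AppData\Local\Box\Box';              Mask = '*';                  Label = 'Box_Drive_Application_Metadata' }
    @{ Sub = 'AppData\Local\Box Sync';             Mask = '*';                  Label = 'Box_Sync_Application_Metadata' }
    @{ Sub = 'AppData\Local\Dropbox';              Mask = 'info.json';          Label = 'Dropbox_Metadata' }
    @{ Sub = 'AppData\Local\Dropbox';              Mask = 'host.db';            Label = 'Dropbox_Metadata' }
    @{ Sub = 'AppData\Local\Dropbox\machine_storage'; Mask = 'tray-thumbnails.db'; Label = 'Dropbox_Metadata' }
    @{ Sub = 'AppData\Local\Dropbox';              Mask = 'host.dbx';           Label = 'Dropbox_Metadata' }
    @{ Sub = 'AppData\Roaming\Microsoft\Protect\*'; Mask = '*';                 Label = 'Windows_Protect_Folder' }
    @{ Sub = 'AppData\Local\Dropbox\instance*';    Mask = '*';                  Label = 'Dropbox_Metadata' }
    @{ Sub = 'AppData\Local\Google\Drive';         Mask = '*';                  Label = 'Google_Drive_Backup_and_Sync_Metadata' }
    @{ Sub = 'AppData\Local\Google\DriveFS';       Mask = '*';                  Label = 'Google_Drive_for_Desktop_Metadata' }
    @{ Sub = 'AppData\Local\Mega Limited\MEGAsync'; Mask = '*';                 Label = 'MegaSync_Folder' }
    @{ Sub = 'AppData\Local\Microsoft\OneDrive';   Mask = '*';                  Label = 'OneDrive_User_Profile' }
    @{ Sub = '';                                   Mask = '.rclone.conf';       Label = 'Rclone_config_User_Folder' }
    @{ Sub = '.config\rclone';                     Mask = 'rclone.conf';        Label = 'Rclone_config_User_config_Folder' }
    @{ Sub = 'AppData\Local\rclone';               Mask = 'rclone.conf';        Label = 'Rclone_config_User_config_Folder_XDG_CONFIG_HOME_Default' }
    @{ Sub = 'AppData\Roaming\rclone';             Mask = 'rclone.conf';        Label = 'Rclone_config_User_config_Folder_Roaming' }
    @{ Sub = 'AppData\Roaming\FreeFileSync\Logs';  Mask = '*';                  Label = 'FreeFileSync' }
)

# Built-in entries under \Users that are not real user profiles.
$skippedProfiles = @('All Users', 'Default', 'Default User', 'Public')

# Iterate every user profile under the source drive.
# -Force is required so that profile folders carrying the Hidden attribute are
# enumerated too; without it Get-ChildItem leaves them out and a hidden
# account's cloud-storage artifacts would never be collected. The hidden
# built-in entries this exposes are already in the skip list above.
Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $skippedProfiles -notcontains $_.Name } |
    ForEach-Object {
        $account = $_.Name
        $profileDir = $_.FullName
        foreach ($row in $perUserTargets) {
            # An empty Sub means the profile folder itself is the source.
            if ($row.Sub) {
                $sourcePath = "$profileDir\$($row.Sub)"
            }
            else {
                $sourcePath = $profileDir
            }
            Collect-Artifact -SourceDir $sourcePath -FileMask $row.Mask -FolderName ('{0}_{1}' -f $row.Label, $account)
        }
    }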
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save the script as a .ps1 file and run it as Administrator, after setting $DestBase to your evidence destination. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 8 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_online_backup_services.
Install one of the applications not covered above and find where it stores useful information. If useful information can be located, make an individual Target for it and place it in the appropriate folder. Then include that Target in the appropriate Compound Target.