CombinedLogs

Author: Mike Cary; Mark Hallman added the USBDevicelogs target; Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts targets

description

Collect Windows Event logs (.evt/.evtx), ETW trace logs (WDI, WMI, SleepStudy, energy-ntkl, Delivery Optimization), Windows Firewall logs, setupapi device-installation logs (USBDevicelogs), PowerShell console history and transcripts, and .NET CLR UsageLogs

includes (7)

paths

31 paths from 7 targets
Paths use Windows environment syntax; the generated script below expands them to literal C:\ paths.

collection commands

# PowerShell Artifact Collection Script
# Target: CombinedLogs
# Run as Administrator

#Requires -RunAsAdministrator

# Keep going past individual failures: every artifact is best-effort and the
# per-path outcome is tallied in $Summary instead of aborting the run.
$ErrorActionPreference = 'Continue'
# Drive that holds the Users profile tree. Only the per-user loop honours it;
# the machine-wide artifact paths below hard-code C:\ directly.
$SourceRoot = 'C:'
# Evidence destination. Every artifact lands in a named sub-folder beneath it,
# so this should be a volume other than the one being collected.
$DestBase   = 'D:\Evidence'
# Run tallies incremented by Collect-Artifact and printed at the end.
$Summary = @{}
$Summary['Copied'] = 0
$Summary['Missed'] = 0
$Summary['Errors'] = 0

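function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies one artifact location (optionally filtered by a file mask) into a
        named sub-folder of $DestBase and tallies the outcome in $Summary.
    .PARAMETER SourceDir
        Source directory. May contain wildcards in any path segment (e.g.
        'Program Files*', 'CLR_*'); every matching directory is collected.
    .PARAMETER FolderName
        Sub-folder of $DestBase that receives the copy. Several callers share one
        FolderName (the live and the Windows.old copy of the same log), so the
        source path is preserved beneath it to keep those copies apart.
    .PARAMETER FileMask
        robocopy file mask, applied recursively (/E). Defaults to every file.
    .NOTES
        Reads the script-scoped $DestBase and increments the script-scoped
        $Summary counters (Copied / Missed / Errors). robocopy backup mode (/B)
        needs an elevated session, which the script's #Requires line enforces.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment here; robocopy does not glob its
    # source argument. Only directories are collected.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    foreach ($src in $sources) {
        # Mirror the source path (drive letter without the colon) under the
        # target folder. Without this, a second source that carries the same
        # file names (e.g. Windows.old\...\Security.evtx collected after the
        # live Security.evtx into the same FolderName) overwrites the first
        # copy, because robocopy replaces destination files that differ.
        $relative = ($src.FullName -replace '^([A-Za-z]):', '$1').TrimStart('\')
        $srcDest  = Join-Path -Path $FullDest -ChildPath $relative
        # Pre-create the tree; robocopy also creates it if this fails silently.
        $null = New-Item -ItemType Directory -Force -Path $srcDest -ErrorAction SilentlyContinue
        # /B        backup mode (SeBackupPrivilege) so files whose ACL excludes
        #           the collecting account are still readable.
        # /COPY:DAT data, attributes and timestamps (no ACL/owner; the evidence
        #           volume may not accept them).
        # /R:0 /W:0 never block on a locked or vanished file.
        robocopy $src.FullName "$srcDest" "$FileMask" /E /B /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are informational bit flags (files copied,
        # extras, mismatches); 8 and above mean at least one copy failed.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}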

# Machine-wide artifact locations, in the order the numbered list collected
# them. Each entry is splatted into Collect-Artifact; entries without a
# FileMask take the function's default (every file). The live and Windows.old
# variants of a log deliberately share one FolderName.
$SystemArtifacts = @(
    # Event logs (XP-era .evt, Vista+ .evtx, and the pre-upgrade copy)
    @{ SourceDir = 'C:\Windows\System32\config';                  FileMask = '*.evt';  FolderName = 'Event_logs_XP' }
    @{ SourceDir = 'C:\Windows\System32\winevt\logs';             FileMask = '*.evtx'; FolderName = 'Event_logs_Win7' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\winevt\logs'; FileMask = '*.evtx'; FolderName = 'Event_logs_Win7' }
    # WDI (Windows Diagnostic Infrastructure) trace logs
    @{ SourceDir = 'C:\Windows\System32\WDI\LogFiles';             FileMask = '*.etl*'; FolderName = 'WDI_Trace_Logs_1' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\WDI\LogFiles'; FileMask = '*.etl*'; FolderName = 'WDI_Trace_Logs_1' }
    @{ SourceDir = 'C:\Windows\System32\WDI\{*';                   FolderName = 'WDI_Trace_Logs_2' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\WDI\{*';       FolderName = 'WDI_Trace_Logs_2' }
    # WMI trace logs
    @{ SourceDir = 'C:\Windows\System32\LogFiles\WMI';             FolderName = 'WMI_Trace_Logs' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\LogFiles\WMI'; FolderName = 'WMI_Trace_Logs' }
    # SleepStudy trace logs
    @{ SourceDir = 'C:\Windows\System32\SleepStudy';               FolderName = 'SleepStudy_Trace_Logs' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\SleepStudy';   FolderName = 'SleepStudy_Trace_Logs' }
    # Energy-NTKL trace log
    @{ SourceDir = 'C:\ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics'; FileMask = 'energy-ntkl.etl'; FolderName = 'Energy_NTKL_Trace_Logs' }
    # Delivery Optimization trace logs
    @{ SourceDir = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs'; FileMask = '*.etl*'; FolderName = 'Delivery_Optimization_Trace_Logs' }
    # PowerShell console (PSReadLine) history for the SYSTEM profile, 64- and 32-bit
    @{ SourceDir = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'; FileMask = '*_history.txt'; FolderName = 'PowerShell_Console_Log_Systemprofile' }
    @{ SourceDir = 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'; FileMask = '*_history.txt'; FolderName = 'PowerShell_Console_Log_WOW64_Systemprofile' }
    # PowerShell transcripts at locations observed in the wild
    @{ SourceDir = 'C:\Windows\SysWOW64\*';                                FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = 'C:\Program Files\Amazon\Ec2ConfigService\Scripts\*';   FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = 'C:\Windows\System32\*';                                FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = 'C:\PSTranscript\20*';                                  FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    # Windows Firewall logs
    @{ SourceDir = 'C:\Windows\System32\LogFiles\Firewall';             FileMask = 'pfirewall.*'; FolderName = 'Windows_Firewall_Logs' }
    @{ SourceDir = 'C:\Windows.old\Windows\System32\LogFiles\Firewall'; FileMask = 'pfirewall.*'; FolderName = 'Windows_Firewall_Logs' }
    # setupapi device-installation logs (USBDevicelogs). Note the XP entry
    # recurses the whole of C:\Windows for setupapi.log.
    @{ SourceDir = 'C:\Windows';                  FileMask = 'setupapi.log';   FolderName = 'Setupapi_log_XP' }
    @{ SourceDir = 'C:\Windows\inf';              FileMask = 'setupapi.*.log'; FolderName = 'Setupapi_log_Win7' }
    @{ SourceDir = 'C:\Windows.old\Windows\inf';  FileMask = 'setupapi.*.log'; FolderName = 'Setupapi_log_Win7' }
    # .NET CLR UsageLogs for the SYSTEM profile (Windows* also matches Windows.old)
    @{ SourceDir = 'C:\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*'; FileMask = '*.log'; FolderName = 'NET_CLR_UsageLogs_system_scoped' }
)

foreach ($artifact in $SystemArtifacts) {
    Collect-Artifact @artifact
}

# Per-user artifact locations, relative to each profile directory. Wildcards
# match the ISE StrongName folder, its version sub-folder and the CLR_* folders.
# The destination folder gets the profile name appended.
$UserArtifacts = @(
    @{ Relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline';                           FileMask = '*_history.txt';               Folder = 'PowerShell_Console_Log' }
    @{ Relative = 'AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles'; FileMask = '*.ps1';                       Folder = 'PowerShell_ISE_AutoSave_Files' }
    @{ Relative = 'AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*';               FileMask = '*.config';                    Folder = 'PowerShell_ISE_User_Config' }
    @{ Relative = 'Documents';                                                                           FileMask = 'PowerShell_transcript.*.txt'; Folder = 'PowerShell_Transcripts_Default_Location' }
    @{ Relative = 'Documents\20*';                                                                       FileMask = 'PowerShell_transcript.*.txt'; Folder = 'PowerShell_Transcripts_Observed_Location' }
    @{ Relative = 'AppData\Local\Microsoft\CLR_*';                                                       FileMask = '*.log';                       Folder = 'NET_CLR_UsageLogs_user_scoped' }
)

# Template and shared profiles that never hold interactive-user artifacts.
$SkippedProfiles = @('All Users', 'Default', 'Default User', 'Public')

# Enumerate profile directories under the source drive. NOTE(review): profiles
# relocated off $SourceRoot\Users (a custom ProfilesDirectory or per-user
# ProfileImagePath) are not enumerated here — confirm this is acceptable.
$Profiles = @(Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $SkippedProfiles -notcontains $_.Name })

foreach ($userProfile in $Profiles) {
    foreach ($artifact in $UserArtifacts) {
        $artifactPath = "$($userProfile.FullName)\$($artifact.Relative)"
        Collect-Artifact -SourceDir $artifactPath -FileMask $artifact.FileMask -FolderName "$($artifact.Folder)_$($userProfile.Name)"
    }
}

# Final tally for the operator. robocopy's own output was discarded above, so
# this line is the only in-band indication of how many locations failed.
Write-Host "Collection complete. Copied: $($Summary.Copied)  Missed: $($Summary.Missed)  Errors: $($Summary.Errors)" -ForegroundColor Green

Save as .ps1 and run it from an already-elevated (Administrator) PowerShell session: powershell -ExecutionPolicy Bypass -File script.ps1. Note that -ExecutionPolicy Bypass only relaxes the script-signing check for that one process; it does not elevate, and the script's #Requires -RunAsAdministrator line will refuse to run otherwise. Point $DestBase at a separate evidence volume rather than the drive being collected, and record the exact command you ran: if it was typed into an interactive console, the command itself is written to the responder account's PSReadLine history, which is one of the artifacts this target collects.

Note: This is a compound target that references 7 other targets. The KAPE command resolves them natively; the PowerShell, Batch and WSL scripts flatten every referenced path into an explicit copy command (the 25 machine-wide calls above plus the 6 per-profile paths in the user loop).

notes

v1.1 - Added the USBDevicelogs target

v1.2 - Added the .NET CLR UsageLogs target

v1.3 - Added the PowerShell Transcripts target