DirectoryOpus
Appsv1.1
Author: Andrew Rathbun
description
Directory Opus
paths
9 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: DirectoryOpus
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "rename_folders.osd" -FolderName "Directory_Opus"
# 2. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "rename_files.osd" -FolderName "Directory_Opus"
# 3. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "find_contains.osd" -FolderName "Directory_Opus"
# 4. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "find_name.osd" -FolderName "Directory_Opus"
# 5. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "find_path.osd" -FolderName "Directory_Opus"
# 6. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "recent.osd" -FolderName "Directory_Opus"
# 7. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "backupconfig.osd" -FolderName "Directory_Opus"
# 8. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Directory_Opus"
# 9. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\GPSoftware\Directory Opus\Logs\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Directory_Opus"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1