dfirhub

DirectoryOpus

Appsv1.1

Author: Andrew Rathbun

description

Directory Opus

paths

9 paths
AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_folders.osd

Locates .osd file which contains names of folders that have been renamed manually by the user.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\rename_files.osd

Locates .osd file which contains names of files that have been renamed manually by the user.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_contains.osd

Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_name.osd

Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\find_path.osd

Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\recent.osd

Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\backupconfig.osd

Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.

AppsDirectory Opus
C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\

Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus.

AppsDirectory Opus
C:\Users\%user%\AppData\Roaming\GPSoftware\Directory Opus\Logs\

Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory.

paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: DirectoryOpus
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourcePath "$UserPath\rename_folders.osd" -FolderName "Directory_Opus"

# 2. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourcePath "$UserPath\rename_files.osd" -FolderName "Directory_Opus"

# 3. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourcePath "$UserPath\find_contains.osd" -FolderName "Directory_Opus"

# 4. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourcePath "$UserPath\find_name.osd" -FolderName "Directory_Opus"

# 5. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\MRU\"
Collect-Artifact -SourcePath "$UserPath\find_path.osd" -FolderName "Directory_Opus"

# 6. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\"
Collect-Artifact -SourcePath "$UserPath\recent.osd" -FolderName "Directory_Opus"

# 7. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\State Data\"
Collect-Artifact -SourcePath "$UserPath\backupconfig.osd" -FolderName "Directory_Opus"

# 8. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Directory_Opus"

# 9. Directory Opus
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\GPSoftware\Directory Opus\Logs\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Directory_Opus"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

included in collections

FileExplorerReplacements