DirectoryOpus

Apps v1.1

Author: Andrew Rathbun

description

Directory Opus

paths

9 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: DirectoryOpus
# Run as Administrator

#Requires -RunAsAdministrator

# Keep going past per-artifact failures; each outcome is tallied in $Summary
# rather than aborting the whole sweep.
$ErrorActionPreference = 'Continue'

# Drive that holds the user profiles being swept, and the evidence drop root.
# Keep $DestBase on a drive other than $SourceRoot so the collection itself
# does not write into the volume under examination.
$SourceRoot = 'C:'
$DestBase   = 'D:\Evidence'

# Running totals printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}

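function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies one artifact location into the evidence tree with robocopy.
    .DESCRIPTION
        $SourceDir may contain wildcards in any segment (e.g. 'Program Files*',
        'ScreenConnect Client*'); they are expanded here because robocopy only
        globs the file mask, never the source path. Every matching directory is
        copied recursively into $DestBase\$FolderName, preserving file data,
        attributes and timestamps (/COPY:DAT). Outcomes are tallied in the
        script-level $Summary hashtable: Missed when no source directory exists
        or nothing matched the mask, Copied when files were copied, Errors when
        robocopy reported a failure.
    .PARAMETER SourceDir
        Directory to collect from; wildcards allowed in any path segment.
    .PARAMETER FolderName
        Sub-folder under $DestBase that receives the copy.
    .PARAMETER FileMask
        robocopy file mask; defaults to every file.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # /R:0 /W:0 - never retry: a locked file is counted as an error and we move on.
        # NOTE(review): robocopy follows junctions under /E; add /XJ if any target
        # path is ever broadened beyond these leaf folders.
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes are a bitmask: 0 = nothing matched the mask,
        # 1 = files copied, 2/4 = extras/mismatches (still success),
        # >= 8 = at least one failure. Exit 0 used to be tallied as Copied,
        # which hid masks that matched no file at all.
        if ($LASTEXITCODE -eq 0) {
            $Summary.Missed++
        } elseif ($LASTEXITCODE -le 7) {
            $Summary.Copied++
        } else {
            $Summary.Errors++
        }
    }
}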

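# Directory Opus artifact locations, relative to each user profile, in
# collection order. A mask of '*' (together with /E) pulls the whole folder;
# a specific mask pulls that one file. Previously each entry was spelled out
# as its own $UserPath assignment + call, with the MRU path repeated five times.
$OpusArtifacts = @(
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU';  Mask = 'rename_folders.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU';  Mask = 'rename_files.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU';  Mask = 'find_contains.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU';  Mask = 'find_name.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU';  Mask = 'find_path.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data';      Mask = 'recent.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\State Data';      Mask = 'backupconfig.osd' },
    @{ Sub = 'AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache'; Mask = '*' },
    @{ Sub = 'AppData\Roaming\GPSoftware\Directory Opus\Logs';          Mask = '*' }
)

# Sweep every real user profile under the source drive; the built-in template
# and shared profiles are skipped. Every artifact for a user lands in the same
# Directory_Opus_<user> folder.
# NOTE(review): profiles relocated away from <drive>\Users (ProfilesDirectory)
# are not visited - confirm on the host if that matters.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $ProfileDir = $_.FullName
        $DestFolder = "Directory_Opus_$($_.Name)"
        foreach ($artifact in $OpusArtifacts) {
            Collect-Artifact -SourceDir "$ProfileDir\$($artifact.Sub)" -FileMask $artifact.Mask -FolderName $DestFolder
        }
    }

# Final tally; see Collect-Artifact for how each counter is incremented.
Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green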

Save as .ps1 and run it from an elevated (Administrator) prompt: powershell -ExecutionPolicy Bypass -File script.ps1. Note that -ExecutionPolicy Bypass applies only to that PowerShell process; it does not change the machine's execution policy.

notes

Directory Opus is the best Windows File Explorer replacement on the market, in my humble opinion.

Usefully, Directory Opus stores a considerable amount of user-activity data if the suspect uses it as their daily file manager.

Any of the .osd files can be viewed in your favorite text editor.

The Thumbnail Cache target copies every file in that folder; the files appear to have randomized filenames with a .db extension.

included in collections