DoubleCommander

Apps v1.2

Author: Andrew Rathbun

description

Double Commander

paths

7 paths (paths use Windows environment syntax; the locations below are those the collection script targets):

C:\Users\%user%\AppData\Roaming\doublecmd\history.xml
C:\Users\%user%\AppData\Roaming\doublecmd\doublecmd.xml
C:\Users\%user%\AppData\Roaming\doublecmd\doublecmd*.log
C:\Users\%user%\AppData\Roaming\doublecmd\multiarc.ini
C:\Users\%user%\AppData\Roaming\doublecmd\session.ini
C:\Users\%user%\AppData\Roaming\doublecmd\pixmaps.txt
C:\Users\%user%\AppData\Roaming\doublecmd\shortcuts.scf

collection commands

# PowerShell Artifact Collection Script
# Target: DoubleCommander
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Every Double Commander artifact lives in the same per-user folder
        $UserPath = "$($_.FullName)\AppData\Roaming\doublecmd"
        # Double Commander - history.xml (folder navigation history)
        Collect-Artifact -SourceDir $UserPath -FileMask "history.xml" -FolderName "Double_Commander_history_xml_$UserName"
        # Double Commander - doublecmd.xml (main configuration, includes tab paths)
        Collect-Artifact -SourceDir $UserPath -FileMask "doublecmd.xml" -FolderName "Double_Commander_doublecmd_xml_$UserName"
        # Double Commander - FTP Log
        Collect-Artifact -SourceDir $UserPath -FileMask "doublecmd*.log" -FolderName "Double_Commander_FTP_Log_$UserName"
        # Double Commander - multiarc.ini
        Collect-Artifact -SourceDir $UserPath -FileMask "multiarc.ini" -FolderName "Double_Commander_multiarc_ini_$UserName"
        # Double Commander - session.ini
        Collect-Artifact -SourceDir $UserPath -FileMask "session.ini" -FolderName "Double_Commander_session_ini_$UserName"
        # Double Commander - pixmaps.txt
        Collect-Artifact -SourceDir $UserPath -FileMask "pixmaps.txt" -FolderName "Double_Commander_pixmaps_txt_$UserName"
        # Double Commander - shortcuts.scf
        Collect-Artifact -SourceDir $UserPath -FileMask "shortcuts.scf" -FolderName "Double_Commander_shortcuts_scf_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

Double Commander is a freeware Windows File Explorer replacement, similar in function to Total Commander, and it is commonly seen in use by threat actors in incidents handled by IR teams.

If you open the history.xml file in a text editor (how far down depends on the size of the file), the artifacts equivalent to Shellbags are located under a <Navigation> element, with each "Shellbag" entry wrapped in an <Item> element.

It should be noted that these are sorted in descending order, meaning the top item is the most recent folder navigated to by the user.

It should be noted that history.xml only updates when Double Commander is closed.

For instance, I explored the following paths in this order from bottom to top:

<Item>C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\</Item>
<Item>C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\Settings\</Item>
<Item>C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\Layouts\</Item>
<Item>C:\Users\%user%\Desktop\EZ Tools\</Item>
<Item>C:\Users\%user%\Desktop\EZ Tools\SDBExplorer\</Item>
<Item>C:\Users\%user%\Desktop\EZ Tools\EZViewer\</Item>
<Item>C:\Users\%user%\Desktop\</Item>
<Item>C:\Users\%user%\</Item>
<Item>C:\Users\</Item>
<Item>C:\</Item>
<Item>C:\Program Files\</Item>

doublecmd.xml contains far more information overall than history.xml, but it also holds similar Shellbags-equivalent artifacts, sorted in descending order.

If you open the doublecmd.xml file in a text editor and search for the string <Path Filename=, you will find these artifacts.

For instance, besides the top two lines, I explored the following paths in this order from top to bottom:

<Path Filename="bz2.dll">C:\Program Files\Double Commander\</Path>
<Path Filename="Double Commander">C:\Program Files\</Path>
<Path Filename="Users">C:\</Path>
<Path Filename="%user%">C:\Users\</Path>
<Path Filename="Desktop">C:\Users\%user%\</Path>
<Path Filename="EZ Tools">C:\Users\%user%\Desktop\</Path>
<Path Filename="EZViewer">C:\Users\%user%\Desktop\EZ Tools\</Path>
<Path Filename="..">C:\Users\%user%\Desktop\EZ Tools\EZViewer\</Path>
<Path Filename="SDBExplorer">C:\Users\%user%\Desktop\EZ Tools\</Path>
<Path Filename="..">C:\Users\%user%\Desktop\EZ Tools\SDBExplorer\</Path>
<Path Filename="TimelineExplorer">C:\Users\%user%\Desktop\EZ Tools\</Path>
<Path Filename="Layouts">C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\</Path>
<Path Filename="..">C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\Layouts\</Path>
<Path Filename="Settings">C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\</Path>
<Path Filename="..">C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\Settings\</Path>
<Path Filename="Settings">C:\Users\%user%\Desktop\EZ Tools\TimelineExplorer\</Path>

These artifacts can be very useful when your threat actor isn't using File Explorer.
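As an added example (not part of this target or of Double Commander itself), the parser below turns the two artifact formats described in the notes into an oldest-first navigation timeline: history.xml <Navigation>/<Item> entries are reversed because the file lists the newest folder first, and doublecmd.xml <Path Filename=...> entries are read in document order as the notes' example does. The XML wrappers and the user name "alice" are constructed samples; only the <Navigation>/<Item> and <Path Filename=...> shapes come from the notes.

```python
"""Parse Double Commander navigation artifacts: history.xml (<Navigation>/<Item>)
and doublecmd.xml (<Path Filename=...>). Wrappers below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed history.xml excerpt: newest folder first, as the notes describe.
# The real file is only written when Double Commander is closed.
HISTORY_XML = """<doublecmd>
  <Navigation>
    <Item>C:\\Users\\alice\\Desktop\\EZ Tools\\TimelineExplorer\\</Item>
    <Item>C:\\Users\\alice\\Desktop\\EZ Tools\\</Item>
    <Item>C:\\Users\\alice\\Desktop\\</Item>
    <Item>C:\\Users\\alice\\</Item>
    <Item>C:\\</Item>
  </Navigation>
</doublecmd>"""

# Constructed doublecmd.xml excerpt: each <Path> records the directory shown
# and the entry the cursor was on; Filename=".." means the user went up a level.
DOUBLECMD_XML = """<doublecmd>
  <Path Filename="Users">C:\\</Path>
  <Path Filename="alice">C:\\Users\\</Path>
  <Path Filename="Desktop">C:\\Users\\alice\\</Path>
  <Path Filename="EZ Tools">C:\\Users\\alice\\Desktop\\</Path>
  <Path Filename="EZViewer">C:\\Users\\alice\\Desktop\\EZ Tools\\</Path>
  <Path Filename="..">C:\\Users\\alice\\Desktop\\EZ Tools\\EZViewer\\</Path>
</doublecmd>"""


def parse_history_xml(text: str) -> List[str]:
    """Return visited folders oldest-first (the file stores newest first)."""
    root = ET.fromstring(text)
    items = [i.text or "" for nav in root.iter("Navigation") for i in nav.findall("Item")]
    return list(reversed(items))


def parse_doublecmd_xml(text: str) -> List[Tuple[str, str]]:
    """Return (directory, selected entry) pairs in document order."""
    root = ET.fromstring(text)
    return [(p.text or "", p.get("Filename", "")) for p in root.iter("Path")]


def next_location(directory: str, filename: str) -> str:
    """Folder reached after acting on `filename` inside `directory`.
    ".." goes to the parent; any other entry is assumed to be a folder that was entered."""
    d = directory.rstrip("\\")
    if filename == "..":
        return d.rsplit("\\", 1)[0] + "\\"
    return d + "\\" + filename + "\\"
```

Chaining next_location over consecutive doublecmd.xml records is a quick consistency check that the <Path> entries really form one continuous walk.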

included in collections