DoubleCommander
Appsv1.2
Author: Andrew Rathbun
description
Double Commander
paths
7 paths
AppsDouble Commander - history.xml
C:\Users\%user%\AppData\Roaming\doublecmd\history.xmlLocates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top.
AppsDouble Commander - doublecmd.xml
C:\Users\%user%\AppData\Roaming\doublecmd\doublecmd.xmlLocates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom.
AppsDouble Commander - FTP Log
C:\Users\%user%\AppData\Roaming\doublecmd\doublecmd*.logLocates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log.
AppsDouble Commander - multiarc.ini
C:\Users\%user%\AppData\Roaming\doublecmd\multiarc.iniAppsDouble Commander - session.ini
C:\Users\%user%\AppData\Roaming\doublecmd\session.iniAppsDouble Commander - pixmaps.txt
C:\Users\%user%\AppData\Roaming\doublecmd\pixmaps.txtAppsDouble Commander - shortcuts.scf
C:\Users\%user%\AppData\Roaming\doublecmd\shortcuts.scf› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: DoubleCommander
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. Double Commander - history.xml
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\history.xml" -FolderName "Double_Commander___history_xml"
# 2. Double Commander - doublecmd.xml
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\doublecmd.xml" -FolderName "Double_Commander___doublecmd_xml"
# 3. Double Commander - FTP Log
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\doublecmd*.log" -FolderName "Double_Commander___FTP_Log"
# 4. Double Commander - multiarc.ini
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\multiarc.ini" -FolderName "Double_Commander___multiarc_ini"
# 5. Double Commander - session.ini
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\session.ini" -FolderName "Double_Commander___session_ini"
# 6. Double Commander - pixmaps.txt
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\pixmaps.txt" -FolderName "Double_Commander___pixmaps_txt"
# 7. Double Commander - shortcuts.scf
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\doublecmd\"
Collect-Artifact -SourcePath "$UserPath\shortcuts.scf" -FolderName "Double_Commander___shortcuts_scf"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1