Everything (VoidTools)

Apps, v1.2
Author: Andrew Rathbun

description

Everything (VoidTools)

paths

4 paths
FileSystem: Everything (VoidTools)
C:\Users\%user%\AppData\Local\Everything\Everything.db

Copies out Everything.db, the index database Everything builds of the volumes it has scanned (note that this one lives under AppData\Local, not AppData\Roaming)

FileSystem: Everything (VoidTools) - Run History
C:\Users\%user%\AppData\Roaming\Everything\Run History.csv

Copies out a CSV containing the history of items run from Everything's search results window

FileSystem: Everything (VoidTools) - Search History
C:\Users\%user%\AppData\Roaming\Everything\Search History.csv

Copies out a CSV containing the history of search terms entered in Everything, with timestamps

FileSystem: Everything (VoidTools) - .ini file
C:\Users\%user%\AppData\Roaming\Everything\Everything.ini

Copies out Everything.ini, Everything's configuration file

Paths use Windows path syntax. `%user%` is not a Windows environment variable but KAPE's per-user placeholder: the collector expands it once for every profile directory under C:\Users, so a script that only substitutes $env:USERPROFILE collects the artifacts of one account only.

collection commands

# PowerShell Artifact Collection Script
# Target: Everything (VoidTools)
# Run as Administrator

#Requires -RunAsAdministrator

# Note: errors are suppressed (a missing file or a locked Everything.db is silently
# skipped), so verify the destination afterwards. $env:USERPROFILE is the profile of
# the account running the script, not every profile on the machine.
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# Everything keeps its database under AppData\Local and everything else under AppData\Roaming
$LocalPath   = Join-Path $env:USERPROFILE "AppData\Local\Everything"
$RoamingPath = Join-Path $env:USERPROFILE "AppData\Roaming\Everything"

# 1. Everything (VoidTools)
Collect-Artifact -SourcePath (Join-Path $LocalPath "Everything.db") -FolderName "Everything__VoidTools_"

# 2. Everything (VoidTools) - Run History
Collect-Artifact -SourcePath (Join-Path $RoamingPath "Run History.csv") -FolderName "Everything__VoidTools____Run_History"

# 3. Everything (VoidTools) - Search History
Collect-Artifact -SourcePath (Join-Path $RoamingPath "Search History.csv") -FolderName "Everything__VoidTools____Search_History"

# 4. Everything (VoidTools) - .ini file
Collect-Artifact -SourcePath (Join-Path $RoamingPath "Everything.ini") -FolderName "Everything__VoidTools_____ini_file"

Write-Host "Collection complete!" -ForegroundColor Green

Save the script as a .ps1 file and run it from an elevated prompt: powershell -ExecutionPolicy Bypass -File script.ps1
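The script above only reaches the profile of the account running it. The following is an added example, not part of the dfirhub page or the KAPE target, that expands the four target paths for every profile directory under C:\Users, keeps the original directory layout under the evidence folder, restores the source timestamps on the copies and writes a SHA-256 manifest so the copies can be verified later. The evidence location D:\Evidence\Everything is an assumed value.

```powershell
# Added example: collect the Everything (VoidTools) artifacts from every user profile.
# Not the dfirhub page's or KAPE's own code. $DestBase is an assumed evidence location.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$DestBase  = 'D:\Evidence\Everything'          # assumption: change to your evidence drive
$UsersRoot = Join-Path $env:SystemDrive 'Users'

# The four paths from the target definition, relative to the profile root (%user%)
$Artifacts = @(
    'AppData\Local\Everything\Everything.db',
    'AppData\Roaming\Everything\Run History.csv',
    'AppData\Roaming\Everything\Search History.csv',
    'AppData\Roaming\Everything\Everything.ini'
)

$Manifest = New-Object System.Collections.Generic.List[object]

foreach ($ProfileDir in Get-ChildItem -Path $UsersRoot -Directory) {
    foreach ($Rel in $Artifacts) {
        $Src = Join-Path $ProfileDir.FullName $Rel
        if (-not (Test-Path -LiteralPath $Src -PathType Leaf)) { continue }

        # Mirror the source layout: <DestBase>\<user>\AppData\...\<file>
        $Dst = Join-Path (Join-Path $DestBase $ProfileDir.Name) $Rel
        New-Item -ItemType Directory -Path (Split-Path $Dst -Parent) -Force | Out-Null

        try {
            Copy-Item -LiteralPath $Src -Destination $Dst -Force
        } catch {
            # Typical cause: Everything.exe holding Everything.db open (sharing violation)
            Write-Warning "Copy failed for ${Src}: $($_.Exception.Message)"
            continue
        }

        # A plain file copy does not carry every timestamp over; restore all three from the source
        $SrcItem = Get-Item -LiteralPath $Src
        $DstItem = Get-Item -LiteralPath $Dst
        $DstItem.CreationTimeUtc   = $SrcItem.CreationTimeUtc
        $DstItem.LastAccessTimeUtc = $SrcItem.LastAccessTimeUtc
        $DstItem.LastWriteTimeUtc  = $SrcItem.LastWriteTimeUtc

        # Hash the copy, not the source, so the manifest describes what was actually preserved
        $Manifest.Add([pscustomobject]@{
            User         = $ProfileDir.Name
            SourcePath   = $Src
            SizeBytes    = $SrcItem.Length
            LastWriteUtc = $SrcItem.LastWriteTimeUtc.ToString('o')
            SHA256       = (Get-FileHash -LiteralPath $Dst -Algorithm SHA256).Hash
            CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
        })
    }
}

if ($Manifest.Count -eq 0) {
    Write-Warning "No Everything artifacts found under $UsersRoot"
} else {
    $Manifest | Export-Csv -Path (Join-Path $DestBase 'manifest.csv') -NoTypeInformation
    $Manifest | Format-Table -AutoSize
}
```

Two caveats worth keeping in mind when using this on a live host: if Everything.exe is running, Everything.db may be locked (the warning above will show it) and the on-disk copy may lag the in-memory index, so a collector that reads the raw volume, as KAPE does for locked files, is the better choice there; and the hashes in manifest.csv are of the copies, which is what you want for later verification of the evidence set, but the timestamps recorded come from the source items.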
