Everything (VoidTools)
Author: Andrew Rathbun
description
Everything (VoidTools)
paths
collection commands
# PowerShell Artifact Collection Script
# Target: Everything (VoidTools)
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # /E copies subdirectories (including empty ones); /COPY:DAT preserves data, attributes and timestamps.
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are success variants; 8 and above indicate failures.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Everything (VoidTools) - index database (only written once Everything has fully exited)
        $LocalPath = "$($_.FullName)\AppData\Local\Everything"
        Collect-Artifact -SourceDir $LocalPath -FileMask "Everything.db" -FolderName "Everything_VoidTools_$UserName"
        # The remaining artifacts all live under the Roaming profile
        $RoamingPath = "$($_.FullName)\AppData\Roaming\Everything"
        # Everything (VoidTools) - Run History (only present if enabled under Options -> History)
        Collect-Artifact -SourceDir $RoamingPath -FileMask "Run History.csv" -FolderName "Everything_VoidTools_Run_History_$UserName"
        # Everything (VoidTools) - Search History (only present if enabled under Options -> History)
        Collect-Artifact -SourceDir $RoamingPath -FileMask "Search History.csv" -FolderName "Everything_VoidTools_Search_History_$UserName"
        # Everything (VoidTools) - .ini file
        Collect-Artifact -SourceDir $RoamingPath -FileMask "Everything.ini" -FolderName "Everything_VoidTools_ini_file_$UserName"
    }
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
For those who don't know, VoidTools' Everything is what Windows search wishes it could be. Use it instead of Windows Search. Get it here: https://www.voidtools.com/downloads/
Everything must have been exited completely for the Everything.db file to be committed to disk. On a fresh install, the database is therefore not written until the first exit.
Everything creates a searchable index almost instantly on any system it's installed on. Everything.db is the file that index is stored in.
This target pulls Everything.db, which can then be converted with the Everything (VoidTools) Module into a readable list of every file located on the system, viewable in a text editor or in the Everything tool itself.
The Search History and Run History are not enabled by default. They can be enabled within Options -> History.
Timestamps within the CSV files can be converted with CyberChef with this particular recipe: https://gchq.github.io/CyberChef/#recipe=From_UNIX_Timestamp('Nanoseconds%20(ns)')
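The CyberChef recipe above converts one value at a time. When triaging the collected Run History.csv and Search History.csv files offline, it is more practical to convert every timestamp column in bulk. The following is an added Python example, not part of the original target or of VoidTools' own code; the CSV header names in the constructed sample are assumptions, so the converter identifies timestamp fields by their shape (an all-digit field of at least 16 digits, i.e. Unix epoch nanoseconds) rather than by column name, and leaves every other field untouched.

```python
import csv
import io
import sys
from datetime import datetime, timezone

NS_PER_SECOND = 1_000_000_000

# Constructed sample shaped like an Everything history export. The header names
# are assumptions; the timestamps are Unix epoch nanoseconds, the unit the
# CyberChef recipe in the notes expects.
SAMPLE_SEARCH_HISTORY = """Search,Count,Last Search Date
*.pst,3,1700000000000000000
backup,1,1700003600500000000
"""


def ns_to_utc(value):
    """Convert a Unix-epoch nanosecond integer (or digit string) to an aware UTC datetime.

    divmod keeps the arithmetic exact; float conversion would lose precision at
    nanosecond scale. Python datetimes only carry microseconds, so the last three
    digits are truncated.
    """
    seconds, remainder_ns = divmod(int(value), NS_PER_SECOND)
    base = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return base.replace(microsecond=remainder_ns // 1000)


def looks_like_ns_timestamp(field, min_digits=16):
    """Heuristic: an all-digit field with at least 16 digits is treated as epoch nanoseconds.

    10**16 ns is roughly April 1970, so real file-system dates (19 digits for the
    2000s) pass while small counters such as a hit count (1-3 digits) do not.
    """
    text = field.strip()
    return text.isdigit() and len(text) >= min_digits


def convert_history(csv_text):
    """Parse an Everything history CSV and rewrite nanosecond fields as ISO-8601 UTC strings.

    Returns a list of dicts, one per row, keyed by the CSV's own header names.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        converted = {}
        for key, value in row.items():
            if value is not None and looks_like_ns_timestamp(value):
                converted[key] = ns_to_utc(value).isoformat()
            else:
                converted[key] = value
        rows.append(converted)
    return rows


def convert_history_file(path, encoding="utf-8-sig"):
    """Read a collected 'Run History.csv' or 'Search History.csv' and convert it."""
    with open(path, encoding=encoding, newline="") as handle:
        return convert_history(handle.read())


if __name__ == "__main__":
    # With a path argument, convert a collected file; otherwise use the constructed sample.
    rows = convert_history_file(sys.argv[1]) if len(sys.argv) > 1 else convert_history(SAMPLE_SEARCH_HISTORY)
    writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
```

Run it as `python convert_history.py "D:\Evidence\Everything_VoidTools_Search_History_<user>\Search History.csv"` to get a CSV with readable timestamps; opening the file with `utf-8-sig` strips a BOM if the export carries one.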