FileExplorerReplacements
Author: Andrew Rathbun
description
File Explorer Replacements
includes (12)
paths
collection commands
# PowerShell Artifact Collection Script
# Target: FileExplorerReplacements
# Must be run elevated; the #Requires line below makes PowerShell refuse to
# start the script otherwise.
#Requires -RunAsAdministrator

# Report non-terminating errors and keep going, so one unreadable path does not
# stop the rest of the collection.
$ErrorActionPreference = 'Continue'

# Drive that is searched for artifacts.
$SourceRoot = 'C:'

# Root folder that receives the copies.
# NOTE(review): keep this on a different volume from $SourceRoot. The copies are
# recursive (robocopy /E), so a destination under the source would be walked again.
$DestBase = 'D:\Evidence'

# Running totals, updated by Collect-Artifact and printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
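function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact location into the evidence folder with robocopy.

    .DESCRIPTION
    Expands wildcards in SourceDir, then copies every matching directory
    (recursively, files filtered by FileMask) to $DestBase\FolderName.
    Updates the script-level $Summary counters:
      Copied - robocopy reported that it copied something from the source
      Missed - no source directory matched, or robocopy copied nothing from it
      Errors - robocopy reported a failure (exit code 8 or higher)

    .PARAMETER SourceDir
    Directory to collect from; any path segment may contain wildcards.

    .PARAMETER FolderName
    Name of the destination folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file filter; defaults to every file.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force keeps directories carrying the Hidden attribute in the result, so
    # a hidden artifact folder is not silently skipped.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    foreach ($src in $sources) {
        # When a wildcard matched several directories (e.g. 'Panes\*' or
        # 'Temp\*\config'), give each one its own sub-folder named after its
        # source path. Copying them all into the same folder would let files
        # with the same name (pane.ini, remember.xml, ...) overwrite each other.
        $target = $FullDest
        if ($sources.Count -gt 1) {
            $relative = $src.FullName -replace '^[A-Za-z]:\\', ''
            $target = Join-Path -Path $FullDest -ChildPath $relative
        }
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue

        # NOTE(review): robocopy follows junctions below the source by default.
        # On a host that is not trusted, consider /XJ so that a reparse point
        # inside a user-writable folder cannot redirect this elevated copy.
        # NOTE(review): all robocopy output is discarded; consider /LOG+: so the
        # evidence set carries a record of what was copied.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        $exitCode = $LASTEXITCODE

        # robocopy exit codes are bit flags: 8 and above mean a failure, bit 1
        # means something was copied. 0 (or only the "extra"/"mismatch" bits)
        # means nothing was copied, which must not be reported as a success.
        if ($exitCode -ge 8) {
            $Summary.Errors++
        }
        elseif ($exitCode -band 1) {
            $Summary.Copied++
        }
        else {
            $Summary.Missed++
        }
    }
}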
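# 1. Total Commander - Log File
# A bare "C:" is drive-relative in PowerShell: it resolves to the current
# directory on that drive, so the search would start wherever the script was
# launched. Anchor it at the drive root instead.
# NOTE(review): Collect-Artifact always passes /E to robocopy, so this walks the
# whole volume looking for totalcmd.log. Confirm that is intended and that
# $DestBase is not on the same volume.
Collect-Artifact -SourceDir "$SourceRoot\" -FileMask "totalcmd.log" -FolderName "Total_Commander_Log_File"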
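# Per-user artifact table. Each entry gives the path relative to the profile
# directory (wildcards allowed), the robocopy file mask, and the prefix of the
# destination folder ("_<user name>" is appended). Order matches the calls the
# script has always made.
$PerUserTargets = @(
    # Directory Opus
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU'; Mask = 'rename_folders.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU'; Mask = 'rename_files.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU'; Mask = 'find_contains.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU'; Mask = 'find_name.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data\MRU'; Mask = 'find_path.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data'; Mask = 'recent.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\State Data'; Mask = 'backupconfig.osd'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache'; Mask = '*'; Folder = 'Directory_Opus' }
    @{ Path = 'AppData\Roaming\GPSoftware\Directory Opus\Logs'; Mask = '*'; Folder = 'Directory_Opus' }

    # Double Commander (history, settings, FTP log, archiver/session config)
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'history.xml'; Folder = 'Double_Commander_history_xml' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'doublecmd.xml'; Folder = 'Double_Commander_doublecmd_xml' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'doublecmd*.log'; Folder = 'Double_Commander_FTP_Log' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'multiarc.ini'; Folder = 'Double_Commander_multiarc_ini' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'session.ini'; Folder = 'Double_Commander_session_ini' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'pixmaps.txt'; Folder = 'Double_Commander_pixmaps_txt' }
    @{ Path = 'AppData\Roaming\doublecmd'; Mask = 'shortcuts.scf'; Folder = 'Double_Commander_shortcuts_scf' }

    # EF Commander - .ini File
    @{ Path = 'AppData\Roaming\EFSoftware'; Mask = '*'; Folder = 'EF_Commander_ini_File' }

    # Free Commander (settings, backups, FTP log and FTP-related temp data)
    @{ Path = 'AppData\Local\FreeCommanderXE\Settings'; Mask = 'FreeCommander.ini'; Folder = 'Free_Commander_FreeCommander_ini' }
    @{ Path = 'AppData\Local\FreeCommanderXE\Settings'; Mask = 'FreeCommander.ftp.ini'; Folder = 'Free_Commander_FreeCommander_ftp_ini' }
    @{ Path = 'AppData\Local\FreeCommanderXE\Settings'; Mask = 'FreeCommander.hist.ini'; Folder = 'Free_Commander_FreeCommander_hist_ini' }
    @{ Path = 'AppData\Local\FreeCommanderXE\Settings'; Mask = 'FreeCommander.fav.xml'; Folder = 'Free_Commander_FreeCommander_fav_xml' }
    @{ Path = 'AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*'; Mask = '*'; Folder = 'Free_Commander_Backup_Settings' }
    @{ Path = 'AppData\Local\Temp'; Mask = 'fc*.log'; Folder = 'Free_Commander_FTP_Log' }
    @{ Path = 'AppData\Local\Temp\FreeCommander*'; Mask = '*'; Folder = 'Free_Commander_FTP_Related_Information' }

    # Midnight Commander - All Configuration Files
    # (the folder name keeps its original spelling so the output layout is unchanged)
    @{ Path = 'Midnight Commander'; Mask = '*'; Folder = 'Midnight_Commander_All_Configuation_Files' }

    # Multi Commander (application, config, log and user-data folders, log file)
    @{ Path = 'AppData\Local\MultiCommander*'; Mask = '*'; Folder = 'Multi_Commander_Application_Folder' }
    @{ Path = 'AppData\Roaming\MultiCommander*\Config'; Mask = '*'; Folder = 'Multi_Commander_Config_Folder' }
    @{ Path = 'AppData\Roaming\MultiCommander*\Logs'; Mask = '*'; Folder = 'Multi_Commander_Log_Folder' }
    @{ Path = 'AppData\Roaming\MultiCommander*\UserData'; Mask = '*'; Folder = 'Multi_Commander_UserData_Folder' }
    @{ Path = 'AppData\Roaming\MultiCommander*'; Mask = '*MultiCommander.log'; Folder = 'Multi_Commander_Log_File' }

    # One Commander (configuration files)
    @{ Path = 'OneCommander'; Mask = '*'; Folder = 'One_Commander_All_Configuration_Files' }
    @{ Path = 'AppData\Local\Apps\2.0\*\*\onec*'; Mask = '*'; Folder = 'One_Commander_Other_Configuration_Files' }

    # Q-Dir (.ini and .qdr files)
    @{ Path = 'AppData\Roaming\Q-Dir'; Mask = 'Q-Dir.ini'; Folder = 'Q_Dir_ini_File' }
    @{ Path = 'AppData\Roaming\Q-Dir'; Mask = 'start.qdr'; Folder = 'Q_Dir_qdr_file' }

    # SpeedCommander - .ini File
    @{ Path = 'AppData\Roaming\SpeedProject\SpeedCommander 19'; Mask = '*'; Folder = 'SpeedCommander_ini_File' }

    # Tablacus Explorer (remember.xml, window.xml, window1.xml)
    @{ Path = 'AppData\Local\Temp\*\config'; Mask = 'remember.xml'; Folder = 'Tablacus_Explorer_remember_xml' }
    @{ Path = 'AppData\Local\Temp\*\config'; Mask = 'window.xml'; Folder = 'Tablacus_Explorer_window_xml' }
    @{ Path = 'AppData\Local\Temp\*\config'; Mask = 'window1.xml'; Folder = 'Tablacus_Explorer_window1_xml' }

    # Total Commander (.ini files, FTP temp files and logs, file tree, frequent directories)
    @{ Path = 'AppData\Roaming\GHISLER'; Mask = 'wincmd.ini'; Folder = 'Total_Commander_ini_File' }
    @{ Path = 'AppData\Local\Temp'; Mask = 'FTP*.tmp'; Folder = 'Total_Commander_Temp_Files_Created_During_Folder_Traversal' }
    @{ Path = 'AppData\Roaming\GHISLER'; Mask = 'wcx_ftp.ini'; Folder = 'Total_Commander_FTP_ini_File' }
    @{ Path = 'AppData\Local\GHISLER'; Mask = 'treeinfo*.wc'; Folder = 'Total_Commander_File_Tree' }
    @{ Path = 'AppData\Local\GHISLER'; Mask = 'tcDirFrq.txt'; Folder = 'Total_Commander_Frequent_Directory_Listing' }
    @{ Path = 'AppData\Local\Temp'; Mask = 'tcftp.log'; Folder = 'Total_Commander_FTP_Logs' }

    # XYplorer (.ini files, per-pane .ini files, AutoBackup folder, .dat files)
    @{ Path = 'AppData\Roaming\XYplorer'; Mask = 'XYplorer.ini'; Folder = 'XYplorer_ini_file' }
    @{ Path = 'AppData\Roaming\XYplorer\Panes\*'; Mask = 'pane.ini'; Folder = 'XYplorer_ini_file_for_each_respective_pane' }
    @{ Path = 'AppData\Roaming\XYplorer\AutoBackup'; Mask = '*'; Folder = 'XYplorer_AutoBackup_folder' }
    @{ Path = 'AppData\Roaming\XYplorer'; Mask = '*.dat'; Folder = 'XYplorer_dat_files' }
)

# Iterate every user profile under the source drive.
# -Force makes Get-ChildItem return directories carrying the Hidden or System
# attribute as well; without it a profile folder that has been marked hidden
# would be left out of the collection. The built-in placeholder profiles that
# -Force also reveals are removed by the name filter below.
Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        $ProfileRoot = $_.FullName
        foreach ($target in $PerUserTargets) {
            $UserPath = "$ProfileRoot\$($target.Path)"
            Collect-Artifact -SourceDir $UserPath -FileMask $target.Mask -FolderName "$($target.Folder)_$UserName"
        }
    }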
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
Save the script as a .ps1 file and run it as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1 (the Bypass setting applies to that one invocation only).
notes
For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_file_managers or https://alternativeto.net/software/total-commander/.
Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place in the appropriate folder. Then, include that Target in the appropriate Compound Target.
Use Everything, Directory Monitor Pro (not free, but use a trial if you don't want to pay), NirSoft's RegistryChangesView, etc. to monitor what these applications do to the file system, and DOCUMENT what you find!