FreeCommander
Author: Andrew Rathbun
description
FreeCommander XE
paths
C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini — Locates an .ini file that contains Shellbags-equivalent artifacts.
C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini — Locates an .ini file that contains the file path to the FTP log for Free Commander.
C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini — Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers.
C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml — Locates an .xml file that contains the files/folders favorited by the user.
C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\ — Locates an exact copy of the above files, stored in a folder with a timestamped name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS.
C:\Users\%user%\AppData\Local\Temp\fc*.log — Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user.
C:\Users\%user%\AppData\Local\Temp\FreeCommander*\ — Locates a folder that may be named randomly and that contains more FTP-related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit.
collection commands
# PowerShell Artifact Collection Script
# Target: FreeCommander
# Run as Administrator
#Requires -RunAsAdministrator
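# Surface errors on the console instead of discarding them. With
# "SilentlyContinue" a locked or unreadable artifact is skipped without a trace
# and the run still ends with "Collection complete!", so the examiner cannot
# tell which evidence is missing. "Continue" reports the error and keeps going.
$ErrorActionPreference = "Continue"
# Root folder that receives the copies. Point it at dedicated evidence media,
# not at a volume of the system being examined, so collection does not
# overwrite unallocated space or other artifacts on the source disk.
$DestBase = "D:\Evidence"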
# Function to handle directory creation and copying
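function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact (file, folder or wildcard match) into a named folder
    under $DestBase.

    .PARAMETER SourcePath
    Path of the artifact to copy. Wildcards are allowed and are expanded by
    Test-Path and Copy-Item.

    .PARAMETER FolderName
    Name of the folder below $DestBase that receives the copy. It is created
    when it does not exist yet.

    .NOTES
    Reads the script-level variable $DestBase. A source that matches nothing,
    or an item that cannot be copied, is reported with Write-Warning so the
    collection record shows what was NOT acquired; the function never throws.
    Copy-Item makes a logical copy only; hash the collected files afterwards if
    integrity has to be demonstrated.
    #>
    param (
        [string]$SourcePath,
        [string]$FolderName
    )

    # Create the destination first: Copy-Item places matched folders *inside*
    # an existing destination, which keeps their original names.
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }

    # An absent artifact is a finding in itself; say so instead of failing quietly.
    if (-not (Test-Path -Path $SourcePath)) {
        Write-Warning "Not found, nothing collected: $SourcePath"
        return
    }

    # Capture copy errors explicitly so they are reported even when the caller
    # has set $ErrorActionPreference to SilentlyContinue.
    $CopyErrors = @()
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable CopyErrors
    foreach ($Failure in $CopyErrors) {
        Write-Warning "Copy failed for ${SourcePath}: $($Failure.Exception.Message)"
    }
}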
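# Artifacts to collect, as paths relative to a user profile, with the evidence
# folder each one is stored in. Entries 5 and 7 match the folders themselves
# (not "<folder>\*"): several Bkp_Settings-<timestamp> folders hold files with
# identical names, and copying only their contents into one destination would
# let later copies overwrite earlier ones and drop the timestamped folder names.
$Artifacts = @(
    # 1. Free Commander - FreeCommander.ini
    @{ Relative = "AppData\Local\FreeCommanderXE\Settings\FreeCommander.ini";      Folder = "Free_Commander___FreeCommander_ini" },
    # 2. Free Commander - FreeCommander.ftp.ini
    @{ Relative = "AppData\Local\FreeCommanderXE\Settings\FreeCommander.ftp.ini";  Folder = "Free_Commander___FreeCommander_ftp_ini" },
    # 3. Free Commander - FreeCommander.hist.ini
    @{ Relative = "AppData\Local\FreeCommanderXE\Settings\FreeCommander.hist.ini"; Folder = "Free_Commander___FreeCommander_hist_ini" },
    # 4. Free Commander - FreeCommander.fav.xml
    @{ Relative = "AppData\Local\FreeCommanderXE\Settings\FreeCommander.fav.xml";  Folder = "Free_Commander___FreeCommander_fav_xml" },
    # 5. Free Commander - Backup Settings
    @{ Relative = "AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*";          Folder = "Free_Commander___Backup_Settings" },
    # 6. Free Commander - FTP Log
    @{ Relative = "AppData\Local\Temp\fc*.log";                                    Folder = "Free_Commander___FTP_Log" },
    # 7. Free Commander - FTP Related Information
    @{ Relative = "AppData\Local\Temp\FreeCommander*";                             Folder = "Free_Commander___FTP_Related_Information" }
)

# Walk every profile folder next to the current one instead of using only
# $env:USERPROFILE: the script runs elevated, so the current profile is usually
# the examiner's or an administrator's account, not that of the user under
# investigation. Reparse points (legacy junctions in the profiles folder) are
# skipped so the same data is not collected twice.
$ProfilesRoot = Split-Path -Path $env:USERPROFILE -Parent
$UserDirs = Get-ChildItem -Path $ProfilesRoot -Directory -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) }

foreach ($UserDir in $UserDirs) {
    foreach ($Artifact in $Artifacts) {
        $Source = Join-Path -Path $UserDir.FullName -ChildPath $Artifact.Relative
        # Evidence is stored per user (<DestBase>\<user>\<artifact folder>) so
        # files from different profiles cannot overwrite each other.
        $Target = Join-Path -Path $UserDir.Name -ChildPath $Artifact.Folder
        Collect-Artifact -SourcePath $Source -FolderName $Target
    }
}

Write-Host "Collection complete!" -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1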