FreeCommander
Author: Andrew Rathbun
description
FreeCommander XE
paths
collection commands
# PowerShell Artifact Collection Script
# Target: FreeCommander
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # robocopy exit codes 0-7 are success/informational; 8 and above indicate copy failures
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name

        # Free Commander - FreeCommander.ini
        $UserPath = "$($_.FullName)\AppData\Local\FreeCommanderXE\Settings"
        Collect-Artifact -SourceDir $UserPath -FileMask "FreeCommander.ini" -FolderName "Free_Commander_FreeCommander_ini_$UserName"

        # Free Commander - FreeCommander.ftp.ini
        $UserPath = "$($_.FullName)\AppData\Local\FreeCommanderXE\Settings"
        Collect-Artifact -SourceDir $UserPath -FileMask "FreeCommander.ftp.ini" -FolderName "Free_Commander_FreeCommander_ftp_ini_$UserName"

        # Free Commander - FreeCommander.hist.ini
        $UserPath = "$($_.FullName)\AppData\Local\FreeCommanderXE\Settings"
        Collect-Artifact -SourceDir $UserPath -FileMask "FreeCommander.hist.ini" -FolderName "Free_Commander_FreeCommander_hist_ini_$UserName"

        # Free Commander - FreeCommander.fav.xml
        $UserPath = "$($_.FullName)\AppData\Local\FreeCommanderXE\Settings"
        Collect-Artifact -SourceDir $UserPath -FileMask "FreeCommander.fav.xml" -FolderName "Free_Commander_FreeCommander_fav_xml_$UserName"

        # Free Commander - Backup Settings
        $UserPath = "$($_.FullName)\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*"
        Collect-Artifact -SourceDir $UserPath -FolderName "Free_Commander_Backup_Settings_$UserName"

        # Free Commander - FTP Log
        $UserPath = "$($_.FullName)\AppData\Local\Temp"
        Collect-Artifact -SourceDir $UserPath -FileMask "fc*.log" -FolderName "Free_Commander_FTP_Log_$UserName"

        # Free Commander - FTP Related Information
        $UserPath = "$($_.FullName)\AppData\Local\Temp\FreeCommander*"
        Collect-Artifact -SourceDir $UserPath -FolderName "Free_Commander_FTP_Related_Information_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
Free Commander XE is a freeware Windows File Explorer replacement, similar in function to Total Commander, which is commonly seen in use by threat actors in incidents investigated during IR engagements.
FreeCommander.ini contains several artifacts of interest, including but not limited to: Path= (the starting path when a browser window is opened, recorded separately for the Left and Right panes), PathLastUsed= (the path last opened when the program exited), and [MainPanel] (which contains the last opened paths for both the Left and Right directory browsers).
FreeCommander.ftp.ini contains the file path to the FTP log.
FreeCommander.hist.ini is updated on program exit and records only the last 30 folders browsed by the user. History0 is the most recent folder browsed and History29 the least recent; once 30 entries exist, the history continues to roll over, so older entries are replaced.
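As an added example (not part of the original target or the collection script above), the following Python parses a collected FreeCommander.hist.ini into most-recent-first order, sorting the History indices numerically rather than as strings, and walks the D:\Evidence tree the script produces (folder prefix Free_Commander_FreeCommander_hist_ini_) to map each user to their browse history. The [History] section header and the paths in the sample are constructed, not taken from a real capture.

```python
import re
from pathlib import Path

# Key layout the notes describe: History0 is the most recent folder,
# History29 the oldest. Parsed independently of the section name because
# only the key names are documented here (the section header is an assumption).
HIST_KEY = re.compile(r"^History(\d+)\s*=\s*(.*?)\s*$")
# Folder prefix used by the collection script for hist.ini copies (suffix is the user name).
HIST_FOLDER_PREFIX = "Free_Commander_FreeCommander_hist_ini_"


def parse_hist_ini(text: str) -> list[tuple[int, str]]:
    """Return (index, path) pairs, most recent first, sorted numerically so
    History10 is not ordered before History2 as a plain string sort would."""
    entries = []
    for line in text.splitlines():
        m = HIST_KEY.match(line.strip())
        if m and m.group(2):  # skip empty values and non-history keys
            entries.append((int(m.group(1)), m.group(2)))
    return sorted(entries, key=lambda e: e[0])


def history_by_user(evidence_root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk the evidence tree produced by the collection script and map each
    user name (taken from the folder suffix) to that user's browse history."""
    result = {}
    for entry in Path(evidence_root).iterdir():
        if not (entry.is_dir() and entry.name.startswith(HIST_FOLDER_PREFIX)):
            continue
        user = entry.name[len(HIST_FOLDER_PREFIX):]
        for ini in entry.rglob("FreeCommander.hist.ini"):
            text = ini.read_text(encoding="utf-8", errors="replace")
            result[user] = parse_hist_ini(text)
    return result


# Constructed sample (not a real capture); the [History] header is assumed.
SAMPLE_HIST_INI = r"""[History]
History0=C:\Users\alice\Downloads
History1=\\fileserver\share\finance
History2=D:\staging
History9=C:\Windows\Temp
History10=C:\Users\alice\Desktop\tools
"""

if __name__ == "__main__":
    for idx, path in parse_hist_ini(SAMPLE_HIST_INI):
        print(f"History{idx:<3} {path}")
```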
In FreeCommander.fav.xml, each new entry begins with the string <folder_item and includes the file path of the file or folder the user added as a favorite.
Note: for the Backup Settings target above, you may only see a deduplicated version of that folder, i.e. there may be only one or two files. This is because the backup files are exactly the same as the current set of .ini and .xml files. If the user has a long history of using the program, there should be many more files as a result.