FTPClients
Compound v1.2
Author: Andrew Rathbun
description
FTP Clients
includes (4)
paths
19 paths from 4 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: FTPClients
# Run as Administrator
#Requires -RunAsAdministrator
# Non-terminating errors are reported and the run continues, so one unreadable
# location does not stop the rest of the collection.
$ErrorActionPreference = 'Continue'

# Drive the per-user artifacts are read from, and the folder that receives every copy.
# The destination should sit on a different volume from the source so that
# collecting does not write to the disk under examination.
$SourceRoot = 'C:'
$DestBase = 'D:\Evidence'

# Running totals, updated by Collect-Artifact and printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
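function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies files matching a mask from every directory that matches SourceDir
    into a named folder under $DestBase.

    .DESCRIPTION
    SourceDir may contain wildcards in any path segment; robocopy does not glob
    its source argument, so the pattern is expanded with Get-Item first.
    When the pattern resolves to a single directory the files land directly in
    $DestBase\FolderName. When it resolves to several directories, each one gets
    its own sub-folder named after its full source path, so same-named files
    (for example one config.xml per user) cannot overwrite each other and the
    origin of every file stays visible in the evidence set.

    Updates the script-level $Summary counters: Missed when no directory
    matches, otherwise Copied or Errors once per matched directory.

    .PARAMETER SourceDir
    Directory path or wildcard pattern to collect from.

    .PARAMETER FolderName
    Name of the destination folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file mask; defaults to every file.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # -Force lets hidden and system directories match the pattern; without it
    # a wildcard silently skips them.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    foreach ($src in $sources) {
        $target = $FullDest
        if ($sources.Count -gt 1) {
            # Flatten the source path into one folder name, e.g.
            # 'C:\Dir\Sub' -> 'C_Dir_Sub' (constructed example).
            $leaf = ($src.FullName -replace '[:\\/]+', '_').Trim('_')
            $target = Join-Path -Path $FullDest -ChildPath $leaf
        }
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue

        # /E recurses into subdirectories, /COPY:DAT keeps data, attributes and
        # timestamps, /R:0 /W:0 disables retries, the remaining switches mute output.
        # NOTE(review): all robocopy output is discarded, so files skipped because
        # they were locked or unreadable are only visible through the exit code.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null

        # robocopy exit codes below 8 mean no copy failure. That includes 0
        # (nothing was copied), so 'Copied' counts directories processed without
        # failure, not directories that yielded files.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}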
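# System-wide FTP client/server artifacts. Every path is built from $SourceRoot so
# the whole script reads from the same drive as the per-user section.
# Several of these locations hold credential material (private SSH/PGP keys,
# certificates, client configuration with saved sessions), so the destination
# folder needs the same access control and handling as the secrets themselves.

# 1. FileZilla Log Files
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\FileZilla Server\Logs" -FileMask "*.log*" -FolderName "FileZilla_Log_Files"

# 2. WinSCP (.ini file)
# A bare drive letter ("C:") is drive-relative and resolves to the current
# directory on that drive, so the search root used to depend on where the script
# was started. The trailing backslash pins it to the drive root.
# NOTE(review): presumably the target means a recursive search of the whole drive
# for WinSCP.ini - confirm against the WinSCP target. Keep $DestBase off the
# source drive, otherwise the recursive copy also walks the evidence folder.
Collect-Artifact -SourceDir "$SourceRoot\" -FileMask "WinSCP.ini" -FolderName "WinSCP_ini_file"

# 3. Robo-FTP User Scripts
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\Scripts" -FileMask "*.s" -FolderName "Robo_FTP_User_Scripts"
# 4. Robo-FTP User Debug Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\Debug" -FileMask "*.log" -FolderName "Robo_FTP_User_Debug_Logs"
# 5. Robo-FTP User Script/Trace Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\Logs" -FileMask "*" -FolderName "Robo_FTP_User_Script_Trace_Logs"
# 6. Robo-FTP User XML Config
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*" -FileMask "config.xml" -FolderName "Robo_FTP_User_XML_Config"
# 7. Robo-FTP User SSH Keys
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\SSH Keys" -FileMask "*" -FolderName "Robo_FTP_User_SSH_Keys"
# 8. Robo-FTP User SSL Certificates
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates" -FileMask "*" -FolderName "Robo_FTP_User_SSL_Certificates"
# 9. Robo-FTP User PGP Keys
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\UserData\*\PGP Keys" -FileMask "*" -FolderName "Robo_FTP_User_PGP_Keys"

# 10. Robo-FTP SSH Keys
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData\SSH Keys" -FileMask "*" -FolderName "Robo_FTP_SSH_Keys"
# 11. Robo-FTP SSL Certificates
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates" -FileMask "*" -FolderName "Robo_FTP_SSL_Certificates"
# 12. Robo-FTP PGP Keys
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData\PGP Keys" -FileMask "*" -FolderName "Robo_FTP_PGP_Keys"
# 13. Robo-FTP Debug Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData\Debug" -FileMask "*" -FolderName "Robo_FTP_Debug_Logs"
# 14. Robo-FTP Script/Trace Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData\Logs" -FileMask "*" -FolderName "Robo_FTP_Script_Trace_Logs"
# 15. Robo-FTP XML Config
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData" -FileMask "config.xml" -FolderName "Robo_FTP_XML_Config"
# 16. Robo-FTP Jobs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP 3.12\ProgramData" -FileMask "SchedulerService.sqlite" -FolderName "Robo_FTP_Jobs"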
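# Iterate every user profile under the source drive.
# -Force makes Get-ChildItem return hidden and system directories as well, so a
# profile folder carrying the hidden attribute is not silently left out of the
# collection. The built-in pseudo-profiles are excluded by name.
$skipProfiles = @('All Users', 'Default', 'Default User', 'Public')

# Per-user locations, collected in this order for each profile.
# The FileZilla client XML files may include saved site entries with credentials,
# so treat the collected copies as sensitive.
$perUserTargets = @(
    @{ SubPath = 'AppData\Roaming\FileZilla';        FileMask = '*.xml*';     Prefix = 'FileZilla_XML_Log_Files' }
    @{ SubPath = 'AppData\Roaming\FileZilla';        FileMask = '*.sqlite3*'; Prefix = 'FileZilla_SQLite3_Log_Files' }
    @{ SubPath = 'AppData\Roaming\FileZilla Server'; FileMask = '*.xml*';     Prefix = 'FileZilla_Server_XML_Log_Files' }
)

Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $skipProfiles } |
    ForEach-Object {
        $userDir = $_
        $UserName = $userDir.Name
        foreach ($t in $perUserTargets) {
            # The destination folder carries the profile name so that files from
            # different users stay separate.
            $UserPath = "$($userDir.FullName)\$($t.SubPath)"
            Collect-Artifact -SourceDir $UserPath -FileMask $t.FileMask -FolderName "$($t.Prefix)_$UserName"
        }
    }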
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 4 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
For those looking for ideas to contribute to this Compound Target, check here: https://en.wikipedia.org/wiki/Comparison_of_FTP_client_software.
Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place in the appropriate folder. Then, include that Target in the appropriate Compound Target.
Also consider the FileExplorerReplacements Target, given that a lot of those applications have FTP features.