ISLOnline

Author: Thomas Burnette

description

ISLOnline Remote Access Tool

paths

8 paths
paths use Windows environment syntax

collection commands

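# PowerShell Artifact Collection Script
# Target: ISLOnline
# Run as Administrator

#Requires -RunAsAdministrator

# Artifact locations that are absent on a host are expected, so PowerShell
# errors are kept quiet. This also silences genuine failures, which is why the
# evidence destination is verified explicitly below.
$ErrorActionPreference = "SilentlyContinue"

# Root folder that receives the collected evidence. Set this to the collection
# volume before running; writing to a disk of the examined system alters it.
$DestBase = "D:\Evidence"

# Create the evidence root up front and stop if it is not usable. Without this
# check every copy would fail silently and the script would still report
# success at the end.
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    New-Item -ItemType Directory -Path $DestBase -Force | Out-Null
}
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    Write-Warning "Evidence destination '$DestBase' is not available; nothing was collected."
    # 'return' ends the script without closing an interactive console.
    return
}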

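# Copies one artifact location into its own folder under $DestBase with robocopy.
#
# Parameters:
#   SourceDir  - directory to collect from; may contain wildcard segments and a
#                trailing backslash.
#   FolderName - name of the destination folder created under $DestBase.
#   FileMask   - robocopy file filter (default "*").
#
# Notes:
#   - robocopy does not expand wildcards in the source directory, so they are
#     resolved to concrete directories here before robocopy is called.
#   - A wildcard source can match several directories that hold identically
#     named files (for example one trace.out per session). Each match is written
#     below the destination folder under its original path, so nothing is
#     overwritten and the origin of every file stays visible.
#   - A missing source or a failed copy is reported with Write-Warning instead
#     of being discarded, so it is not mistaken for a successful collection.
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )

    if ([string]::IsNullOrWhiteSpace($SourceDir)) {
        Write-Warning "Collect-Artifact: no source directory given for '$FolderName'"
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    # A trailing backslash in front of the closing quote is read as an escaped
    # quote when Windows PowerShell builds the robocopy command line, which
    # corrupts the remaining arguments. Strip it, but leave a drive root ("C:\")
    # alone.
    $Pattern = $SourceDir -replace '(?<=[^:\\])\\+$', ''

    $HasWildcard = [System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($Pattern)
    if ($HasWildcard) {
        # -Force so hidden directories are matched as well.
        $Dirs = @(Get-Item -Path $Pattern -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })
    } else {
        $Dirs = @(Get-Item -LiteralPath $Pattern -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })
    }

    if ($Dirs.Count -eq 0) {
        Write-Warning "Collect-Artifact: source not found: $SourceDir"
        return
    }

    foreach ($Dir in $Dirs) {
        $Source = $Dir.FullName
        if ($HasWildcard) {
            # Mirror the original location (drive colon removed) below the
            # artifact folder to keep the matches apart.
            $Relative = ($Source -replace ':', '').Trim('\')
            $Target = Join-Path -Path $FullDest -ChildPath $Relative
        } else {
            $Target = $FullDest
        }

        # /COPY:DAT keeps data, attributes and timestamps; /R:0 /W:0 skips
        # locked files instead of retrying; the /N* switches mute the listing.
        robocopy "$Source" "$Target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null

        # robocopy exit codes below 8 mean success (possibly with nothing to
        # copy); 8 and above mean at least one failure.
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "Collect-Artifact: robocopy exit code $LASTEXITCODE for '$Source' -> '$Target'"
        }
    }
}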

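# Source directories below are written without a trailing backslash: a path
# with spaces that ends in "\" is passed to robocopy by Windows PowerShell as
# ...\" and the backslash then escapes the closing quote, corrupting the
# arguments.
#
# Items 1, 2, 4 and 6 use a "*" path segment (one directory per version or
# session). robocopy does not expand wildcards in a source directory, so that
# segment has to be resolved to concrete directories for these items to collect
# anything.
#
# $env:USERPROFILE is the profile of the account running the script. When the
# script is elevated with a different account, the per-user ISL Online cache of
# the user under examination is not covered by items 1, 2 and 6.

# 1. ISLOnline Logs - Sessions - *.out
# (only ISLClient.out is collected, although the title says *.out)
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ISL Online Cache\ISL Light Client\*"
Collect-Artifact -SourceDir "$UserPath" -FileMask "ISLClient.out" -FolderName "ISLOnline_Logs___Sessions_____out"

# 2. ISLOnline Logs - Session Configurations
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ISL Online Cache\ISL Light Client\*\conf"
Collect-Artifact -SourceDir "$UserPath" -FileMask "*" -FolderName "ISLOnline_Logs___Session_Configurations"

# 3. ISL AlwaysOn Logs - Sessions List
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "session.xml" -FolderName "ISL_AlwaysOn_Logs___Sessions_List"

# 4. ISL AlwaysOn Logs - Sessions
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*" -FileMask "trace.out" -FolderName "ISL_AlwaysOn_Logs___Sessions"

# 5. ISL AlwaysOn - App Logs
# The copy is recursive, so *.out files in subdirectories are included as well.
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "*.out" -FolderName "ISL_AlwaysOn___App_Logs"

# 6. ISL Light Logs - Sessions
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ISL Online Cache\ISL Light\*"
Collect-Artifact -SourceDir "$UserPath" -FileMask "trace.out" -FolderName "ISL_Light_Logs___Sessions"

# 7. ISL AlwaysOn - Email Configuration
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn\status" -FileMask "tray" -FolderName "ISL_AlwaysOn___Email_Configuration"

# 8. ISL AlwaysOn - Configuration
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "StaticConfiguration.ini" -FolderName "ISL_AlwaysOn___Configuration"

# Printed unconditionally: it marks the end of the run, not that every artifact
# was found and copied. Check the destination folders before relying on it.
Write-Host "Collection complete!" -ForegroundColor Green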

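Save the script as a .ps1 file, set $DestBase to the evidence destination, and run it as Administrator, for example: powershell -ExecutionPolicy Bypass -File script.ps1 (the -ExecutionPolicy Bypass switch applies only to that one PowerShell process).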

references

included in collections