dfirhub

$J

Windowsv1.1

Author: Eric Zimmerman and Andrew Rathbun

description

$J

paths

4 paths
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: $J
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. $J
Collect-Artifact -SourceDir "C:\$Extend\" -FileMask "$UsnJrnl:$J" -FolderName "_J"

# 2. $Max
Collect-Artifact -SourceDir "C:\$Extend\" -FileMask "$UsnJrnl:$Max" -FolderName "_Max"

# 3. $J
Collect-Artifact -SourceDir "C:\$Extend\" -FileMask "$J" -FolderName "_J"

# 4. $Max
Collect-Artifact -SourceDir "C:\$Extend\" -FileMask "$Max" -FolderName "_Max"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

included in collections

BasicCollection SANS_Triage FileSystem KapeTriage MiniTimelineCollection SOFELK