$J
Windows, v1.1
Author: Eric Zimmerman and Andrew Rathbun
description
$J
paths
4 paths
FileSystem $J
C:\$Extend\$UsnJrnl:$J
FileSystem $Max
C:\$Extend\$UsnJrnl:$Max
FileSystem $J
C:\$Extend\$J — This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets look for the files as an ADS, whereas once they are already pulled they no longer match the ADS criteria and are therefore missed.
FileSystem $Max
C:\$Extend\$Max — This is for the use case when you're running this Target against a mounted VHDX with these files already pulled from a live system. The above Targets look for the files as an ADS, whereas once they are already pulled they no longer match the ADS criteria and are therefore missed.
Paths use Windows environment syntax.
collection commands
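# PowerShell Artifact Collection Script
# Target: $J
# Run as Administrator
#Requires -RunAsAdministrator
# 'Continue' rather than 'SilentlyContinue': in an evidence-collection script a
# failed copy must be reported, not hidden, or the analyst cannot tell which
# artifacts are missing. Non-terminating errors are printed and the script still
# proceeds to the next artifact.
$ErrorActionPreference = 'Continue'
# Root of the evidence tree; every artifact lands in a sub-folder of this path.
$DestBase = 'D:\Evidence'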
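# Copy one artifact (file, directory, or file:stream path) into a named
# sub-folder under $DestBase and print a SHA-256 for every file that landed.
#
# Parameters:
#   SourcePath - path to collect. Passed to Copy-Item as a literal path so that
#                NTFS names containing '[' or other wildcard characters are not
#                pattern-matched.
#   FolderName - sub-folder of $DestBase to copy into (created if missing).
# Globals: reads $DestBase from the script scope (PowerShell dynamic scoping).
# Outputs: nothing on the pipeline. Hashes go to the host; a warning is raised
#          when nothing was copied so a missing artifact is never silent, even
#          if $ErrorActionPreference suppresses the underlying error.
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -LiteralPath $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    # -PassThru returns the items that actually arrived; an empty result is the
    # one reliable failure signal when errors may be suppressed. No Test-Path
    # pre-check: it is not expected to understand file:stream syntax, and the
    # live $UsnJrnl streams may be locked anyway (Copy-Item is not a raw read).
    $copied = @(Copy-Item -LiteralPath $SourcePath -Destination $FullDest -Recurse -Force -PassThru)
    if ($copied.Count -eq 0) {
        Write-Warning "Nothing copied from '$SourcePath' (missing, locked, or not readable as a regular file)."
        return
    }
    foreach ($item in $copied) {
        if ($item.PSIsContainer) { continue }
        # Hash at collection time so later integrity checks have a baseline.
        # NOTE(review): $J is typically sparse and can be large; hashing is sequential.
        $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256
        Write-Host ('{0}  {1}' -f $hash.Hash, $item.FullName)
    }
}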
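# Paths are single-quoted on purpose. Inside a double-quoted string PowerShell
# treats $Extend, $UsnJrnl, $J and $Max as variable references (undefined here),
# and "$UsnJrnl:$J" is scope-qualifier syntax, so the original strings either
# expanded to a path that names nothing or were rejected by the parser; either
# way the journal was never collected. Backslash is not an escape in PowerShell
# (backtick is), so the doubled '\\' is dropped to match the Target's paths.
#
# 1-2: live system. $J and $Max are alternate data streams of $UsnJrnl.
# Copy-Item is not a raw-volume read, so on a running system these may come
# back as in use / access denied — check the output for these two artifacts and
# fall back to a dedicated collector (this script mirrors a KAPE Target).
Collect-Artifact -SourcePath 'C:\$Extend\$UsnJrnl:$J' -FolderName '_J'
Collect-Artifact -SourcePath 'C:\$Extend\$UsnJrnl:$Max' -FolderName '_Max'
# 3-4: mounted VHDX / files already pulled from a live system, where $J and
# $Max exist as plain files under $Extend. They get their own folders so a
# second copy cannot overwrite the stream copies above (-Force would do that
# silently when both sources resolve to the same file name).
Collect-Artifact -SourcePath 'C:\$Extend\$J' -FolderName '_J_mounted'
Collect-Artifact -SourcePath 'C:\$Extend\$Max' -FolderName '_Max_mounted'
Write-Host "Collection complete!" -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1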