KapeTriage
Compound v4.2
Author: Scott Downie
description
KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, Notepad unsaved sessions (Win11), 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files.
includes (115)
paths
1110 paths from 115 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: KapeTriage
# Run as Administrator
#Requires -RunAsAdministrator
# Collection settings.
# A failing cmdlet reports its error and the run moves on to the next artifact.
$ErrorActionPreference = 'Continue'
# Volume under examination. Nothing in the visible listing reads $SourceRoot;
# the Collect-Artifact calls spell out their own source paths.
$SourceRoot = 'C:'
# Root folder that receives one sub-folder per artifact. Keep it on a volume
# other than the one being collected so the copy does not write to the source.
$DestBase = 'D:\Evidence'
# Running tally maintained by Collect-Artifact.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
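function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies the files matching a mask from a source directory into a per-artifact
    folder under $DestBase and updates the script-level $Summary counters.

    .DESCRIPTION
    SourceDir may contain wildcards in any path segment; every matching
    directory is copied recursively with robocopy (/E). Each resolved source
    gets its own sub-folder named after its full path (drive colon removed), so
    two sources that share a FolderName cannot overwrite each other's files and
    the original location of every collected file stays recoverable.

    robocopy reads through the normal file API. Files the running system holds
    open exclusively, and NTFS metadata files, are generally not readable this
    way; they show up under Errors or Missed rather than in the output folder.

    .PARAMETER SourceDir
    Directory to collect from; wildcards allowed.

    .PARAMETER FolderName
    Name of the artifact folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file mask (* and ? wildcards only). Defaults to "*".

    .OUTPUTS
    None. Increments $Summary.Copied, $Summary.Missed or $Summary.Errors once
    per resolved source directory (Missed once when nothing resolves).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # An empty mask would make robocopy fall back to "everything under the
    # source". That happens when a caller writes a '$'-prefixed file name in
    # double quotes and PowerShell expands it as an unset variable.
    if ([string]::IsNullOrWhiteSpace($FileMask)) {
        Write-Warning "Collect-Artifact: empty file mask for '$SourceDir' ($FolderName); skipped."
        $Summary.Errors++
        return
    }

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force lets Get-Item return hidden/system directories as well.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    foreach ($src in $sources) {
        # "C:\Windows\Temp" -> "C\Windows\Temp": keeps provenance and separates
        # sources that would otherwise land in the same folder.
        $relative = ($src.FullName -replace ':', '').TrimEnd('\')
        $target = Join-Path -Path $FullDest -ChildPath $relative
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue

        robocopy $src.FullName $target $FileMask /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        $code = $LASTEXITCODE

        # robocopy's exit code is a bit mask: 8 and above means at least one
        # failure, bit 1 means at least one file was copied, and 0 means
        # nothing matched or everything was already present.
        if ($code -ge 8) {
            $Summary.Errors++
            Write-Warning "Collect-Artifact: robocopy exit code $code for '$($src.FullName)' mask '$FileMask' ($FolderName)."
        }
        elseif ($code -band 1) {
            $Summary.Copied++
        }
        else {
            $Summary.Missed++
        }
    }
}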
# --- Third-party antivirus logs: Avast, AVG, Avira, Bitdefender (targets 1-17) ---
# Each call copies the source directory recursively (Collect-Artifact passes /E
# to robocopy). A directory that does not exist on this host is only counted
# under $Summary.Missed; nothing is printed for it.
# 1. Avast AV Logs (XP)
Collect-Artifact -SourceDir "C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log" -FolderName "Avast_AV_Logs_XP"
# 2. Avast AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avast Software\Avast\Log" -FolderName "Avast_AV_Logs"
# 3. Avast AV Index
Collect-Artifact -SourceDir "C:\ProgramData\Avast Software\Avast\Chest" -FileMask "index.xml" -FolderName "Avast_AV_Index"
# 4. Avast Persistent Data Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avast Software\Persistent Data\Avast\Logs" -FolderName "Avast_Persistent_Data_Logs"
# 5. Avast Icarus Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avast Software\Icarus\Logs" -FolderName "Avast_Icarus_Logs"
# 6. AVG AV Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\log" -FolderName "AVG_AV_Logs_XP"
# 7. AVG AV Report Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\report" -FolderName "AVG_AV_Report_Logs_XP"
# 8. AVG AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\AVG\Antivirus\log" -FolderName "AVG_AV_Logs"
# 9. AVG Report Logs
Collect-Artifact -SourceDir "C:\ProgramData\AVG\Antivirus\report" -FolderName "AVG_Report_Logs"
# 10. AVG Persistent Logs
Collect-Artifact -SourceDir "C:\ProgramData\AVG\Persistent Data\Antivirus\Logs" -FolderName "AVG_Persistent_Logs"
# 11. AVG FileInfo DB
# The mask selects one file name, but the copy is still recursive: any file
# with that name below the source directory is collected too.
Collect-Artifact -SourceDir "C:\ProgramData\AVG\Antivirus" -FileMask "FileInfo2.db" -FolderName "AVG_FileInfo_DB"
# 12. AVG lsdbj2 JSON
Collect-Artifact -SourceDir "C:\ProgramData\AVG\Antivirus" -FileMask "lsdb2.json" -FolderName "AVG_lsdbj2_JSON"
# 13. Avira Activity Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avira\Antivirus\LOGFILES" -FolderName "Avira_Activity_Logs"
# 14. Avira Security Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avira\Security\Logs" -FolderName "Avira_Security_Logs"
# 15. Avira VPN Logs
Collect-Artifact -SourceDir "C:\ProgramData\Avira\VPN" -FolderName "Avira_VPN_Logs"
# 16. Bitdefender Endpoint Security Logs
Collect-Artifact -SourceDir "C:\ProgramData\Bitdefender\Endpoint Security\Logs" -FolderName "Bitdefender_Endpoint_Security_Logs"
# 17. Bitdefender Internet Security Logs
Collect-Artifact -SourceDir "C:\ProgramData\Bitdefender\Desktop\Profiles\Logs" -FolderName "Bitdefender_Internet_Security_Logs"
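# 18. Bitdefender SQLite DB Files
# The target definition expresses this mask as a regular expression
# (regex:*.+\.(db|db-wal|db-shm)). robocopy only understands * and ? wildcards
# and would match nothing with that string, so each extension gets its own
# wildcard mask. All three land in the same artifact folder.
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db" -FolderName "Bitdefender_SQLite_DB_Files"
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db-wal" -FolderName "Bitdefender_SQLite_DB_Files"
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db-shm" -FolderName "Bitdefender_SQLite_DB_Files"
# 19. ComboFix
# "C:" on its own is drive-relative (the current directory on C:), so the
# volume root is written as "C:\". Collect-Artifact copies recursively, which
# makes this a search of the whole volume for ComboFix.txt.
Collect-Artifact -SourceDir "C:\" -FileMask "ComboFix.txt" -FolderName "ComboFix"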
# --- Antivirus / EDR logs, quarantine stores and related event logs (targets 20-100) ---
# Several targets reuse a -FolderName (28/29, 32/33, 47/48, 70/71, 72/73,
# 74/75, 78/79, 84/85, 92/95/96/97, 93/94); those sources share one artifact
# folder under $DestBase.
# NOTE(review): the quarantine targets (20, 28, 29, 35, 41, 80, 81, 89, 99)
# collect files the product flagged. Treat the copies as potentially malicious
# and keep them away from analysis hosts with active on-access scanning.
# 20. CrowdStrike Falcon Quarantined File
Collect-Artifact -SourceDir "C:\Windows\System32\Drivers\CrowdStrike\Quarantine" -FolderName "CrowdStrike_Falcon_Quarantined_File"
# 21. Cybereason Anti-Ransomware Logs
Collect-Artifact -SourceDir "C:\ProgramData\crs1\Logs" -FolderName "Cybereason_Anti_Ransomware_Logs"
# 22. Cybereason Sensor Communications and Anti-Malware Logs
Collect-Artifact -SourceDir "C:\ProgramData\apv2\Logs" -FolderName "Cybereason_Sensor_Communications_and_Anti_Malware_Logs"
# 23. Cybereason Application Control and NGAV Logs
Collect-Artifact -SourceDir "C:\ProgramData\crb1\Logs" -FolderName "Cybereason_Application_Control_and_NGAV_Logs"
# 24. Cylance ProgramData Logs
Collect-Artifact -SourceDir "C:\ProgramData\Cylance\Desktop" -FolderName "Cylance_ProgramData_Logs"
# 25. Cylance Optics Logs
Collect-Artifact -SourceDir "C:\ProgramData\Cylance\Optics\Log" -FolderName "Cylance_Optics_Logs"
# 26. Cylance Program Files Logs
Collect-Artifact -SourceDir "C:\Program Files\Cylance\Desktop\log" -FolderName "Cylance_Program_Files_Logs"
# 27. Elastic Defend Logs
Collect-Artifact -SourceDir "C:\Program Files\Elastic\Endpoint\state\log" -FileMask "*.log" -FolderName "Elastic_Defend_Logs"
# 28. Elastic Defend Quarantine
Collect-Artifact -SourceDir "C:\.equarantine" -FileMask "*" -FolderName "Elastic_Defend_Quarantine"
# 29. Elastic Defend Quarantine
Collect-Artifact -SourceDir "C:\Program Files\Elastic\Endpoint\state\.equarantine" -FileMask "*" -FolderName "Elastic_Defend_Quarantine"
# 30. Emsisoft Scan Logs
Collect-Artifact -SourceDir "C:\ProgramData\Emsisoft\Reports" -FileMask "scan*.txt" -FolderName "Emsisoft_Scan_Logs"
# 31. ESET NOD32 AV Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs" -FolderName "ESET_NOD32_AV_Logs_XP"
# 32. ESET NOD32 AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs" -FolderName "ESET_NOD32_AV_Logs"
# 33. ESET NOD32 AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\ESET Security\Logs" -FolderName "ESET_NOD32_AV_Logs"
# 34. ESET Remote Administrator Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs" -FolderName "ESET_Remote_Administrator_Logs"
# 35. SYSTEM user quarantine
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine" -FolderName "SYSTEM_user_quarantine"
# 36. F-Secure Logs
Collect-Artifact -SourceDir "C:\ProgramData\F-Secure\Log" -FolderName "F_Secure_Logs"
# 37. F-Secure Scheduled Scan Reports
Collect-Artifact -SourceDir "C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports" -FolderName "F_Secure_Scheduled_Scan_Reports"
# 38. HitmanPro Logs
Collect-Artifact -SourceDir "C:\ProgramData\HitmanPro\Logs" -FolderName "HitmanPro_Logs"
# 39. HitmanPro Alert Logs
Collect-Artifact -SourceDir "C:\ProgramData\HitmanPro.Alert\Logs" -FolderName "HitmanPro_Alert_Logs"
# 40. HitmanPro Database
Collect-Artifact -SourceDir "C:\ProgramData\HitmanPro.Alert" -FileMask "excalibur.db" -FolderName "HitmanPro_Database"
# 41. HitmanPro Quarantine
Collect-Artifact -SourceDir "C:\ProgramData\HitmanPro\Quarantine" -FolderName "HitmanPro_Quarantine"
# 42. MalwareBytes Anti-Malware Logs
Collect-Artifact -SourceDir "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs" -FileMask "mbam-log-*.xml" -FolderName "MalwareBytes_Anti_Malware_Logs"
# 43. MalwareBytes Anti-Malware Service Logs
Collect-Artifact -SourceDir "C:\ProgramData\Malwarebytes\MBAMService\logs" -FileMask "mbamservice.log*" -FolderName "MalwareBytes_Anti_Malware_Service_Logs"
# 44. MalwareBytes Anti-Malware Scan Results Logs
Collect-Artifact -SourceDir "C:\ProgramData\Malwarebytes\MBAMService\ScanResults" -FolderName "MalwareBytes_Anti_Malware_Scan_Results_Logs"
# 45. McAfee Desktop Protection Logs XP
Collect-Artifact -SourceDir "C:\Users\All Users\Application Data\McAfee\DesktopProtection" -FolderName "McAfee_Desktop_Protection_Logs_XP"
# 46. McAfee Desktop Protection Logs
Collect-Artifact -SourceDir "C:\ProgramData\McAfee\DesktopProtection" -FolderName "McAfee_Desktop_Protection_Logs"
# 47. McAfee Endpoint Security Logs
Collect-Artifact -SourceDir "C:\ProgramData\McAfee\Endpoint Security\Logs" -FolderName "McAfee_Endpoint_Security_Logs"
# 48. McAfee Endpoint Security Logs
Collect-Artifact -SourceDir "C:\ProgramData\McAfee\Endpoint Security\Logs_Old" -FolderName "McAfee_Endpoint_Security_Logs"
# 49. McAfee VirusScan Logs
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\VirusScan" -FolderName "McAfee_VirusScan_Logs"
# 50. McAfee MSC Logs
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\MSC\Logs" -FolderName "McAfee_MSC_Logs"
# 51. McAfee Agent Events
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\Agent\AgentEvents" -FolderName "McAfee_Agent_Events"
# 52. McAfee Agent Logs
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\Agent\logs" -FolderName "McAfee_Agent_Logs"
# 53. McAfee Data Reputation Logs
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\datareputation\Logs" -FolderName "McAfee_Data_Reputation_Logs"
# 54. McAfee Managed VirusScan
Collect-Artifact -SourceDir "C:\ProgramData\Mcafee\Managed\VirusScan\Logs" -FolderName "McAfee_Managed_VirusScan"
# 55. McAfee Agent Events XP
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents" -FolderName "McAfee_Agent_Events_XP"
# 56. McAfee MC Logs XP
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\SAE" -FolderName "McAfee_MC_Logs_XP"
# 57. McAfee Data Reputation Logs XP
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\McAfee\datreputation\Logs" -FolderName "McAfee_Data_Reputation_Logs_XP"
# 58. McAfee Managed VirusScan Logs XP
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\McAfee\Managed\VirusScan\Logs" -FolderName "McAfee_Managed_VirusScan_Logs_XP"
# 59. McAfee WCF Service Logs
Collect-Artifact -SourceDir "C:\Program Files (x86)\McAfee\DLP\WCF Service\Log" -FolderName "McAfee_WCF_Service_Logs"
# 60. McAfee ePO Logs
# Same source directory and default mask as target 47; the data is copied a
# second time under a different folder name.
Collect-Artifact -SourceDir "C:\ProgramData\McAfee\Endpoint Security\Logs" -FolderName "McAfee_ePO_Logs"
# 61. McAfee ePO Apache Logs
Collect-Artifact -SourceDir "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\Logs" -FolderName "McAfee_ePO_Apache_Logs"
# 62. McAfee ePO DB Events
Collect-Artifact -SourceDir "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events" -FolderName "McAfee_ePO_DB_Events"
# 63. McAfee ePO DB Debug Events
# Sub-directory of target 62's source, which is already copied recursively.
Collect-Artifact -SourceDir "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\Debug" -FolderName "McAfee_ePO_DB_Debug_Events"
# 64. McAfee ePO Server Logs
Collect-Artifact -SourceDir "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs" -FolderName "McAfee_ePO_Server_Logs"
# 65. Windows Safety Scanner Logs
Collect-Artifact -SourceDir "C:\Windows\Debug" -FileMask "msert.log" -FolderName "Windows_Safety_Scanner_Logs"
# 66. RogueKiller Reports
Collect-Artifact -SourceDir "C:\ProgramData\RogueKiller\logs" -FileMask "AdliceReport_*.json" -FolderName "RogueKiller_Reports"
# 67. SecureAge Antvirus Logs
Collect-Artifact -SourceDir "C:\ProgramData\SecureAge Technology\SecureAge\log" -FolderName "SecureAge_Antvirus_Logs"
# 68. SentinelOne EDR Log
Collect-Artifact -SourceDir "C:\programdata\sentinel\logs" -FolderName "SentinelOne_EDR_Log"
# 69. Sophos Logs (XP)
# The '*' in the source path is expanded by Collect-Artifact's Get-Item lookup;
# every matching directory is copied.
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs" -FolderName "Sophos_Logs_XP"
# 70. Sophos Logs
Collect-Artifact -SourceDir "C:\ProgramData\Sophos\*\Logs" -FolderName "Sophos_Logs"
# 71. Sophos Logs
Collect-Artifact -SourceDir "C:\ProgramData\Sophos\Logs" -FolderName "Sophos_Logs"
# 72. Application Event Log XP
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP"
# 73. Application Event Log XP
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP"
# 74. Application Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7"
# 75. Application Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7"
# 76. Symantec Endpoint Protection Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV" -FolderName "Symantec_Endpoint_Protection_Logs_XP"
# 77. Symantec Endpoint Protection Logs
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs" -FolderName "Symantec_Endpoint_Protection_Logs"
# 78. Symantec Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Symantec Endpoint Protection Client.evtx" -FolderName "Symantec_Event_Log_Win7"
# 79. Symantec Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Symantec Endpoint Protection Client.evtx" -FolderName "Symantec_Event_Log_Win7"
# 80. Symantec Endpoint Protection Quarantine (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine" -FolderName "Symantec_Endpoint_Protection_Quarantine_XP"
# 81. Symantec Endpoint Protection Quarantine
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine" -FolderName "Symantec_Endpoint_Protection_Quarantine"
# 82. ccSubSDK Database
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK" -FolderName "ccSubSDK_Database"
# 83. registrationInfo.xml
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data" -FileMask "registrationInfo.xml" -FolderName "registrationInfo_xml"
# 84. TotalAV Logs
Collect-Artifact -SourceDir "C:\Program Files*\TotalAV\logs" -FolderName "TotalAV_Logs"
# 85. TotalAV Logs
Collect-Artifact -SourceDir "C:\ProgramData\TotalAV\logs" -FolderName "TotalAV_Logs"
# 86. Trend Micro Logs
Collect-Artifact -SourceDir "C:\ProgramData\Trend Micro" -FolderName "Trend_Micro_Logs"
# 87. Trend Micro Security Agent Report Logs
Collect-Artifact -SourceDir "C:\Program Files*\Trend Micro\Security Agent\Report" -FileMask "*.log" -FolderName "Trend_Micro_Security_Agent_Report_Logs"
# 88. Trend Micro Security Agent Connection Logs
Collect-Artifact -SourceDir "C:\Program Files*\Trend Micro\Security Agent\ConnLog" -FileMask "*.log" -FolderName "Trend_Micro_Security_Agent_Connection_Logs"
# 89. Trend Micro Quarantine
Collect-Artifact -SourceDir "C:\Program Files*\Trend Micro\*\Quarantine" -FileMask "*" -FolderName "Trend_Micro_Quarantine"
# 90. VIPRE Business Agent Logs
Collect-Artifact -SourceDir "C:\ProgramData\VIPRE Business Agent\Logs" -FolderName "VIPRE_Business_Agent_Logs"
# 91. Webroot Program Data
Collect-Artifact -SourceDir "C:\ProgramData\WRData" -FileMask "WRLog.log" -FolderName "Webroot_Program_Data"
# 92. Windows Defender Logs
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Microsoft AntiMalware\Support" -FolderName "Windows_Defender_Logs"
# 93. Windows Defender Event Logs
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\Logs" -FileMask "Microsoft-Windows-Windows Defender*.evtx" -FolderName "Windows_Defender_Event_Logs"
# 94. Windows Defender Event Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\Logs" -FileMask "Microsoft-Windows-Windows Defender*.evtx" -FolderName "Windows_Defender_Event_Logs"
# 95. Windows Defender Logs
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows Defender\Support" -FolderName "Windows_Defender_Logs"
# 96. Windows Defender Logs
Collect-Artifact -SourceDir "C:\Windows\Temp" -FileMask "MpCmdRun.log" -FolderName "Windows_Defender_Logs"
# 97. Windows Defender Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\Temp" -FileMask "MpCmdRun.log" -FolderName "Windows_Defender_Logs"
# 98. DetectionHistory
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*" -FolderName "DetectionHistory"
# 99. Windows Defender Quarantine
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows Defender\Quarantine" -FolderName "Windows_Defender_Quarantine"
# 100. Windows Defender Detections.log
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" -FileMask "Detections.log" -FolderName "Windows_Defender_Detections_log"
# --- Rclone configuration files in service-account profiles (targets 101-119) ---
# These targets look for rclone.conf / .rclone.conf in the SYSTEM, LocalService
# and NetworkService profiles and directly under the Windows directories.
# NOTE(review): an rclone config normally holds the remote definitions together
# with their stored credentials; handle the collected copies as secrets.
# Targets 101-104 and 117-119 point at broad directories, and the copy is
# recursive, so every file with the masked name below them is collected.
# 101. Rclone config - SYSTEM SysWOW64 User Folder
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile" -FileMask ".rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_Folder"
# 102. Rclone config - SYSTEM User Folder
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask ".rclone.conf" -FolderName "Rclone_config_SYSTEM_User_Folder"
# 103. Rclone config - LocalService User Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask ".rclone.conf" -FolderName "Rclone_config_LocalService_User_Folder"
# 104. Rclone config - NetworkService User Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask ".rclone.conf" -FolderName "Rclone_config_NetworkService_User_Folder"
# 105. Rclone config - SYSTEM SysWOW64 User .config Folder
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder"
# 106. Rclone config - SYSTEM User .config Folder
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder"
# 107. Rclone config - LocalService User .config Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder"
# 108. Rclone config - NetworkService User .config Folder
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\.config\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder"
# 109. Rclone config - SYSTEM SysWOW64 User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder_XDG_CONFIG_HOME_Default"
# 110. Rclone config - SYSTEM User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder_XDG_CONFIG_HOME_Default"
# 111. Rclone config - LocalService User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder_XDG_CONFIG_HOME_Default"
# 112. Rclone config - NetworkService User config Folder - XDG_CONFIG_HOME Default
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder_XDG_CONFIG_HOME_Default"
# 113. Rclone config - SYSTEM SysWOW64 User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_SysWOW64_User_config_Folder_Roaming"
# 114. Rclone config - SYSTEM User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_SYSTEM_User_config_Folder_Roaming"
# 115. Rclone config - LocalService User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_LocalService_User_config_Folder_Roaming"
# 116. Rclone config - NetworkService User config Folder - Roaming
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\rclone" -FileMask "rclone.conf" -FolderName "Rclone_config_NetworkService_User_config_Folder_Roaming"
# 117. Rclone config - SysWOW64 Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows\SysWOW64" -FileMask "rclone.conf" -FolderName "Rclone_config_SysWOW64_Sideloaded_Config"
# 118. Rclone config - System32 Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows\System32" -FileMask "rclone.conf" -FolderName "Rclone_config_System32_Sideloaded_Config"
# 119. Rclone config - Windows Sideloaded Config
Collect-Artifact -SourceDir "C:\Windows" -FileMask "rclone.conf" -FolderName "Rclone_config_Windows_Sideloaded_Config"
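# 120. Rclone config - Recursive
# "C:" on its own is drive-relative (the current directory on C:), so the
# whole-volume search starts from "C:\" instead. Collect-Artifact copies
# recursively, so every rclone.conf on the volume is collected.
# NOTE(review): the collected configs normally carry stored remote
# credentials; handle them as secrets.
Collect-Artifact -SourceDir "C:\" -FileMask "rclone.conf" -FolderName "Rclone_config_Recursive"
# 121. Rclone config fallback - Recursive
Collect-Artifact -SourceDir "C:\" -FileMask ".rclone.conf" -FolderName "Rclone_config_fallback_Recursive"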
# --- Event logs and evidence of execution (targets 122-135) ---
# Sources under C:\Windows.old cover a previous Windows installation kept on
# the same volume; they reuse the FolderName of the live-system target.
# NOTE(review): Amcache.hve and Syscache.hve are registry hive files; confirm
# robocopy can read them on a live host. A file the system holds open shows up
# only in $Summary.Errors, not in the output folder.
# 122. Event logs XP
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "*.evt" -FolderName "Event_logs_XP"
# 123. Event logs Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "*.evtx" -FolderName "Event_logs_Win7"
# 124. Event logs Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "*.evtx" -FolderName "Event_logs_Win7"
# 125. Amcache
Collect-Artifact -SourceDir "C:\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"
# 126. Amcache
Collect-Artifact -SourceDir "C:\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"
# 127. Amcache transaction files
Collect-Artifact -SourceDir "C:\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"
# 128. Amcache transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"
# 129. AppCompat PCA Folder
Collect-Artifact -SourceDir "C:\Windows\appcompat\pca" -FolderName "AppCompat_PCA_Folder"
# 130. Prefetch
Collect-Artifact -SourceDir "C:\Windows\prefetch" -FileMask "*.pf" -FolderName "Prefetch"
# 131. Prefetch
Collect-Artifact -SourceDir "C:\Windows.old\Windows\prefetch" -FileMask "*.pf" -FolderName "Prefetch"
# 132. RecentFileCache
Collect-Artifact -SourceDir "C:\Windows\AppCompat\Programs" -FileMask "RecentFileCache.bcf" -FolderName "RecentFileCache"
# 133. RecentFileCache
Collect-Artifact -SourceDir "C:\Windows.old\Windows\AppCompat\Programs" -FileMask "RecentFileCache.bcf" -FolderName "RecentFileCache"
# 134. Syscache
Collect-Artifact -SourceDir "C:\System Volume Information" -FileMask "Syscache.hve" -FolderName "Syscache"
# 135. Syscache transaction files
Collect-Artifact -SourceDir "C:\System Volume Information" -FileMask "Syscache.hve.LOG*" -FolderName "Syscache_transaction_files"
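# --- NTFS metadata files (targets 136-146) ---
# The file and directory names here start with '$', so they are written in
# single quotes. In double quotes PowerShell treats $MFT, $Extend, $J ... as
# (unset) variables and passes an empty or truncated string, and strings of the
# form "$UsnJrnl:$J" do not parse at all, which stops the whole script from
# loading. "C:\" replaces the drive-relative "C:" so the volume root is meant.
# NOTE(review): robocopy reads through the normal file API, which generally
# does not expose NTFS metadata files or named streams such as $UsnJrnl:$J on
# a live volume. Expect these targets under Missed or Errors and collect them
# with a raw-volume reader instead.
# 136. $MFT
Collect-Artifact -SourceDir 'C:\' -FileMask '$MFT' -FolderName "MFT"
# 137. $LogFile
Collect-Artifact -SourceDir 'C:\' -FileMask '$LogFile' -FolderName "LogFile"
# 138. $J
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$UsnJrnl:$J' -FolderName "J"
# 139. $Max
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$UsnJrnl:$Max' -FolderName "Max"
# 140. $J
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$J' -FolderName "J"
# 141. $Max
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$Max' -FolderName "Max"
# 142. $SDS
Collect-Artifact -SourceDir 'C:\' -FileMask '$Secure:$SDS' -FolderName "SDS"
# 143. $SDS
Collect-Artifact -SourceDir 'C:\' -FileMask '$Secure_$SDS' -FolderName "SDS"
# 144. $Boot
Collect-Artifact -SourceDir 'C:\' -FileMask '$Boot' -FolderName "Boot"
# 145. $T
Collect-Artifact -SourceDir 'C:\$Extend\$RmMetadata\$TxfLog' -FileMask '$Tops:$T' -FolderName "T"
# 146. $T
Collect-Artifact -SourceDir 'C:\$Extend\$RmMetadata\$TxfLog' -FileMask '$T' -FolderName "T"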
# --- LNK files and PowerShell console history (targets 147-150) ---
# The PSReadLine history files record commands typed in interactive PowerShell
# sessions of the SYSTEM profile; they can contain credentials typed on the
# command line, so handle the copies accordingly.
# 147. Restore point LNK Files XP
# Both wildcard segments are expanded by Collect-Artifact's Get-Item lookup.
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*" -FileMask "*.LNK" -FolderName "Restore_point_LNK_Files_XP"
# 148. LNK Files from C:\ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" -FileMask "*.LNK" -FolderName "LNK_Files_from_C_ProgramData"
# 149. PowerShell Console Log Systemprofile
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine" -FileMask "*_history.txt" -FolderName "PowerShell_Console_Log_Systemprofile"
# 150. PowerShell Console Log WOW64 Systemprofile
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine" -FileMask "*_history.txt" -FolderName "PowerShell_Console_Log_WOW64_Systemprofile"
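# 151. Recycle Bin - Windows Vista+
# Single quotes keep '$Recycle.Bin' and '$I*' literal. In double quotes
# PowerShell expands $Recycle and $I as unset variables, which turns the source
# into "C:\.Bin" and the mask into "*" (every file instead of the $I records).
Collect-Artifact -SourceDir 'C:\$Recycle.Bin' -FileMask '$I*' -FolderName "Recycle_Bin_Windows_Vista"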
# 152. RECYCLER - WinXP
Collect-Artifact -SourceDir "C:\RECYCLE*" -FileMask "INFO2" -FolderName "RECYCLER_WinXP"
# 153. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"
# 154. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"
# 155. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"
# 156. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"
# 157. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 158. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 159. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"
# 160. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"
# 161. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"
# 162. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"
# 163. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"
# 164. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"
# 165. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 166. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 167. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"
# 168. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"
# 169. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"
# 170. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"
# 171. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"
# 172. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"
# 173. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"
# 174. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"
# 175. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"
# 176. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"
# 177. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"
# 178. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"
# 179. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"
# ---------------------------------------------------------------------------
# Registry hives: RegBack copy, service-account profiles, XP restore points,
# the DEFAULT hive and MSIX Registry.dat files.
# Reviewer notes (mechanics are those of Collect-Artifact, defined earlier in
# this script):
#  * Every path here is hard-coded to C:\ and does not use $SourceRoot, so
#    pointing $SourceRoot at a mounted image does not redirect these calls.
#  * Hives of the running system (systemprofile, LocalService, NetworkService,
#    DEFAULT) are normally held open by Windows. robocopy runs with /R:0 and
#    its output is discarded, so a file that cannot be read is skipped without
#    a per-file record; the only trace is the $Summary.Errors counter.
#  * Each live / Windows.old pair passes the same -FolderName. Both trees are
#    copied into one destination folder, a later copy can replace a same-named
#    file from the earlier one, and the origin is not recorded.
#  * robocopy is called with /E, so a -FileMask is matched in every
#    subdirectory of -SourceDir, not only at its top level.
# ---------------------------------------------------------------------------
# 180. SYSTEM registry hive (RegBack)
# Writes into the same folder as the call directly above it (live C:\Windows RegBack).
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"
# 181. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"
# 182. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"
# 183. System Profile registry transaction files
# Transaction logs belong with the hive collected in 181/182; replaying them is
# what makes a hive copied in a dirty state consistent.
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"
# 184. System Profile registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"
# 185. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"
# 186. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"
# 187. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"
# 188. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"
# 189. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"
# 190. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"
# 191. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"
# 192. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"
# 193. System Restore Points Registry Hives (XP)
# NOTE(review): "System Volume Information" is usually readable by SYSTEM only.
# Collect-Artifact resolves the wildcards with -ErrorAction SilentlyContinue, so
# an access-denied result is counted as Missed, the same as "not present".
# Every matching RP*\snapshot directory is copied into the one destination folder.
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*\snapshot" -FileMask "_REGISTRY_*" -FolderName "System_Restore_Points_Registry_Hives_XP"
# 194. NTUSER.DAT DEFAULT registry hive
# With /E the mask "DEFAULT" is also matched in subdirectories of config.
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"
# 195. NTUSER.DAT DEFAULT registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"
# 196. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"
# 197. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"
# 198. Registry.dat MSIX Hive
# NOTE(review): WindowsApps is typically not listable by Administrators; if the
# wildcard cannot be expanded the call is counted as Missed without any message.
# Each package directory that does match is copied into the same destination,
# so Registry.dat files from different packages can replace one another.
Collect-Artifact -SourceDir "C:\Program Files\WindowsApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"
# 199. Registry.dat MSIX Hive
# Shares its destination folder with 198.
Collect-Artifact -SourceDir "C:\Windows\SystemApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"
# ---------------------------------------------------------------------------
# Third-party remote access / RMM software logs: Action1, Ammyy, AnyDesk,
# DWAgent, ISL AlwaysOn.
# Reviewer notes:
#  * Only the install locations listed here are checked. When a directory does
#    not exist Collect-Artifact increments $Summary.Missed and returns; that
#    says nothing about the tool having run from another location.
#  * The *.conf / configuration entries can contain credential material
#    (for example password hashes or access tokens, depending on the product);
#    handle the evidence folder accordingly.
#  * robocopy /E applies each -FileMask to the whole tree under -SourceDir.
# ---------------------------------------------------------------------------
# 200. Action1 Client Application logs
Collect-Artifact -SourceDir "C:\Windows\Action1\logs" -FileMask "*.log" -FolderName "Action1_Client_Application_logs"
# 201. Ammyy Program Data
# No -FileMask: the default "*" copies the whole directory tree.
Collect-Artifact -SourceDir "C:\ProgramData\Ammyy" -FolderName "Ammyy_Program_Data"
# 202. AnyDesk Logs - ProgramData - *.trace
Collect-Artifact -SourceDir "C:\ProgramData\AnyDesk" -FileMask "*.trace" -FolderName "AnyDesk_Logs_ProgramData_trace"
# 203. AnyDesk Logs - ProgramData - *.conf
Collect-Artifact -SourceDir "C:\ProgramData\AnyDesk" -FileMask "*.conf" -FolderName "AnyDesk_Logs_ProgramData_conf"
# 204. AnyDesk Logs - ProgramData - connection_trace.txt
Collect-Artifact -SourceDir "C:\ProgramData\AnyDesk" -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_ProgramData_connection_trace_txt"
# 205. AnyDesk Logs - System User Account
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk" -FolderName "AnyDesk_Logs_System_User_Account"
# 206. AnyDesk File Transfer Logs - Installed as a Service
Collect-Artifact -SourceDir "C:\ProgramData\AnyDesk" -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Installed_as_a_Service"
# 207. DWAgent Log Files
# The wildcard in -SourceDir may match several directories; all of them are
# copied into the one destination folder.
Collect-Artifact -SourceDir "C:\ProgramData\DWAgent*" -FileMask "*.log*" -FolderName "DWAgent_Log_Files"
# 208. ISL AlwaysOn Logs - Sessions List
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "session.xml" -FolderName "ISL_AlwaysOn_Logs_Sessions_List"
# 209. ISL AlwaysOn Logs - Sessions
# Every directory under sessions\ is copied into the same destination, so the
# trace.out of one session can replace that of another.
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*" -FileMask "trace.out" -FolderName "ISL_AlwaysOn_Logs_Sessions"
# 210. ISL AlwaysOn - App Logs
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "*.out" -FolderName "ISL_AlwaysOn_App_Logs"
# 211. ISL AlwaysOn - Email Configuration
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn\status" -FileMask "tray" -FolderName "ISL_AlwaysOn_Email_Configuration"
# 212. ISL AlwaysOn - Configuration
Collect-Artifact -SourceDir "C:\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "StaticConfiguration.ini" -FolderName "ISL_AlwaysOn_Configuration"
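# ---------------------------------------------------------------------------
# ITarian / Comodo Endpoint Manager RMM logs (rmmlogs), 64-bit and 32-bit
# install locations. No -FileMask is given, so Collect-Artifact's default "*"
# copies each rmmlogs tree in full.
# The 32-bit Comodo entry used to be labelled and filed as "ITarian", which put
# Comodo logs into the ITarian evidence folder; it is now filed under "Comodo"
# so the folder name matches the product the logs came from.
# The 64-bit and 32-bit locations of one product still share a folder, so
# same-named log files from the two locations can replace each other.
# ---------------------------------------------------------------------------
# 213. ITarian
Collect-Artifact -SourceDir "C:\Program Files\ITarian\Endpoint Manager\rmmlogs" -FolderName "ITarian"
# 214. ITarian
Collect-Artifact -SourceDir "C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs" -FolderName "ITarian"
# 215. Comodo
Collect-Artifact -SourceDir "C:\Program Files\Comodo\Endpoint Manager\rmmlogs" -FolderName "Comodo"
# 216. Comodo (32-bit install path)
Collect-Artifact -SourceDir "C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs" -FolderName "Comodo"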
# ---------------------------------------------------------------------------
# Third-party remote access / RMM software logs: Kaseya, Level, LogMeIn,
# MeshAgent, Net Monitor for Employees Pro, Radmin.
# Reviewer notes:
#  * A wildcard in -SourceDir ("Program Files*", "...\*") is expanded by
#    Collect-Artifact and every matching directory is copied into the single
#    destination folder; files with the same relative name can replace each
#    other and the source directory is not recorded.
#  * robocopy /E applies each -FileMask recursively, so a mask on a broad
#    directory such as C:\Windows\Temp is searched for in every subdirectory.
#  * A directory that does not exist is only counted in $Summary.Missed.
# ---------------------------------------------------------------------------
# 217. Kaseya Agent Endpoint Service Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint" -FolderName "Kaseya_Agent_Endpoint_Service_Logs_XP"
# 218. Kaseya Agent Endpoint Service Logs
Collect-Artifact -SourceDir "C:\ProgramData\Kaseya\Log\Endpoint" -FolderName "Kaseya_Agent_Endpoint_Service_Logs"
# 219. Kaseya Agent Service Log
Collect-Artifact -SourceDir "C:\Program Files*\Kaseya\*" -FileMask "agentmon.log*" -FolderName "Kaseya_Agent_Service_Log"
# 220. Kaseya Setup Log
Collect-Artifact -SourceDir "C:\Windows\Temp" -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log"
# 221. Kaseya Setup Log
# Same destination folder as 220 (live system).
Collect-Artifact -SourceDir "C:\Windows.old\Windows\Temp" -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log"
# 222. Kaseya Agent Edge Service Logs
Collect-Artifact -SourceDir "C:\ProgramData\Kaseya\Log\KaseyaEdgeServices" -FolderName "Kaseya_Agent_Edge_Service_Logs"
# 223. Level RMM Client Application logs
Collect-Artifact -SourceDir "C:\Program Files\Level" -FileMask "*.log" -FolderName "Level_RMM_Client_Application_logs"
# 224. LogMeIn ProgramData Logs
Collect-Artifact -SourceDir "C:\ProgramData\LogMeIn\Logs" -FolderName "LogMeIn_ProgramData_Logs"
# 225. MeshAgent .msh (configuration) file
Collect-Artifact -SourceDir "C:\Program Files\Mesh Agent" -FileMask "*.msh" -FolderName "MeshAgent_msh_configuration_file"
# 226. MeshAgent log file
Collect-Artifact -SourceDir "C:\Program Files\Mesh Agent" -FileMask "*.log" -FolderName "MeshAgent_log_file"
# 227. Net Monitor Server Data
Collect-Artifact -SourceDir "C:\ProgramData\Net Monitor for Employees Pro\data" -FolderName "Net_Monitor_Server_Data"
# 228. Net Monitor Server Config
Collect-Artifact -SourceDir "C:\ProgramData\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Server_Config"
# 229. Net Monitor Server Temp Folder
Collect-Artifact -SourceDir "C:\ProgramData\Net Monitor for Employees Pro\tmp" -FolderName "Net_Monitor_Server_Temp_Folder"
# 230. Net Monitor Client Logs
Collect-Artifact -SourceDir "C:\Program Files*\Net Monitor for Employees Pro\log" -FolderName "Net_Monitor_Client_Logs"
# 231. Net Monitor Client Config
Collect-Artifact -SourceDir "C:\Program Files*\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Client_Config"
# 232. Radmin Server 32bit Log
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\rserver30" -FileMask "Radm_log.htm" -FolderName "Radmin_Server_32bit_Log"
# 233. Radmin Server 64bit Log
Collect-Artifact -SourceDir "C:\Windows\System32\rserver30" -FileMask "Radm_log.htm" -FolderName "Radmin_Server_64bit_Log"
# 234. Radmin Server 32bit Chats
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\rserver30\CHATLOGS\*" -FileMask "*.htm" -FolderName "Radmin_Server_32bit_Chats"
# 235. Radmin Server 64bit Chats
Collect-Artifact -SourceDir "C:\Windows\System32\rserver30\CHATLOGS\*" -FileMask "*.htm" -FolderName "Radmin_Server_64bit_Chats"
# ---------------------------------------------------------------------------
# Remote Desktop event log channels: RemoteConnectionManager,
# LocalSessionManager and RdpCoreTS cover inbound sessions, RDPClient covers
# outbound connections made from this host.
# Reviewer notes:
#  * The -FileMask is a name prefix followed by "*", so every log file of the
#    channel family in winevt\logs is picked up.
#  * Each live / Windows.old pair writes into the same destination folder. The
#    .evtx files carry identical names in both trees, so the Windows.old copy
#    (made second) can replace the live one. Compare record time ranges after
#    collection to confirm which system a file came from.
#  * The paths are hard-coded to C:\ and ignore $SourceRoot.
# ---------------------------------------------------------------------------
# 236. RemoteConnectionManager Event Logs
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RemoteConnectionManager*" -FolderName "RemoteConnectionManager_Event_Logs"
# 237. RemoteConnectionManager Event Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RemoteConnectionManager*" -FolderName "RemoteConnectionManager_Event_Logs"
# 238. LocalSessionManager Event Logs
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-LocalSessionManager*" -FolderName "LocalSessionManager_Event_Logs"
# 239. LocalSessionManager Event Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-LocalSessionManager*" -FolderName "LocalSessionManager_Event_Logs"
# 240. RDPClient Event Logs
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RDPClient*" -FolderName "RDPClient_Event_Logs"
# 241. RDPClient Event Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RDPClient*" -FolderName "RDPClient_Event_Logs"
# 242. RDPCoreTS Event Logs
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*" -FolderName "RDPCoreTS_Event_Logs"
# 243. RDPCoreTS Event Logs
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*" -FolderName "RDPCoreTS_Event_Logs"
# ---------------------------------------------------------------------------
# Remcos RAT log files (logs*.dat*) in its default directory and in a fixed
# list of other directory names, under each user's AppData\Roaming and under
# C:\ProgramData. The labels below spell the family name "Remco".
# Reviewer notes:
#  * This is a fixed list of directory names. A directory that is absent only
#    increments $Summary.Missed; it does not show that no log exists elsewhere.
#  * "C:\Users\*" is expanded by Collect-Artifact and every user's matching
#    directory is copied into the one destination folder, so the owning user
#    is not recorded and same-named log files can replace each other.
#  * Entries 250-253 are labelled "AppData" but read from C:\ProgramData.
#  * Entries 248 and 253 pass the same -FolderName, so per-user and
#    ProgramData hpsupport files share one destination.
# ---------------------------------------------------------------------------
# 244. Remco RAT Default path
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\remcos" -FileMask "logs*.dat*" -FolderName "Remco_RAT_Default_path"
# 245. Remco RAT custom path - AppData screenshots folder
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\screenshots" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_screenshots_folder"
# 246. Remco RAT custom path - AppData notess folder
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\notess" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_notess_folder"
# 247. Remco RAT custom path - AppData micrecords folder
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\micrecords" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_micrecords_folder"
# 248. Remco RAT custom path - AppData hpsupport
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\hpsupport" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_hpsupport"
# 249. Remco RAT custom path
Collect-Artifact -SourceDir "C:\ProgramData\remcos" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path"
# 250. Remco RAT custom path - AppData notess
Collect-Artifact -SourceDir "C:\ProgramData\notess" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_notess"
# 251. Remco RAT custom path - AppData screenshots
Collect-Artifact -SourceDir "C:\ProgramData\screenshots" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_screenshots"
# 252. Remco RAT custom path - AppData micrecords
Collect-Artifact -SourceDir "C:\ProgramData\micrecords" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_micrecords"
# 253. Remco RAT custom path - AppData hpsupport
# Same -FolderName as entry 248 (per-user AppData\Roaming\hpsupport).
Collect-Artifact -SourceDir "C:\ProgramData\hpsupport" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_hpsupport"
# ---------------------------------------------------------------------------
# Third-party remote access software logs and configuration: Remote
# Manipulator System, Remote Utilities, RustDesk, ScreenConnect, Splashtop,
# Supremo, TeamViewer, ManageEngine UEMS, UltraViewer, RealVNC, TightVNC, Xeox,
# Zoho Assist.
# Reviewer notes:
#  * "Program Files*" is expanded by Collect-Artifact, so the 64-bit and 32-bit
#    install directories are both copied into the same destination folder;
#    same-named files can replace each other and the source is not recorded.
#  * Calls without -FileMask use the default "*" and copy the whole tree.
#  * robocopy /E applies each -FileMask to every subdirectory of -SourceDir.
#  * Configuration and database files in this group (for example *.conf,
#    user.config, User.xml, Session.db) can contain account or credential
#    data; treat the evidence folder as sensitive.
#  * A missing directory is only counted in $Summary.Missed.
# ---------------------------------------------------------------------------
# 254. Remote Manipulator System Connection Logs
Collect-Artifact -SourceDir "C:\Program Files*\Remote Manipulator System - Host\Logs" -FileMask "rms_log_*.html" -FolderName "Remote_Manipulator_System_Connection_Logs"
# 255. Remote Manipulator System Connection Logs in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Remote Manipulator System\Logs" -FileMask "rms_log_*.html" -FolderName "Remote_Manipulator_System_Connection_Logs_in_ProgramData"
# 256. Remote Manipulator System Install Log
Collect-Artifact -SourceDir "C:\ProgramData\Remote Manipulator System" -FileMask "install.log" -FolderName "Remote_Manipulator_System_Install_Log"
# 257. RemoteUtilities Connection Logs
Collect-Artifact -SourceDir "C:\Program Files*\Remote Utilities - Host\Logs" -FileMask "rut_log_*.html" -FolderName "RemoteUtilities_Connection_Logs"
# 258. RemoteUtilities Connection Logs in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Remote Utilities\Logs" -FileMask "rut_log_*.html" -FolderName "RemoteUtilities_Connection_Logs_in_ProgramData"
# 259. RemoteUtilities Install Log
Collect-Artifact -SourceDir "C:\ProgramData\Remote Utilities" -FileMask "install.log" -FolderName "RemoteUtilities_Install_Log"
# 260. RustDesk logs
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server" -FolderName "RustDesk_logs"
# 261. ScreenConnect Session Database
Collect-Artifact -SourceDir "C:\Program Files*\ScreenConnect\App_Data" -FileMask "Session.db" -FolderName "ScreenConnect_Session_Database"
# 262. ScreenConnect Session Database
# Despite the label this call collects User.xml, into the same folder as 261.
Collect-Artifact -SourceDir "C:\Program Files*\ScreenConnect\App_Data" -FileMask "User.xml" -FolderName "ScreenConnect_Session_Database"
# 263. ScreenConnect User Config
# One directory per installed client instance can match; all are copied into
# the same destination, so their user.config files can replace each other.
Collect-Artifact -SourceDir "C:\ProgramData\ScreenConnect Client*" -FileMask "user.config" -FolderName "ScreenConnect_User_Config"
# 264. Splashtop Log Files
Collect-Artifact -SourceDir "C:\Program Files*\Splashtop\Splashtop Remote\Server\log" -FolderName "Splashtop_Log_Files"
# 265. Splashtop Log Files in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Splashtop\Temp\log" -FolderName "Splashtop_Log_Files_in_ProgramData"
# 266. Splashtop Gateway Log Files
Collect-Artifact -SourceDir "C:\Program Files*\Splashtop\Splashtop Remote\Splashtop Gateway\log" -FolderName "Splashtop_Gateway_Log_Files"
# 267. Splashtop Enterprise/Business(legacy) Log Files in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Splashtop\Splashtop Remote Client for ST*\*\log" -FolderName "Splashtop_Enterprise_Business_legacy_Log_Files_in_ProgramData"
# 268. Supremo Connection Logs
Collect-Artifact -SourceDir "C:\ProgramData\SupremoRemoteDesktop\Log" -FileMask "*.log" -FolderName "Supremo_Connection_Logs"
# 269. Supremo File Transfer Inbox
# NOTE(review): by its name this directory holds transferred files rather than
# logs, so the copy may include unknown or malicious content - confirm, and
# handle the folder as untrusted.
Collect-Artifact -SourceDir "C:\ProgramData\SupremoRemoteDesktop\Inbox" -FolderName "Supremo_File_Transfer_Inbox"
# 270. TeamViewer Connection Logs
Collect-Artifact -SourceDir "C:\Program Files*\TeamViewer" -FileMask "connections*.txt" -FolderName "TeamViewer_Connection_Logs"
# 271. TeamViewer Application Logs
Collect-Artifact -SourceDir "C:\Program Files*\TeamViewer" -FileMask "TeamViewer*_Logfile*" -FolderName "TeamViewer_Application_Logs"
# 272. Unified endpoint management and security solutions from ManageEngine
Collect-Artifact -SourceDir "C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs" -FileMask "*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine"
# 273. UltraViewer System Logs
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer" -FolderName "UltraViewer_System_Logs"
# 274. UltraViewer Service Log
Collect-Artifact -SourceDir "C:\Program Files*\UltraViewer" -FileMask "UltraViewerService_log.txt" -FolderName "UltraViewer_Service_Log"
# 275. UltraViewer Connection Log
Collect-Artifact -SourceDir "C:\Program Files*\UltraViewer" -FileMask "ConnectionLog.Log" -FolderName "UltraViewer_Connection_Log"
# 276. RealVNC Viewer Log
# All users' RealVNC directories are copied into one destination folder; the
# owning user is not recorded.
Collect-Artifact -SourceDir "C:\Users\*\AppData\Local\RealVNC" -FileMask "vncviewer.log" -FolderName "RealVNC_Viewer_Log"
# 277. RealVNC Log
Collect-Artifact -SourceDir "C:\ProgramData\RealVNC-Service" -FileMask "vncserver.log" -FolderName "RealVNC_Log"
# 278. TightVNC Application Logs
Collect-Artifact -SourceDir "C:\ProgramData\TightVNC\Server\Logs" -FolderName "TightVNC_Application_Logs"
# 279. Xeox RMM Client Application logs
Collect-Artifact -SourceDir "C:\Program Files\Xeox" -FileMask "*.log" -FolderName "Xeox_RMM_Client_Application_logs"
# 280. Zoho Assist log files in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\ZohoMeeting\log" -FolderName "Zoho_Assist_log_files_in_ProgramData"
# 281. Zoho Assist .conf files
Collect-Artifact -SourceDir "C:\ProgramData\ZohoMeeting" -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files"
# 282. Zoho Assist log files in Program Files*
Collect-Artifact -SourceDir "C:\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs" -FolderName "Zoho_Assist_log_files_in_Program_Files"
# 283. Zoho Assist .conf files in Program Files*
Collect-Artifact -SourceDir "C:\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting" -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files_in_Program_Files"
# 284. Zoho Assist .txt files in Program Files*
Collect-Artifact -SourceDir "C:\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting" -FileMask "*.txt" -FolderName "Zoho_Assist_txt_files_in_Program_Files"
# ---------------------------------------------------------------------------
# Scheduled tasks: legacy at/.job files and SchedLgU.txt, XML task definitions
# and PowerShell scheduled jobs of the SYSTEM profile.
# Reviewer notes:
#  * The three task-definition trees (System32\Tasks, syswow64\Tasks and the
#    Windows.old copy) all use -FolderName "XML". A task with the same relative
#    path in more than one tree can be replaced by the later copy, and the tree
#    it came from is not recorded.
#  * -FileMask "SchedLgU.txt" on C:\Windows is combined with robocopy /E, so
#    the whole Windows directory tree is walked for that one file name.
#  * The "...\ScheduledJobs\*\Output\*" entries expand to one directory per job
#    run; all of them are copied into a single destination, so result files
#    with identical names from different runs can replace each other.
# ---------------------------------------------------------------------------
# 285. at .job
Collect-Artifact -SourceDir "C:\Windows\Tasks" -FileMask "*.job" -FolderName "at_job"
# 286. at .job
Collect-Artifact -SourceDir "C:\Windows.old\Windows\Tasks" -FileMask "*.job" -FolderName "at_job"
# 287. at SchedLgU.txt
Collect-Artifact -SourceDir "C:\Windows" -FileMask "SchedLgU.txt" -FolderName "at_SchedLgU_txt"
# 288. at SchedLgU.txt
Collect-Artifact -SourceDir "C:\Windows.old\Windows" -FileMask "SchedLgU.txt" -FolderName "at_SchedLgU_txt"
# 289. XML
Collect-Artifact -SourceDir "C:\Windows\System32\Tasks" -FolderName "XML"
# 290. XML
Collect-Artifact -SourceDir "C:\Windows\syswow64\Tasks" -FolderName "XML"
# 291. XML
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\Tasks" -FolderName "XML"
# 292. PowerShell Scheduled_Jobs Systemprofile
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs" -FolderName "PowerShell_Scheduled_Jobs_Systemprofile"
# 293. PowerShell Scheduled_Jobs Output Systemprofile
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*" -FolderName "PowerShell_Scheduled_Jobs_Output_Systemprofile"
# 294. PowerShell Scheduled_Jobs WOW64 Systemprofile
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs" -FolderName "PowerShell_Scheduled_Jobs_WOW64_Systemprofile"
# 295. PowerShell Scheduled_Jobs Output WOW64 Systemprofile
Collect-Artifact -SourceDir "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*" -FolderName "PowerShell_Scheduled_Jobs_Output_WOW64_Systemprofile"
# ---------------------------------------------------------------------------
# SRUM, SOFTWARE hive, SUM database, Windows Error Reporting, crash dumps and
# the WMI (WBEM) repository.
# Reviewer notes:
#  * On a running system the SRUM database, the SOFTWARE hive and the WMI
#    repository are normally open in the owning service or the kernel.
#    Collect-Artifact calls robocopy with /R:0 and discards its output, so a
#    file that cannot be read is skipped and only $Summary.Errors changes.
#    Check the destination folders rather than relying on the counters: an exit
#    code of 0 (nothing copied) is also counted as "Copied".
#  * -FileMask "*.dmp" on C:\Windows is combined with robocopy /E and therefore
#    walks the whole Windows tree. A full memory dump found this way can be
#    very large and contains process memory, including any secrets that were
#    in memory at crash time; size the evidence volume for it.
#  * robocopy runs with /COPY:DAT (data, attributes, timestamps). The script
#    computes no hashes; hash the collected files before analysis if integrity
#    has to be demonstrated later.
#  * Live and Windows.old entries share a destination folder per artifact.
# ---------------------------------------------------------------------------
# 296. SRUM
Collect-Artifact -SourceDir "C:\Windows\System32\SRU" -FolderName "SRUM"
# 297. SRUM
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\SRU" -FolderName "SRUM"
# 298. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 299. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 300. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 301. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 302. SUM Database (.mdb files)
# No -FileMask is passed, so everything under SUM is copied, not only *.mdb.
Collect-Artifact -SourceDir "C:\Windows\System32\LogFiles\SUM" -FolderName "SUM_Database_mdb_files"
# 303. WER Files
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows\WER" -FolderName "WER_Files"
# 304. Crash Dumps
Collect-Artifact -SourceDir "C:\Windows" -FileMask "*.dmp" -FolderName "Crash_Dumps"
# 305. Crash Dumps
Collect-Artifact -SourceDir "C:\Windows.old\Windows" -FileMask "*.dmp" -FolderName "Crash_Dumps"
# 306. WBEM
Collect-Artifact -SourceDir "C:\Windows\System32\wbem\Repository" -FolderName "WBEM"
# 307. WBEM
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\wbem\Repository" -FolderName "WBEM"
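# ---------------------------------------------------------------------------
# Browser history of the SYSTEM account (systemprofile) for Chromium-based
# browsers. A browser profile under the SYSTEM account is unusual on most
# hosts, so any hit here deserves a closer look.
# Reviewer notes:
#  * "User Data\*" is expanded by Collect-Artifact to every directory under
#    User Data, and each one is copied into the same destination folder. The
#    History file of one browser profile can therefore replace that of another
#    profile of the same browser.
#  * Entry 313 reads the Prisma Access Browser profile but was labelled and
#    filed as "SYSTEM Chrome History", the folder already used by entry 308, so
#    its History file could replace Chrome's. It now has its own folder.
#  * -FileMask "History*" also matches History-journal.
# ---------------------------------------------------------------------------
# 308. SYSTEM Chrome History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_History"
# 309. SYSTEM Chrome Beta History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Beta\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Beta_History"
# 310. SYSTEM Chrome Dev History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Dev\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Dev_History"
# 311. SYSTEM Chrome SxS History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome SxS\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_SxS_History"
# 312. SYSTEM Chromium History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Chromium\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chromium_History"
# 313. SYSTEM Prisma Access Browser History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*" -FileMask "History*" -FolderName "SYSTEM_PrismaAccessBrowser_History"
# 314. SYSTEM Supermium History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Supermium\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Supermium_History"
# 315. SYSTEM WaveBrowser History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\WaveBrowser\User Data\*" -FileMask "History*" -FolderName "SYSTEM_WaveBrowser_History"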
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
ForEach-Object {
$UserName = $_.Name
# Avast AV User Logs
$UserPath = "$($_.FullName)\Avast Software\Avast\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "Avast_AV_User_Logs_$UserName"
# Local User Quarantine
$UserPath = "$($_.FullName)\AppData\Local\ESET\ESET Security\Quarantine"
Collect-Artifact -SourceDir $UserPath -FolderName "Local_User_Quarantine_$UserName"
# F-Secure User Logs
$UserPath = "$($_.FullName)\AppData\Local\F-Secure\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "F_Secure_User_Logs_$UserName"
# MalwareBytes Anti-Malware Scan Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "MalwareBytes_Anti_Malware_Scan_Logs_$UserName"
# SUPERAntiSpyware Logs
$UserPath = "$($_.FullName)\AppData\Roaming\SUPERAntiSpyware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "SUPERAntiSpyware_Logs_$UserName"
# Symantec Endpoint Protection User Logs
$UserPath = "$($_.FullName)\AppData\Local\Symantec\Symantec Endpoint Protection\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Symantec_Endpoint_Protection_User_Logs_$UserName"
# VIPRE Business User Logs (v7+)
$UserPath = "$($_.FullName)\AppData\Roaming\VIPRE Business"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_v7_$UserName"
# VIPRE Business User Logs (v5-v6)
$UserPath = "$($_.FullName)\AppData\Roaming\GFI Software\AntiMalware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_v5_v6_$UserName"
# VIPRE Business User Logs (up to v4)
$UserPath = "$($_.FullName)\AppData\Roaming\Sunbelt Software\AntiMalware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_up_to_v4_$UserName"
# Box Drive Application Metadata
$UserPath = "$($_.FullName)\AppData\Local\Box\Box"
Collect-Artifact -SourceDir $UserPath -FolderName "Box_Drive_Application_Metadata_$UserName"
# Box Sync Application Metadata
$UserPath = "$($_.FullName)\AppData\Local\Box Sync"
Collect-Artifact -SourceDir $UserPath -FolderName "Box_Sync_Application_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "info.json" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "host.db" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox\machine_storage"
Collect-Artifact -SourceDir $UserPath -FileMask "tray-thumbnails.db" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "host.dbx" -FolderName "Dropbox_Metadata_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox\instance*"
Collect-Artifact -SourceDir $UserPath -FolderName "Dropbox_Metadata_$UserName"
# Google Drive Backup and Sync Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Drive"
Collect-Artifact -SourceDir $UserPath -FolderName "Google_Drive_Backup_and_Sync_Metadata_$UserName"
# Google Drive for Desktop Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\DriveFS"
Collect-Artifact -SourceDir $UserPath -FolderName "Google_Drive_for_Desktop_Metadata_$UserName"
# MegaSync Folder
$UserPath = "$($_.FullName)\AppData\Local\Mega Limited\MEGAsync"
Collect-Artifact -SourceDir $UserPath -FolderName "MegaSync_Folder_$UserName"
# OneDrive User Profile
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\OneDrive"
Collect-Artifact -SourceDir $UserPath -FolderName "OneDrive_User_Profile_$UserName"
# Rclone config - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask ".rclone.conf" -FolderName "Rclone_config_User_Folder_$UserName"
# Rclone config - User .config Folder
$UserPath = "$($_.FullName)\.config\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_$UserName"
# Rclone config - User config Folder - XDG_CONFIG_HOME Default
$UserPath = "$($_.FullName)\AppData\Local\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_XDG_CONFIG_HOME_Default_$UserName"
# Rclone config - User config Folder - Roaming
$UserPath = "$($_.FullName)\AppData\Roaming\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_Roaming_$UserName"
# FreeFileSync
$UserPath = "$($_.FullName)\AppData\Roaming\FreeFileSync\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "FreeFileSync_$UserName"
# LNK Files from Recent
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_$UserName"
# LNK Files from Microsoft Office Recent
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Microsoft_Office_Recent_$UserName"
# Start Menu LNK Files
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Start_Menu_LNK_Files_$UserName"
# LNK Files from Recent (XP)
$UserPath = "$($_.FullName)\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_XP_$UserName"
# Desktop LNK Files XP
$UserPath = "$($_.FullName)\Desktop"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_XP_$UserName"
# Desktop LNK Files
$UserPath = "$($_.FullName)\Desktop"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_$UserName"
# Notepad++ Unsaved Edits
$UserPath = "$($_.FullName)\AppData\Roaming\Notepad++\backup"
Collect-Artifact -SourceDir $UserPath -FolderName "Notepad_Unsaved_Edits_$UserName"
# Notepad++ Config
$UserPath = "$($_.FullName)\AppData\Roaming\Notepad++"
Collect-Artifact -SourceDir $UserPath -FileMask "config.xml" -FolderName "Notepad_Config_$UserName"
# Notepad++ Session
$UserPath = "$($_.FullName)\AppData\Roaming\Notepad++"
Collect-Artifact -SourceDir $UserPath -FileMask "session.xml" -FolderName "Notepad_Session_$UserName"
# PowerShell Console Log
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline"
Collect-Artifact -SourceDir $UserPath -FileMask "*_history.txt" -FolderName "PowerShell_Console_Log_$UserName"
# PowerShell ISE - AutoSave Files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles"
Collect-Artifact -SourceDir $UserPath -FileMask "*.ps1" -FolderName "PowerShell_ISE_AutoSave_Files_$UserName"
# PowerShell ISE - User Config
$UserPath = "$($_.FullName)\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "*.config" -FolderName "PowerShell_ISE_User_Config_$UserName"
# NTUSER.DAT registry hive XP
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_XP_$UserName"
# NTUSER.DAT registry hive
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_$UserName"
# NTUSER.DAT registry transaction files
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT.LOG*" -FolderName "NTUSER_DAT_registry_transaction_files_$UserName"
# UsrClass.dat registry hive
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat*" -FolderName "UsrClass_dat_registry_hive_$UserName"
# UsrClass.dat registry transaction files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat.LOG*" -FolderName "UsrClass_dat_registry_transaction_files_$UserName"
# Registry.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive_$UserName"
# settings.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\Settings"
Collect-Artifact -SourceDir $UserPath -FileMask "settings.dat*" -FolderName "settings_dat_MSIX_Hive_$UserName"
# User.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "User.dat*" -FolderName "User_dat_MSIX_Hive_$UserName"
# UserClasses.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "UserClasses.dat*" -FolderName "UserClasses_dat_MSIX_Hive_$UserName"
# AnyDesk Logs - User Profile - *.trace
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.trace" -FolderName "AnyDesk_Logs_User_Profile_trace_$UserName"
# AnyDesk Logs - User Profile - *.conf
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "AnyDesk_Logs_User_Profile_conf_$UserName"
# AnyDesk Videos
$UserPath = "$($_.FullName)\Videos\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.anydesk" -FolderName "AnyDesk_Videos_$UserName"
# AnyDesk Logs - User Profile - connection_trace.txt
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_User_Profile_connection_trace_txt_$UserName"
# AnyDesk Chat Logs - User Profile
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk\chat"
Collect-Artifact -SourceDir $UserPath -FileMask "*.txt" -FolderName "AnyDesk_Chat_Logs_User_Profile_$UserName"
# AnyDesk File Transfer Logs - Running in portable mode
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Running_in_portable_mode_$UserName"
# ISLOnline Logs - Sessions - *.out
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*"
Collect-Artifact -SourceDir $UserPath -FileMask "ISLClient.out" -FolderName "ISLOnline_Logs_Sessions_out_$UserName"
# ISLOnline Logs - Session Configurations
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*\conf"
Collect-Artifact -SourceDir $UserPath -FileMask "*" -FolderName "ISLOnline_Logs_Session_Configurations_$UserName"
# ISL Light Logs - Sessions
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light\*"
Collect-Artifact -SourceDir $UserPath -FileMask "trace.out" -FolderName "ISL_Light_Logs_Sessions_$UserName"
# Kaseya Live Connect Logs (XP)
$UserPath = "$($_.FullName)\Application Data\Kaseya\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_XP_$UserName"
# Kaseya Live Connect Logs
$UserPath = "$($_.FullName)\AppData\Local\Kaseya\Log\KaseyaLiveConnect"
Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_$UserName"
# Kaseya Setup Log
# NOTE(review): only one file name is wanted, but Collect-Artifact always runs
# robocopy with /E, so the whole per-user Temp tree is walked and its directory
# structure (including empty folders) is recreated under the destination.
# Expect a large, mostly empty tree here; a non-recursive copy looks intended.
$UserPath = "$($_.FullName)\AppData\Local\Temp"
Collect-Artifact -SourceDir $UserPath -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log_$UserName"
# LogMeIn Application Logs
$UserPath = "$($_.FullName)\AppData\Local\temp\LogMeInLogs"
Collect-Artifact -SourceDir $UserPath -FolderName "LogMeIn_Application_Logs_$UserName"
# mRemoteNG Logs
$UserPath = "$($_.FullName)\AppData\Roaming\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "mRemoteNG.log" -FolderName "mRemoteNG_Logs_$UserName"
# mRemoteNG Connection Configuration and Backups
# confCons.xml holds the saved connection definitions, which can include stored
# (encrypted) credentials. Handle the collected copy as credential material
# when storing or sharing the evidence set.
$UserPath = "$($_.FullName)\AppData\Roaming\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "confCons.xml*" -FolderName "mRemoteNG_Connection_Configuration_and_Backups_$UserName"
# mRemoteNG Program Settings
$UserPath = "$($_.FullName)\AppData\*\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "user.config" -FolderName "mRemoteNG_Program_Settings_$UserName"
# Net Monitor Server Logs
# NOTE(review): SourceDir is the profile root itself and no -FileMask is given,
# so Collect-Artifact's default mask "*" together with robocopy /E copies the
# entire user profile into this folder. The label suggests a Net Monitor log
# directory was intended and the sub-path appears to have been lost. Confirm
# the intended path against the upstream target before running: as written
# this entry can dominate collection time and evidence-drive space, and it
# files unrelated user data under a remote-access-tool label.
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FolderName "Net_Monitor_Server_Logs_$UserName"
# Microsoft Quick Assist
$UserPath = "$($_.FullName)\AppData\Local\Temp\QuickAssist"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Quick_Assist_$UserName"
# Microsoft Remote Help
$UserPath = "$($_.FullName)\AppData\Local\Temp\RemoteHelp"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Remote_Help_$UserName"
# Radmin Viewer Chats
$UserPath = "$($_.FullName)\Documents\ChatLogs\*"
Collect-Artifact -SourceDir $UserPath -FileMask "*.htm" -FolderName "Radmin_Viewer_Chats_$UserName"
# RDP Cache Files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
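# Windows.old RDP Cache Files
# Reads the RDP bitmap cache of the previous Windows installation kept under
# Windows.old. The original line pointed at the live profile, which the
# preceding "RDP Cache Files" entry already collects, so the Windows.old copy
# was never gathered and the live cache was stored twice under this label.
# Assumes $_ is the profile directory object, so $_.Name is the account folder
# name - TODO confirm against the enclosing loop.
$UserPath = "$SourceRoot\Windows.old\Users\$($_.Name)\AppData\Local\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_old_RDP_Cache_Files_$UserName"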
# RDP Cache Files
$UserPath = "$($_.FullName)\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
# RustDesk logs
$UserPath = "$($_.FullName)\AppData\Roaming\RustDesk"
Collect-Artifact -SourceDir $UserPath -FolderName "RustDesk_logs_$UserName"
# TeamViewer Application User Logs
$UserPath = "$($_.FullName)\AppData\Roaming\TeamViewer"
Collect-Artifact -SourceDir $UserPath -FileMask "TeamViewer*_Logfile*" -FolderName "TeamViewer_Application_User_Logs_$UserName"
# TeamViewer Configuration Files
$UserPath = "$($_.FullName)\AppData\Roaming\TeamViewer\MRU\RemoteSupport"
Collect-Artifact -SourceDir $UserPath -FolderName "TeamViewer_Configuration_Files_$UserName"
# Unified endpoint management and security solutions from ManageEngine
$UserPath = "$($_.FullName)\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs"
Collect-Artifact -SourceDir $UserPath -FileMask "*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine_$UserName"
# UltraViewer User Logs
$UserPath = "$($_.FullName)\AppData\Roaming\UltraViewer"
Collect-Artifact -SourceDir $UserPath -FolderName "UltraViewer_User_Logs_$UserName"
# RealVNC Log
$UserPath = "$($_.FullName)\AppData\Local\RealVNC"
Collect-Artifact -SourceDir $UserPath -FileMask "vncserver.log" -FolderName "RealVNC_Log_$UserName"
# Zoho Assist log files in AppData\Local
$UserPath = "$($_.FullName)\AppData\Local\ZohoMeeting\log"
Collect-Artifact -SourceDir $UserPath -FolderName "Zoho_Assist_log_files_in_AppData_Local_$UserName"
# Zoho Assist .conf files in AppData\Local
$UserPath = "$($_.FullName)\AppData\Local\ZohoMeeting"
Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files_in_AppData_Local_$UserName"
# PowerShell Scheduled_Jobs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs"
Collect-Artifact -SourceDir $UserPath -FolderName "PowerShell_Scheduled_Jobs_$UserName"
# PowerShell Scheduled_Jobs Output
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*"
Collect-Artifact -SourceDir $UserPath -FolderName "PowerShell_Scheduled_Jobs_Output_$UserName"
# WER Files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\WER"
Collect-Artifact -SourceDir $UserPath -FolderName "WER_Files_$UserName"
# Crash Dumps
$UserPath = "$($_.FullName)\AppData\Local\CrashDumps"
Collect-Artifact -SourceDir $UserPath -FileMask "*.dmp" -FolderName "Crash_Dumps_$UserName"
# 360 Secure Browser Bookmarks
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "360Bookmarks*" -FolderName "360_Secure_Browser_Bookmarks_$UserName"
# 360 Secure Browser Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "360_Secure_Browser_Cookies_$UserName"
# 360 Secure Browser Current Session
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "360_Secure_Browser_Current_Session_$UserName"
# 360 Secure Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "360_Secure_Browser_Current_Tabs_$UserName"
# 360 Secure Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "360_Secure_Browser_Download_Metadata_$UserName"
# 360 Secure Browser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "360_Secure_Browser_Extension_Cookies_$UserName"
# 360 Secure Browser Favicons
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "360_Secure_Browser_Favicons_$UserName"
# 360 Secure Browser History
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "360History*" -FolderName "360_Secure_Browser_History_$UserName"
# 360 Secure Browser Last Session
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "360_Secure_Browser_Last_Session_$UserName"
# 360 Secure Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "360_Secure_Browser_Last_Tabs_$UserName"
# 360 Secure Browser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_Sessions_Folder_$UserName"
# 360 Secure Browser Login Data
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "360_Secure_Browser_Login_Data_$UserName"
# 360 Secure Browser Media History
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "360_Secure_Browser_Media_History_$UserName"
# 360 Secure Browser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "360_Secure_Browser_Network_Action_Predictor_$UserName"
# 360 Secure Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "360_Secure_Browser_Network_Persistent_State_$UserName"
# 360 Secure Browser Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "360_Secure_Browser_Preferences_$UserName"
# 360 Secure Browser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "360_Secure_Browser_Secure_Preferences_$UserName"
# 360 Secure Browser Quota Manager
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "360_Secure_Browser_Quota_Manager_$UserName"
# 360 Secure Browser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "360_Secure_Browser_Reporting_and_NEL_$UserName"
# 360 Secure Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "360_Secure_Browser_Shortcuts_$UserName"
# 360 Secure Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "360_Secure_Browser_Top_Sites_$UserName"
# 360 Secure Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "360_Secure_Browser_Trust_Tokens_$UserName"
# 360 Secure Browser SyncData Database
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_SyncData_Database_$UserName"
# 360 Secure Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "360_Secure_Browser_Visited_Links_$UserName"
# 360 Secure Browser Web Data
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "360_Secure_Browser_Web_Data_$UserName"
# Windows Protect Folder
# Per-user DPAPI master-key folders. Together with the browser "Login Data" and
# "Cookies" files gathered by this script they are credential material, so the
# evidence destination should be access-controlled (ideally encrypted) and
# recorded in the chain of custody.
# NOTE(review): Collect-Artifact expands the trailing "*" with Get-Item without
# -Force, which does not return hidden or system items. Verify the key folders
# are actually matched on the target system; if not, this entry is only counted
# as Missed and nothing is reported.
# The same path and folder name are collected again in the Chrome section.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# 360 Secure Browser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_Snapshots_Folder_$UserName"
# Arc Cookies
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Arc_Cookies_$UserName"
# Arc Favicons
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Arc_Favicons_$UserName"
# Arc History
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Arc_History_$UserName"
# Arc Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Arc_Sessions_Folder_$UserName"
# Arc Login Data
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Arc_Login_Data_$UserName"
# Arc Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Arc_Network_Action_Predictor_$UserName"
# Arc Preferences
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Arc_Preferences_$UserName"
# Arc Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Arc_Secure_Preferences_$UserName"
# Arc Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Arc_Shortcuts_$UserName"
# Arc Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Arc_Top_Sites_$UserName"
# Arc SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Arc_SyncData_Database_$UserName"
# Arc Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Arc_Bookmarks_$UserName"
# Arc Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Arc_Visited_Links_$UserName"
# Arc Web Data
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Arc_Web_Data_$UserName"
# Arc JSON Files
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc"
Collect-Artifact -SourceDir $UserPath -FileMask "Storable*.json" -FolderName "Arc_JSON_Files_$UserName"
# Arc PLIST Files
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local"
Collect-Artifact -SourceDir $UserPath -FileMask "com*.plist" -FolderName "Arc_PLIST_Files_$UserName"
# Bookmarks
# NOTE(review): this entry and the following ones that read from
# BraveSoftware\Brave-Browser use folder names without a browser prefix
# ("Bookmarks_<user>", "Cookies_<user>", "History_<user>", ...), unlike the
# 360 / Arc / Chrome entries. The output folder alone does not identify the
# source browser, and any other entry that uses the same generic name would be
# merged into it. Consider a "Brave_" prefix.
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Bookmarks_$UserName"
# Cookies
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Cookies_$UserName"
# Current Session
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Current_Session_$UserName"
# Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Current_Tabs_$UserName"
# Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Download_Metadata_$UserName"
# Favicons
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Favicons_$UserName"
# History
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "History_$UserName"
# Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Sessions_Folder_$UserName"
# Login Data
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Login_Data_$UserName"
# Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Network_Action_Predictor_$UserName"
# Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Network_Persistent_State_$UserName"
# Preferences
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Preferences_$UserName"
# Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Quota_Manager_$UserName"
# Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Reporting_and_NEL_$UserName"
# Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Shortcuts_$UserName"
# Publisher Info DB/Brave Rewards
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "publisher_info_db*" -FolderName "Publisher_Info_DB_Brave_Rewards_$UserName"
# Top Sites
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Top_Sites_$UserName"
# Visited Links
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links*" -FolderName "Visited_Links_$UserName"
# Web Data
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Web_Data_$UserName"
# Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences*" -FolderName "Secure_Preferences_$UserName"
# Chrome Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Bookmarks_XP_$UserName"
# Chrome Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Cookies_XP_$UserName"
# Chrome Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Current_Session_XP_$UserName"
# Chrome Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Current_Tabs_XP_$UserName"
# Chrome Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Favicons_XP_$UserName"
# Chrome History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_History_XP_$UserName"
# Chrome Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Last_Session_XP_$UserName"
# Chrome Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Last_Tabs_XP_$UserName"
# Chrome Login Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Login_Data_XP_$UserName"
# Chrome Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Preferences_XP_$UserName"
# Chrome Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Shortcuts_XP_$UserName"
# Chrome Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Top_Sites_XP_$UserName"
# Chrome Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Visited_Links_XP_$UserName"
# Chrome Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Web_Data_XP_$UserName"
# Chrome Bookmarks
# NOTE(review): "User Data\*" matches every directory under User Data (each
# browser profile among them), and Collect-Artifact robocopies every match into
# the same destination folder. Same-named files from different profiles land
# on the same destination path, so one copy can replace another and the
# originating profile is not recorded. Where multi-profile hosts matter, the
# destination should include the matched directory name. This applies to every
# "User Data\*" entry in this script.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Bookmarks_$UserName"
# Chrome Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Cookies_$UserName"
# Chrome Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Current_Session_$UserName"
# Chrome Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Current_Tabs_$UserName"
# Chrome Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Download_Metadata_$UserName"
# Chrome Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Extension_Cookies_$UserName"
# Chrome Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Favicons_$UserName"
# Chrome History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_History_$UserName"
# Chrome Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Last_Session_$UserName"
# Chrome Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Last_Tabs_$UserName"
# Chrome Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Sessions_Folder_$UserName"
# Chrome Login Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Login_Data_$UserName"
# Chrome Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Media_History_$UserName"
# Chrome Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Network_Action_Predictor_$UserName"
# Chrome Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Network_Persistent_State_$UserName"
# Chrome Network Persistent State
# NOTE(review): same folder name as the entry above. Collect-Artifact runs
# robocopy with /E, so the "User Data\*" entry above already descends into each
# profile's Network subfolder; this entry would store the same file a second
# time, at the top level of the shared destination. The paired "Quota Manager",
# "Reporting and NEL" and "Trust Tokens" entries follow the same pattern.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Network_Persistent_State_$UserName"
# Chrome Preferences
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Preferences_$UserName"
# Chrome Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Quota_Manager_$UserName"
# Chrome Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Quota_Manager_$UserName"
# Chrome Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Reporting_and_NEL_$UserName"
# Chrome Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Reporting_and_NEL_$UserName"
# Chrome Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Shortcuts_$UserName"
# Chrome Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Top_Sites_$UserName"
# Chrome Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Trust_Tokens_$UserName"
# Chrome Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Trust_Tokens_$UserName"
# Chrome SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_SyncData_Database_$UserName"
# Chrome Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Visited_Links_$UserName"
# Chrome Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Web_Data_$UserName"
# Chrome IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_IndexedDB_$UserName"
# Chrome Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Local_Storage_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Snapshots_Folder_$UserName"
# Chrome Beta Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Beta_Bookmarks_XP_$UserName"
# Chrome Beta Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Beta_Cookies_XP_$UserName"
# Chrome Beta Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Beta_Current_Session_XP_$UserName"
# Chrome Beta Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Beta_Current_Tabs_XP_$UserName"
# Chrome Beta Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Beta_Favicons_XP_$UserName"
# Chrome Beta History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Beta_History_XP_$UserName"
# Chrome Beta Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Beta_Last_Session_XP_$UserName"
# Chrome Beta Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Beta_Last_Tabs_XP_$UserName"
# Chrome Beta Login Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Beta_Login_Data_XP_$UserName"
# Chrome Beta Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Beta_Preferences_XP_$UserName"
# Chrome Beta Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Beta_Shortcuts_XP_$UserName"
# Chrome Beta Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Beta_Top_Sites_XP_$UserName"
# Chrome Beta Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Beta_Visited_Links_XP_$UserName"
# Chrome Beta Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Beta_Web_Data_XP_$UserName"
# --- Chrome Beta, current "AppData\Local" layout ---
# "User Data\*" matches every directory under User Data (Default, Profile N and
# non-profile directories alike). Collect-Artifact (top of this script) copies
# files matching -FileMask, recursively (/E), from each match into the single
# folder $DestBase\<FolderName>.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): the per-profile directory name is not part of the destination,
# so same-named files from two profiles (e.g. Default\History and
# "Profile 1"\History) map to the same destination path and a later robocopy
# pass can overwrite an earlier one. For evidence integrity, have
# Collect-Artifact append $src.Name to the destination path.
# NOTE(review): robocopy output is discarded and /R:0 disables retries, so a
# file held open by a running browser fails with no trace other than the
# $Summary.Errors counter; record which steps failed before relying on the set.
# Chrome Beta Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Beta_Bookmarks_$UserName"
# Chrome Beta Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Beta_Cookies_$UserName"
# Chrome Beta Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Beta_Current_Session_$UserName"
# Chrome Beta Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Beta_Current_Tabs_$UserName"
# Chrome Beta Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Beta_Download_Metadata_$UserName"
# Chrome Beta Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Beta_Extension_Cookies_$UserName"
# Chrome Beta Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Beta_Favicons_$UserName"
# Chrome Beta History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Beta_History_$UserName"
# Chrome Beta Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Beta_Last_Session_$UserName"
# Chrome Beta Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Beta_Last_Tabs_$UserName"
# Chrome Beta Sessions Folder
# No -FileMask: Collect-Artifact defaults to "*" and copies the whole tree.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Sessions_Folder_$UserName"
# Chrome Beta Login Data
# Saved-login database. Together with the DPAPI key material collected by the
# "Windows Protect Folder" step below, this makes the evidence store
# credential-bearing: restrict access to $DestBase and encrypt it in transit
# and at rest.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Beta_Login_Data_$UserName"
# Chrome Beta Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Beta_Media_History_$UserName"
# Chrome Beta Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Beta_Network_Action_Predictor_$UserName"
# Chrome Beta Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Beta_Network_Persistent_State_$UserName"
# Chrome Beta Network Persistent State
# NOTE(review): same -FolderName as the previous step. That step already
# recurses (/E) from each profile directory, so this pass re-copies the file
# from <profile>\Network to the top of the shared folder, where it can replace
# a profile-root file of the same name. The same pattern applies to the paired
# Quota Manager, Reporting and NEL and Trust Tokens steps below; a distinct
# folder name per source location would keep the two apart.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Beta_Network_Persistent_State_$UserName"
# Chrome Beta Preferences
# Exact-name mask: the sibling "Secure Preferences" file is not collected for
# this browser (the Chromium section of this script does collect it).
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Beta_Preferences_$UserName"
# Chrome Beta Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Beta_Quota_Manager_$UserName"
# Chrome Beta Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Beta_Quota_Manager_$UserName"
# Chrome Beta Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Beta_Reporting_and_NEL_$UserName"
# Chrome Beta Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Beta_Reporting_and_NEL_$UserName"
# Chrome Beta Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Beta_Shortcuts_$UserName"
# Chrome Beta Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Beta_Top_Sites_$UserName"
# Chrome Beta Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Beta_Trust_Tokens_$UserName"
# Chrome Beta Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Beta_Trust_Tokens_$UserName"
# Chrome Beta SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_Beta_SyncData_Database_$UserName"
# Chrome Beta Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Beta_Visited_Links_$UserName"
# Chrome Beta Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Beta_Web_Data_$UserName"
# Chrome Beta IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_IndexedDB_$UserName"
# Chrome Beta Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Local_Storage_$UserName"
# Windows Protect Folder
# DPAPI master-key store; not specific to Chrome Beta. The identical step (same
# source, same -FolderName) also appears in the Chrome Dev and Chrome SxS
# sections of this script, so those later passes are redundant.
# NOTE(review): Collect-Artifact resolves the trailing "\*" with Get-Item and no
# -Force; confirm the SID-named subdirectories are not hidden on the target,
# otherwise this step is counted as Missed and no key material is collected.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Beta Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Snapshots_Folder_$UserName"
# --- Chrome Dev, legacy "Local Settings\Application Data" layout ---
# Each step points $UserPath at every directory under "User Data" and passes it
# to Collect-Artifact (top of this script), which runs robocopy /E with the
# given -FileMask into $DestBase\<FolderName>. On systems without this legacy
# path the step only increments $Summary.Missed.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): all directories matched by "User Data\*" share one destination
# folder, so same-named files from different browser profiles can overwrite
# each other and their origin is not recorded.
# Chrome Dev Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Dev_Bookmarks_XP_$UserName"
# Chrome Dev Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Dev_Cookies_XP_$UserName"
# Chrome Dev Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Dev_Current_Session_XP_$UserName"
# Chrome Dev Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Dev_Current_Tabs_XP_$UserName"
# Chrome Dev Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Dev_Favicons_XP_$UserName"
# Chrome Dev History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Dev_History_XP_$UserName"
# Chrome Dev Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Dev_Last_Session_XP_$UserName"
# Chrome Dev Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Dev_Last_Tabs_XP_$UserName"
# Chrome Dev Login Data XP
# Saved-login database; treat the destination folder as credential-bearing.
# The mask is an exact name here (the current-layout step uses "Login Data*"),
# so sidecar files next to the database are not collected.
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Dev_Login_Data_XP_$UserName"
# Chrome Dev Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Dev_Preferences_XP_$UserName"
# Chrome Dev Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Dev_Shortcuts_XP_$UserName"
# Chrome Dev Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Dev_Top_Sites_XP_$UserName"
# Chrome Dev Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Dev_Visited_Links_XP_$UserName"
# Chrome Dev Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Dev_Web_Data_XP_$UserName"
# --- Chrome Dev, current "AppData\Local" layout ---
# "User Data\*" matches every directory under User Data. Collect-Artifact (top
# of this script) copies files matching -FileMask, recursively (/E), from each
# match into the single folder $DestBase\<FolderName>.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): the per-profile directory name is not part of the destination,
# so same-named files from two browser profiles map to the same destination
# path and a later robocopy pass can overwrite an earlier one. Keeping
# $src.Name in the destination path inside Collect-Artifact would preserve
# each profile's copy and its provenance.
# NOTE(review): with robocopy output discarded and /R:0, a file locked by a
# running browser is only visible as a $Summary.Errors increment.
# Chrome Dev Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Dev_Bookmarks_$UserName"
# Chrome Dev Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Dev_Cookies_$UserName"
# Chrome Dev Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Dev_Current_Session_$UserName"
# Chrome Dev Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Dev_Current_Tabs_$UserName"
# Chrome Dev Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Dev_Download_Metadata_$UserName"
# Chrome Dev Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Dev_Extension_Cookies_$UserName"
# Chrome Dev Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Dev_Favicons_$UserName"
# Chrome Dev History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Dev_History_$UserName"
# Chrome Dev Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Dev_Last_Session_$UserName"
# Chrome Dev Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Dev_Last_Tabs_$UserName"
# Chrome Dev Sessions Folder
# No -FileMask: Collect-Artifact defaults to "*" and copies the whole tree.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Sessions_Folder_$UserName"
# Chrome Dev Login Data
# Saved-login database. With the DPAPI key material from the "Windows Protect
# Folder" step below, the evidence store is credential-bearing: restrict access
# to $DestBase and encrypt it in transit and at rest.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Dev_Login_Data_$UserName"
# Chrome Dev Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Dev_Media_History_$UserName"
# Chrome Dev Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Dev_Network_Action_Predictor_$UserName"
# Chrome Dev Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Dev_Network_Persistent_State_$UserName"
# Chrome Dev Network Persistent State
# NOTE(review): same -FolderName as the previous step, which already recursed
# (/E) into <profile>\Network. This pass places the Network copy at the top of
# the shared folder, where it can replace a profile-root file of the same name.
# The paired Quota Manager, Reporting and NEL and Trust Tokens steps below
# follow the same pattern.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Dev_Network_Persistent_State_$UserName"
# Chrome Dev Preferences
# Exact-name mask: the sibling "Secure Preferences" file is not collected for
# this browser (the Chromium section of this script does collect it).
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Dev_Preferences_$UserName"
# Chrome Dev Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Dev_Quota_Manager_$UserName"
# Chrome Dev Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Dev_Quota_Manager_$UserName"
# Chrome Dev Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Dev_Reporting_and_NEL_$UserName"
# Chrome Dev Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Dev_Reporting_and_NEL_$UserName"
# Chrome Dev Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Dev_Shortcuts_$UserName"
# Chrome Dev Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Dev_Top_Sites_$UserName"
# Chrome Dev Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Dev_Trust_Tokens_$UserName"
# Chrome Dev Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Dev_Trust_Tokens_$UserName"
# Chrome Dev SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_Dev_SyncData_Database_$UserName"
# Chrome Dev Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Dev_Visited_Links_$UserName"
# Chrome Dev Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Dev_Web_Data_$UserName"
# Chrome Dev IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_IndexedDB_$UserName"
# Chrome Dev Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Local_Storage_$UserName"
# Windows Protect Folder
# DPAPI master-key store; not specific to Chrome Dev. The identical step (same
# source, same -FolderName) already runs in the Chrome Beta section of this
# script, so this pass is redundant.
# NOTE(review): Collect-Artifact resolves the trailing "\*" with Get-Item and no
# -Force; confirm the SID-named subdirectories are not hidden on the target,
# otherwise this step is counted as Missed and no key material is collected.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Dev Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Snapshots_Folder_$UserName"
# --- Chrome SxS, legacy "Local Settings\Application Data" layout ---
# Each step points $UserPath at every directory under "User Data" and passes it
# to Collect-Artifact (top of this script), which runs robocopy /E with the
# given -FileMask into $DestBase\<FolderName>. On systems without this legacy
# path the step only increments $Summary.Missed.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): all directories matched by "User Data\*" share one destination
# folder, so same-named files from different browser profiles can overwrite
# each other and their origin is not recorded.
# Chrome SxS Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_SxS_Bookmarks_XP_$UserName"
# Chrome SxS Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_SxS_Cookies_XP_$UserName"
# Chrome SxS Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_SxS_Current_Session_XP_$UserName"
# Chrome SxS Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_SxS_Current_Tabs_XP_$UserName"
# Chrome SxS Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_SxS_Favicons_XP_$UserName"
# Chrome SxS History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_SxS_History_XP_$UserName"
# Chrome SxS Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_SxS_Last_Session_XP_$UserName"
# Chrome SxS Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_SxS_Last_Tabs_XP_$UserName"
# Chrome SxS Login Data XP
# Saved-login database; treat the destination folder as credential-bearing.
# The mask is an exact name here (the current-layout step uses "Login Data*"),
# so sidecar files next to the database are not collected.
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_SxS_Login_Data_XP_$UserName"
# Chrome SxS Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_SxS_Preferences_XP_$UserName"
# Chrome SxS Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_SxS_Shortcuts_XP_$UserName"
# Chrome SxS Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_SxS_Top_Sites_XP_$UserName"
# Chrome SxS Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_SxS_Visited_Links_XP_$UserName"
# Chrome SxS Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_SxS_Web_Data_XP_$UserName"
# --- Chrome SxS, current "AppData\Local" layout ---
# "User Data\*" matches every directory under User Data. Collect-Artifact (top
# of this script) copies files matching -FileMask, recursively (/E), from each
# match into the single folder $DestBase\<FolderName>.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): the per-profile directory name is not part of the destination,
# so same-named files from two browser profiles map to the same destination
# path and a later robocopy pass can overwrite an earlier one. Keeping
# $src.Name in the destination path inside Collect-Artifact would preserve
# each profile's copy and its provenance.
# NOTE(review): with robocopy output discarded and /R:0, a file locked by a
# running browser is only visible as a $Summary.Errors increment.
# Chrome SxS Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_SxS_Bookmarks_$UserName"
# Chrome SxS Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_SxS_Cookies_$UserName"
# Chrome SxS Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_SxS_Current_Session_$UserName"
# Chrome SxS Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_SxS_Current_Tabs_$UserName"
# Chrome SxS Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_SxS_Download_Metadata_$UserName"
# Chrome SxS Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_SxS_Extension_Cookies_$UserName"
# Chrome SxS Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_SxS_Favicons_$UserName"
# Chrome SxS History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_SxS_History_$UserName"
# Chrome SxS Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_SxS_Last_Session_$UserName"
# Chrome SxS Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_SxS_Last_Tabs_$UserName"
# Chrome SxS Sessions Folder
# No -FileMask: Collect-Artifact defaults to "*" and copies the whole tree.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Sessions_Folder_$UserName"
# Chrome SxS Login Data
# Saved-login database. With the DPAPI key material from the "Windows Protect
# Folder" step below, the evidence store is credential-bearing: restrict access
# to $DestBase and encrypt it in transit and at rest.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_SxS_Login_Data_$UserName"
# Chrome SxS Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_SxS_Media_History_$UserName"
# Chrome SxS Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_SxS_Network_Action_Predictor_$UserName"
# Chrome SxS Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_SxS_Network_Persistent_State_$UserName"
# Chrome SxS Network Persistent State
# NOTE(review): same -FolderName as the previous step, which already recursed
# (/E) into <profile>\Network. This pass places the Network copy at the top of
# the shared folder, where it can replace a profile-root file of the same name.
# The paired Quota Manager, Reporting and NEL and Trust Tokens steps below
# follow the same pattern.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_SxS_Network_Persistent_State_$UserName"
# Chrome SxS Preferences
# Exact-name mask: the sibling "Secure Preferences" file is not collected for
# this browser (the Chromium section of this script does collect it).
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_SxS_Preferences_$UserName"
# Chrome SxS Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_SxS_Quota_Manager_$UserName"
# Chrome SxS Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_SxS_Quota_Manager_$UserName"
# Chrome SxS Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_SxS_Reporting_and_NEL_$UserName"
# Chrome SxS Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_SxS_Reporting_and_NEL_$UserName"
# Chrome SxS Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_SxS_Shortcuts_$UserName"
# Chrome SxS Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_SxS_Top_Sites_$UserName"
# Chrome SxS Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_SxS_Trust_Tokens_$UserName"
# Chrome SxS Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_SxS_Trust_Tokens_$UserName"
# Chrome SxS SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_SxS_SyncData_Database_$UserName"
# Chrome SxS Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_SxS_Visited_Links_$UserName"
# Chrome SxS Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_SxS_Web_Data_$UserName"
# Chrome SxS IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_IndexedDB_$UserName"
# Chrome SxS Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Local_Storage_$UserName"
# Windows Protect Folder
# DPAPI master-key store; not specific to Chrome SxS. The identical step (same
# source, same -FolderName) already runs in the Chrome Beta and Chrome Dev
# sections of this script, so this pass is redundant.
# NOTE(review): Collect-Artifact resolves the trailing "\*" with Get-Item and no
# -Force; confirm the SID-named subdirectories are not hidden on the target,
# otherwise this step is counted as Missed and no key material is collected.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome SxS Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Snapshots_Folder_$UserName"
# --- Chromium, legacy "Local Settings\Application Data" layout ---
# Each step points $UserPath at every directory under "User Data" and passes it
# to Collect-Artifact (top of this script), which runs robocopy /E with the
# given -FileMask into $DestBase\<FolderName>. On systems without this legacy
# path the step only increments $Summary.Missed.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): all directories matched by "User Data\*" share one destination
# folder, so same-named files from different browser profiles can overwrite
# each other and their origin is not recorded.
# Chromium Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks_XP_$UserName"
# Chromium Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chromium_Cookies_XP_$UserName"
# Chromium Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chromium_Current_Session_XP_$UserName"
# Chromium Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs_XP_$UserName"
# Chromium Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chromium_Favicons_XP_$UserName"
# Chromium History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chromium_History_XP_$UserName"
# Chromium Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chromium_Last_Session_XP_$UserName"
# Chromium Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs_XP_$UserName"
# Chromium Login Data XP
# Saved-login database; treat the destination folder as credential-bearing.
# The mask is an exact name here (the current-layout step uses "Login Data*"),
# so sidecar files next to the database are not collected.
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chromium_Login_Data_XP_$UserName"
# Chromium Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chromium_Preferences_XP_$UserName"
# Chromium Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts_XP_$UserName"
# Chromium Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites_XP_$UserName"
# Chromium Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chromium_Visited_Links_XP_$UserName"
# Chromium Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chromium_Web_Data_XP_$UserName"
# --- Chromium, current "AppData\Local" layout ---
# "User Data\*" matches every directory under User Data. Collect-Artifact (top
# of this script) copies files matching -FileMask, recursively (/E), from each
# match into the single folder $DestBase\<FolderName>.
# Assumes $_ is the current user's profile directory and $UserName its name,
# both set by an enclosing loop that is not visible here - TODO confirm.
# NOTE(review): the per-profile directory name is not part of the destination,
# so same-named files from two browser profiles map to the same destination
# path and a later robocopy pass can overwrite an earlier one. Keeping
# $src.Name in the destination path inside Collect-Artifact would preserve
# each profile's copy and its provenance.
# NOTE(review): with robocopy output discarded and /R:0, a file locked by a
# running browser is only visible as a $Summary.Errors increment.
# Chromium Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks_$UserName"
# Chromium Cookies
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chromium_Cookies_$UserName"
# Chromium Current Session
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chromium_Current_Session_$UserName"
# Chromium Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs_$UserName"
# Chromium Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chromium_Download_Metadata_$UserName"
# Chromium Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chromium_Extension_Cookies_$UserName"
# Chromium Favicons
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chromium_Favicons_$UserName"
# Chromium History
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chromium_History_$UserName"
# Chromium Last Session
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chromium_Last_Session_$UserName"
# Chromium Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs_$UserName"
# Chromium Sessions Folder
# No -FileMask: Collect-Artifact defaults to "*" and copies the whole tree.
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Sessions_Folder_$UserName"
# Chromium Login Data
# Saved-login database; the destination folder is credential-bearing, so
# restrict access to $DestBase and encrypt it in transit and at rest.
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chromium_Login_Data_$UserName"
# Chromium Media History
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chromium_Media_History_$UserName"
# Chromium Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chromium_Network_Action_Predictor_$UserName"
# Chromium Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State_$UserName"
# Chromium Network Persistent State
# NOTE(review): same -FolderName as the previous step, which already recursed
# (/E) into <profile>\Network. This pass places the Network copy at the top of
# the shared folder, where it can replace a profile-root file of the same name.
# The paired Quota Manager steps below follow the same pattern.
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State_$UserName"
# Chromium Preferences
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chromium_Preferences_$UserName"
# Chromium Secure Preferences
# Exact-name mask for the integrity-protected settings file kept beside
# Preferences.
# NOTE(review): the Chrome Beta, Chrome Dev and Chrome SxS sections of this
# script have no matching step; confirm the omission is intended if extension
# or settings tampering is in scope for those browsers.
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Chromium_Secure_Preferences_$UserName"
# Chromium Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager_$UserName"
# Chromium Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager_$UserName"
# Chromium Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL_$UserName"
# Chromium Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL_$UserName"
# Chromium Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts_$UserName"
# Chromium Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites_$UserName"
# Chromium Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens_$UserName"
# Chromium Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens_$UserName"
# Chromium SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chromium_SyncData_Database_$UserName"
# Chromium Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chromium_Visited_Links_$UserName"
# Chromium Web Data
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chromium_Web_Data_$UserName"
# Chromium IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_IndexedDB_$UserName"
# Chromium Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Local_Storage_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chromium Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Snapshots_Folder_$UserName"
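# CocCoc per-user artifacts, table-driven: one Collect-Artifact call per row,
# issued in the listed order.
#   Dir    - source directory pattern (Collect-Artifact expands the wildcard
#            and keeps only directories)
#   Mask   - robocopy file mask; rows without it use the helper's default "*"
#   Folder - destination folder name under the evidence root
#
# Four masks are widened with a trailing "*" (Extension Cookies, Network
# Action Predictor, QuotaManager, Reporting and NEL) so they match the
# Chromium and Edge entries for the same artifacts. The exact-name form
# skipped any sidecar file (e.g. "-journal") stored next to the database.
#
# NOTE(review): "User Data\*" matches every directory under User Data, and the
# helper copies all matches into the same Folder. Same-named files from two
# profiles share one destination path, so one copy can replace the other -
# confirm on multi-profile hosts.
# NOTE(review): the helper runs robocopy with /R:0, so a database locked by a
# running browser is not retried.
# Login Data, Cookies, Web Data and the Protect folder (DPAPI master keys) are
# credential material: keep the evidence destination access-controlled.
$coccocData    = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data"
$coccocProfile = "$coccocData\*"

$coccocSpecs = @(
    @{ Dir = $coccocProfile; Mask = 'Bookmarks*'; Folder = "CocCoc_Bookmarks_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Cookies*'; Folder = "CocCoc_Cookies_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Current Session'; Folder = "CocCoc_Current_Session_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Current Tabs'; Folder = "CocCoc_Current_Tabs_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'DownloadMetadata'; Folder = "CocCoc_Download_Metadata_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Extension Cookies*'; Folder = "CocCoc_Extension_Cookies_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Favicons*'; Folder = "CocCoc_Favicons_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'History*'; Folder = "CocCoc_History_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Last Session'; Folder = "CocCoc_Last_Session_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Last Tabs'; Folder = "CocCoc_Last_Tabs_$UserName" }
    @{ Dir = "$coccocProfile\Sessions"; Folder = "CocCoc_Sessions_Folder_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Login Data*'; Folder = "CocCoc_Login_Data_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Media History*'; Folder = "CocCoc_Media_History_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Network Action Predictor*'; Folder = "CocCoc_Network_Action_Predictor_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Network Persistent State'; Folder = "CocCoc_Network_Persistent_State_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Preferences'; Folder = "CocCoc_Preferences_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'QuotaManager*'; Folder = "CocCoc_Quota_Manager_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Reporting and NEL*'; Folder = "CocCoc_Reporting_and_NEL_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Shortcuts*'; Folder = "CocCoc_Shortcuts_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Top Sites*'; Folder = "CocCoc_Top_Sites_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Trust Tokens*'; Folder = "CocCoc_Trust_Tokens_$UserName" }
    # No mask here: the whole "Sync Data" directory is collected.
    @{ Dir = "$coccocProfile\Sync Data"; Folder = "CocCoc_SyncData_Database_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Visited Links'; Folder = "CocCoc_Visited_Links_$UserName" }
    @{ Dir = $coccocProfile; Mask = 'Web Data*'; Folder = "CocCoc_Web_Data_$UserName" }
    # Windows Protect Folder: one directory per match under Protect.
    @{ Dir = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"; Folder = "Windows_Protect_Folder_$UserName" }
    @{ Dir = "$coccocData\Snapshots\*"; Folder = "CocCoc_Snapshots_Folder_$UserName" }
)

foreach ($spec in $coccocSpecs) {
    # $UserPath is still assigned per entry, as the inline form did.
    $UserPath = $spec.Dir
    $collectArgs = @{ SourceDir = $UserPath; FolderName = $spec.Folder }
    if ($spec.ContainsKey('Mask')) { $collectArgs['FileMask'] = $spec.Mask }
    Collect-Artifact @collectArgs
}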
# Edge folder: the user's Microsoft.MicrosoftEdge_8wekyb3d8bbwe package
# directory. No file mask is passed, so the helper's default "*" applies and,
# with the helper's /E, the whole tree under the directory is copied.
$UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
$edgePackageArgs = @{
    SourceDir  = $UserPath
    FolderName = "Edge_folder_$UserName"
}
Collect-Artifact @edgePackageArgs
# Edge Beta per-user artifacts, table-driven: one Collect-Artifact call per
# row, issued in the listed order.
#   Dir    - source directory pattern (Collect-Artifact expands the wildcard
#            and keeps only directories)
#   Mask   - robocopy file mask; rows without it use the helper's default "*"
#   Folder - destination folder name under the evidence root
#
# NOTE(review): "User Data\*" matches every directory under User Data, and the
# helper copies all matches into the same Folder. Same-named files from two
# profiles share one destination path, so one copy can replace the other -
# confirm on multi-profile hosts.
# NOTE(review): the helper runs robocopy with /R:0, so a database locked by a
# running browser is not retried.
# Login Data, Cookies, Web Data and the Protect folder (DPAPI master keys) are
# credential material: keep the evidence destination access-controlled.
$edgeBetaData    = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data"
$edgeBetaProfile = "$edgeBetaData\*"

$edgeBetaSpecs = @(
    @{ Dir = "$edgeBetaProfile\Collections"; Mask = 'collectionsSQLite*'; Folder = "Edge_Beta_Collections_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Bookmarks*'; Folder = "Edge_Beta_Bookmarks_$UserName" }
    @{ Dir = "$edgeBetaProfile\Network"; Mask = 'Cookies*'; Folder = "Edge_Beta_Cookies_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Current Session'; Folder = "Edge_Beta_Current_Session_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Current Tabs'; Folder = "Edge_Beta_Current_Tabs_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Extension Cookies*'; Folder = "Edge_Beta_Extension_Cookies_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Favicons*'; Folder = "Edge_Beta_Favicons_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'History*'; Folder = "Edge_Beta_History_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Last Session'; Folder = "Edge_Beta_Last_Session_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Last Tabs'; Folder = "Edge_Beta_Last_Tabs_$UserName" }
    @{ Dir = "$edgeBetaProfile\Sessions"; Folder = "Edge_Beta_Sessions_Folder_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Login Data*'; Folder = "Edge_Beta_Login_Data_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Media History*'; Folder = "Edge_Beta_Media_History_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Network Action Predictor*'; Folder = "Edge_Beta_Network_Action_Predictor_$UserName" }
    # Paired rows below look in the profile root and in a named subfolder.
    @{ Dir = $edgeBetaProfile; Mask = 'Network Persistent State'; Folder = "Edge_Beta_Network_Persistent_State_$UserName" }
    @{ Dir = "$edgeBetaProfile\Network"; Mask = 'Network Persistent State'; Folder = "Edge_Beta_Network_Persistent_State_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Preferences'; Folder = "Edge_Beta_Preferences_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'QuotaManager*'; Folder = "Edge_Beta_Quota_Manager_$UserName" }
    @{ Dir = "$edgeBetaProfile\WebStorage"; Mask = 'QuotaManager*'; Folder = "Edge_Beta_Quota_Manager_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Reporting and NEL*'; Folder = "Edge_Beta_Reporting_and_NEL_$UserName" }
    @{ Dir = "$edgeBetaProfile\Network"; Mask = 'Reporting and NEL*'; Folder = "Edge_Beta_Reporting_and_NEL_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Shortcuts*'; Folder = "Edge_Beta_Shortcuts_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Top Sites*'; Folder = "Edge_Beta_Top_Sites_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Trust Tokens*'; Folder = "Edge_Beta_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeBetaProfile\Network"; Mask = 'Trust Tokens*'; Folder = "Edge_Beta_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeBetaProfile\Sync Data"; Mask = 'SyncData.sqlite3'; Folder = "Edge_Beta_SyncData_Database_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Visited Links'; Folder = "Edge_Beta_Visited_Links_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'Web Data*'; Folder = "Edge_Beta_Web_Data_$UserName" }
    @{ Dir = "$edgeBetaProfile\IndexedDB"; Folder = "Edge_Beta_IndexedDB_$UserName" }
    @{ Dir = "$edgeBetaProfile\Local Storage\leveldb"; Folder = "Edge_Beta_Local_Storage_$UserName" }
    @{ Dir = $edgeBetaProfile; Mask = 'WebAssistDatabase*'; Folder = "Edge_Beta_WebAssistDatabase_$UserName" }
    # Windows Protect Folder: one directory per match under Protect.
    @{ Dir = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"; Folder = "Windows_Protect_Folder_$UserName" }
    @{ Dir = "$edgeBetaData\Snapshots\*"; Folder = "Edge_Beta_Snapshots_Folder_$UserName" }
)

foreach ($spec in $edgeBetaSpecs) {
    # $UserPath is still assigned per entry, as the inline form did.
    $UserPath = $spec.Dir
    $collectArgs = @{ SourceDir = $UserPath; FolderName = $spec.Folder }
    if ($spec.ContainsKey('Mask')) { $collectArgs['FileMask'] = $spec.Mask }
    Collect-Artifact @collectArgs
}
# Edge (stable channel) per-user artifacts, table-driven: one Collect-Artifact
# call per row, issued in the listed order.
#   Dir    - source directory pattern (Collect-Artifact expands the wildcard
#            and keeps only directories)
#   Mask   - robocopy file mask; rows without it use the helper's default "*"
#   Folder - destination folder name under the evidence root
#
# NOTE(review): "User Data\*" matches every directory under User Data, and the
# helper copies all matches into the same Folder. Same-named files from two
# profiles share one destination path, so one copy can replace the other -
# confirm on multi-profile hosts.
# NOTE(review): the helper runs robocopy with /R:0, so a database locked by a
# running browser is not retried.
# Login Data, Cookies, Web Data and the Protect folder (DPAPI master keys) are
# credential material: keep the evidence destination access-controlled.
$edgeData    = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data"
$edgeProfile = "$edgeData\*"

$edgeSpecs = @(
    @{ Dir = "$edgeProfile\Collections"; Mask = 'collectionsSQLite*'; Folder = "Edge_Collections_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Bookmarks*'; Folder = "Edge_Bookmarks_$UserName" }
    @{ Dir = "$edgeProfile\Network"; Mask = 'Cookies*'; Folder = "Edge_Cookies_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Current Session'; Folder = "Edge_Current_Session_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Current Tabs'; Folder = "Edge_Current_Tabs_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Extension Cookies*'; Folder = "Edge_Extension_Cookies_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Favicons*'; Folder = "Edge_Favicons_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'History*'; Folder = "Edge_History_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Last Session'; Folder = "Edge_Last_Session_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Last Tabs'; Folder = "Edge_Last_Tabs_$UserName" }
    @{ Dir = "$edgeProfile\Sessions"; Folder = "Edge_Sessions_Folder_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Login Data*'; Folder = "Edge_Login_Data_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Media History*'; Folder = "Edge_Media_History_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Network Action Predictor*'; Folder = "Edge_Network_Action_Predictor_$UserName" }
    # Paired rows below look in the profile root and in a named subfolder.
    @{ Dir = $edgeProfile; Mask = 'Network Persistent State'; Folder = "Edge_Network_Persistent_State_$UserName" }
    @{ Dir = "$edgeProfile\Network"; Mask = 'Network Persistent State'; Folder = "Edge_Network_Persistent_State_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Preferences'; Folder = "Edge_Preferences_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Secure Preferences'; Folder = "Edge_Secure_Preferences_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'QuotaManager*'; Folder = "Edge_Quota_Manager_$UserName" }
    @{ Dir = "$edgeProfile\WebStorage"; Mask = 'QuotaManager*'; Folder = "Edge_Quota_Manager_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Reporting and NEL*'; Folder = "Edge_Reporting_and_NEL_$UserName" }
    @{ Dir = "$edgeProfile\Network"; Mask = 'Reporting and NEL*'; Folder = "Edge_Reporting_and_NEL_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Shortcuts*'; Folder = "Edge_Shortcuts_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Top Sites*'; Folder = "Edge_Top_Sites_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Trust Tokens*'; Folder = "Edge_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeProfile\Network"; Mask = 'Trust Tokens*'; Folder = "Edge_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeProfile\Sync Data"; Mask = 'SyncData.sqlite3'; Folder = "Edge_SyncData_Database_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Visited Links'; Folder = "Edge_Visited_Links_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'Web Data*'; Folder = "Edge_Web_Data_$UserName" }
    @{ Dir = "$edgeProfile\IndexedDB"; Folder = "Edge_IndexedDB_$UserName" }
    @{ Dir = "$edgeProfile\Local Storage\leveldb"; Folder = "Edge_Local_Storage_$UserName" }
    @{ Dir = $edgeProfile; Mask = 'WebAssistDatabase*'; Folder = "Edge_WebAssistDatabase_$UserName" }
    # Windows Protect Folder: one directory per match under Protect.
    @{ Dir = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"; Folder = "Windows_Protect_Folder_$UserName" }
    @{ Dir = "$edgeData\Snapshots\*"; Folder = "Edge_Snapshots_Folder_$UserName" }
)

foreach ($spec in $edgeSpecs) {
    # $UserPath is still assigned per entry, as the inline form did.
    $UserPath = $spec.Dir
    $collectArgs = @{ SourceDir = $UserPath; FolderName = $spec.Folder }
    if ($spec.ContainsKey('Mask')) { $collectArgs['FileMask'] = $spec.Mask }
    Collect-Artifact @collectArgs
}
# Edge Dev per-user artifacts, table-driven: one Collect-Artifact call per
# row, issued in the listed order.
#   Dir    - source directory pattern (Collect-Artifact expands the wildcard
#            and keeps only directories)
#   Mask   - robocopy file mask; rows without it use the helper's default "*"
#   Folder - destination folder name under the evidence root
#
# NOTE(review): "User Data\*" matches every directory under User Data, and the
# helper copies all matches into the same Folder. Same-named files from two
# profiles share one destination path, so one copy can replace the other -
# confirm on multi-profile hosts.
# NOTE(review): the helper runs robocopy with /R:0, so a database locked by a
# running browser is not retried.
# Login Data, Cookies, Web Data and the Protect folder (DPAPI master keys) are
# credential material: keep the evidence destination access-controlled.
$edgeDevData    = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data"
$edgeDevProfile = "$edgeDevData\*"

$edgeDevSpecs = @(
    @{ Dir = "$edgeDevProfile\Collections"; Mask = 'collectionsSQLite*'; Folder = "Edge_Dev_Collections_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Bookmarks*'; Folder = "Edge_Dev_Bookmarks_$UserName" }
    @{ Dir = "$edgeDevProfile\Network"; Mask = 'Cookies*'; Folder = "Edge_Dev_Cookies_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Current Session'; Folder = "Edge_Dev_Current_Session_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Current Tabs'; Folder = "Edge_Dev_Current_Tabs_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Extension Cookies*'; Folder = "Edge_Dev_Extension_Cookies_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Favicons*'; Folder = "Edge_Dev_Favicons_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'History*'; Folder = "Edge_Dev_History_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Last Session'; Folder = "Edge_Dev_Last_Session_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Last Tabs'; Folder = "Edge_Dev_Last_Tabs_$UserName" }
    @{ Dir = "$edgeDevProfile\Sessions"; Folder = "Edge_Dev_Sessions_Folder_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Login Data*'; Folder = "Edge_Dev_Login_Data_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Media History*'; Folder = "Edge_Dev_Media_History_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Network Action Predictor*'; Folder = "Edge_Dev_Network_Action_Predictor_$UserName" }
    # Paired rows below look in the profile root and in a named subfolder.
    @{ Dir = $edgeDevProfile; Mask = 'Network Persistent State'; Folder = "Edge_Dev_Network_Persistent_State_$UserName" }
    @{ Dir = "$edgeDevProfile\Network"; Mask = 'Network Persistent State'; Folder = "Edge_Dev_Network_Persistent_State_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Preferences'; Folder = "Edge_Dev_Preferences_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'QuotaManager*'; Folder = "Edge_Dev_Quota_Manager_$UserName" }
    @{ Dir = "$edgeDevProfile\WebStorage"; Mask = 'QuotaManager*'; Folder = "Edge_Dev_Quota_Manager_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Reporting and NEL*'; Folder = "Edge_Dev_Reporting_and_NEL_$UserName" }
    @{ Dir = "$edgeDevProfile\Network"; Mask = 'Reporting and NEL*'; Folder = "Edge_Dev_Reporting_and_NEL_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Shortcuts*'; Folder = "Edge_Dev_Shortcuts_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Top Sites*'; Folder = "Edge_Dev_Top_Sites_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Trust Tokens*'; Folder = "Edge_Dev_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeDevProfile\Network"; Mask = 'Trust Tokens*'; Folder = "Edge_Dev_Trust_Tokens_$UserName" }
    @{ Dir = "$edgeDevProfile\Sync Data"; Mask = 'SyncData.sqlite3'; Folder = "Edge_Dev_SyncData_Database_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Visited Links'; Folder = "Edge_Dev_Visited_Links_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'Web Data*'; Folder = "Edge_Dev_Web_Data_$UserName" }
    @{ Dir = "$edgeDevProfile\IndexedDB"; Folder = "Edge_Dev_IndexedDB_$UserName" }
    @{ Dir = "$edgeDevProfile\Local Storage\leveldb"; Folder = "Edge_Dev_Local_Storage_$UserName" }
    @{ Dir = $edgeDevProfile; Mask = 'WebAssistDatabase*'; Folder = "Edge_Dev_WebAssistDatabase_$UserName" }
    # Windows Protect Folder: one directory per match under Protect.
    @{ Dir = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"; Folder = "Windows_Protect_Folder_$UserName" }
    @{ Dir = "$edgeDevData\Snapshots\*"; Folder = "Edge_Dev_Snapshots_Folder_$UserName" }
)

foreach ($spec in $edgeDevSpecs) {
    # $UserPath is still assigned per entry, as the inline form did.
    $UserPath = $spec.Dir
    $collectArgs = @{ SourceDir = $UserPath; FolderName = $spec.Folder }
    if ($spec.ContainsKey('Mask')) { $collectArgs['FileMask'] = $spec.Mask }
    Collect-Artifact @collectArgs
}
# Edge SxS Collections
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Collections"
Collect-Artifact -SourceDir $UserPath -FileMask "collectionsSQLite*" -FolderName "Edge_SxS_Collections_$UserName"
# Edge SxS Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Edge_SxS_Bookmarks_$UserName"
# Edge SxS Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Edge_SxS_Cookies_$UserName"
# Edge SxS Current Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Edge_SxS_Current_Session_$UserName"
# Edge SxS Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Edge_SxS_Current_Tabs_$UserName"
# Edge SxS Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Edge_SxS_Extension_Cookies_$UserName"
# Edge SxS Favicons
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Edge_SxS_Favicons_$UserName"
# Edge SxS History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Edge_SxS_History_$UserName"
# Edge SxS Last Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Edge_SxS_Last_Session_$UserName"
# Edge SxS Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Edge_SxS_Last_Tabs_$UserName"
# Edge SxS Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Sessions_Folder_$UserName"
# Edge SxS Login Data
# Saved-login database for every profile directory matched by 'User Data\*'.
# NOTE(review): the stored passwords are encrypted; offline decryption is
# expected to also need 'User Data\Local State' and the user's DPAPI master
# keys. Local State sits directly under 'User Data', which this mask does not
# cover - confirm it is collected elsewhere in this script.
# NOTE(review): Collect-Artifact copies each matched profile directory into
# the same destination folder, so same-named files from different profiles can
# overwrite each other - confirm on multi-profile systems.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Edge_SxS_Login_Data_$UserName"
# Edge SxS Media History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Edge_SxS_Media_History_$UserName"
# Edge SxS Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Edge_SxS_Network_Action_Predictor_$UserName"
# Edge SxS Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_SxS_Network_Persistent_State_$UserName"
# Edge SxS Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_SxS_Network_Persistent_State_$UserName"
# Edge SxS Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Edge_SxS_Preferences_$UserName"
# Edge SxS Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_SxS_Quota_Manager_$UserName"
# Edge SxS Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_SxS_Quota_Manager_$UserName"
# Edge SxS Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_SxS_Reporting_and_NEL_$UserName"
# Edge SxS Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_SxS_Reporting_and_NEL_$UserName"
# Edge SxS Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Edge_SxS_Shortcuts_$UserName"
# Edge SxS Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Edge_SxS_Top_Sites_$UserName"
# Edge SxS Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_SxS_Trust_Tokens_$UserName"
# Edge SxS Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_SxS_Trust_Tokens_$UserName"
# Edge SxS SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Edge_SxS_SyncData_Database_$UserName"
# Edge SxS Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Edge_SxS_Visited_Links_$UserName"
# Edge SxS Web Data
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Edge_SxS_Web_Data_$UserName"
# Edge SxS IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_IndexedDB_$UserName"
# Edge SxS Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Local_Storage_$UserName"
# Edge SxS WebAssistDatabase
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "WebAssistDatabase*" -FolderName "Edge_SxS_WebAssistDatabase_$UserName"
# Windows Protect Folder
# Per-user DPAPI master-key store; 'Protect\*' matches the subfolders below
# Protect (normally one per SID).
# Collect-Artifact copies the contents of each matched folder into the
# destination, so the SID folder name itself is not preserved in the output.
# NOTE(review): record the account SID separately if offline DPAPI work is
# planned.
# NOTE(review): Collect-Artifact enumerates with Get-Item without -Force;
# verify that the SID folders and their hidden/system key files actually
# appear in the output.
# The same source and destination are collected more than once in this loop.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Edge SxS Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Snapshots_Folder_$UserName"
# Addons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_$UserName"
# Bookmarks
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave"
Collect-Artifact -SourceDir $UserPath -FileMask "bookmarks.sqlite*" -FolderName "Bookmarks_$UserName"
# Bookmarks
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups"
Collect-Artifact -SourceDir $UserPath -FolderName "Bookmarks_$UserName"
# Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_$UserName"
# Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "firefox_cookies.sqlite*" -FolderName "Cookies_$UserName"
# Downloads
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_$UserName"
# Extensions
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "extensions.json" -FolderName "Extensions_$UserName"
# Favicons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_$UserName"
# Form history
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_$UserName"
# Permissions
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "permissions.sqlite*" -FolderName "Permissions_$UserName"
# Places
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_$UserName"
# Protections
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "protections.sqlite*" -FolderName "Protections_$UserName"
# Search
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_$UserName"
# Signons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_$UserName"
# Storage Sync
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "storage-sync.sqlite*" -FolderName "Storage_Sync_$UserName"
# Webappstore
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_$UserName"
# Password
# Firefox credential stores: key*.db holds the key material that protects the
# logins kept in logins.json / signon* files, so the files are only usable as
# a matching set from the same profile.
# NOTE(review): 'Profiles\*' matches every Firefox profile and all three calls
# below write to the same Password_<user> folder; with more than one profile,
# same-named files can overwrite each other and the key/login pairing is
# lost - confirm, or collect per profile.
# The output contains credential material: restrict access to the evidence
# destination and hash it at collection time.
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_$UserName"
# Password
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_$UserName"
# Password
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_$UserName"
# Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "prefs.js" -FolderName "Preferences_$UserName"
# Sessionstore
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_$UserName"
# Sessionstore Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups"
Collect-Artifact -SourceDir $UserPath -FolderName "Sessionstore_Folder_$UserName"
# Places XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_XP_$UserName"
# Downloads XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_XP_$UserName"
# Form history XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_XP_$UserName"
# Cookies XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_XP_$UserName"
# Signons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_XP_$UserName"
# Webappstore XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_XP_$UserName"
# Favicons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_XP_$UserName"
# Addons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_XP_$UserName"
# Search XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_XP_$UserName"
# Password XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_XP_$UserName"
# Password XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_XP_$UserName"
# Password XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_XP_$UserName"
# Sessionstore XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_XP_$UserName"
# Index.dat History
$UserPath = "$($_.FullName)\Local Settings\History\History.IE5"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_History_$UserName"
# Index.dat History subdirectory
$UserPath = "$($_.FullName)\Local Settings\History\History.IE5\*"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_History_subdirectory_$UserName"
# Index.dat cookies
$UserPath = "$($_.FullName)\Cookies"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_cookies_$UserName"
# Index.dat UserData
$UserPath = "$($_.FullName)\Application Data\Microsoft\Internet Explorer\UserData"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_UserData_$UserName"
# Index.dat Office XP
$UserPath = "$($_.FullName)\Application Data\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_Office_XP_$UserName"
# Index.dat Office
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_Office_$UserName"
# Local Internet Explorer folder
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Internet Explorer"
Collect-Artifact -SourceDir $UserPath -FolderName "Local_Internet_Explorer_folder_$UserName"
# Roaming Internet Explorer folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Internet Explorer"
Collect-Artifact -SourceDir $UserPath -FolderName "Roaming_Internet_Explorer_folder_$UserName"
# IE 9/10 History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\History"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_History_$UserName"
# IE 9/10 Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\Cookies"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_Cookies_$UserName"
# IE 9/10 Download History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\IEDownloadHistory"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_Download_History_$UserName"
# IE 11 Metadata
# Copies the whole WebCache folder (no -FileMask, so the default "*" applies).
# NOTE(review): on a live system the WebCache database is normally held open
# by the OS. Collect-Artifact runs robocopy with /R:0 and all output
# suppressed, so a locked file is skipped without a per-file record; only
# $Summary.Errors increments. Verify the database is present in the output, or
# collect it from a volume shadow copy or a raw-disk read.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\WebCache"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_11_Metadata_$UserName"
# IE 11 Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\INetCookies"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_11_Cookies_$UserName"
# Opera - Local Folder
$UserPath = "$($_.FullName)\AppData\Local\Opera Software\Opera Stable"
Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Local_Folder_$UserName"
# Opera - Roaming Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Opera Software\Opera Stable"
Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Roaming_Folder_$UserName"
# Prisma Access Browser bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Prisma_Access_Browser_bookmarks_XP_$UserName"
# Prisma Access Browser Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Prisma_Access_Browser_Cookies_XP_$UserName"
# Prisma Access Browser Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Prisma_Access_Browser_Current_Session_XP_$UserName"
# Prisma Access Browser Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Prisma_Access_Browser_Current_Tabs_XP_$UserName"
# Prisma Access Browser Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Prisma_Access_Browser_Favicons_XP_$UserName"
# Prisma Access Browser History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Prisma_Access_Browser_History_XP_$UserName"
# Prisma Access Browser Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Prisma_Access_Browser_Last_Session_XP_$UserName"
# Prisma Access Browser Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Prisma_Access_Browser_Last_Tabs_XP_$UserName"
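# Prisma Access Browser Login Data XP
# Saved-login database under the legacy (XP-style) profile path.
# The mask ends in '*' so SQLite sidecar files (e.g. 'Login Data-journal') are
# collected together with the database; a bare 'Login Data' matches only the
# main file. This matches the 'Login Data*' mask the Edge SxS entry uses.
# The output contains credential material - restrict access to the destination.
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Prisma_Access_Browser_Login_Data_XP_$UserName"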
# Prisma Access Browser Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Prisma_Access_Browser_Preferences_XP_$UserName"
# Prisma Access Browser Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Prisma_Access_Browser_Shortcuts_XP_$UserName"
# Prisma Access Browser Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Prisma_Access_Browser_Top_Sites_XP_$UserName"
# Prisma Access Browser Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Prisma_Access_Browser_Visited_Links_XP_$UserName"
# Prisma Access Browser Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Prisma_Access_Browser_Web_Data_XP_$UserName"
# Prisma Access Browser bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Prisma_Access_Browser_bookmarks_$UserName"
# Prisma Access Browser Cookies
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Prisma_Access_Browser_Cookies_$UserName"
# Prisma Access Browser Current Session
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Prisma_Access_Browser_Current_Session_$UserName"
# Prisma Access Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Prisma_Access_Browser_Current_Tabs_$UserName"
# Prisma Access Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Prisma_Access_Browser_Download_Metadata_$UserName"
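# Prisma Access Browser Extension Cookies
# Cookie database used by extensions, for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files (e.g. 'Extension Cookies-journal')
# are collected with the database; the bare name matches only the main file.
# This matches the 'Extension Cookies*' mask the Edge SxS entry uses.
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Prisma_Access_Browser_Extension_Cookies_$UserName"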
# Prisma Access Browser Favicons
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Prisma_Access_Browser_Favicons_$UserName"
# Prisma Access Browser History
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Prisma_Access_Browser_History_$UserName"
# Prisma Access Browser Last Session
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Prisma_Access_Browser_Last_Session_$UserName"
# Prisma Access Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Prisma_Access_Browser_Last_Tabs_$UserName"
# Prisma Access Browser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_Sessions_Folder_$UserName"
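# Prisma Access Browser Login Data
# Saved-login database for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files (e.g. 'Login Data-journal') are
# collected together with the database; a bare 'Login Data' matches only the
# main file. This matches the 'Login Data*' mask the Edge SxS entry uses.
# The output contains credential material - restrict access to the destination.
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Prisma_Access_Browser_Login_Data_$UserName"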
# Prisma Access Browser Media History
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Prisma_Access_Browser_Media_History_$UserName"
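# Prisma Access Browser Network Action Predictor
# Omnibox prediction database for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files
# (e.g. 'Network Action Predictor-journal') are collected with the database;
# the bare name matches only the main file. This matches the wildcard mask the
# Edge SxS entry uses.
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Prisma_Access_Browser_Network_Action_Predictor_$UserName"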
# Prisma Access Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Prisma_Access_Browser_Network_Persistent_State_$UserName"
# Prisma Access Browser Preferences
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Prisma_Access_Browser_Preferences_$UserName"
# Prisma Access Browser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Prisma_Access_Browser_Secure_Preferences_$UserName"
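# Prisma Access Browser Quota Manager
# Storage-quota database for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files (e.g. 'QuotaManager-journal')
# are collected with the database; the bare name matches only the main file.
# This matches the 'QuotaManager*' mask the Edge SxS entries use.
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Prisma_Access_Browser_Quota_Manager_$UserName"
# Prisma Access Browser Reporting and NEL
# Same reasoning: the wildcard also picks up 'Reporting and NEL-journal'.
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Prisma_Access_Browser_Reporting_and_NEL_$UserName"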
# Prisma Access Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Prisma_Access_Browser_Shortcuts_$UserName"
# Prisma Access Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Prisma_Access_Browser_Top_Sites_$UserName"
# Prisma Access Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Prisma_Access_Browser_Trust_Tokens_$UserName"
# Prisma Access Browser SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Prisma_Access_Browser_SyncData_Database_$UserName"
# Prisma Access Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Prisma_Access_Browser_Visited_Links_$UserName"
# Prisma Access Browser Web Data
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Prisma_Access_Browser_Web_Data_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Prisma Access Browser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_Snapshots_Folder_$UserName"
# Prisma Access Browser User Data Backup Folder
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data Backup"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_User_Data_Backup_Folder_$UserName"
# Puffin - data.db
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "data.db" -FolderName "Puffin_data_db_$UserName"
# Puffin - Autocomplete Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "autocompletes.dat" -FolderName "Puffin_Autocomplete_Data_$UserName"
# Puffin - Password Forms Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "passwordForms.dat" -FolderName "Puffin_Password_Forms_Data_$UserName"
# Puffin - Password (Encrypted)
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "credential.dat" -FolderName "Puffin_Password_Encrypted_$UserName"
# Puffin - Subscription Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "subscription" -FolderName "Puffin_Subscription_Data_$UserName"
# Puffin - Cookies
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.dat" -FolderName "Puffin_Cookies_$UserName"
# Puffin - Image Cache
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser\image_cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Puffin_Image_Cache_$UserName"
# QQ Browser Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "QQ_Browser_Bookmarks_$UserName"
# QQ Browser Cookies
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "QQ_Browser_Cookies_$UserName"
# QQ Browser Current Session
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "QQ_Browser_Current_Session_$UserName"
# QQ Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "QQ_Browser_Current_Tabs_$UserName"
# QQ Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "QQ_Browser_Download_Metadata_$UserName"
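# QQ Browser Extension Cookies
# Cookie database used by extensions, for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files (e.g. 'Extension Cookies-journal')
# are collected with the database; the bare name matches only the main file.
# This matches the 'Extension Cookies*' mask the Edge SxS entry uses.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "QQ_Browser_Extension_Cookies_$UserName"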
# QQ Browser Favicons
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "QQ_Browser_Favicons_$UserName"
# QQ Browser History
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "QQ_Browser_History_$UserName"
# QQ Browser Last Session
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "QQ_Browser_Last_Session_$UserName"
# QQ Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "QQ_Browser_Last_Tabs_$UserName"
# QQ Browser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_Sessions_Folder_$UserName"
# QQ Browser Login Data
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "QQ_Browser_Login_Data_$UserName"
# QQ Browser Media History
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "QQ_Browser_Media_History_$UserName"
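# QQ Browser Network Action Predictor
# Omnibox prediction database for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files
# (e.g. 'Network Action Predictor-journal') are collected with the database;
# the bare name matches only the main file. This matches the wildcard mask the
# Edge SxS entry uses.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "QQ_Browser_Network_Action_Predictor_$UserName"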
# QQ Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "QQ_Browser_Network_Persistent_State_$UserName"
# QQ Browser Preferences
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "QQ_Browser_Preferences_$UserName"
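# QQ Browser Quota Manager
# Storage-quota database for each profile matched by 'User Data\*'.
# The mask ends in '*' so SQLite sidecar files (e.g. 'QuotaManager-journal')
# are collected with the database; the bare name matches only the main file.
# This matches the 'QuotaManager*' mask the Edge SxS entries use.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "QQ_Browser_Quota_Manager_$UserName"
# QQ Browser Reporting and NEL
# Same reasoning: the wildcard also picks up 'Reporting and NEL-journal'.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "QQ_Browser_Reporting_and_NEL_$UserName"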
# QQ Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "QQ_Browser_Shortcuts_$UserName"
# QQ Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "QQ_Browser_Top_Sites_$UserName"
# QQ Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "QQ_Browser_Trust_Tokens_$UserName"
# QQ Browser SyncData Database
# No -FileMask is passed, so Collect-Artifact's default mask "*" applies and
# the whole 'Sync Data' folder of each profile is copied. The Edge SxS and
# Prisma Access Browser entries in this script restrict the same folder to
# SyncData.sqlite3.
# NOTE(review): this is a superset rather than a loss - confirm it is intended.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_SyncData_Database_$UserName"
# QQ Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "QQ_Browser_Visited_Links_$UserName"
# QQ Browser Web Data
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "QQ_Browser_Web_Data_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# QQ Browser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_Snapshots_Folder_$UserName"
# Supermium Bookmarks XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Supermium_Bookmarks_XP_$UserName"
# Supermium Cookies XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Supermium_Cookies_XP_$UserName"
# Supermium Current Session XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Supermium_Current_Session_XP_$UserName"
# Supermium Current Tabs XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Supermium_Current_Tabs_XP_$UserName"
# Supermium Favicons XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Supermium_Favicons_XP_$UserName"
# Supermium History XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Supermium_History_XP_$UserName"
# Supermium Last Session XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Supermium_Last_Session_XP_$UserName"
# Supermium Last Tabs XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Supermium_Last_Tabs_XP_$UserName"
# Supermium Sessions Folder XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Sessions_Folder_XP_$UserName"
# Supermium Network Action Predictor XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Supermium_Network_Action_Predictor_XP_$UserName"
# Supermium Network Persistent State XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Supermium_Network_Persistent_State_XP_$UserName"
# Supermium Login Data XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Supermium_Login_Data_XP_$UserName"
# Supermium Preferences XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Supermium_Preferences_XP_$UserName"
# Supermium Reporting and NEL XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Supermium_Reporting_and_NEL_XP_$UserName"
# Supermium Trust Tokens XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Supermium_Trust_Tokens_XP_$UserName"
# Supermium SyncData Database XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_SyncData_Database_XP_$UserName"
# Supermium Shortcuts XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Supermium_Shortcuts_XP_$UserName"
# Supermium Top Sites XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Supermium_Top_Sites_XP_$UserName"
# Supermium Visited Links XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Supermium_Visited_Links_XP_$UserName"
# Supermium Web Data XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Supermium_Web_Data_XP_$UserName"
# Supermium Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Supermium_Bookmarks_$UserName"
# Supermium Cookies
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Supermium_Cookies_$UserName"
# Supermium Current Session
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Supermium_Current_Session_$UserName"
# Supermium Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Supermium_Current_Tabs_$UserName"
# Supermium Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Supermium_Download_Metadata_$UserName"
# Supermium Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "Supermium_Extension_Cookies_$UserName"
# Supermium Favicons
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Supermium_Favicons_$UserName"
# Supermium History
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Supermium_History_$UserName"
# Supermium Last Session
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Supermium_Last_Session_$UserName"
# Supermium Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Supermium_Last_Tabs_$UserName"
# Supermium Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Sessions_Folder_$UserName"
# Supermium Login Data
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Supermium_Login_Data_$UserName"
# Supermium Media History
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Supermium_Media_History_$UserName"
# Supermium Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Supermium_Network_Action_Predictor_$UserName"
# Supermium Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Supermium_Network_Persistent_State_$UserName"
# Supermium Preferences
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Supermium_Preferences_$UserName"
# Supermium Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Supermium_Secure_Preferences_$UserName"
# Supermium Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Supermium_Quota_Manager_$UserName"
# Supermium Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Supermium_Reporting_and_NEL_$UserName"
# Supermium Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Supermium_Shortcuts_$UserName"
# Supermium Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Supermium_Top_Sites_$UserName"
# Supermium Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Supermium_Trust_Tokens_$UserName"
# Supermium SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_SyncData_Database_$UserName"
# Supermium Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Supermium_Visited_Links_$UserName"
# Supermium Web Data
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Supermium_Web_Data_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Supermium Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Snapshots_Folder_$UserName"
# UCBrowser Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "UCBrowser_Bookmarks_$UserName"
# UCBrowser Cookies
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "UCBrowser_Cookies_$UserName"
# UCBrowser Current Session
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "UCBrowser_Current_Session_$UserName"
# UCBrowser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "UCBrowser_Current_Tabs_$UserName"
# UCBrowser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "UCBrowser_Download_Metadata_$UserName"
# UCBrowser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "UCBrowser_Extension_Cookies_$UserName"
# UCBrowser Favicons
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "UCBrowser_Favicons_$UserName"
# UCBrowser History
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "UCBrowser_History_$UserName"
# UCBrowser Last Session
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "UCBrowser_Last_Session_$UserName"
# UCBrowser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "UCBrowser_Last_Tabs_$UserName"
# UCBrowser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_Sessions_Folder_$UserName"
# UCBrowser Login Data
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "UCBrowser_Login_Data_$UserName"
# UCBrowser Media History
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "UCBrowser_Media_History_$UserName"
# UCBrowser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "UCBrowser_Network_Action_Predictor_$UserName"
# UCBrowser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "UCBrowser_Network_Persistent_State_$UserName"
# UCBrowser Preferences
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "UCBrowser_Preferences_$UserName"
# UCBrowser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "UCBrowser_Quota_Manager_$UserName"
# UCBrowser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "UCBrowser_Reporting_and_NEL_$UserName"
# UCBrowser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "UCBrowser_Shortcuts_$UserName"
# UCBrowser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "UCBrowser_Top_Sites_$UserName"
# UCBrowser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "UCBrowser_Trust_Tokens_$UserName"
# UCBrowser SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_SyncData_Database_$UserName"
# UCBrowser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "UCBrowser_Visited_Links_$UserName"
# UCBrowser Web Data
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "UCBrowser_Web_Data_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# UCBrowser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_Snapshots_Folder_$UserName"
# Vivaldi Cookies
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Vivaldi_Cookies_$UserName"
# Vivaldi Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Vivaldi_Network_Persistent_State_$UserName"
# Vivaldi Favicons
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Vivaldi_Favicons_$UserName"
# Vivaldi History
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Vivaldi_History_$UserName"
# Vivaldi Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Vivaldi_Sessions_Folder_$UserName"
# Vivaldi Login Data
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Vivaldi_Login_Data_$UserName"
# Vivaldi Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Vivaldi_Network_Action_Predictor_$UserName"
# Vivaldi Preferences
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Vivaldi_Preferences_$UserName"
# Vivaldi Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Vivaldi_Secure_Preferences_$UserName"
# Vivaldi Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Vivaldi_Top_Sites_$UserName"
# Vivaldi Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Vivaldi_Bookmarks_$UserName"
# Vivaldi Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Vivaldi_Visited_Links_$UserName"
# Vivaldi Web Data
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Vivaldi_Web_Data_$UserName"
# Vivaldi User Tracking
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask ".vivaldi_reporting_data*" -FolderName "Vivaldi_User_Tracking_$UserName"
# Vivaldi Calendar
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Calendar*" -FolderName "Vivaldi_Calendar_$UserName"
# Vivaldi Contacts
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Contacts*" -FolderName "Vivaldi_Contacts_$UserName"
# Vivaldi Notes
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Notes*" -FolderName "Vivaldi_Notes_$UserName"
# Vivaldi Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata*" -FolderName "Vivaldi_Download_Metadata_$UserName"
# WaveBrowser bookmarks
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "WaveBrowser_bookmarks_$UserName"
# WaveBrowser Cookies
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "WaveBrowser_Cookies_$UserName"
# WaveBrowser Current Session
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "WaveBrowser_Current_Session_$UserName"
# WaveBrowser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "WaveBrowser_Current_Tabs_$UserName"
# WaveBrowser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "WaveBrowser_Download_Metadata_$UserName"
# WaveBrowser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "WaveBrowser_Extension_Cookies_$UserName"
# WaveBrowser Favicons
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "WaveBrowser_Favicons_$UserName"
# WaveBrowser History
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "WaveBrowser_History_$UserName"
# WaveBrowser Last Session
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "WaveBrowser_Last_Session_$UserName"
# WaveBrowser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "WaveBrowser_Last_Tabs_$UserName"
# WaveBrowser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "WaveBrowser_Sessions_Folder_$UserName"
# WaveBrowser Login Data
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "WaveBrowser_Login_Data_$UserName"
# WaveBrowser Media History
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "WaveBrowser_Media_History_$UserName"
# WaveBrowser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "WaveBrowser_Network_Action_Predictor_$UserName"
# WaveBrowser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "WaveBrowser_Network_Persistent_State_$UserName"
# WaveBrowser Preferences
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "WaveBrowser_Preferences_$UserName"
# WaveBrowser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "WaveBrowser_Secure_Preferences_$UserName"
# WaveBrowser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "WaveBrowser_Quota_Manager_$UserName"
# WaveBrowser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "WaveBrowser_Reporting_and_NEL_$UserName"
# WaveBrowser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "WaveBrowser_Shortcuts_$UserName"
# WaveBrowser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "WaveBrowser_Top_Sites_$UserName"
# WaveBrowser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "WaveBrowser_Trust_Tokens_$UserName"
# WaveBrowser SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "WaveBrowser_SyncData_Database_$UserName"
# WaveBrowser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "WaveBrowser_Visited_Links_$UserName"
# WaveBrowser Web Data
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "WaveBrowser_Web_Data_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# WaveBrowser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "WaveBrowser_Snapshots_Folder_$UserName"
# Yandex Cookies
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Yandex_Cookies_$UserName"
# Yandex Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Yandex_Network_Persistent_State_$UserName"
# Yandex Favicons
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Yandex_Favicons_$UserName"
# Yandex History
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Yandex_History_$UserName"
# Yandex Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Yandex_Sessions_Folder_$UserName"
# Yandex Login Data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Ya Passman Data*" -FolderName "Yandex_Login_Data_$UserName"
# Yandex Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Yandex_Network_Action_Predictor_$UserName"
# Yandex Preferences
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Yandex_Preferences_$UserName"
# Yandex Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Yandex_Top_Sites_$UserName"
# Yandex Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Yandex_Bookmarks_$UserName"
# Yandex Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Yandex_Visited_Links_$UserName"
# Yandex Web Data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Yandex_Web_Data_$UserName"
# Yandex Autofill data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Ya Autofill Data*" -FolderName "Yandex_Autofill_data_$UserName"
# Yandex Passman logs
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Passman Logs*" -FolderName "Yandex_Passman_logs_$UserName"
# Yandex Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Yandex_Shortcuts_$UserName"
# ActivitiesCache.db
$UserPath = "$($_.FullName)\AppData\Local\ConnectedDevicesPlatform"
Collect-Artifact -SourceDir $UserPath -FileMask "ActivitiesCache.db*" -FolderName "ActivitiesCache_db_$UserName"
}
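Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
`-ExecutionPolicy Bypass` applies only to that one PowerShell process; it does not change the machine's execution policy. The final counts are per source directory handled by Collect-Artifact, not per file: "Copied" is any robocopy run that exited with a code of 7 or less, which includes runs where no file matched the mask, and "Missed" means the source path resolved to no directory. Because robocopy is called with /R:0, a file it cannot open (for example a database held open by a running browser) is not retried, and that run is counted under "Errors".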
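Note: This is a compound target that references 18 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands. Two effects are visible in the PowerShell script above. A path shared by several targets, such as the per-user `Windows Protect Folder`, is processed again for each target that references it. Every directory matched by a wildcard such as `User Data\*` is copied into the same destination folder, so same-named files from different browser profiles land in one place, a later copy can replace an earlier one, and the profile a file came from is not recorded.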