Keepass

Appsv1

Author: Vito Alfano

description

Keepass

paths

3 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: Keepass
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Keepass Config Xml
Collect-Artifact -SourceDir "C:\Program Files\KeePass Password Safe*" -FileMask "*.xml" -FolderName "Keepass_Config_Xml"

# 2. Keepass Application Details
Collect-Artifact -SourceDir "C:\Program Files\KeePass Password Safe*" -FileMask "*.config" -FolderName "Keepass_Application_Details"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Keepass User Config
        $UserPath = "$($_.FullName)\AppData\Roaming\KeePass"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.xml" -FolderName "Keepass_User_Config_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

fir.ferris.edu http://fir.ferris.edu:8080/xmlui/bitstream/handle/2323/6381/Middleton2017E2.pdf?sequence=1&isAllowed=y

cqureacademy.com https://cqureacademy.com/blog/hacks/safe-store-password-keepass-browser

github.com https://github.com/GhostPack/KeeThief

github.com https://github.com/Orange-Cyberdefense/KeePwn

notes

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can store all your passwords in one database, which is locked with a master key. So you only have to remember one single master key to unlock the whole database. Database files are encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish)

// description

// paths

// collection commands

// references

// notes

description

paths

collection commands

references

notes