MacriumReflect

Author: Andrew Rathbun

description

Macrium Reflect

paths

3 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: MacriumReflect
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*');
    # robocopy itself does not glob the source path.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Macrium Reflect
Collect-Artifact -SourceDir "C:\ProgramData\Macrium\Macrium Service" -FolderName "Macrium_Reflect"

# 2. Macrium Reflect
Collect-Artifact -SourceDir "C:\ProgramData\Macrium\Reflect" -FolderName "Macrium_Reflect"

# 3. Macrium Reflect
Collect-Artifact -SourceDir "C:\ProgramData\Macrium\Reflect Launcher" -FolderName "Macrium_Reflect"

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

Macrium Reflect is a program that can be used to create full, incremental, and differential backups of any disk/volume on a user's system.

Often, backups are automated and scheduled through Scheduled Tasks.

If you notice there are Scheduled Tasks (ScheduledTasks.tkape) for Macrium Reflect, then this target is for you!

This target will copy out all log files that show when and where backups were made.

Another location to check for Macrium Reflect artifacts is Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree in the SOFTWARE registry hive.

.\Macrium\Reflect\ contains a Consolidate.log file, which contains a play-by-play of when backups occur and their destination. There will also be daily logs for scheduled backups.

.\Macrium\Macrium Service\ contains logs that are similar to running --debug or --trace in KAPE, which provide more information than you really need.

.\Macrium\Macrium Launcher\ contains logs that give a play-by-play of the program's events on a given day.
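As an added triage example (not part of the KAPE target or the collection script above), the following PowerShell checks the two places the notes point at: the TaskCache\Tree key in the SOFTWARE hive for Macrium Reflect scheduled tasks, and the three log directories this target collects. It assumes a live Windows host, the standard TaskCache registry layout, and that the task names contain "Macrium" or "Reflect" (the name pattern is an assumption, adjust it if the tasks are named differently); the command-line extraction from the Actions blob is a printable-string heuristic, not a full parser.

```powershell
# Added example: triage Macrium Reflect scheduled tasks and log locations before running the target.
# Assumes the standard TaskCache layout and task names matching $NamePattern (assumption).
$TreeKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$NamePattern = 'Macrium|Reflect'
$LogDirs     = @('C:\ProgramData\Macrium\Macrium Service',
                 'C:\ProgramData\Macrium\Reflect',
                 'C:\ProgramData\Macrium\Reflect Launcher')

function Find-MacriumTasks {
    # Walk TaskCache\Tree (one subkey per task folder or task), match on name,
    # then resolve each task's Id GUID to its TaskCache\Tasks\{GUID} entry.
    Get-ChildItem -Path $TreeKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $NamePattern } |
        ForEach-Object {
            $id = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Id
            if (-not $id) { return }   # task folders have no Id value; skip them
            $task = Get-ItemProperty -Path (Join-Path $TasksKey $id) -ErrorAction SilentlyContinue
            # Heuristic: the Actions blob stores length-prefixed UTF-16 strings (author,
            # executable path, arguments), so printable runs give a readable command line.
            $cmd = ''
            if ($task.Actions) {
                $text = [System.Text.Encoding]::Unicode.GetString([byte[]]$task.Actions)
                $cmd  = ([regex]::Matches($text, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }) -join ' | '
            }
            [pscustomobject]@{
                TaskName = $_.PSChildName
                TaskPath = $task.Path
                Author   = $task.Author
                Date     = $task.Date
                Id       = $id
                Actions  = $cmd
            }
        }
}

function Test-MacriumLogDirs {
    # Report whether each directory the target collects exists and how many .log files it holds.
    foreach ($dir in $LogDirs) {
        $exists = Test-Path -LiteralPath $dir -PathType Container
        $count  = 0
        if ($exists) {
            $count = @(Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{ Directory = $dir; Exists = $exists; LogFiles = $count }
    }
}

Find-MacriumTasks   | Format-Table -AutoSize
Test-MacriumLogDirs | Format-Table -AutoSize
```

Run it elevated, since TaskCache\Tasks is not readable by standard users; a hit in the task list together with a populated Reflect directory is the signal that the MacriumReflect target and ScheduledTasks.tkape both apply.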