Mattermost

Author: Andrew Rathbun

description

Mattermost

paths

1 path
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Mattermost
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*') because
    # robocopy itself does not glob the source path.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Mattermost - Chat Logs
        $UserPath = "$($_.FullName)\AppData\Roaming\Mattermost\IndexedDB"
        Collect-Artifact -SourceDir $UserPath -FolderName "Mattermost_Chat_Logs_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

Mattermost is very similar to Slack, differing mainly in that it is a self-hosted, open-source alternative.

Within the IndexedDB folder, there will be another folder that appears to be server-specific. I'm only in one server currently but this folder in particular was named after that server.

Within this server-specific folder, there will be a .log file. Mine was named 000135.log. This is where you should concentrate your analysis.

What is interesting about this file is that it appears to be a timestamped keylogger, of sorts. It appears that recent messages will be stored here (unknown exactly how far back) and timestamped by the keystroke.

For example, for a message typed by the user: "hello", there would be 5 entries in this log (h, he, hel, hell, hello) with each entry being timestamped.

This does not appear to be an exhaustive chat log, by any means. However, something is better than nothing, and the timestamped keystrokes are certainly an interesting artifact.
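As an added worked example (not part of this target page or its author's notes), the Python below parses the framing used by the collected IndexedDB .log file: Chromium's IndexedDB is backed by LevelDB, and the .log file is LevelDB's write-ahead log, so each record is a WriteBatch of key/value puts and deletes. The script builds a constructed sample log (the key name draft:town-square and the JSON value with message/updateAt fields are invented for the demo and are not Mattermost's real storage schema), walks the 32 KiB block framing, reassembles records split across blocks, decodes the WriteBatch entries and lists the incremental h/he/hel/... drafts with their timestamps in write order. The masked CRC32C field is not verified, and on a real file the values are V8-serialised rather than plain JSON, so draft_timeline's JSON decoding is the part to swap out; iter_log_records and parse_write_batch apply to a real .log as written.

```python
import json
import struct

BLOCK_SIZE = 32768       # LevelDB log block size
HEADER_SIZE = 7          # masked CRC32C (4) + payload length (2) + record type (1)
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4   # record types; 0 is a zero/padding record

# Constructed sample: "hello" typed one key at a time, 150 ms apart (not real Mattermost data).
SAMPLE_DRAFTS = [(1700000000000 + 150 * i, "hello"[: i + 1]) for i in range(5)]


def _varint_dec(buf, pos):
    """Decode a LevelDB varint32 at pos -> (value, position after it)."""
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1


def _varint_enc(n):
    out = b""
    while n >= 0x80:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])


def iter_log_records(data, block_size=BLOCK_SIZE):
    """Yield each logical record of a LevelDB .log: records are framed in fixed-size
    blocks and split into FIRST/MIDDLE/LAST fragments when they do not fit (CRC unchecked)."""
    pos, fragments = 0, []
    while pos + HEADER_SIZE <= len(data):
        left = block_size - pos % block_size
        if left < HEADER_SIZE:
            pos += left                          # zero-filled block trailer
            continue
        _crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        pos += HEADER_SIZE
        payload, pos = data[pos:pos + length], pos + length
        if rtype in (FULL, FIRST):
            fragments = []                       # a new record begins here
        fragments.append(payload)
        if rtype in (FULL, LAST):
            yield b"".join(fragments)
            fragments = []
        elif rtype not in (FIRST, MIDDLE, 0):    # 0 = zero/padding record
            break                                # unknown type: stop rather than misparse


def parse_write_batch(rec):
    """Decode one WriteBatch: 8-byte sequence, 4-byte count, then per entry a tag
    (1 = Put, 0 = Delete), a length-prefixed key and, for Put, a length-prefixed value."""
    if len(rec) < 12:
        return []                                # truncated tail, nothing decodable
    seq, count = struct.unpack_from("<QI", rec, 0)
    pos, entries = 12, []
    for i in range(count):
        tag, pos = rec[pos], pos + 1
        klen, pos = _varint_dec(rec, pos)
        key, pos = rec[pos:pos + klen], pos + klen
        if tag == 1:
            vlen, pos = _varint_dec(rec, pos)
            value, pos = rec[pos:pos + vlen], pos + vlen
            entries.append((seq + i, "put", key, value))
        elif tag == 0:
            entries.append((seq + i, "delete", key, b""))
        else:
            raise ValueError(f"unknown WriteBatch tag {tag} at offset {pos - 1}")
    return entries


def build_sample_log(drafts, block_size=BLOCK_SIZE):
    """Write a constructed .log: one single-Put WriteBatch per draft snapshot, fragmented
    across blocks the way LevelDB's writer does (CRC left zero; key/JSON layout invented)."""
    blob = bytearray()
    for seq, (ts, text) in enumerate(drafts, start=1):
        key = b"draft:town-square"                                  # hypothetical key
        value = json.dumps({"message": text, "updateAt": ts}).encode()
        batch = (struct.pack("<QI", seq, 1) + b"\x01"
                 + _varint_enc(len(key)) + key + _varint_enc(len(value)) + value)
        begin = True
        while True:
            left = block_size - len(blob) % block_size
            if left < HEADER_SIZE:
                blob += b"\x00" * left           # pad out the block, start a new one
                continue
            frag, batch = batch[:left - HEADER_SIZE], batch[left - HEADER_SIZE:]
            end = not batch
            rtype = FULL if begin and end else FIRST if begin else LAST if end else MIDDLE
            blob += struct.pack("<IHB", 0, len(frag), rtype) + frag
            begin = False
            if end:
                break
    return bytes(blob)


def draft_timeline(data, block_size=BLOCK_SIZE):
    """(updateAt, message) from each Put whose value is JSON with those keys. Real Chromium
    IndexedDB values are V8-serialised, so this decoder is the part to replace on a live file."""
    out = []
    for rec in iter_log_records(data, block_size):
        for _seq, op, _key, value in parse_write_batch(rec):
            try:
                obj = json.loads(value) if op == "put" else None
            except ValueError:                   # not UTF-8 / not JSON
                continue
            if isinstance(obj, dict) and {"message", "updateAt"} <= obj.keys():
                out.append((obj["updateAt"], obj["message"]))
    return out
```

Run it against the collected copy of the .log, never the live file under the user's profile. draft_timeline(open(path, "rb").read()) only returns what its JSON decoder recognises; the (sequence, op, key, value) tuples from parse_write_batch are the stable starting point for a real file, and the block_size parameter exists so the fragment reassembly can be exercised with small blocks in a test.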

included in collections