MessagingClients
Compoundv1
Author: Gregor Wegberg
description
Messaging and communication apps
includes (13)
paths
40 paths from 13 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: MessagingClients
# Run as Administrator
#Requires -RunAsAdministrator
# Non-terminating errors are reported and the script carries on, so one
# unreadable location does not end the whole collection run.
$ErrorActionPreference = 'Continue'

# Drive that holds the user profiles to collect from.
$SourceRoot = 'C:'

# Base folder for the collected copies; each artifact gets its own sub-folder.
$DestBase = 'D:\Evidence'

# Running totals, printed once at the end of the script.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
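function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact location into its own folder under $DestBase with robocopy.

    .DESCRIPTION
    Resolves SourceDir (wildcards allowed in any segment) to the directories
    that exist, then runs robocopy once per directory. Totals are kept in the
    script-level $Summary hashtable: Missed when nothing resolves, otherwise
    Copied or Errors once per resolved directory.

    When the pattern resolves to a single directory the files land directly in
    <DestBase>\<FolderName>. When it resolves to several (for example one
    folder per account), each directory is copied into its own numbered
    sub-folder so that same-named files such as main.db or viber.db from
    different accounts cannot overwrite one another in the evidence set.

    .PARAMETER SourceDir
    Directory to collect from; may contain wildcards.

    .PARAMETER FolderName
    Name of the destination folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file mask; defaults to "*" (every file).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    $index = 0
    foreach ($src in $sources) {
        $index++

        # One match: keep the flat layout. Several matches: give each source
        # its own sub-folder; the index keeps names unique even when every
        # match has the same leaf name (e.g. '...\Cache').
        $target = $FullDest
        if ($sources.Count -gt 1) {
            $target = Join-Path -Path $FullDest -ChildPath ('{0:D2}_{1}' -f $index, $src.Name)
        }

        # /COPY:DAT keeps file data, attributes and timestamps. /R:0 /W:0 means
        # no retries, so a file a running client holds open fails immediately.
        # NOTE(review): directory timestamps are left at robocopy's /DCOPY
        # default - confirm whether the examination needs them preserved.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null

        # robocopy exit codes are a bitmask; 8 and above mean at least one
        # file or directory could not be copied.
        if ($LASTEXITCODE -le 7) {
            $Summary.Copied++
        }
        else {
            $Summary.Errors++
            # All robocopy output is suppressed above, so name the failing
            # source here; otherwise an incomplete copy is only a counter.
            Write-Warning ("robocopy exit code {0} for '{1}' (mask '{2}') - copy is incomplete" -f $LASTEXITCODE, $src.FullName, $FileMask)
        }
    }
}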
# Per-user artifact table, in collection order.
#   Path   - location relative to the profile folder; wildcards are allowed
#   Mask   - optional robocopy file mask, passed on as -FileMask
#   Folder - destination folder prefix; "_<profile name>" is appended
# NOTE(review): the 'Application Data\...' entries target Windows 2000/XP
# layouts, while the loop below only walks "$SourceRoot\Users" - confirm
# whether they can match anything beyond the compatibility junction.
$PerUserArtifacts = @(
    # HexChat Chat Logs
    @{ Path = 'AppData\Roaming\HexChat\logs'; Folder = 'HexChat_Chat_Logs' }
    # IceChat Chat Logs
    @{ Path = 'AppData\Local\IceChat Networks\IceChat\Logs'; Folder = 'IceChat_Chat_Logs' }
    # mIRC Chat Logs (Vista+)
    @{ Path = 'AppData\Roaming\mIRC\logs'; Folder = 'mIRC_Chat_Logs_Vista' }
    # mIRC Chat Logs (2000/XP)
    @{ Path = 'Application Data\mIRC\logs'; Folder = 'mIRC_Chat_Logs_2000_XP' }
    # Cisco Jabber Database
    @{ Path = 'AppData\Local\Cisco\Unified Communications\Jabber\CSF\History'; Mask = '*.db'; Folder = 'Cisco_Jabber_Database' }
    # Discord Cache Files
    @{ Path = 'AppData\Roaming\discord\cache'; Folder = 'Discord_Cache_Files' }
    # Discord Local Storage LevelDB Files
    @{ Path = 'AppData\Roaming\discord\local storage\leveldb'; Folder = 'Discord_Local_Storage_LevelDB_Files' }
    # Mattermost - Chat Logs
    @{ Path = 'AppData\Roaming\Mattermost\IndexedDB'; Folder = 'Mattermost_Chat_Logs' }
    # Microsoft Teams IndexedDB Cache
    @{ Path = 'AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb'; Folder = 'Microsoft_Teams_IndexedDB_Cache' }
    # Microsoft Teams Local Storage Cache
    @{ Path = 'AppData\Roaming\Microsoft\Teams\Local Storage\leveldb'; Folder = 'Microsoft_Teams_Local_Storage_Cache' }
    # Microsoft Teams Cache
    @{ Path = 'AppData\Roaming\Microsoft\Teams\Cache'; Folder = 'Microsoft_Teams_Cache' }
    # Microsoft Teams Config
    @{ Path = 'AppData\Roaming\Microsoft\Teams'; Mask = 'desktop-config.json'; Folder = 'Microsoft_Teams_Config' }
    # Microsoft Teams Logs (Windows 11)
    @{ Path = 'AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs'; Folder = 'Microsoft_Teams_Logs_Windows_11' }
    # Signal Attachments cache
    @{ Path = 'AppData\Roaming\Signal\attachments.noindex'; Folder = 'Signal_Attachments_cache' }
    # Signal Logs
    @{ Path = 'AppData\Roaming\Signal\logs'; Folder = 'Signal_Logs' }
    # Signal config.json
    @{ Path = 'AppData\Roaming\Signal'; Mask = 'config.json'; Folder = 'Signal_config_json' }
    # Signal Database
    @{ Path = 'AppData\Roaming\Signal\sql'; Mask = 'db.sqlite'; Folder = 'Signal_Database' }
    # main.db (App <v12)
    @{ Path = 'AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*'; Mask = 'main.db'; Folder = 'main_db_App_v12' }
    # skype.db (App +v12)
    @{ Path = 'AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*'; Mask = 'skype.db'; Folder = 'skype_db_App_v12' }
    # main.db XP
    @{ Path = 'Application Data\Skype\*'; Mask = 'main.db'; Folder = 'main_db_XP' }
    # main.db Win7+
    @{ Path = 'AppData\Roaming\Skype\*'; Mask = 'main.db'; Folder = 'main_db_Win7' }
    # s4l-[username].db (App +v8)
    @{ Path = 'AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState'; Mask = 's4l-*.db'; Folder = 's4l_username_db_App_v8' }
    # leveldb (Skype for Desktop +v8)
    @{ Path = 'AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb'; Folder = 'leveldb_Skype_for_Desktop_v8' }
    # Skype for Desktop v8+ Chromium Cache
    # (the destination folder name keeps the original "Destkop" spelling)
    @{ Path = 'AppData\Roaming\Microsoft\Skype for Desktop\Cache'; Folder = 'Skype_for_Destkop_v8_Chromium_Cache' }
    # Slack - Chat Logs
    @{ Path = 'AppData\Roaming\Slack\IndexedDB'; Folder = 'Slack_Chat_Logs' }
    # Slack LevelDB Files
    @{ Path = 'AppData\Roaming\Slack\Local Storage\leveldb'; Folder = 'Slack_LevelDB_Files' }
    # Slack Electron Logs
    @{ Path = 'AppData\Roaming\Slack\logs'; Folder = 'Slack_Electron_Logs' }
    # Slack Cache
    @{ Path = 'AppData\Roaming\Slack\Cache'; Folder = 'Slack_Cache' }
    # Slack Storage
    @{ Path = 'AppData\Roaming\Slack\storage'; Folder = 'Slack_Storage' }
    # Telegram app folder
    @{ Path = 'AppData\Roaming\Telegram Desktop'; Folder = 'Telegram_app_folder' }
    # Telegram downloaded files
    @{ Path = 'Downloads\Telegram Desktop'; Folder = 'Telegram_downloaded_files' }
    # Viber Config Database
    @{ Path = 'AppData\Roaming\ViberPC'; Mask = 'config.db'; Folder = 'Viber_Config_Database' }
    # Viber Users Data Database
    @{ Path = 'AppData\Roaming\ViberPC\*'; Mask = 'viber.db'; Folder = 'Viber_Users_Data_Database' }
    # Viber Users Avatars Cache
    @{ Path = 'AppData\Roaming\ViberPC\*\Avatars'; Folder = 'Viber_Users_Avatars_Cache' }
    # Viber Users Backgrounds Cache
    @{ Path = 'AppData\Roaming\ViberPC\*\Backgrounds'; Folder = 'Viber_Users_Backgrounds_Cache' }
    # Viber Users Thumbnails Cache
    @{ Path = 'AppData\Roaming\ViberPC\*\Thumbnails'; Folder = 'Viber_Users_Thumbnails_Cache' }
    # WhatsApp Cache
    @{ Path = 'AppData\Roaming\WhatsApp\Cache'; Folder = 'WhatsApp_Cache' }
    # WhatsApp Local Storage
    @{ Path = 'AppData\Roaming\WhatsApp\Local Storage\leveldb'; Folder = 'WhatsApp_Local_Storage' }
    # Microsoft Store WhatsApp Cache
    @{ Path = 'AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache'; Folder = 'Microsoft_Store_WhatsApp_Cache' }
    # Microsoft Store WhatsApp Local Storage
    @{ Path = 'AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb'; Folder = 'Microsoft_Store_WhatsApp_Local_Storage' }
)

# Profile folders that are skipped when walking the Users directory.
$SkippedProfiles = @('All Users', 'Default', 'Default User', 'Public')

# Walk every remaining profile under the source drive and collect each table
# entry for it, one Collect-Artifact call per entry.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $SkippedProfiles -notcontains $_.Name } |
    ForEach-Object {
        $UserName = $_.Name
        $ProfileRoot = $_.FullName

        foreach ($artifact in $PerUserArtifacts) {
            $UserPath = "$ProfileRoot\$($artifact.Path)"

            $call = @{
                SourceDir  = $UserPath
                FolderName = "$($artifact.Folder)_$UserName"
            }
            # Entries without a Mask rely on Collect-Artifact's own default.
            if ($artifact.ContainsKey('Mask')) {
                $call.FileMask = $artifact.Mask
            }

            Collect-Artifact @call
        }
    }
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as a .ps1 file and run it from an elevated (Administrator) PowerShell prompt. Use: powershell -ExecutionPolicy Bypass -File script.ps1 (the -ExecutionPolicy switch applies to that one invocation only).
Note: This is a compound target that references 11 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
For those looking to contribute to this list, check here for ideas:
- https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients
- https://en.wikipedia.org/wiki/Comparison_of_user_features_of_messaging_platforms
Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place it in the appropriate folder. Then, include that Target in the appropriate Compound Target.