MicrosoftToDo
Author: Andrew Rathbun
description
Microsoft To Do
paths
collection commands
# PowerShell Artifact Collection Script
# Target: MicrosoftToDo
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes below 8 mean no copy failure occurred
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Microsoft To Do - SQLite Database of To Do tasks
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "todosqlite.db*" -FolderName "Microsoft_To_Do_SQLite_Database_of_To_Do_tasks_$UserName"
        # Microsoft To Do - User Avatar
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars"
        Collect-Artifact -SourceDir $UserPath -FileMask "UserAvatar.jpg" -FolderName "Microsoft_To_Do_User_Avatar_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Microsoft To Do is a useful list-making app for keeping life organized.
Thankfully, the tasks and task folders a user creates are stored in a SQLite database!
The hierarchy within Microsoft To Do comprises the following: Group (Optional) -> Task Folders (List) -> Tasks -> Steps.
For example, a user can create a Monthly Expenses List (e.g. for their personal life), create a Task within it (e.g. bills to pay by end of month), and add Steps to that Task (e.g. internet, utilities, cell phone, etc.) which they can check off as they are completed.
Within the Assignments table, one can see where the user assigned a Task to another user with whom the Task Folder (i.e. List, as it's called within the App) is shared. An example of this would be one person assigning another the above bills example task.
Within the Groups table, there's a list of groups that the user created. Some examples could be Personal Life, Work, Family, etc., where the user can group together related Lists they've created to keep things better organized.
Within the Task Folders table, you'll see the higher-level folders the user created in which they will organize the Tasks they create.
Within the Tasks table, you'll see Tasks that were created by the user.
Within the Steps table, you'll see the steps that were assigned for each Task created.
Within the Settings table, you'll see the various settings the user enabled or disabled within the App.
Within the Members table, you'll see the list of Members that share Lists with each other and their associated Task Folder IDs which are shared between them.
Within the Linked Entities table, you'll see items the user attached to a Task, e.g. images, files, etc.
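
An added example, not part of the original target definition: a Python triage pass over one folder produced by the collection script. It hashes every todosqlite.db* file, queries a working copy so SQLite never opens the collected originals, and returns row counts per table. The database made by build_sample is constructed, and its table and column names are hypothetical stand-ins, not the app's real schema.

```python
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_sample(folder):
    """Constructed stand-in database; table and column names are hypothetical."""
    con = sqlite3.connect(str(Path(folder) / "todosqlite.db"))
    con.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, subject TEXT)")
    con.execute("CREATE TABLE steps (id INTEGER PRIMARY KEY, task_id INTEGER, subject TEXT)")
    con.executemany("INSERT INTO tasks (subject) VALUES (?)", [("Pay bills",), ("Groceries",)])
    con.executemany("INSERT INTO steps (task_id, subject) VALUES (?, ?)",
                    [(1, "internet"), (1, "utilities"), (1, "cell phone")])
    con.commit()
    con.close()

def triage(evidence_dir):
    """Hash every todosqlite.db* file, then count rows per table on a copy."""
    files = sorted(Path(evidence_dir).glob("todosqlite.db*"))
    hashes = {f.name: sha256(f) for f in files}       # recorded before any access
    counts = {}
    with tempfile.TemporaryDirectory() as work:
        for f in files:                               # keep any sidecar files with the db
            shutil.copy2(f, work)
        db = (Path(work) / "todosqlite.db").resolve()
        con = sqlite3.connect(db.as_uri() + "?mode=ro", uri=True)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table' "
                "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
            for name in tables:
                quoted = '"' + name.replace('"', '""') + '"'
                counts[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        finally:
            con.close()
    # Re-hash the originals to confirm the triage left them untouched
    unchanged = all(sha256(f) == hashes[f.name] for f in files)
    return hashes, counts, unchanged

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as evidence:
        build_sample(evidence)
        print(triage(evidence))
```

Point triage at a per-user destination folder under D:\Evidence and keep the returned hashes with the case notes.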