MultiCommander
Author: Andrew Rathbun
description
Multi Commander
paths
collection commands
# PowerShell Artifact Collection Script
# Target: MultiCommander
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 mean no copy failure; 8 and above mean at least one failure.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name

        # Multi Commander - Application Folder
        $UserPath = "$($_.FullName)\AppData\Local\MultiCommander*"
        Collect-Artifact -SourceDir $UserPath -FolderName "Multi_Commander_Application_Folder_$UserName"

        # Multi Commander - Config Folder
        $UserPath = "$($_.FullName)\AppData\Roaming\MultiCommander*\Config"
        Collect-Artifact -SourceDir $UserPath -FolderName "Multi_Commander_Config_Folder_$UserName"

        # Multi Commander - Log Folder
        $UserPath = "$($_.FullName)\AppData\Roaming\MultiCommander*\Logs"
        Collect-Artifact -SourceDir $UserPath -FolderName "Multi_Commander_Log_Folder_$UserName"

        # Multi Commander - UserData Folder
        $UserPath = "$($_.FullName)\AppData\Roaming\MultiCommander*\UserData"
        Collect-Artifact -SourceDir $UserPath -FolderName "Multi_Commander_UserData_Folder_$UserName"

        # Multi Commander - Log File
        $UserPath = "$($_.FullName)\AppData\Roaming\MultiCommander*"
        Collect-Artifact -SourceDir $UserPath -FileMask "*MultiCommander.log" -FolderName "Multi_Commander_Log_File_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
Multi Commander is a freeware Windows File Explorer replacement similar to Total Commander.
Application folder will have lots of standard XML files that ship with Multi Commander.
Config folder will have lots of XML files and folders related to Extensions and Scripts installed by the user.
Log folder will contain multiple .log files depending on which activity the user engaged in. During my testing, my Log folder contained the following:
2021-04-03-(2244)-FileOperations.log
2021-04-03-(2244)-Filesystem.log
2021-04-03-(2244)-FTP-192.168.131.123.log
2021-04-03-(2244)-MultiCommander.log
2021-04-03-(4048)-FileOperations.log
2021-04-03-(4048)-Filesystem.log
2021-04-03-(4048)-FTP-192.168.131.123.log
2021-04-03-(4048)-MultiCommander.log
2021-04-03-(15376)-FileOperations.log
2021-04-03-(15376)-Filesystem.log
2021-04-03-(15376)-MultiCommander.log
UserData folder contains an ftpsite.xml file, which holds all FTP configurations saved by the user.
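
Added example (not part of the original target definition): a PowerShell helper for triaging the collected Log folder. It parses the log file names shown in the notes into records and groups them by date and the number in parentheses, pulling the FTP host out of FTP-<host> names. The function names ConvertFrom-McLogName and Get-McLogSummary and the name pattern are assumptions inferred from that listing.

```powershell
# Added example. The layout <date>-(<number>)-<type>.log is inferred from the
# listing in the notes; what the number in parentheses means is not stated there.
function ConvertFrom-McLogName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $leaf = [System.IO.Path]::GetFileName($Name)
        if ($leaf -match '^(?<date>\d{4}-\d{2}-\d{2})-\((?<num>\d+)\)-(?<type>.+)\.log$') {
            # Copy the captures now; the next -match overwrites $Matches.
            $date = $Matches['date']; $num = [int]$Matches['num']; $type = $Matches['type']
            $ftpHost = $null
            if ($type -match '^FTP-(?<host>.+)$') {
                $ftpHost = $Matches['host']   # remote endpoint recorded in the file name
                $type = 'FTP'
            }
            [pscustomobject]@{ Date = $date; Number = $num; LogType = $type; FtpHost = $ftpHost; File = $leaf }
        } else {
            Write-Warning "Unrecognised log name: $leaf"
        }
    }
}

function Get-McLogSummary {
    param([Parameter(Mandatory)][string[]]$Names)
    # One row per (date, number) pair, listing which log types and FTP hosts appear.
    $Names | ConvertFrom-McLogName | Group-Object Date, Number | ForEach-Object {
        [pscustomobject]@{
            Date     = $_.Group[0].Date
            Number   = $_.Group[0].Number
            LogTypes = @($_.Group.LogType | Sort-Object -Unique) -join ', '
            FtpHosts = @($_.Group.FtpHost | Where-Object { $_ } | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Date, Number
}

# Sample input: the file names listed in the notes above.
$sample = @(
    '2021-04-03-(2244)-FileOperations.log', '2021-04-03-(2244)-Filesystem.log',
    '2021-04-03-(2244)-FTP-192.168.131.123.log', '2021-04-03-(2244)-MultiCommander.log',
    '2021-04-03-(4048)-FileOperations.log', '2021-04-03-(4048)-Filesystem.log',
    '2021-04-03-(4048)-FTP-192.168.131.123.log', '2021-04-03-(4048)-MultiCommander.log',
    '2021-04-03-(15376)-FileOperations.log', '2021-04-03-(15376)-Filesystem.log',
    '2021-04-03-(15376)-MultiCommander.log'
)
Get-McLogSummary -Names $sample | Format-Table -AutoSize

# Against collected evidence (paths as produced by the collection script above):
# Get-McLogSummary -Names (Get-ChildItem 'D:\Evidence\Multi_Commander_Log_Folder_*' -Recurse -Filter *.log).Name
```

On the sample names this yields three rows, of which the 2244 and 4048 rows list 192.168.131.123 as an FTP host and the 15376 row lists none.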