MultiCommander
Appsv1
Author: Andrew Rathbun
description
Multi Commander
paths
5 paths
AppsMulti Commander - Application Folder
C:\Users\%user%\AppData\Local\MultiCommander*\Locates the contents of the Application folder.
AppsMulti Commander - Config Folder
C:\Users\%user%\AppData\Roaming\MultiCommander*\Config\Locates the contents of the Config folder.
AppsMulti Commander - Log Folder
C:\Users\%user%\AppData\Roaming\MultiCommander*\Logs\Locates log file(s) related to user activity within Multi Commander.
AppsMulti Commander - UserData Folder
C:\Users\%user%\AppData\Roaming\MultiCommander*\UserData\Locates the contents of the UserData folder.
AppsMulti Commander - Log File
C:\Users\%user%\AppData\Roaming\MultiCommander*\*MultiCommander.logLocates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention.
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: MultiCommander
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. Multi Commander - Application Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\MultiCommander*\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Multi_Commander___Application_Folder"
# 2. Multi Commander - Config Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\MultiCommander*\Config\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Multi_Commander___Config_Folder"
# 3. Multi Commander - Log Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\MultiCommander*\Logs\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Multi_Commander___Log_Folder"
# 4. Multi Commander - UserData Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\MultiCommander*\UserData\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Multi_Commander___UserData_Folder"
# 5. Multi Commander - Log File
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\MultiCommander*\"
Collect-Artifact -SourcePath "$UserPath\*MultiCommander.log" -FolderName "Multi_Commander___Log_File"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1