NewsbinPro
Author: Andrew Rathbun
description
Newsbin Pro
paths
collection commands
# PowerShell Artifact Collection Script
# Target: NewsbinPro
# Run as Administrator
#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        # Source directory does not exist for this profile
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes below 8 mean no copy failure; 8 and above mean at least one failure
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Usenet Clients - Newsbin Pro
        $UserPath = "$($_.FullName)\AppData\Local\Newsbin"
        Collect-Artifact -SourceDir $UserPath -FileMask "Downloaded.db3" -FolderName "Usenet_Clients_Newsbin_Pro_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
During installation, the user is not provided an opportunity to choose the default download folder. However, the user can change it once Newsbin Pro is installed.
Default download location: C:\Users\%user%\Documents\Newsbin\.
In my testing, regardless of where an NZB file resides on your file system, the NZB is replicated into C:\Users\%user%\AppData\Local\Newsbin\Nzbs\%ParentDirectory%\filename.nzb.
As you can see, the parent directory is recreated in the \Nzbs\ directory. To further illustrate, if an NZB is used that's buried 10 folders deep, you will only see the name of the 10th folder recreated after \Nzbs\.
C:\Users\%user%\AppData\Local\Newsbin\Downloaded.db3 is a file that can be opened in a text editor to easily see what the user has attempted to download, regardless of completion status.
Please note, C:\Users\%user%\AppData\Local\Newsbin\ is the default path upon installation and can be easily changed by the user post-installation.
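The NZB replication described in the notes can be triaged with a short inventory pass; the following is an added example, not part of the original target or its collection script. The function name Get-NewsbinNzbInventory is hypothetical, the sample profile tree and NZB are constructed, and the script assumes the default Newsbin data path and the common NZB XML layout (file elements carrying a subject attribute), which the page itself does not describe.

```powershell
# Added example: inventory the NZB copies Newsbin Pro keeps under
# <profile>\AppData\Local\Newsbin\Nzbs\<ParentDirectory>\ (default path assumed).
function Get-NewsbinNzbInventory {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$UsersRoot)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore  # skip any DOCTYPE
    $settings.XmlResolver = $null                                 # no external fetches
    $settings.CloseInput = $true                                  # reader closes the file stream
    Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $user = $_.Name
        $nzbRoot = Join-Path $_.FullName 'AppData\Local\Newsbin\Nzbs'
        if (-not (Test-Path -LiteralPath $nzbRoot)) { return }    # move on to the next profile
        Get-ChildItem -LiteralPath $nzbRoot -Filter '*.nzb' -File -Recurse | ForEach-Object {
            $file = $_; $parsed = $true; $subjects = @()
            try {
                $reader = [System.Xml.XmlReader]::Create([System.IO.File]::OpenRead($file.FullName), $settings)
                try { $xml = New-Object System.Xml.XmlDocument; $xml.Load($reader) } finally { $reader.Dispose() }
                # local-name() matches <file> with or without the NZB namespace
                $subjects = @($xml.SelectNodes("//*[local-name()='file']") |
                    ForEach-Object { $_.GetAttribute('subject') })
            } catch { $parsed = $false }   # unreadable or non-XML file is still reported
            [pscustomobject]@{
                User         = $user
                ParentFolder = $file.Directory.Name   # last folder of the original NZB path
                NzbName      = $file.Name
                LastWriteUtc = $file.LastWriteTimeUtc
                Parsed       = $parsed
                Subjects     = $subjects -join '; '
            }
        }
    }
}

# Constructed sample: fake profile whose NZB originally sat in ...\Linux_ISOs\.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('nzbdemo_' + [guid]::NewGuid().ToString('N'))
$dir = Join-Path $root 'Users\alice\AppData\Local\Newsbin\Nzbs\Linux_ISOs'
$null = New-Item -ItemType Directory -Force -Path $dir
@'
<?xml version="1.0" encoding="UTF-8"?>
<nzb xmlns="http://www.newzbin.com/DTD/2003/nzb">
  <file poster="poster@example.invalid" date="1700000000" subject="sample.iso (1/1)">
    <groups><group>alt.binaries.example</group></groups>
    <segments><segment bytes="1024" number="1">constructed-id@example.invalid</segment></segments>
  </file>
</nzb>
'@ | Set-Content -LiteralPath (Join-Path $dir 'sample.nzb') -Encoding UTF8
Get-NewsbinNzbInventory -UsersRoot (Join-Path $root 'Users') | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Against real evidence, point -UsersRoot at the Users folder of a mounted image or collected copy; the ParentFolder column shows the one directory name that survives from the NZB's original location.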