Nicotine++
P2Pv1.1
Author: Andrew Rathbun
description
Nicotine++
paths
11 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: Nicotine++
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. Nicotine++ Logs
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\logs" -FolderName "Nicotine___Logs"
# 2. Nicotine++ Incomplete Downloads
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\incomplete" -FolderName "Nicotine___Incomplete_Downloads"
# 3. Nicotine++ Buddyfiles.db
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\" -FileMask "buddyfiles.db" -FolderName "Nicotine___Buddyfiles_db"
# 4. Nicotine++ Buddystreams.db
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\" -FileMask "buddystreams.db" -FolderName "Nicotine___Buddystreams_db"
# 5. Nicotine++ Buddymtimes.db
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\" -FileMask "buddymtimes.db" -FolderName "Nicotine___Buddymtimes_db"
# 6. Nicotine++ Buddyfileindex.db
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\" -FileMask "buddyfileindex.db" -FolderName "Nicotine___Buddyfileindex_db"
# 7. Nicotine++ Buddywordindex.db
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine" -FileMask "buddywordindex.db" -FolderName "Nicotine___Buddywordindex_db"
# 8. Nicotine++ Config Files
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\config" -FolderName "Nicotine___Config_Files"
# 9. Nicotine++ User Shares
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine\usershares" -FolderName "Nicotine___User_Shares"
# 10. Nicotine++ Downloads.json
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine" -FileMask "downloads.json*" -FolderName "Nicotine___Downloads_json"
# 11. Nicotine++ Uploads.json
Collect-Artifact -SourceDir "C:\Users\%User%\AppData\Roaming\nicotine" -FileMask "uploads.json*" -FolderName "Nicotine___Uploads_json"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.