Nicotine++
Author: Andrew Rathbun
description
Nicotine++
paths
C:\Users\%User%\AppData\Roaming\nicotine\logs — Locates Nicotine++ chat logs, room logs, transfer logs, and debug logs (if enabled)
C:\Users\%User%\AppData\Roaming\nicotine\incomplete — Locates files that did not finish downloading
C:\Users\%User%\AppData\Roaming\nicotine\buddyfiles.db — Locates a DB that appears to include shared files from a user's buddy list
C:\Users\%User%\AppData\Roaming\nicotine\buddystreams.db — Locates a DB that appears to include shared files from a user's buddy list
C:\Users\%User%\AppData\Roaming\nicotine\buddymtimes.db — Locates a DB that appears to enumerate, at the folder level, which files the user is sharing with their buddy list
C:\Users\%User%\AppData\Roaming\nicotine\buddyfileindex.db — Locates a DB that appears to enumerate, at the file level, which files the user is sharing with their buddy list
C:\Users\%User%\AppData\Roaming\nicotine\buddywordindex.db — Purpose unknown at this time
C:\Users\%User%\AppData\Roaming\nicotine\config — Locates config files
C:\Users\%User%\AppData\Roaming\nicotine\usershares — Locates a DB that appears to store, per remote user, the list of files that user is sharing within Nicotine++. Note: an entry exists only after the local user has right-clicked that user and browsed their shared files
C:\Users\%User%\AppData\Roaming\nicotine\downloads.json* — Locates downloads.json
C:\Users\%User%\AppData\Roaming\nicotine\uploads.json* — Locates uploads.json
collection commands
# PowerShell Artifact Collection Script
# Target: Nicotine++
# Run as Administrator
#Requires -RunAsAdministrator
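# Keep non-terminating errors visible. With "SilentlyContinue" a failed copy
# (missing path, locked file, access denied) leaves no trace on screen, and the
# run would look successful even when nothing was collected.
$ErrorActionPreference = "Continue"
# Root folder that receives the collected copies. It sits on a different drive
# letter than the C:\ sources; adjust it to the collection media in use.
$DestBase = "D:\Evidence"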
# Function to handle directory creation and copying
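function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact (a file, a wildcard match or a folder's contents) into a
    named folder under $DestBase.

    .DESCRIPTION
    If SourcePath contains the literal placeholder %User%, the text before the
    placeholder is treated as the profiles root (for example C:\Users\) and the
    artifact is collected once per profile folder found there, each into its own
    sub-folder named after the profile. PowerShell does not expand %...% syntax,
    so without this step Copy-Item would look for a folder literally called
    "%User%" and find nothing.

    A SourcePath without the placeholder is copied as given.

    A warning is written when no source matched or when Copy-Item reported
    errors, so an empty result is not mistaken for a successful collection.

    .PARAMETER SourcePath
    Path or wildcard pattern of the artifact; may contain %User%.

    .PARAMETER FolderName
    Name of the folder to create under $DestBase for this artifact.
    #>
    param (
        [string]$SourcePath,
        [string]$FolderName
    )

    $placeholder = '%User%'
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    # The artifact folder is always created, so the evidence tree records that
    # this artifact was attempted even when nothing was found.
    if (-not (Test-Path -LiteralPath $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }

    # Build the list of (source, destination) pairs to copy.
    $copyJobs = @()
    $markerAt = $SourcePath.IndexOf($placeholder, [System.StringComparison]::OrdinalIgnoreCase)
    if ($markerAt -ge 0) {
        $profilesRoot = $SourcePath.Substring(0, $markerAt)
        $remainder = $SourcePath.Substring($markerAt + $placeholder.Length)
        # -Force includes hidden profile folders.
        $userDirs = Get-ChildItem -LiteralPath $profilesRoot -Directory -Force -ErrorAction SilentlyContinue
        foreach ($userDir in $userDirs) {
            $copyJobs += [pscustomobject]@{
                Source = $profilesRoot + $userDir.Name + $remainder
                # One sub-folder per profile keeps -Force from overwriting one
                # user's files with another user's files of the same name.
                Dest   = Join-Path -Path $FullDest -ChildPath $userDir.Name
            }
        }
    }
    else {
        $copyJobs += [pscustomobject]@{ Source = $SourcePath; Dest = $FullDest }
    }

    $matched = 0
    foreach ($job in $copyJobs) {
        # Skip profiles that do not hold this artifact.
        if (-not (Test-Path -Path $job.Source)) { continue }
        $matched++

        if (-not (Test-Path -LiteralPath $job.Dest)) {
            New-Item -ItemType Directory -Path $job.Dest -Force | Out-Null
        }

        $copyErrors = @()
        Copy-Item -Path $job.Source -Destination $job.Dest -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable copyErrors
        if ($copyErrors.Count -gt 0) {
            Write-Warning ("{0}: {1} error(s) copying '{2}' - first: {3}" -f `
                $FolderName, $copyErrors.Count, $job.Source, $copyErrors[0])
        }
    }

    if ($matched -eq 0) {
        Write-Warning ("{0}: nothing found for '{1}'" -f $FolderName, $SourcePath)
    }
}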
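# NOTE: %User% is the target template's per-profile placeholder. PowerShell does
# not expand %...% syntax, so it has to be resolved to real profile folder names
# before Copy-Item sees the path.
# NOTE: this is a live, file-level copy. Files held open by a running Nicotine++
# process may fail to copy, and a copy does not carry over every original
# timestamp; record that in the collection notes.

# 1. Nicotine++ Logs
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\logs\*" -FolderName "Nicotine___Logs"
# 2. Nicotine++ Incomplete Downloads
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\incomplete\*" -FolderName "Nicotine___Incomplete_Downloads"
# 3. Nicotine++ Buddyfiles.db
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\buddyfiles.db" -FolderName "Nicotine___Buddyfiles_db"
# 4. Nicotine++ Buddystreams.db
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\buddystreams.db" -FolderName "Nicotine___Buddystreams_db"
# 5. Nicotine++ Buddymtimes.db
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\buddymtimes.db" -FolderName "Nicotine___Buddymtimes_db"
# 6. Nicotine++ Buddyfileindex.db
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\buddyfileindex.db" -FolderName "Nicotine___Buddyfileindex_db"
# 7. Nicotine++ Buddywordindex.db
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\buddywordindex.db" -FolderName "Nicotine___Buddywordindex_db"
# 8. Nicotine++ Config Files
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\config\*" -FolderName "Nicotine___Config_Files"
# 9. Nicotine++ User Shares
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\usershares\*" -FolderName "Nicotine___User_Shares"
# 10. Nicotine++ Downloads.json
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\downloads.json*" -FolderName "Nicotine___Downloads_json"
# 11. Nicotine++ Uploads.json
Collect-Artifact -SourcePath "C:\Users\%User%\AppData\Roaming\nicotine\uploads.json*" -FolderName "Nicotine___Uploads_json"

# Report success only if files actually landed in the Nicotine___* folders, and
# record a SHA-256 of each collected copy so later changes to the copies can be
# detected. The hashes describe the copies as collected, not the originals.
$collected = Get-ChildItem -Path (Join-Path -Path $DestBase -ChildPath 'Nicotine___*') -Recurse -File -Force -ErrorAction SilentlyContinue
if ($collected) {
    $collected | Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path -Path $DestBase -ChildPath 'SHA256_Nicotine.csv') -NoTypeInformation
    Write-Host "Collection complete!" -ForegroundColor Green
}
else {
    Write-Warning "No Nicotine++ files were collected under $DestBase - check the source paths and the profile names."
}

# Usage: save as .ps1 and run as Administrator:
#   powershell -ExecutionPolicy Bypass -File script.ps1
# The -ExecutionPolicy switch applies only to that one powershell.exe process;
# it does not change the machine or user execution policy.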
Open in CyberChef to decode values extracted from this artifact.