Nicotine++
P2Pv1.1
Author: Andrew Rathbun
description
Nicotine++
paths
11 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: Nicotine++
# Run as Administrator
#Requires -RunAsAdministrator
# Non-terminating errors are reported and skipped so one unreadable
# artifact does not abort the rest of the collection.
$ErrorActionPreference = "Continue"
# Drive whose \Users tree is enumerated for profiles.
$SourceRoot = "C:"
# Root of the evidence tree; every artifact lands in its own sub-folder here.
$DestBase = "D:\Evidence"
# Run counters, incremented in place by Collect-Artifact and printed at the end.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
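function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact location into a named folder under $DestBase with robocopy.
    .DESCRIPTION
    $SourceDir may contain wildcards in any path segment (e.g. 'Program Files*');
    every matching directory is copied. A source that does not exist is counted
    in $Summary.Missed instead of being treated as an error, so one absent
    artifact does not stop the run. File data, attributes and timestamps as well
    as directory timestamps are preserved so the copy stays usable as evidence.
    .PARAMETER SourceDir
    Directory to collect from; expanded with Get-Item -Path, so wildcards apply.
    .PARAMETER FolderName
    Sub-folder created under $DestBase that receives the copy.
    .PARAMETER FileMask
    robocopy file mask applied to every matched source (default: all files).
    Note that /E still recurses, so the mask is also matched in sub-directories
    and empty sub-directories are recreated in the destination.
    .NOTES
    Reads the script-scope $DestBase and mutates the script-scope $Summary
    hashtable (the object is shared by reference, so no scope modifier is
    needed). Counters are per matched source directory, not per file.
    robocopy exit codes below 8 are informational bit flags (0 = nothing to
    copy, 1 = files copied, ...); 8 and above mean at least one copy failed,
    e.g. a file locked by a running Nicotine++ client, since /R:0 disables retries.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment; robocopy does not glob its source.
    # Anything that matched but is a file is dropped so only directories go on.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        # Absent artifact: recorded, not an error, and the run continues.
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    # -Force makes this a no-op when the folder already exists.
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    # Options built once and splatted onto every call:
    #   /E           recurse, including empty sub-directories
    #   /COPY:DAT    file data, attributes and timestamps
    #   /DCOPY:T     directory timestamps too (/COPY:DAT does not cover them)
    #   /R:0 /W:0    fail fast on locked files instead of stalling the collection
    #   /NP ... /NJS suppress progress and per-file/job output
    $robocopyOptions = @('/E', '/COPY:DAT', '/DCOPY:T', '/R:0', '/W:0', '/NP', '/NFL', '/NDL', '/NJH', '/NJS')
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" @robocopyOptions 2>$null | Out-Null
        # robocopy: 0-7 = success/informational flags, 8 and above = failure.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}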
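# Iterate every user profile under the source drive. Built-in and template
# profiles hold no Nicotine++ data and are skipped.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Collect-Artifact resolves its source with Get-Item -Path, which treats
        # '[' and ']' as wildcard characters. Escape the profile path so a user
        # name containing brackets still resolves to its own directory instead
        # of silently being counted as missed.
        $ProfileRoot = [System.Management.Automation.WildcardPattern]::Escape($_.FullName)
        $NicotineRoot = "$ProfileRoot\AppData\Roaming\nicotine"

        # Sub-folders collected whole: logs, partial downloads, config, share index.
        Collect-Artifact -SourceDir "$NicotineRoot\logs" -FolderName "Nicotine_Logs_$UserName"
        Collect-Artifact -SourceDir "$NicotineRoot\incomplete" -FolderName "Nicotine_Incomplete_Downloads_$UserName"
        Collect-Artifact -SourceDir "$NicotineRoot\config" -FolderName "Nicotine_Config_Files_$UserName"
        Collect-Artifact -SourceDir "$NicotineRoot\usershares" -FolderName "Nicotine_User_Shares_$UserName"

        # Single files under the nicotine root, each into its own evidence folder.
        # The .db masks are exact names; the .json masks also pick up any
        # suffixed copies (e.g. backups) sitting next to the live file.
        # [ordered] keeps the collection order stable between runs.
        $RootFiles = [ordered]@{
            'buddyfiles.db'     = 'Nicotine_Buddyfiles_db'
            'buddystreams.db'   = 'Nicotine_Buddystreams_db'
            'buddymtimes.db'    = 'Nicotine_Buddymtimes_db'
            'buddyfileindex.db' = 'Nicotine_Buddyfileindex_db'
            'buddywordindex.db' = 'Nicotine_Buddywordindex_db'
            'downloads.json*'   = 'Nicotine_Downloads_json'
            'uploads.json*'     = 'Nicotine_Uploads_json'
        }
        foreach ($mask in $RootFiles.Keys) {
            Collect-Artifact -SourceDir $NicotineRoot -FileMask $mask -FolderName "$($RootFiles[$mask])_$UserName"
        }
    }
# Counters are per artifact location (see Collect-Artifact), not per file.
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1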
references
notes
Soulseek is a very popular file sharing client. It's most commonly used for sharing MP3s amongst music enthusiasts. However, any file type can be shared, naturally.
Nicotine++ is simply a more modern GUI for Soulseek.
Some logs, like with Soulseek, are stored as .dat files. Open with your favorite text editor that's not named Notepad or Wordpad and you should have an easy enough time using Ctrl+F to search for relevant data.
Chats are stored in plaintext. These can be opened in any text editor and are human readable.