OneCommander

Appsv1

Author: Andrew Rathbun

description

One Commander

paths

2 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: OneCommander
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # One Commander - All Configuration Files
        $UserPath = "$($_.FullName)\OneCommander"
        Collect-Artifact -SourceDir $UserPath -FolderName "One_Commander_All_Configuration_Files_$UserName"
        # One Commander - Other Configuration Files
        $UserPath = "$($_.FullName)\AppData\Local\Apps\2.0\*\*\onec*"
        Collect-Artifact -SourceDir $UserPath -FolderName "One_Commander_Other_Configuration_Files_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

onecommander.com https://onecommander.com/

notes

One Commander is a freeware file manager similar to Total Commander.

\%user%\OneCommander\Logs\OCLog20210404.txt will have a play by play of user activity, however, it doesn't appear to be as verbose as one would expect. I've yet to see exact folder paths specified within this file in my limited testing.

.\%user\OneCommander\Settings\OneCommanderV3.json will have the name of the user's PC.

included in collections

FileExplorerReplacements

// description

// paths

// collection commands

// references

// notes

// included in collections