PeaZip

Author: Andrew Rathbun

description

PeaZip

paths

1 path: C:\Users\%user%\AppData\Roaming\PeaZip\
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: PeaZip
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*');
    # robocopy itself does not glob the source path.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # PeaZip Configuration Files
        $UserPath = "$($_.FullName)\AppData\Roaming\PeaZip"
        Collect-Artifact -SourceDir $UserPath -FolderName "PeaZip_Configuration_Files_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

notes

This directory contained the following files in my research VM:

C:\Users\*\AppData\Roaming\PeaZip\conf-lastgood.txt
C:\Users\*\AppData\Roaming\PeaZip\custedit.txt
C:\Users\*\AppData\Roaming\PeaZip\bookmarks.txt
C:\Users\*\AppData\Roaming\PeaZip\conf.txt

The two conf*.txt files contained a history of archives that were recently opened with PeaZip.

The two files were identical to each other and had roughly 650 lines of data after about 10 minutes of testing with PeaZip. Expect much more for a user who uses PeaZip as their primary archiving program.

Bookmarks.txt appeared to contain entries for the default bookmarks that ship with PeaZip as well as user-added bookmarks.

Within this file, it stores the equivalent of a Shellbags-esque timestamp for the first time the user navigated to the bookmark and for the last time.

The most recently visited timestamp is overwritten each time the user visits that bookmark, and a number above the timestamps is incremented for each visit.

For instance, my Bookmarks.txt had this entry:

4
2021-03-28 15:37:36
2021-03-28 11:02:20
0
C:\Users\%user%\Downloads
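As an added example (not part of this KAPE target or of PeaZip itself), a small Python parser for the bookmarks.txt layout described in these notes, turning each record into a timeline of first/last visits. The five-line record structure, the order of the two timestamps (last visited before first visited, inferred from the sample entry) and the meaning of the fourth line are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Record layout inferred from the single entry quoted in the notes above (an
# assumption, not documented by PeaZip):
#   line 1: visit count        (incremented on every visit)
#   line 2: last-visited time  (overwritten on every visit)
#   line 3: first-visited time
#   line 4: unknown field      ("0" in the sample; kept verbatim)
#   line 5: bookmarked path
RECORD_LINES = 5
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: the entry quoted in the notes plus one made-up record.
SAMPLE_BOOKMARKS = """4
2021-03-28 15:37:36
2021-03-28 11:02:20
0
C:\\Users\\%user%\\Downloads
1
2021-03-29 09:00:05
2021-03-29 09:00:05
0
E:\\archives
"""

@dataclass
class Bookmark:
    visits: int
    last_visited: datetime
    first_visited: datetime
    unknown: str
    path: str

def parse_bookmarks(text: str) -> list:
    """Split the file into fixed-size records, dropping any that do not fit."""
    lines = [ln for ln in text.splitlines() if ln.strip()]  # blank lines assumed insignificant
    records = []
    for i in range(0, len(lines) - RECORD_LINES + 1, RECORD_LINES):
        c = lines[i:i + RECORD_LINES]
        try:
            records.append(Bookmark(int(c[0]), datetime.strptime(c[1], TS_FORMAT),
                                    datetime.strptime(c[2], TS_FORMAT), c[3], c[4]))
        except ValueError:
            continue  # malformed record: skip rather than misattribute timestamps
    return records

def timeline(bookmarks: list) -> list:
    """Flatten to (timestamp, event, path) tuples in chronological order for review."""
    events = [(b.first_visited, "first_visit", b.path) for b in bookmarks]
    events += [(b.last_visited, "last_visit", b.path) for b in bookmarks if b.last_visited != b.first_visited]
    return sorted(events)
```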