ProgramExecution
Compound v1
Author: Max Zabuty
description
Program Execution Triage Collection
includes (12)
paths
34 paths from 12 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: ProgramExecution
# Run as Administrator
#Requires -RunAsAdministrator
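# Non-terminating errors are reported but do not stop the run: one missing or
# locked artifact must not abort the whole collection.
$ErrorActionPreference = "Continue"
# Drive to collect from: 'C:' for the live system, another letter for a mounted
# image. Used when building source paths below.
$SourceRoot = "C:"
# Root of the evidence tree; every artifact gets its own sub-folder beneath it.
$DestBase = "D:\Evidence"
# Run tally, updated in place by Collect-Artifact (a hashtable is a reference
# type, so the function mutates this very instance):
#   Copied - robocopy run that ended with exit code <= 7
#   Missed - source directory not present on this host
#   Errors - robocopy exit code >= 8 (at least one file could not be copied)
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
# Fail early if the evidence root cannot be created (wrong drive letter,
# read-only media); otherwise every later copy would silently count as an error.
$null = New-Item -ItemType Directory -Force -Path $DestBase -ErrorAction Stop
# Refuse to write evidence onto the volume being collected from: doing so
# overwrites unallocated space and alters the system under examination.
if ((Split-Path -Qualifier $DestBase) -eq $SourceRoot) {
    throw "Destination '$DestBase' is on the source drive '$SourceRoot'; use removable or network storage."
}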
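function Collect-Artifact {
<#
.SYNOPSIS
  Copies one artifact location (directory plus file mask) into the evidence tree.
.DESCRIPTION
  $SourceDir may contain wildcards in any path segment (e.g. 'Program Files*',
  'Windows*\System32'); every directory it resolves to is copied with robocopy,
  which does not glob the source path itself.
  Each resolved directory is mirrored under $DestBase\$FolderName\<drive-relative
  source path>. This keeps a file that exists in two places (a live C:\Windows
  and a C:\Windows.old, or several wildcard matches) as two copies instead of
  letting the second robocopy run silently overwrite the first.
.PARAMETER SourceDir
  Directory to copy from; wildcards allowed in any segment.
.PARAMETER FolderName
  Sub-folder of $DestBase that receives the copies.
.PARAMETER FileMask
  robocopy file mask, default '*'. Matching is recursive (/E).
.OUTPUTS
  None. Increments $Summary.Copied, .Missed or .Errors (script-scope hashtable).
.NOTES
  Files held open exclusively (e.g. a registry hive such as Amcache.hve while
  it is loaded) are typically not copyable by robocopy even in backup mode;
  they show up as Errors and need a VSS snapshot or a raw-read copier.
#>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Only directories are copy sources; a missing path yields nothing.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    foreach ($src in $sources) {
        # Strip the drive prefix ('C:\') so 'C:\Windows\prefetch' lands in
        # <FolderName>\Windows\prefetch and 'C:\Windows.old\Windows\prefetch'
        # in <FolderName>\Windows.old\Windows\prefetch.
        $relative = $src.FullName -replace '^[A-Za-z]:\\', ''
        $target = Join-Path -Path $FullDest -ChildPath $relative
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue
        # /B        backup semantics so ACL-restricted locations such as
        #           'System Volume Information' can be read (SeBackupPrivilege,
        #           held by the Administrators group the script requires)
        # /E        recurse including empty directories
        # /COPY:DAT data, attributes and timestamps
        # /R:0 /W:0 no retries: a locked file fails fast instead of stalling
        # Remaining switches silence per-file output; stderr is discarded.
        robocopy $src.FullName $target "$FileMask" /B /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are success/informational bit flags;
        # 8 and above mean at least one file or directory failed.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}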
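# System-wide (not per-user) artifact locations. Each entry is splatted into
# Collect-Artifact; entries without FileMask copy everything under the path.
# Paths are built from $SourceRoot so the same list can be pointed at a mounted
# image; with the default 'C:' they are the live-system paths.
# C:\Windows.old entries cover the previous installation left by an upgrade.
$SystemArtifacts = @(
    # 1-2. Amcache
    @{ SourceDir = "$SourceRoot\Windows\AppCompat\Programs";             FileMask = 'Amcache.hve';         FolderName = 'Amcache' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows\AppCompat\Programs"; FileMask = 'Amcache.hve';         FolderName = 'Amcache' }
    # 3-4. Amcache transaction files
    @{ SourceDir = "$SourceRoot\Windows\AppCompat\Programs";             FileMask = 'Amcache.hve.LOG*';    FolderName = 'Amcache_transaction_files' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows\AppCompat\Programs"; FileMask = 'Amcache.hve.LOG*';    FolderName = 'Amcache_transaction_files' }
    # 5. AppCompat PCA folder
    @{ SourceDir = "$SourceRoot\Windows\appcompat\pca";                                                    FolderName = 'AppCompat_PCA_Folder' }
    # 6-7. Prefetch
    @{ SourceDir = "$SourceRoot\Windows\prefetch";                       FileMask = '*.pf';                FolderName = 'Prefetch' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows\prefetch";           FileMask = '*.pf';                FolderName = 'Prefetch' }
    # 8-9. RecentFileCache
    @{ SourceDir = "$SourceRoot\Windows\AppCompat\Programs";             FileMask = 'RecentFileCache.bcf'; FolderName = 'RecentFileCache' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows\AppCompat\Programs"; FileMask = 'RecentFileCache.bcf'; FolderName = 'RecentFileCache' }
    # 10-11. Syscache and its transaction files (ACL-restricted directory)
    @{ SourceDir = "$SourceRoot\System Volume Information";              FileMask = 'Syscache.hve';        FolderName = 'Syscache' }
    @{ SourceDir = "$SourceRoot\System Volume Information";              FileMask = 'Syscache.hve.LOG*';   FolderName = 'Syscache_transaction_files' }
    # 12-15. PowerShell transcripts - observed (non-default) locations
    @{ SourceDir = "$SourceRoot\Windows\SysWOW64\*";                                   FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = "$SourceRoot\Program Files\Amazon\Ec2ConfigService\Scripts\*";     FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = "$SourceRoot\Windows\System32\*";                                   FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    @{ SourceDir = "$SourceRoot\PSTranscript\20*";                                     FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    # 16-17. PSReadLine console history for the SYSTEM profile (native and WOW64)
    @{ SourceDir = "$SourceRoot\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine"; FileMask = '*_history.txt'; FolderName = 'PowerShell_Console_Log_Systemprofile' }
    @{ SourceDir = "$SourceRoot\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine"; FileMask = '*_history.txt'; FolderName = 'PowerShell_Console_Log_WOW64_Systemprofile' }
    # 18-19. WBEM repository
    @{ SourceDir = "$SourceRoot\Windows\System32\wbem\Repository";                                         FolderName = 'WBEM' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows\System32\wbem\Repository";                             FolderName = 'WBEM' }
    # 20. Windows Error Reporting (system scope)
    @{ SourceDir = "$SourceRoot\ProgramData\Microsoft\Windows\WER";                                        FolderName = 'WER_Files' }
    # 21-22. Crash dumps anywhere under the Windows directory (recursive)
    @{ SourceDir = "$SourceRoot\Windows";                                FileMask = '*.dmp';               FolderName = 'Crash_Dumps' }
    @{ SourceDir = "$SourceRoot\Windows.old\Windows";                    FileMask = '*.dmp';               FolderName = 'Crash_Dumps' }
    # 23. .NET CLR usage logs (system-scoped)
    @{ SourceDir = "$SourceRoot\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*"; FileMask = '*.log'; FolderName = 'NET_CLR_UsageLogs_system_scoped' }
)
foreach ($artifact in $SystemArtifacts) {
    Collect-Artifact @artifact
}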
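# Per-user artifact locations, expressed relative to each profile directory.
# The list is applied to every profile under $SourceRoot\Users; FolderName is
# suffixed with the profile name so evidence from different users never shares
# a folder. Entries without FileMask copy everything under the path.
$UserArtifacts = @(
    # PowerShell transcripts - default location, then date-named sub-folders
    @{ Path = 'Documents';                                                FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Default_Location' }
    @{ Path = 'Documents\20*';                                            FileMask = 'PowerShell_transcript.*.txt'; FolderName = 'PowerShell_Transcripts_Observed_Location' }
    # PSReadLine console history
    @{ Path = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline';  FileMask = '*_history.txt';               FolderName = 'PowerShell_Console_Log' }
    # PowerShell ISE auto-save files and user config
    @{ Path = 'AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles'; FileMask = '*.ps1';    FolderName = 'PowerShell_ISE_AutoSave_Files' }
    @{ Path = 'AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*';               FileMask = '*.config'; FolderName = 'PowerShell_ISE_User_Config' }
    # Windows Error Reporting (user scope) and crash dumps
    @{ Path = 'AppData\Local\Microsoft\Windows\WER';                                                                 FolderName = 'WER_Files' }
    @{ Path = 'AppData\Local\CrashDumps';                                 FileMask = '*.dmp';                       FolderName = 'Crash_Dumps' }
    # Windows Timeline database
    @{ Path = 'AppData\Local\ConnectedDevicesPlatform';                   FileMask = 'ActivitiesCache.db*';         FolderName = 'ActivitiesCache_db' }
    # Jump lists: automatic and custom destinations kept in separate folders
    # so the provenance of each file is unambiguous
    @{ Path = 'AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations';                                      FolderName = 'JumpLists_from_AutomaticDestinations' }
    @{ Path = 'AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations';                                         FolderName = 'JumpLists_from_CustomDestinations' }
    # .NET CLR usage logs (user-scoped)
    @{ Path = 'AppData\Local\Microsoft\CLR_*';                            FileMask = '*.log';                       FolderName = 'NET_CLR_UsageLogs_user_scoped' }
)
# Built-in template and shared profiles hold no interactive user activity.
$SkippedProfiles = @('All Users', 'Default', 'Default User', 'Public')
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $SkippedProfiles } |
    ForEach-Object {
        $UserName = $_.Name
        $ProfileRoot = $_.FullName
        foreach ($artifact in $UserArtifacts) {
            $splat = @{
                SourceDir  = "$ProfileRoot\$($artifact.Path)"
                FolderName = "$($artifact.FolderName)_$UserName"
            }
            # Leave FileMask unset so Collect-Artifact's default ('*') applies.
            if ($artifact.ContainsKey('FileMask')) { $splat.FileMask = $artifact.FileMask }
            Collect-Artifact @splat
        }
    }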
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 12 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
Collecting different artifacts related to program execution on the host