ProtonVPN
Author: Andrew Rathbun, AlliedPterodactyl
description
ProtonVPN
paths
collection commands
# PowerShell Artifact Collection Script
# Target: ProtonVPN
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # robocopy exit codes 0-7 mean success or partial success; 8 and above indicate copy failures
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. ProtonVPN - Service Logs
Collect-Artifact -SourceDir "C:\Program Files\Proton\VPN\v*\ServiceData\Logs" -FolderName "ProtonVPN_Service_Logs"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name

        # ProtonVPN - Connection Logs
        $UserPath = "$($_.FullName)\AppData\Local\ProtonVPN\Logs"
        Collect-Artifact -SourceDir $UserPath -FolderName "ProtonVPN_Connection_Logs_$UserName"

        # ProtonVPN - Connection Logs (alternate client install path; same output folder)
        $UserPath = "$($_.FullName)\AppData\Local\Proton\Proton VPN\Logs"
        Collect-Artifact -SourceDir $UserPath -FolderName "ProtonVPN_Connection_Logs_$UserName"

        # ProtonVPN - Configuration
        $UserPath = "$($_.FullName)\AppData\Local\Proton\Proton VPN\Storage"
        Collect-Artifact -SourceDir $UserPath -FolderName "ProtonVPN_Configuration_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
ProtonVPN is a VPN application made by the people who make ProtonMail.
Logs are stored at the above locations and, while they don't provide much information that can be parsed, they do let you see when the user was connected to ProtonVPN.
Logs appear to follow the naming convention app.YYYY.MM.DD.0.txt, with one log per day; the 0 presumably increments if the log gets too large.
When I tested connecting to VPN and then disconnecting shortly thereafter, I found the following entries in the app.txt file:
2020-09-04 06:48:29.1233 INFO Connect requested
2020-09-04 06:48:43.6800 INFO Disconnect requested
Target v1.1, tested with Proton VPN v4.3.11
- Log file names are now client-logs.txt and service-logs.txt respectively, with logs rolling over at ~400KB and the old file renamed to e.g. client-logs.1.txt
- client-logs.txt includes connection events, the connected VPN server's external IP and window focus; service-logs.txt includes the VPN connection RemoteIP and the WireGuard server IP
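Turning the collected logs into a connection timeline, as an added example (Python; not part of the original target or of the KAPE or Proton VPN projects): it recognises both the legacy app.YYYY.MM.DD.N.txt names and the client-logs.txt / service-logs.txt rollover names described above, parses the "Connect requested" / "Disconnect requested" entries quoted in the notes, and treats a connect with no later disconnect as a still-open session. The sample log is constructed; only its first two lines are the entries quoted above.

```python
import re
from datetime import datetime

# Constructed sample in the app.YYYY.MM.DD.0.txt format from the notes above; the first
# two lines are the entries quoted there, the rest (including the final open-ended
# connect) are made up to exercise the pairing logic.
SAMPLE_LOG = """\
2020-09-04 06:48:29.1233 INFO Connect requested
2020-09-04 06:48:43.6800 INFO Disconnect requested
2020-09-04 07:10:02.0001 INFO Connect requested
2020-09-04 07:10:05.5000 WARN Unrelated message that must be ignored
2020-09-04 08:00:00.0000 INFO Disconnect requested
2020-09-04 09:15:00.0000 INFO Connect requested
"""

# File-name conventions described in the notes: legacy app.YYYY.MM.DD.N.txt and the
# v4 client-logs.txt / service-logs.txt with .N rollover suffixes (e.g. client-logs.1.txt).
LOG_NAME_RE = re.compile(
    r"^(?:app\.\d{4}\.\d{2}\.\d{2}\.\d+|(?:client|service)-logs(?:\.\d+)?)\.txt$")
# "<date> <time>.<fraction> <LEVEL> <message>" as in the quoted entries.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\w+)\s+(.*)$")

def is_protonvpn_log(name):
    """True if a file name matches one of the ProtonVPN log naming conventions."""
    return LOG_NAME_RE.match(name) is not None

def parse_lines(text):
    """Yield (timestamp, level, message) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2), m.group(3)

def build_sessions(text):
    """Pair each 'Connect requested' with the next 'Disconnect requested'; a connect
    with no later disconnect (still connected, or a repeated connect) gets end=None."""
    sessions, start = [], None
    for ts, _level, msg in parse_lines(text):
        if msg == "Connect requested":
            if start is not None:
                sessions.append({"start": start, "end": None, "seconds": None})
            start = ts
        elif msg == "Disconnect requested" and start is not None:
            sessions.append({"start": start, "end": ts, "seconds": (ts - start).total_seconds()})
            start = None
    if start is not None:
        sessions.append({"start": start, "end": None, "seconds": None})
    return sessions
```

Run build_sessions over each file for which is_protonvpn_log is true, sorted by name, to get per-day connect/disconnect intervals with durations in seconds.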