
RemoteDesktopManager

Author: ogmini

description

A Target to collect files that are related to Remote Desktop Manager from Devolutions

paths

6 paths
Configuration — SQLite Data Sources
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\*.db

SQLite database of connections and settings. Connections.db is the default. There can be others in different locations. This will only pick up db files in the default location.

Configuration — XML Data Sources
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\*.xml

XML of connections and settings. Connections.xml is the default. There can be others in different locations. This will only pick up XML files in the default location.

Logs — Connections.log
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\Connections.log

Log file for connections.

Configuration — RemoteDesktopManager.cfg
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.cfg

Configuration settings.

XML — Most Recently Used XML
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\*\Mru.xml

XML file of most recently used connections.

XML — Favorites XML
C:\Users\%user%\AppData\Local\Devolutions\RemoteDesktopManager\*\Favorites.xml

XML file of Favorited connections.

paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: RemoteDesktopManager
# Run as Administrator

#Requires -RunAsAdministrator

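# Root folder for collected evidence. Defaults to D:\Evidence; override with
# "-DestBase <path>" when invoking the script. Each artifact is copied into its
# own sub-folder beneath this root.
param (
    [string]$DestBase = "D:\Evidence"
)

# Report non-terminating errors (access denied, locked files, missing paths)
# instead of hiding them. "Continue" still lets the remaining steps run, so one
# failed artifact does not abort the collection, but the failure is visible in
# the console output and can be recorded with the evidence.
$ErrorActionPreference = "Continue"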

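# Copies every file matching $SourcePath (wildcards allowed) into
# $DestBase\$FolderName, creating that folder on first use.
# Arguments: -SourcePath  file path or wildcard pattern to collect
#            -FolderName  sub-folder under the script-scope $DestBase
# Outputs:   a warning on the warning stream when $SourcePath matches nothing;
#            otherwise nothing is written to the console
# Reads:     $DestBase (script scope)
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    # -LiteralPath: the destination name must never be interpreted as a wildcard.
    if (-not (Test-Path -LiteralPath $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    # Say so explicitly when an artifact is absent: "no Connections.log for this
    # user" is itself a finding worth recording, and depending on the script's
    # $ErrorActionPreference setting Copy-Item might otherwise fail without a trace.
    if (-not (Test-Path -Path $SourcePath)) {
        Write-Warning "No files matched '$SourcePath'; skipping $FolderName"
        return
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}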

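# Per-user RDM data folder. NOTE(review): only the profile of the account running
# this script ($env:USERPROFILE) is collected; other profiles under C:\Users are
# not visited, so run the script once per user of interest if several accounts
# use RDM on the host.
$RdmBase = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager"

# Artifact table: pattern relative to $RdmBase -> destination folder name.
# The base path is computed once instead of being re-derived before each copy,
# and Join-Path assembles the "*\" entries so they no longer end up with a
# doubled separator ("...\*\\Mru.xml") as the old trailing-backslash form did.
$Artifacts = @(
    @{ Pattern = "*.db";                     Folder = "SQLite_Data_Sources" }      # 1. SQLite Data Sources
    @{ Pattern = "*.xml";                    Folder = "XML_Data_Sources" }         # 2. XML Data Sources
    @{ Pattern = "Connections.log";          Folder = "Connections_log" }          # 3. Connections.log
    @{ Pattern = "RemoteDesktopManager.cfg"; Folder = "RemoteDesktopManager_cfg" } # 4. RemoteDesktopManager.cfg
    @{ Pattern = "*\Mru.xml";                Folder = "Most_Recently_Used_XML" }   # 5. Most Recently Used XML
    @{ Pattern = "*\Favorites.xml";          Folder = "Favorites_XML" }            # 6. Favorites XML
)

foreach ($Artifact in $Artifacts) {
    $SourcePath = Join-Path -Path $RdmBase -ChildPath $Artifact.Pattern
    Collect-Artifact -SourcePath $SourcePath -FolderName $Artifact.Folder
}

Write-Host "Collection complete!" -ForegroundColor Green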

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references