RemoteDesktopManager

# PowerShell Artifact Collection Script
# Target: RemoteDesktopManager
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. SQLite Data Sources
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager"
Collect-Artifact -SourceDir "$UserPath" -FileMask "*.db" -FolderName "SQLite_Data_Sources"

# 2. XML Data Sources
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager"
Collect-Artifact -SourceDir "$UserPath" -FileMask "*.xml" -FolderName "XML_Data_Sources"

# 3. Connections.log
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Connections.log" -FolderName "Connections_log"

# 4. RemoteDesktopManager.cfg
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager"
Collect-Artifact -SourceDir "$UserPath" -FileMask "RemoteDesktopManager.cfg" -FolderName "RemoteDesktopManager_cfg"

# 5. Most Recently Used XML
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Mru.xml" -FolderName "Most_Recently_Used_XML"

# 6. Favorites XML
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Devolutions\RemoteDesktopManager\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Favorites.xml" -FolderName "Favorites_XML"

Write-Host "Collection complete!" -ForegroundColor Green