SANS_Triage
Compoundv1.5
Author: Mark Hallman
description
SANS Triage Collection
includes (143)
paths
1262 paths from 143 targets
› paths use Windows environment syntax
collection commands
# PowerShell artifact collection script for the SANS_Triage target.
# Must be run elevated; the #Requires line below makes PowerShell refuse to
# start the script from a non-administrator session.
#Requires -RunAsAdministrator

# Non-terminating errors are reported and the run carries on, so one unreadable
# target does not stop the rest of the collection.
$ErrorActionPreference = 'Continue'

# Volume being triaged. Not referenced by the visible part of the script;
# every target below spells out its own C:\ path.
$SourceRoot = 'C:'

# Root of the evidence store; each target gets its own sub-folder here.
$DestBase = 'D:\Evidence'

# Running tallies, updated by Collect-Artifact.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
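function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one triage target (a directory, optionally narrowed by a file mask)
    into the evidence store with robocopy.

    .DESCRIPTION
    Wildcards in -SourceDir are expanded with Get-Item, and robocopy runs once
    per matching directory. Every source is written beneath
    <DestBase>\<FolderName>\<drive letter>\<original path>, so targets that
    share a FolderName (or several wildcard matches) cannot overwrite each
    other's same-named files, and the origin of each collected file stays
    visible in the evidence tree.

    Updates the script-level $Summary counters:
      Copied - robocopy reported that at least one file was copied
      Missed - no source directory matched, or nothing matched the mask
      Errors - robocopy reported a copy failure, or the mask was empty

    .PARAMETER SourceDir
    Directory to collect from; may contain wildcards in any segment.

    .PARAMETER FolderName
    Name of the sub-folder under $DestBase that receives this target.

    .PARAMETER FileMask
    robocopy wildcard file mask (not a regular expression). Defaults to "*".
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # An empty mask almost always means the caller wrote something like "$MFT"
    # in double quotes and PowerShell expanded it to nothing. Passing it on
    # would widen the copy to every file, so refuse instead.
    if ([string]::IsNullOrEmpty($FileMask)) {
        Write-Warning "Collect-Artifact: empty -FileMask for '$FolderName'; target skipped."
        $Summary.Errors++
        return
    }

    # A bare drive spec such as 'C:' means "current directory on C:" to
    # PowerShell, not the volume root. Anchor it so root-level targets look
    # where they are meant to.
    if ($SourceDir -match '^[A-Za-z]:$') {
        $SourceDir = $SourceDir + '\'
    }

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'); robocopy itself does not glob the source.
    # -Force lets Get-Item return hidden and system directories as well.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    foreach ($src in $sources) {
        # 'C:\Windows\Temp' -> 'C\Windows\Temp'. Trimming the separators keeps a
        # trailing backslash from escaping the closing quote of the native argument.
        $relative = ($src.FullName -replace '^([A-Za-z]):', '$1').Trim('\')
        $target = Join-Path -Path $FullDest -ChildPath $relative

        # /COPY:DAT keeps data, attributes and timestamps; /R:0 /W:0 means a
        # locked file is not retried.
        # NOTE(review): /E also recreates empty directories, so a narrow mask on
        # a large tree mirrors that tree as empty folders - consider /S for
        # masked targets.
        robocopy $src.FullName $target $FileMask /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null

        # robocopy's exit code is a bit field: bit 0 (1) = files were copied,
        # 8 and above = at least one failure. 0 means nothing was copied.
        if ($LASTEXITCODE -ge 8) {
            $Summary.Errors++
        }
        elseif ($LASTEXITCODE -band 1) {
            $Summary.Copied++
        }
        else {
            $Summary.Missed++
        }
    }
}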
# Targets 1-17: Avast, AVG, Avira and Bitdefender logs, in their original order.
# An entry without a FileMask key uses Collect-Artifact's default mask.
$avTargets01 = @(
    @{ FolderName = 'Avast_AV_Logs_XP';                   SourceDir = 'C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log' }
    @{ FolderName = 'Avast_AV_Logs';                      SourceDir = 'C:\ProgramData\Avast Software\Avast\Log' }
    @{ FolderName = 'Avast_AV_Index';                     SourceDir = 'C:\ProgramData\Avast Software\Avast\Chest'; FileMask = 'index.xml' }
    @{ FolderName = 'Avast_Persistent_Data_Logs';         SourceDir = 'C:\ProgramData\Avast Software\Persistent Data\Avast\Logs' }
    @{ FolderName = 'Avast_Icarus_Logs';                  SourceDir = 'C:\ProgramData\Avast Software\Icarus\Logs' }
    @{ FolderName = 'AVG_AV_Logs_XP';                     SourceDir = 'C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\log' }
    @{ FolderName = 'AVG_AV_Report_Logs_XP';              SourceDir = 'C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\report' }
    @{ FolderName = 'AVG_AV_Logs';                        SourceDir = 'C:\ProgramData\AVG\Antivirus\log' }
    @{ FolderName = 'AVG_Report_Logs';                    SourceDir = 'C:\ProgramData\AVG\Antivirus\report' }
    @{ FolderName = 'AVG_Persistent_Logs';                SourceDir = 'C:\ProgramData\AVG\Persistent Data\Antivirus\Logs' }
    @{ FolderName = 'AVG_FileInfo_DB';                    SourceDir = 'C:\ProgramData\AVG\Antivirus'; FileMask = 'FileInfo2.db' }
    @{ FolderName = 'AVG_lsdbj2_JSON';                    SourceDir = 'C:\ProgramData\AVG\Antivirus'; FileMask = 'lsdb2.json' }
    @{ FolderName = 'Avira_Activity_Logs';                SourceDir = 'C:\ProgramData\Avira\Antivirus\LOGFILES' }
    @{ FolderName = 'Avira_Security_Logs';                SourceDir = 'C:\ProgramData\Avira\Security\Logs' }
    @{ FolderName = 'Avira_VPN_Logs';                     SourceDir = 'C:\ProgramData\Avira\VPN' }
    @{ FolderName = 'Bitdefender_Endpoint_Security_Logs'; SourceDir = 'C:\ProgramData\Bitdefender\Endpoint Security\Logs' }
    @{ FolderName = 'Bitdefender_Internet_Security_Logs'; SourceDir = 'C:\ProgramData\Bitdefender\Desktop\Profiles\Logs' }
)
foreach ($avTarget in $avTargets01) {
    Collect-Artifact @avTarget
}
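# 18. Bitdefender SQLite DB Files
# robocopy file masks are plain wildcards, not regular expressions, so the
# original "regex:*.+\.(db|db-wal|db-shm)" mask could never match a file.
# The three extensions it names are collected with one wildcard mask each.
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db" -FolderName "Bitdefender_SQLite_DB_Files"
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db-wal" -FolderName "Bitdefender_SQLite_DB_Files"
Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*" -FileMask "*.db-shm" -FolderName "Bitdefender_SQLite_DB_Files"
# 19. ComboFix
# 'C:\' rather than 'C:': a bare drive spec resolves to the current directory
# on that drive, so the search would start wherever the script was launched.
Collect-Artifact -SourceDir "C:\" -FileMask "ComboFix.txt" -FolderName "ComboFix"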
# Targets 20-44: CrowdStrike, Cybereason, Cylance, Elastic Defend, Emsisoft,
# ESET, F-Secure, HitmanPro and Malwarebytes, in their original order.
# Several of these are quarantine folders and can hold live malware samples;
# treat the evidence store accordingly.
$edrTargets = @(
    @{ FolderName = 'CrowdStrike_Falcon_Quarantined_File';                    SourceDir = 'C:\Windows\System32\Drivers\CrowdStrike\Quarantine' }
    @{ FolderName = 'Cybereason_Anti_Ransomware_Logs';                        SourceDir = 'C:\ProgramData\crs1\Logs' }
    @{ FolderName = 'Cybereason_Sensor_Communications_and_Anti_Malware_Logs'; SourceDir = 'C:\ProgramData\apv2\Logs' }
    @{ FolderName = 'Cybereason_Application_Control_and_NGAV_Logs';           SourceDir = 'C:\ProgramData\crb1\Logs' }
    @{ FolderName = 'Cylance_ProgramData_Logs';                               SourceDir = 'C:\ProgramData\Cylance\Desktop' }
    @{ FolderName = 'Cylance_Optics_Logs';                                    SourceDir = 'C:\ProgramData\Cylance\Optics\Log' }
    @{ FolderName = 'Cylance_Program_Files_Logs';                             SourceDir = 'C:\Program Files\Cylance\Desktop\log' }
    @{ FolderName = 'Elastic_Defend_Logs';                                    SourceDir = 'C:\Program Files\Elastic\Endpoint\state\log'; FileMask = '*.log' }
    @{ FolderName = 'Elastic_Defend_Quarantine';                              SourceDir = 'C:\.equarantine'; FileMask = '*' }
    @{ FolderName = 'Elastic_Defend_Quarantine';                              SourceDir = 'C:\Program Files\Elastic\Endpoint\state\.equarantine'; FileMask = '*' }
    @{ FolderName = 'Emsisoft_Scan_Logs';                                     SourceDir = 'C:\ProgramData\Emsisoft\Reports'; FileMask = 'scan*.txt' }
    @{ FolderName = 'ESET_NOD32_AV_Logs_XP';                                  SourceDir = 'C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs' }
    @{ FolderName = 'ESET_NOD32_AV_Logs';                                     SourceDir = 'C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs' }
    @{ FolderName = 'ESET_NOD32_AV_Logs';                                     SourceDir = 'C:\ProgramData\ESET\ESET Security\Logs' }
    @{ FolderName = 'ESET_Remote_Administrator_Logs';                         SourceDir = 'C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs' }
    @{ FolderName = 'SYSTEM_user_quarantine';                                 SourceDir = 'C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine' }
    @{ FolderName = 'F_Secure_Logs';                                          SourceDir = 'C:\ProgramData\F-Secure\Log' }
    @{ FolderName = 'F_Secure_Scheduled_Scan_Reports';                        SourceDir = 'C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports' }
    @{ FolderName = 'HitmanPro_Logs';                                         SourceDir = 'C:\ProgramData\HitmanPro\Logs' }
    @{ FolderName = 'HitmanPro_Alert_Logs';                                   SourceDir = 'C:\ProgramData\HitmanPro.Alert\Logs' }
    @{ FolderName = 'HitmanPro_Database';                                     SourceDir = 'C:\ProgramData\HitmanPro.Alert'; FileMask = 'excalibur.db' }
    @{ FolderName = 'HitmanPro_Quarantine';                                   SourceDir = 'C:\ProgramData\HitmanPro\Quarantine' }
    @{ FolderName = 'MalwareBytes_Anti_Malware_Logs';                         SourceDir = 'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs'; FileMask = 'mbam-log-*.xml' }
    @{ FolderName = 'MalwareBytes_Anti_Malware_Service_Logs';                 SourceDir = 'C:\ProgramData\Malwarebytes\MBAMService\logs'; FileMask = 'mbamservice.log*' }
    @{ FolderName = 'MalwareBytes_Anti_Malware_Scan_Results_Logs';            SourceDir = 'C:\ProgramData\Malwarebytes\MBAMService\ScanResults' }
)
foreach ($edrTarget in $edrTargets) {
    Collect-Artifact @edrTarget
}
# Targets 45-64: McAfee endpoint, agent and ePolicy Orchestrator logs, in their
# original order. Target 60 reads the same directory as target 47 but files it
# under a different folder name.
$mcafeeTargets = @(
    @{ FolderName = 'McAfee_Desktop_Protection_Logs_XP'; SourceDir = 'C:\Users\All Users\Application Data\McAfee\DesktopProtection' }
    @{ FolderName = 'McAfee_Desktop_Protection_Logs';    SourceDir = 'C:\ProgramData\McAfee\DesktopProtection' }
    @{ FolderName = 'McAfee_Endpoint_Security_Logs';     SourceDir = 'C:\ProgramData\McAfee\Endpoint Security\Logs' }
    @{ FolderName = 'McAfee_Endpoint_Security_Logs';     SourceDir = 'C:\ProgramData\McAfee\Endpoint Security\Logs_Old' }
    @{ FolderName = 'McAfee_VirusScan_Logs';             SourceDir = 'C:\ProgramData\Mcafee\VirusScan' }
    @{ FolderName = 'McAfee_MSC_Logs';                   SourceDir = 'C:\ProgramData\Mcafee\MSC\Logs' }
    @{ FolderName = 'McAfee_Agent_Events';               SourceDir = 'C:\ProgramData\Mcafee\Agent\AgentEvents' }
    @{ FolderName = 'McAfee_Agent_Logs';                 SourceDir = 'C:\ProgramData\Mcafee\Agent\logs' }
    @{ FolderName = 'McAfee_Data_Reputation_Logs';       SourceDir = 'C:\ProgramData\Mcafee\datareputation\Logs' }
    @{ FolderName = 'McAfee_Managed_VirusScan';          SourceDir = 'C:\ProgramData\Mcafee\Managed\VirusScan\Logs' }
    @{ FolderName = 'McAfee_Agent_Events_XP';            SourceDir = 'C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents' }
    @{ FolderName = 'McAfee_MC_Logs_XP';                 SourceDir = 'C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\SAE' }
    @{ FolderName = 'McAfee_Data_Reputation_Logs_XP';    SourceDir = 'C:\Documents and Settings\All Users\Application Data\McAfee\datreputation\Logs' }
    @{ FolderName = 'McAfee_Managed_VirusScan_Logs_XP';  SourceDir = 'C:\Documents and Settings\All Users\Application Data\McAfee\Managed\VirusScan\Logs' }
    @{ FolderName = 'McAfee_WCF_Service_Logs';           SourceDir = 'C:\Program Files (x86)\McAfee\DLP\WCF Service\Log' }
    @{ FolderName = 'McAfee_ePO_Logs';                   SourceDir = 'C:\ProgramData\McAfee\Endpoint Security\Logs' }
    @{ FolderName = 'McAfee_ePO_Apache_Logs';            SourceDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\Logs' }
    @{ FolderName = 'McAfee_ePO_DB_Events';              SourceDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events' }
    @{ FolderName = 'McAfee_ePO_DB_Debug_Events';        SourceDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\Debug' }
    @{ FolderName = 'McAfee_ePO_Server_Logs';            SourceDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs' }
)
foreach ($mcafeeTarget in $mcafeeTargets) {
    Collect-Artifact @mcafeeTarget
}
# Targets 65-83: Safety Scanner, RogueKiller, SecureAge, SentinelOne, Sophos,
# the Application event log and Symantec Endpoint Protection, in their
# original order. 'Windows.old' entries cover a previous Windows installation.
$avTargets65 = @(
    @{ FolderName = 'Windows_Safety_Scanner_Logs';                SourceDir = 'C:\Windows\Debug'; FileMask = 'msert.log' }
    @{ FolderName = 'RogueKiller_Reports';                        SourceDir = 'C:\ProgramData\RogueKiller\logs'; FileMask = 'AdliceReport_*.json' }
    @{ FolderName = 'SecureAge_Antvirus_Logs';                    SourceDir = 'C:\ProgramData\SecureAge Technology\SecureAge\log' }
    @{ FolderName = 'SentinelOne_EDR_Log';                        SourceDir = 'C:\programdata\sentinel\logs' }
    @{ FolderName = 'Sophos_Logs_XP';                             SourceDir = 'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs' }
    @{ FolderName = 'Sophos_Logs';                                SourceDir = 'C:\ProgramData\Sophos\*\Logs' }
    @{ FolderName = 'Sophos_Logs';                                SourceDir = 'C:\ProgramData\Sophos\Logs' }
    @{ FolderName = 'Application_Event_Log_XP';                   SourceDir = 'C:\Windows\System32\config'; FileMask = 'AppEvent.evt' }
    @{ FolderName = 'Application_Event_Log_XP';                   SourceDir = 'C:\Windows.old\Windows\System32\config'; FileMask = 'AppEvent.evt' }
    @{ FolderName = 'Application_Event_Log_Win7';                 SourceDir = 'C:\Windows\System32\winevt\logs'; FileMask = 'application.evtx' }
    @{ FolderName = 'Application_Event_Log_Win7';                 SourceDir = 'C:\Windows.old\Windows\System32\winevt\logs'; FileMask = 'application.evtx' }
    @{ FolderName = 'Symantec_Endpoint_Protection_Logs_XP';       SourceDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV' }
    @{ FolderName = 'Symantec_Endpoint_Protection_Logs';          SourceDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs' }
    @{ FolderName = 'Symantec_Event_Log_Win7';                    SourceDir = 'C:\Windows\System32\winevt\logs'; FileMask = 'Symantec Endpoint Protection Client.evtx' }
    @{ FolderName = 'Symantec_Event_Log_Win7';                    SourceDir = 'C:\Windows.old\Windows\System32\winevt\logs'; FileMask = 'Symantec Endpoint Protection Client.evtx' }
    @{ FolderName = 'Symantec_Endpoint_Protection_Quarantine_XP'; SourceDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine' }
    @{ FolderName = 'Symantec_Endpoint_Protection_Quarantine';    SourceDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine' }
    @{ FolderName = 'ccSubSDK_Database';                          SourceDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK' }
    @{ FolderName = 'registrationInfo_xml';                       SourceDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data'; FileMask = 'registrationInfo.xml' }
)
foreach ($avTarget65 in $avTargets65) {
    Collect-Artifact @avTarget65
}
# Targets 84-100: TotalAV, Trend Micro, VIPRE, Webroot and Windows Defender
# (logs, event logs, detection history and quarantine), in their original order.
$avTargets84 = @(
    @{ FolderName = 'TotalAV_Logs';                               SourceDir = 'C:\Program Files*\TotalAV\logs' }
    @{ FolderName = 'TotalAV_Logs';                               SourceDir = 'C:\ProgramData\TotalAV\logs' }
    @{ FolderName = 'Trend_Micro_Logs';                           SourceDir = 'C:\ProgramData\Trend Micro' }
    @{ FolderName = 'Trend_Micro_Security_Agent_Report_Logs';     SourceDir = 'C:\Program Files*\Trend Micro\Security Agent\Report'; FileMask = '*.log' }
    @{ FolderName = 'Trend_Micro_Security_Agent_Connection_Logs'; SourceDir = 'C:\Program Files*\Trend Micro\Security Agent\ConnLog'; FileMask = '*.log' }
    @{ FolderName = 'Trend_Micro_Quarantine';                     SourceDir = 'C:\Program Files*\Trend Micro\*\Quarantine'; FileMask = '*' }
    @{ FolderName = 'VIPRE_Business_Agent_Logs';                  SourceDir = 'C:\ProgramData\VIPRE Business Agent\Logs' }
    @{ FolderName = 'Webroot_Program_Data';                       SourceDir = 'C:\ProgramData\WRData'; FileMask = 'WRLog.log' }
    @{ FolderName = 'Windows_Defender_Logs';                      SourceDir = 'C:\ProgramData\Microsoft\Microsoft AntiMalware\Support' }
    @{ FolderName = 'Windows_Defender_Event_Logs';                SourceDir = 'C:\Windows\System32\winevt\Logs'; FileMask = 'Microsoft-Windows-Windows Defender*.evtx' }
    @{ FolderName = 'Windows_Defender_Event_Logs';                SourceDir = 'C:\Windows.old\Windows\System32\winevt\Logs'; FileMask = 'Microsoft-Windows-Windows Defender*.evtx' }
    @{ FolderName = 'Windows_Defender_Logs';                      SourceDir = 'C:\ProgramData\Microsoft\Windows Defender\Support' }
    @{ FolderName = 'Windows_Defender_Logs';                      SourceDir = 'C:\Windows\Temp'; FileMask = 'MpCmdRun.log' }
    @{ FolderName = 'Windows_Defender_Logs';                      SourceDir = 'C:\Windows.old\Windows\Temp'; FileMask = 'MpCmdRun.log' }
    @{ FolderName = 'DetectionHistory';                           SourceDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*' }
    @{ FolderName = 'Windows_Defender_Quarantine';                SourceDir = 'C:\ProgramData\Microsoft\Windows Defender\Quarantine' }
    @{ FolderName = 'Windows_Defender_Detections_log';            SourceDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'; FileMask = 'Detections.log' }
)
foreach ($avTarget84 in $avTargets84) {
    Collect-Artifact @avTarget84
}
# Targets 101-116: rclone configuration files under the four service-account
# profiles. The outer loop walks the config locations and the inner loop the
# profiles, which reproduces the original call order.
$rcloneProfiles = @(
    @{ Label = 'SYSTEM_SysWOW64'; Root = 'C:\Windows\SysWOW64\config\systemprofile' }
    @{ Label = 'SYSTEM';          Root = 'C:\Windows\System32\config\systemprofile' }
    @{ Label = 'LocalService';    Root = 'C:\Windows\ServiceProfiles\LocalService' }
    @{ Label = 'NetworkService';  Root = 'C:\Windows\ServiceProfiles\NetworkService' }
)
$rcloneLocations = @(
    @{ SubDir = '';                        Mask = '.rclone.conf'; Suffix = 'User_Folder' }
    @{ SubDir = '\.config\rclone';         Mask = 'rclone.conf';  Suffix = 'User_config_Folder' }
    @{ SubDir = '\AppData\Local\rclone';   Mask = 'rclone.conf';  Suffix = 'User_config_Folder_XDG_CONFIG_HOME_Default' }
    @{ SubDir = '\AppData\Roaming\rclone'; Mask = 'rclone.conf';  Suffix = 'User_config_Folder_Roaming' }
)
foreach ($rcloneLocation in $rcloneLocations) {
    foreach ($rcloneProfile in $rcloneProfiles) {
        $rcloneDir = $rcloneProfile.Root + $rcloneLocation.SubDir
        $rcloneFolder = 'Rclone_config_{0}_{1}' -f $rcloneProfile.Label, $rcloneLocation.Suffix
        Collect-Artifact -SourceDir $rcloneDir -FileMask $rcloneLocation.Mask -FolderName $rcloneFolder
    }
}

# Targets 117-119: rclone.conf placed next to a binary in a Windows directory.
foreach ($rcloneSideload in @(
        @{ FolderName = 'Rclone_config_SysWOW64_Sideloaded_Config'; SourceDir = 'C:\Windows\SysWOW64' }
        @{ FolderName = 'Rclone_config_System32_Sideloaded_Config'; SourceDir = 'C:\Windows\System32' }
        @{ FolderName = 'Rclone_config_Windows_Sideloaded_Config';  SourceDir = 'C:\Windows' }
    )) {
    Collect-Artifact -FileMask 'rclone.conf' @rcloneSideload
}
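# 120. Rclone config - Recursive
# 'C:\' rather than 'C:': a bare drive spec resolves to the current directory
# on that drive, so the recursive search would start wherever the script was
# launched instead of at the volume root.
Collect-Artifact -SourceDir "C:\" -FileMask "rclone.conf" -FolderName "Rclone_config_Recursive"
# 121. Rclone config fallback - Recursive
Collect-Artifact -SourceDir "C:\" -FileMask ".rclone.conf" -FolderName "Rclone_config_fallback_Recursive"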
# Targets 122-145: event logs, WDI/WMI/SleepStudy/energy/Delivery Optimization
# traces, PowerShell history and transcripts, firewall logs and setupapi logs,
# in their original order. 'Windows.old' entries cover a previous installation.
$logTargets = @(
    @{ FolderName = 'Event_logs_XP';                              SourceDir = 'C:\Windows\System32\config'; FileMask = '*.evt' }
    @{ FolderName = 'Event_logs_Win7';                            SourceDir = 'C:\Windows\System32\winevt\logs'; FileMask = '*.evtx' }
    @{ FolderName = 'Event_logs_Win7';                            SourceDir = 'C:\Windows.old\Windows\System32\winevt\logs'; FileMask = '*.evtx' }
    @{ FolderName = 'WDI_Trace_Logs_1';                           SourceDir = 'C:\Windows\System32\WDI\LogFiles'; FileMask = '*.etl*' }
    @{ FolderName = 'WDI_Trace_Logs_1';                           SourceDir = 'C:\Windows.old\Windows\System32\WDI\LogFiles'; FileMask = '*.etl*' }
    @{ FolderName = 'WDI_Trace_Logs_2';                           SourceDir = 'C:\Windows\System32\WDI\{*' }
    @{ FolderName = 'WDI_Trace_Logs_2';                           SourceDir = 'C:\Windows.old\Windows\System32\WDI\{*' }
    @{ FolderName = 'WMI_Trace_Logs';                             SourceDir = 'C:\Windows\System32\LogFiles\WMI' }
    @{ FolderName = 'WMI_Trace_Logs';                             SourceDir = 'C:\Windows.old\Windows\System32\LogFiles\WMI' }
    @{ FolderName = 'SleepStudy_Trace_Logs';                      SourceDir = 'C:\Windows\System32\SleepStudy' }
    @{ FolderName = 'SleepStudy_Trace_Logs';                      SourceDir = 'C:\Windows.old\Windows\System32\SleepStudy' }
    @{ FolderName = 'Energy_NTKL_Trace_Logs';                     SourceDir = 'C:\ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics'; FileMask = 'energy-ntkl.etl' }
    @{ FolderName = 'Delivery_Optimization_Trace_Logs';           SourceDir = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs'; FileMask = '*.etl*' }
    @{ FolderName = 'PowerShell_Console_Log_Systemprofile';       SourceDir = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'; FileMask = '*_history.txt' }
    @{ FolderName = 'PowerShell_Console_Log_WOW64_Systemprofile'; SourceDir = 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'; FileMask = '*_history.txt' }
    @{ FolderName = 'PowerShell_Transcripts_Observed_Location';   SourceDir = 'C:\Windows\SysWOW64\*'; FileMask = 'PowerShell_transcript.*.txt' }
    @{ FolderName = 'PowerShell_Transcripts_Observed_Location';   SourceDir = 'C:\Program Files\Amazon\Ec2ConfigService\Scripts\*'; FileMask = 'PowerShell_transcript.*.txt' }
    @{ FolderName = 'PowerShell_Transcripts_Observed_Location';   SourceDir = 'C:\Windows\System32\*'; FileMask = 'PowerShell_transcript.*.txt' }
    @{ FolderName = 'PowerShell_Transcripts_Observed_Location';   SourceDir = 'C:\PSTranscript\20*'; FileMask = 'PowerShell_transcript.*.txt' }
    @{ FolderName = 'Windows_Firewall_Logs';                      SourceDir = 'C:\Windows\System32\LogFiles\Firewall'; FileMask = 'pfirewall.*' }
    @{ FolderName = 'Windows_Firewall_Logs';                      SourceDir = 'C:\Windows.old\Windows\System32\LogFiles\Firewall'; FileMask = 'pfirewall.*' }
    @{ FolderName = 'Setupapi_log_XP';                            SourceDir = 'C:\Windows'; FileMask = 'setupapi.log' }
    @{ FolderName = 'Setupapi_log_Win7';                          SourceDir = 'C:\Windows\inf'; FileMask = 'setupapi.*.log' }
    @{ FolderName = 'Setupapi_log_Win7';                          SourceDir = 'C:\Windows.old\Windows\inf'; FileMask = 'setupapi.*.log' }
)
foreach ($logTarget in $logTargets) {
    Collect-Artifact @logTarget
}
# Targets 146-164: .NET CLR usage logs, Group Policy files, and evidence of
# execution (Amcache, PCA, Prefetch, RecentFileCache, Syscache), in their
# original order. 'Windows.old' entries cover a previous installation.
$execTargets = @(
    @{ FolderName = 'NET_CLR_UsageLogs_system_scoped';                   SourceDir = 'C:\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*'; FileMask = '*.log' }
    @{ FolderName = 'Group_Policy_Files';                                SourceDir = 'C:\Windows\System32\grouppolicy' }
    @{ FolderName = 'Computer_Group_Policy_files';                       SourceDir = 'C:\ProgramData\Microsoft\Group Policy\History' }
    @{ FolderName = 'Local_Group_Policy_INI_Files';                      SourceDir = 'C:\Windows.old\Windows\System32\grouppolicy'; FileMask = '*.ini' }
    @{ FolderName = 'Local_Group_Policy_Files_Registry_Policy_Files';    SourceDir = 'C:\Windows\System32\grouppolicy'; FileMask = '*.pol' }
    @{ FolderName = 'Local_Group_Policy_Files_Registry_Policy_Files';    SourceDir = 'C:\Windows.old\Windows\System32\grouppolicy'; FileMask = '*.pol' }
    @{ FolderName = 'Local_Group_Policy_Files_Startup_Shutdown_Scripts'; SourceDir = 'C:\Windows\System32\grouppolicy\*\Scripts' }
    @{ FolderName = 'Local_Group_Policy_Files_Startup_Shutdown_Scripts'; SourceDir = 'C:\Windows.old\Windows\System32\grouppolicy\*\Scripts' }
    @{ FolderName = 'Amcache';                                           SourceDir = 'C:\Windows\AppCompat\Programs'; FileMask = 'Amcache.hve' }
    @{ FolderName = 'Amcache';                                           SourceDir = 'C:\Windows.old\Windows\AppCompat\Programs'; FileMask = 'Amcache.hve' }
    @{ FolderName = 'Amcache_transaction_files';                         SourceDir = 'C:\Windows\AppCompat\Programs'; FileMask = 'Amcache.hve.LOG*' }
    @{ FolderName = 'Amcache_transaction_files';                         SourceDir = 'C:\Windows.old\Windows\AppCompat\Programs'; FileMask = 'Amcache.hve.LOG*' }
    @{ FolderName = 'AppCompat_PCA_Folder';                              SourceDir = 'C:\Windows\appcompat\pca' }
    @{ FolderName = 'Prefetch';                                          SourceDir = 'C:\Windows\prefetch'; FileMask = '*.pf' }
    @{ FolderName = 'Prefetch';                                          SourceDir = 'C:\Windows.old\Windows\prefetch'; FileMask = '*.pf' }
    @{ FolderName = 'RecentFileCache';                                   SourceDir = 'C:\Windows\AppCompat\Programs'; FileMask = 'RecentFileCache.bcf' }
    @{ FolderName = 'RecentFileCache';                                   SourceDir = 'C:\Windows.old\Windows\AppCompat\Programs'; FileMask = 'RecentFileCache.bcf' }
    @{ FolderName = 'Syscache';                                          SourceDir = 'C:\System Volume Information'; FileMask = 'Syscache.hve' }
    @{ FolderName = 'Syscache_transaction_files';                        SourceDir = 'C:\System Volume Information'; FileMask = 'Syscache.hve.LOG*' }
)
foreach ($execTarget in $execTargets) {
    Collect-Artifact @execTarget
}
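# Targets 165-175: NTFS metadata files.
# These names must be single-quoted. In a double-quoted string PowerShell reads
# $MFT, $Extend, $J ... as variable references, so the mask or path segment
# expands to an empty string, and "$UsnJrnl:$J" is read as a drive-qualified
# variable reference rather than a stream name. An empty mask makes robocopy
# fall back to copying every file under the source.
# Root-level targets use 'C:\' because a bare 'C:' resolves to the current
# directory on that drive.
# NOTE(review): these are NTFS system files and alternate data streams;
# robocopy goes through the ordinary file API and is not expected to be able
# to read them - confirm, and use a raw-volume collector for these targets.
# 165. $MFT
Collect-Artifact -SourceDir 'C:\' -FileMask '$MFT' -FolderName "MFT"
# 166. $LogFile
Collect-Artifact -SourceDir 'C:\' -FileMask '$LogFile' -FolderName "LogFile"
# 167. $J
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$UsnJrnl:$J' -FolderName "J"
# 168. $Max
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$UsnJrnl:$Max' -FolderName "Max"
# 169. $J
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$J' -FolderName "J"
# 170. $Max
Collect-Artifact -SourceDir 'C:\$Extend' -FileMask '$Max' -FolderName "Max"
# 171. $SDS
Collect-Artifact -SourceDir 'C:\' -FileMask '$Secure:$SDS' -FolderName "SDS"
# 172. $SDS
Collect-Artifact -SourceDir 'C:\' -FileMask '$Secure_$SDS' -FolderName "SDS"
# 173. $Boot
Collect-Artifact -SourceDir 'C:\' -FileMask '$Boot' -FolderName "Boot"
# 174. $T
Collect-Artifact -SourceDir 'C:\$Extend\$RmMetadata\$TxfLog' -FileMask '$Tops:$T' -FolderName "T"
# 175. $T
Collect-Artifact -SourceDir 'C:\$Extend\$RmMetadata\$TxfLog' -FileMask '$T' -FolderName "T"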
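# 176. FileZilla Log Files
Collect-Artifact -SourceDir "C:\Program Files (x86)\FileZilla Server\Logs" -FileMask "*.log*" -FolderName "FileZilla_Log_Files"
# 177. WinSCP (.ini file)
# 'C:\' rather than 'C:': a bare drive spec resolves to the current directory
# on that drive, so the search would start wherever the script was launched.
# WinSCP.ini can hold saved session details; restrict access to the evidence store.
Collect-Artifact -SourceDir "C:\" -FileMask "WinSCP.ini" -FolderName "WinSCP_ini_file"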
# Targets 178-193: Robo-FTP 3.12 per-user and program-wide data, then LNK files,
# in their original order.
# The SSH/PGP key and SSL certificate folders are credential material; the
# evidence store that receives them needs matching access control.
$roboFtpTargets = @(
    @{ FolderName = 'Robo_FTP_User_Scripts';           SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\Scripts'; FileMask = '*.s' }
    @{ FolderName = 'Robo_FTP_User_Debug_Logs';        SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\Debug'; FileMask = '*.log' }
    @{ FolderName = 'Robo_FTP_User_Script_Trace_Logs'; SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\Logs'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_User_XML_Config';        SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*'; FileMask = 'config.xml' }
    @{ FolderName = 'Robo_FTP_User_SSH_Keys';          SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\SSH Keys'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_User_SSL_Certificates';  SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_User_PGP_Keys';          SourceDir = 'C:\Program Files\Robo-FTP 3.12\UserData\*\PGP Keys'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_SSH_Keys';               SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData\SSH Keys'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_SSL_Certificates';       SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_PGP_Keys';               SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData\PGP Keys'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_Debug_Logs';             SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData\Debug'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_Script_Trace_Logs';      SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData\Logs'; FileMask = '*' }
    @{ FolderName = 'Robo_FTP_XML_Config';             SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData'; FileMask = 'config.xml' }
    @{ FolderName = 'Robo_FTP_Jobs';                   SourceDir = 'C:\Program Files\Robo-FTP 3.12\ProgramData'; FileMask = 'SchedulerService.sqlite' }
    @{ FolderName = 'Restore_point_LNK_Files_XP';      SourceDir = 'C:\System Volume Information\_restore*\RP*'; FileMask = '*.LNK' }
    @{ FolderName = 'LNK_Files_from_C_ProgramData';    SourceDir = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'; FileMask = '*.LNK' }
)
foreach ($roboFtpTarget in $roboFtpTargets) {
    Collect-Artifact @roboFtpTarget
}
# 194-213. Advanced IP Scanner state files (Aliases, Comments, MAC, Favorites)
# looked up in five locations: the Windows temp folder and the SYSTEM,
# LocalService and NetworkService profiles. Collect-Artifact always runs
# robocopy with /E, so each profile directory is searched recursively for the
# named .bin file.
$ipScannerLocations = @(
    @{ Dir = "C:\Windows\Temp\Advanced IP Scanner 2";      Tag = "Windows_Temp_Folder" }
    @{ Dir = "C:\Windows\SysWOW64\config\systemprofile";   Tag = "SYSTEM_SysWOW64_User_Folder" }
    @{ Dir = "C:\Windows\System32\config\systemprofile";   Tag = "SYSTEM_User_Folder" }
    @{ Dir = "C:\Windows\ServiceProfiles\LocalService";    Tag = "LocalService_User_Folder" }
    @{ Dir = "C:\Windows\ServiceProfiles\NetworkService";  Tag = "NetworkService_User_Folder" }
)
# Outer loop = file kind, inner loop = location: same call order as entries 194-213.
foreach ($ipScannerKind in "Aliases", "Comments", "MAC", "Favorites") {
    foreach ($ipScannerLoc in $ipScannerLocations) {
        Collect-Artifact -SourceDir $ipScannerLoc.Dir -FileMask "advanced_ip_scanner_${ipScannerKind}.bin" -FolderName "Advanced_IP_Scanner_${ipScannerKind}_$($ipScannerLoc.Tag)"
    }
}

# 214. Advanced IP Scanner Favorites (anywhere under the source directory).
# NOTE(review): "C:" has no trailing backslash, so it is drive-relative: it
# resolves to the current directory on C:, not the drive root. The search scope
# therefore depends on where the script was launched - confirm whether "C:\"
# was intended.
Collect-Artifact -SourceDir "C:" -FileMask "advanced_ip_scanner_Favorites.bin" -FolderName "Advanced_IP_Scanner_Favorites"
# 215-234. Advanced Port Scanner state files (Aliases, Comments, MAC,
# Favorites) looked up in five locations: the Windows temp folder and the
# SYSTEM, LocalService and NetworkService profiles. Collect-Artifact always
# runs robocopy with /E, so each profile directory is searched recursively.
$portScannerLocations = @(
    @{ Dir = "C:\Windows\Temp\Advanced Port Scanner 2";    Tag = "Windows_Temp_Folder" }
    @{ Dir = "C:\Windows\SysWOW64\config\systemprofile";   Tag = "SYSTEM_SysWOW64_User_Folder" }
    @{ Dir = "C:\Windows\System32\config\systemprofile";   Tag = "SYSTEM_User_Folder" }
    @{ Dir = "C:\Windows\ServiceProfiles\LocalService";    Tag = "LocalService_User_Folder" }
    @{ Dir = "C:\Windows\ServiceProfiles\NetworkService";  Tag = "NetworkService_User_Folder" }
)
# Outer loop = file kind, inner loop = location: same call order as entries 215-234.
foreach ($portScannerKind in "Aliases", "Comments", "MAC", "Favorites") {
    foreach ($portScannerLoc in $portScannerLocations) {
        Collect-Artifact -SourceDir $portScannerLoc.Dir -FileMask "advanced_port_scanner_${portScannerKind}.bin" -FolderName "Advanced_Port_Scanner_${portScannerKind}_$($portScannerLoc.Tag)"
    }
}

# 235. Advanced Port Scanner Favorites (anywhere under the source directory).
# NOTE(review): "C:" has no trailing backslash, so it is drive-relative: it
# resolves to the current directory on C:, not the drive root. The search scope
# therefore depends on where the script was launched - confirm whether "C:\"
# was intended.
Collect-Artifact -SourceDir "C:" -FileMask "advanced_port_scanner_Favorites.bin" -FolderName "Advanced_Port_Scanner_Favorites"
# 236. Netscan XML default output (netscan.xml).
# NOTE(review): "C:" has no trailing backslash, so it is drive-relative: it
# resolves to the current directory on C:, not the drive root. The search scope
# therefore depends on where the script was launched - confirm whether "C:\"
# was intended.
$netscanTarget = @{
    SourceDir  = "C:"
    FileMask   = "netscan.xml"
    FolderName = "Netscan_XML_default_output"
}
Collect-Artifact @netscanTarget
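# 237. Recycle Bin - Windows Vista+ ($I* index files under C:\$Recycle.Bin).
# The path and mask are single-quoted on purpose: inside double quotes
# PowerShell expands $Recycle and $I as (unset) variables, which silently
# turns the path into "C:\.Bin" and the mask into "*".
# NOTE(review): $Recycle.Bin is a hidden system folder and the Get-Item call in
# Collect-Artifact is shown without -Force - confirm that it resolves hidden
# directories, otherwise this target is counted as Missed.
Collect-Artifact -SourceDir 'C:\$Recycle.Bin' -FileMask '$I*' -FolderName "Recycle_Bin_Windows_Vista"
# 238. RECYCLER - WinXP (INFO2 index files).
Collect-Artifact -SourceDir "C:\RECYCLE*" -FileMask "INFO2" -FolderName "RECYCLER_WinXP"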
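# 239-285. Registry hives and their transaction logs, from the live Windows
# directory and from a Windows.old directory left by an in-place upgrade.
#
# Each target is collected once per Windows root. The Windows.old copy goes to
# a folder with a "_Windows_old" suffix: the file names are identical in both
# roots, so a shared destination lets the second robocopy run overwrite the
# first, or leaves only the Windows.old hive in a folder labelled as live.
#
# NOTE(review): the live SAM/SECURITY/SOFTWARE/SYSTEM/DEFAULT hives are held
# open by the running OS, so a file-level copy normally fails with a sharing
# violation and is counted under Errors; collecting them typically needs a
# volume shadow copy or a raw-disk reader - confirm on a test host.
# NOTE(review): SAM and SECURITY hold credential material (account hashes,
# LSA secrets); restrict access to the evidence destination accordingly.
$regRoots = @(
    @{ Root = "C:\Windows";             Suffix = "" }
    @{ Root = "C:\Windows.old\Windows"; Suffix = "_Windows_old" }
)

# Rel is relative to the Windows root; the trailing numbers are the original entry ids.
$regTargets = @(
    @{ Rel = "System32\config";               Mask = "SAM.LOG*";        Folder = "SAM_registry_transaction_files" }             # 239-240
    @{ Rel = "System32\config";               Mask = "SECURITY.LOG*";   Folder = "SECURITY_registry_transaction_files" }        # 241-242
    @{ Rel = "System32\config";               Mask = "SOFTWARE.LOG*";   Folder = "SOFTWARE_registry_transaction_files" }        # 243-244
    @{ Rel = "System32\config";               Mask = "SYSTEM.LOG*";     Folder = "SYSTEM_registry_transaction_files" }          # 245-246
    @{ Rel = "System32\config";               Mask = "SAM";             Folder = "SAM_registry_hive" }                          # 247-248
    @{ Rel = "System32\config";               Mask = "SECURITY";        Folder = "SECURITY_registry_hive" }                     # 249-250
    @{ Rel = "System32\config";               Mask = "SOFTWARE";        Folder = "SOFTWARE_registry_hive" }                     # 251-252
    @{ Rel = "System32\config";               Mask = "SYSTEM";          Folder = "SYSTEM_registry_hive" }                       # 253-254
    @{ Rel = "System32\config\RegBack";       Mask = "*.LOG*";          Folder = "RegBack_registry_transaction_files" }         # 255-256
    @{ Rel = "System32\config\RegBack";       Mask = "SAM";             Folder = "SAM_registry_hive_RegBack" }                  # 257-258
    @{ Rel = "System32\config\RegBack";       Mask = "SECURITY";        Folder = "SECURITY_registry_hive_RegBack" }             # 259-260
    @{ Rel = "System32\config\RegBack";       Mask = "SOFTWARE";        Folder = "SOFTWARE_registry_hive_RegBack" }             # 261-262
    @{ Rel = "System32\config\RegBack";       Mask = "SYSTEM";          Folder = "SYSTEM_registry_hive_RegBack" }               # 263-264
    @{ Rel = "System32\config\RegBack";       Mask = "SYSTEM1";         Folder = "SYSTEM_registry_hive_RegBack" }               # 265-266
    @{ Rel = "System32\config\systemprofile"; Mask = "NTUSER.DAT";      Folder = "System_Profile_registry_hive" }               # 267-268
    @{ Rel = "System32\config\systemprofile"; Mask = "NTUSER.DAT.LOG*"; Folder = "System_Profile_registry_transaction_files" }  # 269-270
    @{ Rel = "ServiceProfiles\LocalService";  Mask = "NTUSER.DAT";      Folder = "Local_Service_registry_hive" }                # 271-272
    @{ Rel = "ServiceProfiles\LocalService";  Mask = "NTUSER.DAT.LOG*"; Folder = "Local_Service_registry_transaction_files" }   # 273-274
    @{ Rel = "ServiceProfiles\NetworkService"; Mask = "NTUSER.DAT";     Folder = "Network_Service_registry_hive" }              # 275-276
    @{ Rel = "ServiceProfiles\NetworkService"; Mask = "NTUSER.DAT.LOG*"; Folder = "Network_Service_registry_transaction_files" } # 277-278
    @{ Rel = "System32\config";               Mask = "DEFAULT";         Folder = "NTUSER_DAT_DEFAULT_registry_hive" }           # 280-281
    @{ Rel = "System32\config";               Mask = "DEFAULT.LOG*";    Folder = "NTUSER_DAT_DEFAULT_transaction_files" }       # 282-283
)
foreach ($regTarget in $regTargets) {
    foreach ($regRoot in $regRoots) {
        Collect-Artifact -SourceDir "$($regRoot.Root)\$($regTarget.Rel)" -FileMask $regTarget.Mask -FolderName ($regTarget.Folder + $regRoot.Suffix)
    }
}

# 279. System Restore Points Registry Hives (XP)
# NOTE(review): every matched RP*\snapshot folder is copied into the same
# destination, so hives with the same name from different restore points
# would overwrite each other - confirm whether per-restore-point folders are
# needed.
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*\snapshot" -FileMask "_REGISTRY_*" -FolderName "System_Restore_Points_Registry_Hives_XP"

# 284-285. Registry.dat MSIX hives, one per package directory.
# NOTE(review): all package directories matched by the wildcard are copied
# into one destination folder, so same-named Registry.dat files from different
# packages would overwrite each other - confirm.
Collect-Artifact -SourceDir "C:\Program Files\WindowsApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"
Collect-Artifact -SourceDir "C:\Windows\SystemApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"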
# 286-302. Remote-access / RMM tool artifacts: Action1, Ammyy, AnyDesk,
# DWAgent, ISL AlwaysOn, ITarian and Comodo Endpoint Manager. Rows without a
# FileMask use Collect-Artifact's default mask "*".
#
# NOTE(review): entries 299, 300 and 302 all write to the "ITarian" folder
# (302 reads the Comodo (x86) path, while 301 writes to "Comodo"); same-named
# log files from these sources would overwrite each other - confirm the
# intended folder for 302.
$islRoot = "C:\Program Files (x86)\ISL Online\ISL AlwaysOn"
$rmmTargetsA = @(
    @{ SourceDir = "C:\Windows\Action1\logs"; FileMask = "*.log"; FolderName = "Action1_Client_Application_logs" }                                   # 286
    @{ SourceDir = "C:\ProgramData\Ammyy"; FolderName = "Ammyy_Program_Data" }                                                                       # 287
    @{ SourceDir = "C:\ProgramData\AnyDesk"; FileMask = "*.trace"; FolderName = "AnyDesk_Logs_ProgramData_trace" }                                   # 288
    @{ SourceDir = "C:\ProgramData\AnyDesk"; FileMask = "*.conf"; FolderName = "AnyDesk_Logs_ProgramData_conf" }                                     # 289
    @{ SourceDir = "C:\ProgramData\AnyDesk"; FileMask = "connection_trace.txt"; FolderName = "AnyDesk_Logs_ProgramData_connection_trace_txt" }       # 290
    @{ SourceDir = "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk"; FolderName = "AnyDesk_Logs_System_User_Account" }             # 291
    @{ SourceDir = "C:\ProgramData\AnyDesk"; FileMask = "file_transfer_trace.txt"; FolderName = "AnyDesk_File_Transfer_Logs_Installed_as_a_Service" } # 292
    @{ SourceDir = "C:\ProgramData\DWAgent*"; FileMask = "*.log*"; FolderName = "DWAgent_Log_Files" }                                                # 293
    @{ SourceDir = $islRoot; FileMask = "session.xml"; FolderName = "ISL_AlwaysOn_Logs_Sessions_List" }                                              # 294
    @{ SourceDir = "$islRoot\sessions\*"; FileMask = "trace.out"; FolderName = "ISL_AlwaysOn_Logs_Sessions" }                                        # 295
    @{ SourceDir = $islRoot; FileMask = "*.out"; FolderName = "ISL_AlwaysOn_App_Logs" }                                                              # 296
    @{ SourceDir = "$islRoot\status"; FileMask = "tray"; FolderName = "ISL_AlwaysOn_Email_Configuration" }                                           # 297
    @{ SourceDir = $islRoot; FileMask = "StaticConfiguration.ini"; FolderName = "ISL_AlwaysOn_Configuration" }                                       # 298
    @{ SourceDir = "C:\Program Files\ITarian\Endpoint Manager\rmmlogs"; FolderName = "ITarian" }                                                     # 299
    @{ SourceDir = "C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs"; FolderName = "ITarian" }                                               # 300
    @{ SourceDir = "C:\Program Files\Comodo\Endpoint Manager\rmmlogs"; FolderName = "Comodo" }                                                       # 301
    @{ SourceDir = "C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs"; FolderName = "ITarian" }                                                # 302
)
foreach ($rmmTargetA in $rmmTargetsA) {
    Collect-Artifact @rmmTargetA
}
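# 303-308. Kaseya agent artifacts: endpoint and edge service logs, the agent
# service log and the setup log. Rows without a FileMask use Collect-Artifact's
# default mask "*".
#
# The Windows.old setup log (307) goes to its own "_Windows_old" folder. With a
# shared destination both sources produce a file named KASetup.log, and the
# later copy would replace the earlier one.
$kaseyaTargets = @(
    @{ SourceDir = "C:\Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint"; FolderName = "Kaseya_Agent_Endpoint_Service_Logs_XP" }  # 303
    @{ SourceDir = "C:\ProgramData\Kaseya\Log\Endpoint"; FolderName = "Kaseya_Agent_Endpoint_Service_Logs" }                                           # 304
    @{ SourceDir = "C:\Program Files*\Kaseya\*"; FileMask = "agentmon.log*"; FolderName = "Kaseya_Agent_Service_Log" }                                 # 305
    @{ SourceDir = "C:\Windows\Temp"; FileMask = "KASetup.log"; FolderName = "Kaseya_Setup_Log" }                                                      # 306
    @{ SourceDir = "C:\Windows.old\Windows\Temp"; FileMask = "KASetup.log"; FolderName = "Kaseya_Setup_Log_Windows_old" }                              # 307
    @{ SourceDir = "C:\ProgramData\Kaseya\Log\KaseyaEdgeServices"; FolderName = "Kaseya_Agent_Edge_Service_Logs" }                                     # 308
)
foreach ($kaseyaTarget in $kaseyaTargets) {
    Collect-Artifact @kaseyaTarget
}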
# 309-317. Level RMM, LogMeIn, MeshAgent and Net Monitor for Employees Pro
# artifacts. Rows without a FileMask use Collect-Artifact's default mask "*".
# "Program Files*" is expanded by Get-Item inside Collect-Artifact, so both the
# 64-bit and the (x86) install trees are covered and land in the same folder.
$netMonitorData = "C:\ProgramData\Net Monitor for Employees Pro"
$rmmTargetsB = @(
    @{ SourceDir = "C:\Program Files\Level"; FileMask = "*.log"; FolderName = "Level_RMM_Client_Application_logs" }          # 309
    @{ SourceDir = "C:\ProgramData\LogMeIn\Logs"; FolderName = "LogMeIn_ProgramData_Logs" }                                  # 310
    @{ SourceDir = "C:\Program Files\Mesh Agent"; FileMask = "*.msh"; FolderName = "MeshAgent_msh_configuration_file" }      # 311
    @{ SourceDir = "C:\Program Files\Mesh Agent"; FileMask = "*.log"; FolderName = "MeshAgent_log_file" }                    # 312
    @{ SourceDir = "$netMonitorData\data"; FolderName = "Net_Monitor_Server_Data" }                                          # 313
    @{ SourceDir = "$netMonitorData\config"; FolderName = "Net_Monitor_Server_Config" }                                      # 314
    @{ SourceDir = "$netMonitorData\tmp"; FolderName = "Net_Monitor_Server_Temp_Folder" }                                    # 315
    @{ SourceDir = "C:\Program Files*\Net Monitor for Employees Pro\log"; FolderName = "Net_Monitor_Client_Logs" }           # 316
    @{ SourceDir = "C:\Program Files*\Net Monitor for Employees Pro\config"; FolderName = "Net_Monitor_Client_Config" }      # 317
)
foreach ($rmmTargetB in $rmmTargetsB) {
    Collect-Artifact @rmmTargetB
}
# 318-321. Radmin Server connection log (Radm_log.htm) and chat logs, for the
# 32-bit (SysWOW64) and 64-bit (System32) rserver30 directories.
$radminInstalls = @(
    @{ Dir = "C:\Windows\SysWOW64\rserver30"; Bits = "32bit" }
    @{ Dir = "C:\Windows\System32\rserver30"; Bits = "64bit" }
)
# 318-319. Server log, 32-bit then 64-bit.
foreach ($radminInstall in $radminInstalls) {
    Collect-Artifact -SourceDir $radminInstall.Dir -FileMask "Radm_log.htm" -FolderName "Radmin_Server_$($radminInstall.Bits)_Log"
}
# 320-321. Chat logs, one sub-folder per wildcard match under CHATLOGS.
foreach ($radminInstall in $radminInstalls) {
    Collect-Artifact -SourceDir "$($radminInstall.Dir)\CHATLOGS\*" -FileMask "*.htm" -FolderName "Radmin_Server_$($radminInstall.Bits)_Chats"
}
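# 322-329. Remote Desktop event logs (RemoteConnectionManager,
# LocalSessionManager, RDPClient, RdpCoreTS) from the live winevt\logs
# directory and from Windows.old.
#
# The Windows.old logs go to a folder with a "_Windows_old" suffix. The log
# file names are the same in both roots, so a shared destination would let one
# copy replace the other and mix pre-upgrade and current logs.
$rdpLogRoots = @(
    @{ Dir = "C:\Windows\System32\winevt\logs";             Suffix = "" }
    @{ Dir = "C:\Windows.old\Windows\System32\winevt\logs"; Suffix = "_Windows_old" }
)
$rdpChannels = @(
    @{ Mask = "Microsoft-Windows-TerminalServices-RemoteConnectionManager*"; Folder = "RemoteConnectionManager_Event_Logs" }  # 322-323
    @{ Mask = "Microsoft-Windows-TerminalServices-LocalSessionManager*";     Folder = "LocalSessionManager_Event_Logs" }      # 324-325
    @{ Mask = "Microsoft-Windows-TerminalServices-RDPClient*";               Folder = "RDPClient_Event_Logs" }                # 326-327
    @{ Mask = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*";          Folder = "RDPCoreTS_Event_Logs" }                # 328-329
)
foreach ($rdpChannel in $rdpChannels) {
    foreach ($rdpLogRoot in $rdpLogRoots) {
        Collect-Artifact -SourceDir $rdpLogRoot.Dir -FileMask $rdpChannel.Mask -FolderName ($rdpChannel.Folder + $rdpLogRoot.Suffix)
    }
}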
# 330-339. Remcos RAT log files (logs*.dat*) in the default folder and in a
# set of known custom folder names, under each user's roaming AppData and
# under ProgramData.
#
# NOTE(review): "C:\Users\*" is expanded inside Collect-Artifact and every
# match is copied into the same destination folder, so the copy no longer
# shows which profile a file came from - record the source path separately if
# attribution matters.
# NOTE(review): entries 334 and 339 share the folder name
# "Remco_RAT_custom_path_AppData_hpsupport"; same-named files from the user
# profiles and from ProgramData would overwrite each other - confirm.
$remcosMask = "logs*.dat*"
$remcosTargets = @(
    @{ SourceDir = "C:\Users\*\AppData\Roaming\remcos";      FolderName = "Remco_RAT_Default_path" }                             # 330
    @{ SourceDir = "C:\Users\*\AppData\Roaming\screenshots"; FolderName = "Remco_RAT_custom_path_AppData_screenshots_folder" }   # 331
    @{ SourceDir = "C:\Users\*\AppData\Roaming\notess";      FolderName = "Remco_RAT_custom_path_AppData_notess_folder" }        # 332
    @{ SourceDir = "C:\Users\*\AppData\Roaming\micrecords";  FolderName = "Remco_RAT_custom_path_AppData_micrecords_folder" }    # 333
    @{ SourceDir = "C:\Users\*\AppData\Roaming\hpsupport";   FolderName = "Remco_RAT_custom_path_AppData_hpsupport" }            # 334
    @{ SourceDir = "C:\ProgramData\remcos";                  FolderName = "Remco_RAT_custom_path" }                              # 335
    @{ SourceDir = "C:\ProgramData\notess";                  FolderName = "Remco_RAT_custom_path_AppData_notess" }               # 336
    @{ SourceDir = "C:\ProgramData\screenshots";             FolderName = "Remco_RAT_custom_path_AppData_screenshots" }          # 337
    @{ SourceDir = "C:\ProgramData\micrecords";              FolderName = "Remco_RAT_custom_path_AppData_micrecords" }           # 338
    @{ SourceDir = "C:\ProgramData\hpsupport";               FolderName = "Remco_RAT_custom_path_AppData_hpsupport" }            # 339
)
foreach ($remcosTarget in $remcosTargets) {
    Collect-Artifact -SourceDir $remcosTarget.SourceDir -FileMask $remcosMask -FolderName $remcosTarget.FolderName
}
# 340-353. Remote Manipulator System, Remote Utilities, RustDesk,
# ScreenConnect and Splashtop artifacts. Rows without a FileMask use
# Collect-Artifact's default mask "*". Wildcards in a path segment
# ("Program Files*", "ScreenConnect Client*") are expanded inside
# Collect-Artifact; every match is copied into the row's single folder.
#
# Entries 347 and 348 intentionally share "ScreenConnect_Session_Database":
# they pick different files (Session.db and User.xml) from the same directory.
$remoteToolTargetsA = @(
    @{ SourceDir = "C:\Program Files*\Remote Manipulator System - Host\Logs"; FileMask = "rms_log_*.html"; FolderName = "Remote_Manipulator_System_Connection_Logs" }       # 340
    @{ SourceDir = "C:\ProgramData\Remote Manipulator System\Logs"; FileMask = "rms_log_*.html"; FolderName = "Remote_Manipulator_System_Connection_Logs_in_ProgramData" }  # 341
    @{ SourceDir = "C:\ProgramData\Remote Manipulator System"; FileMask = "install.log"; FolderName = "Remote_Manipulator_System_Install_Log" }                             # 342
    @{ SourceDir = "C:\Program Files*\Remote Utilities - Host\Logs"; FileMask = "rut_log_*.html"; FolderName = "RemoteUtilities_Connection_Logs" }                          # 343
    @{ SourceDir = "C:\ProgramData\Remote Utilities\Logs"; FileMask = "rut_log_*.html"; FolderName = "RemoteUtilities_Connection_Logs_in_ProgramData" }                     # 344
    @{ SourceDir = "C:\ProgramData\Remote Utilities"; FileMask = "install.log"; FolderName = "RemoteUtilities_Install_Log" }                                                # 345
    @{ SourceDir = "C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server"; FolderName = "RustDesk_logs" }                                            # 346
    @{ SourceDir = "C:\Program Files*\ScreenConnect\App_Data"; FileMask = "Session.db"; FolderName = "ScreenConnect_Session_Database" }                                     # 347
    @{ SourceDir = "C:\Program Files*\ScreenConnect\App_Data"; FileMask = "User.xml"; FolderName = "ScreenConnect_Session_Database" }                                       # 348
    @{ SourceDir = "C:\ProgramData\ScreenConnect Client*"; FileMask = "user.config"; FolderName = "ScreenConnect_User_Config" }                                             # 349
    @{ SourceDir = "C:\Program Files*\Splashtop\Splashtop Remote\Server\log"; FolderName = "Splashtop_Log_Files" }                                                          # 350
    @{ SourceDir = "C:\ProgramData\Splashtop\Temp\log"; FolderName = "Splashtop_Log_Files_in_ProgramData" }                                                                 # 351
    @{ SourceDir = "C:\Program Files*\Splashtop\Splashtop Remote\Splashtop Gateway\log"; FolderName = "Splashtop_Gateway_Log_Files" }                                       # 352
    @{ SourceDir = "C:\ProgramData\Splashtop\Splashtop Remote Client for ST*\*\log"; FolderName = "Splashtop_Enterprise_Business_legacy_Log_Files_in_ProgramData" }         # 353
)
foreach ($remoteToolTargetA in $remoteToolTargetsA) {
    Collect-Artifact @remoteToolTargetA
}
# 354-370. Supremo, TeamViewer, ManageEngine UEMS agent, UltraViewer, RealVNC,
# TightVNC, Xeox and Zoho Assist artifacts. Rows without a FileMask use
# Collect-Artifact's default mask "*".
#
# NOTE(review): entry 355 copies the whole Supremo "Inbox" folder, which
# presumably holds files received over remote sessions; treat its contents as
# untrusted and do not open them on an analysis host without isolation.
# NOTE(review): "C:\Users\*" (entry 362) merges all profiles into one folder,
# so the copy does not show which user a vncviewer.log belonged to.
$zohoInstall = "C:\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting"
$remoteToolTargetsB = @(
    @{ SourceDir = "C:\ProgramData\SupremoRemoteDesktop\Log"; FileMask = "*.log"; FolderName = "Supremo_Connection_Logs" }                                                             # 354
    @{ SourceDir = "C:\ProgramData\SupremoRemoteDesktop\Inbox"; FolderName = "Supremo_File_Transfer_Inbox" }                                                                           # 355
    @{ SourceDir = "C:\Program Files*\TeamViewer"; FileMask = "connections*.txt"; FolderName = "TeamViewer_Connection_Logs" }                                                          # 356
    @{ SourceDir = "C:\Program Files*\TeamViewer"; FileMask = "TeamViewer*_Logfile*"; FolderName = "TeamViewer_Application_Logs" }                                                     # 357
    @{ SourceDir = "C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs"; FileMask = "*.log"; FolderName = "Unified_endpoint_management_and_security_solutions_from_ManageEngine" }    # 358
    @{ SourceDir = "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer"; FolderName = "UltraViewer_System_Logs" }                                                    # 359
    @{ SourceDir = "C:\Program Files*\UltraViewer"; FileMask = "UltraViewerService_log.txt"; FolderName = "UltraViewer_Service_Log" }                                                  # 360
    @{ SourceDir = "C:\Program Files*\UltraViewer"; FileMask = "ConnectionLog.Log"; FolderName = "UltraViewer_Connection_Log" }                                                        # 361
    @{ SourceDir = "C:\Users\*\AppData\Local\RealVNC"; FileMask = "vncviewer.log"; FolderName = "RealVNC_Viewer_Log" }                                                                 # 362
    @{ SourceDir = "C:\ProgramData\RealVNC-Service"; FileMask = "vncserver.log"; FolderName = "RealVNC_Log" }                                                                          # 363
    @{ SourceDir = "C:\ProgramData\TightVNC\Server\Logs"; FolderName = "TightVNC_Application_Logs" }                                                                                   # 364
    @{ SourceDir = "C:\Program Files\Xeox"; FileMask = "*.log"; FolderName = "Xeox_RMM_Client_Application_logs" }                                                                      # 365
    @{ SourceDir = "C:\ProgramData\ZohoMeeting\log"; FolderName = "Zoho_Assist_log_files_in_ProgramData" }                                                                             # 366
    @{ SourceDir = "C:\ProgramData\ZohoMeeting"; FileMask = "*.conf"; FolderName = "Zoho_Assist_conf_files" }                                                                          # 367
    @{ SourceDir = "$zohoInstall\logs"; FolderName = "Zoho_Assist_log_files_in_Program_Files" }                                                                                        # 368
    @{ SourceDir = $zohoInstall; FileMask = "*.conf"; FolderName = "Zoho_Assist_conf_files_in_Program_Files" }                                                                         # 369
    @{ SourceDir = $zohoInstall; FileMask = "*.txt"; FolderName = "Zoho_Assist_txt_files_in_Program_Files" }                                                                           # 370
)
foreach ($remoteToolTargetB in $remoteToolTargetsB) {
    Collect-Artifact @remoteToolTargetB
}
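# Scheduled-task artifacts, entries 371-377.
# The original calls sent the live Windows tree, the SysWOW64 tree and the
# Windows.old tree to the same FolderName. robocopy replaces a destination
# file whose size or timestamp differs, so a same-named task file from one
# tree could overwrite the copy taken from another, and the origin of each
# file was no longer visible in the evidence folder. Each tree now gets its
# own destination; the "Windows_old_" prefix follows the naming already used
# for the Windows.old RDP cache entry in this script.
# Every call recurses (robocopy /E), so a mask applied to C:\Windows walks the
# whole Windows tree.

# 371. at .job
Collect-Artifact -SourceDir "C:\Windows\Tasks" -FileMask "*.job" -FolderName "at_job"
# 372. at .job (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\Tasks" -FileMask "*.job" -FolderName "Windows_old_at_job"
# 373. at SchedLgU.txt
Collect-Artifact -SourceDir "C:\Windows" -FileMask "SchedLgU.txt" -FolderName "at_SchedLgU_txt"
# 374. at SchedLgU.txt (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows" -FileMask "SchedLgU.txt" -FolderName "Windows_old_at_SchedLgU_txt"
# 375. XML task definitions (System32)
Collect-Artifact -SourceDir "C:\Windows\System32\Tasks" -FolderName "XML"
# 376. XML task definitions (SysWOW64)
Collect-Artifact -SourceDir "C:\Windows\syswow64\Tasks" -FolderName "XML_syswow64"
# 377. XML task definitions (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\Tasks" -FolderName "Windows_old_XML"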
# PowerShell scheduled-job stores of the SYSTEM profile, entries 378-381.
# For each system directory the job store itself is collected first, then the
# "<job>\Output\<run>" folders matched by the wildcard path.
# NOTE(review): the wildcard call copies every matched output folder into one
# destination, so files with the same name in different output folders end up
# at the same destination path; the recursive copy of the job store keeps the
# original layout.
$scheduledJobsTail = 'config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs'
$scheduledJobStores = @(
    @{ SystemDir = 'System32'; Label = 'Systemprofile' }          # 378, 379
    @{ SystemDir = 'SysWOW64'; Label = 'WOW64_Systemprofile' }    # 380, 381
)
foreach ($scheduledJobStore in $scheduledJobStores) {
    $scheduledJobsRoot = "C:\Windows\$($scheduledJobStore.SystemDir)\$scheduledJobsTail"
    Collect-Artifact -SourceDir $scheduledJobsRoot -FolderName "PowerShell_Scheduled_Jobs_$($scheduledJobStore.Label)"
    Collect-Artifact -SourceDir "$scheduledJobsRoot\*\Output\*" -FolderName "PowerShell_Scheduled_Jobs_Output_$($scheduledJobStore.Label)"
}
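# System databases, registry hive and crash artifacts, entries 382-394.
# The original calls sent the live tree and the Windows.old tree to the same
# FolderName. robocopy replaces a destination file whose size or timestamp
# differs, so the Windows.old SOFTWARE hive (or SRUM / WBEM / dump files)
# could overwrite the copy taken from the live tree. Windows.old sources now
# go to their own "Windows_old_" folders, the naming already used for the
# Windows.old RDP cache entry in this script.
# NOTE(review): on a running system the live SOFTWARE hive and the SRUM
# database are normally held open by the OS. Collect-Artifact uses a plain
# robocopy with /R:0 and discards its output, so a failed copy only shows up
# in the Errors counter. Confirm the summary is checked, or collect these
# from a shadow copy or mounted image.

# 382. SRUM
Collect-Artifact -SourceDir "C:\Windows\System32\SRU" -FolderName "SRUM"
# 383. SRUM (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\SRU" -FolderName "Windows_old_SRUM"
# 384. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 385. SOFTWARE registry hive (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "Windows_old_SOFTWARE_registry_hive"
# 386. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 387. SOFTWARE registry transaction files (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "Windows_old_SOFTWARE_registry_transaction_files"
# 388. SUM Database (.mdb files)
Collect-Artifact -SourceDir "C:\Windows\System32\LogFiles\SUM" -FolderName "SUM_Database_mdb_files"
# 389. WER Files
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows\WER" -FolderName "WER_Files"
# 390. Crash Dumps (the mask is applied recursively under C:\Windows)
Collect-Artifact -SourceDir "C:\Windows" -FileMask "*.dmp" -FolderName "Crash_Dumps"
# 391. Crash Dumps (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows" -FileMask "*.dmp" -FolderName "Windows_old_Crash_Dumps"
# 392. WBEM
Collect-Artifact -SourceDir "C:\Windows\System32\wbem\Repository" -FolderName "WBEM"
# 393. WBEM (Windows.old)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\wbem\Repository" -FolderName "Windows_old_WBEM"
# 394. BITS files
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Network\Downloader" -FolderName "BITS_files"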
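# Browser history of the SYSTEM profile and the Windows Search index,
# entries 395-404.
# Entry 400 reads the Prisma Access Browser profile but was labelled
# "SYSTEM Chrome History" and written to the same folder as entry 395, so its
# History files could overwrite Chrome's and could not be attributed to the
# right browser. It now has its own label and destination.
# NOTE(review): "User Data\*" matches every profile directory and
# Collect-Artifact copies all matches into one folder, so History files from
# several profiles of the same browser still share a destination path.

# 395. SYSTEM Chrome History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_History"
# 396. SYSTEM Chrome Beta History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Beta\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Beta_History"
# 397. SYSTEM Chrome Dev History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Dev\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Dev_History"
# 398. SYSTEM Chrome SxS History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome SxS\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_SxS_History"
# 399. SYSTEM Chromium History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Chromium\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chromium_History"
# 400. SYSTEM Prisma Access Browser History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*" -FileMask "History*" -FolderName "SYSTEM_PrismaAccessBrowser_History"
# 401. SYSTEM Supermium History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Supermium\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Supermium_History"
# 402. SYSTEM WaveBrowser History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\WaveBrowser\User Data\*" -FileMask "History*" -FolderName "SYSTEM_WaveBrowser_History"
# 403. WindowsIndexSearch
Collect-Artifact -SourceDir "C:\programdata\microsoft\search\data\applications\windows" -FolderName "WindowsIndexSearch"
# 404. GatherLogs (this directory is also inside the recursive copy made by entry 403)
Collect-Artifact -SourceDir "C:\programdata\microsoft\search\data\applications\windows\GatherLogs" -FolderName "GatherLogs"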
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
ForEach-Object {
$UserName = $_.Name
# Avast AV User Logs
$UserPath = "$($_.FullName)\Avast Software\Avast\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "Avast_AV_User_Logs_$UserName"
# Local User Quarantine
$UserPath = "$($_.FullName)\AppData\Local\ESET\ESET Security\Quarantine"
Collect-Artifact -SourceDir $UserPath -FolderName "Local_User_Quarantine_$UserName"
# F-Secure User Logs
$UserPath = "$($_.FullName)\AppData\Local\F-Secure\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "F_Secure_User_Logs_$UserName"
# MalwareBytes Anti-Malware Scan Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "MalwareBytes_Anti_Malware_Scan_Logs_$UserName"
# SUPERAntiSpyware Logs
$UserPath = "$($_.FullName)\AppData\Roaming\SUPERAntiSpyware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "SUPERAntiSpyware_Logs_$UserName"
# Symantec Endpoint Protection User Logs
$UserPath = "$($_.FullName)\AppData\Local\Symantec\Symantec Endpoint Protection\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Symantec_Endpoint_Protection_User_Logs_$UserName"
# VIPRE Business User Logs (v7+)
$UserPath = "$($_.FullName)\AppData\Roaming\VIPRE Business"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_v7_$UserName"
# VIPRE Business User Logs (v5-v6)
$UserPath = "$($_.FullName)\AppData\Roaming\GFI Software\AntiMalware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_v5_v6_$UserName"
# VIPRE Business User Logs (up to v4)
$UserPath = "$($_.FullName)\AppData\Roaming\Sunbelt Software\AntiMalware\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "VIPRE_Business_User_Logs_up_to_v4_$UserName"
# Box Drive Application Metadata
$UserPath = "$($_.FullName)\AppData\Local\Box\Box"
Collect-Artifact -SourceDir $UserPath -FolderName "Box_Drive_Application_Metadata_$UserName"
# Box Sync Application Metadata
$UserPath = "$($_.FullName)\AppData\Local\Box Sync"
Collect-Artifact -SourceDir $UserPath -FolderName "Box_Sync_Application_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "info.json" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "host.db" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox\machine_storage"
Collect-Artifact -SourceDir $UserPath -FileMask "tray-thumbnails.db" -FolderName "Dropbox_Metadata_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox"
Collect-Artifact -SourceDir $UserPath -FileMask "host.dbx" -FolderName "Dropbox_Metadata_$UserName"
# Windows Protect Folder
# Copies each subfolder of the profile's Microsoft\Protect directory, which is
# where Windows keeps the user's DPAPI master keys. The copied folder is key
# material: restrict access to the evidence destination accordingly.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item without
# -Force, which does not return hidden items. If the per-SID folders are
# hidden on the target, this entry is only counted as Missed (TODO confirm).
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Dropbox Metadata
$UserPath = "$($_.FullName)\AppData\Local\Dropbox\instance*"
Collect-Artifact -SourceDir $UserPath -FolderName "Dropbox_Metadata_$UserName"
# Google Drive Backup and Sync Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Drive"
Collect-Artifact -SourceDir $UserPath -FolderName "Google_Drive_Backup_and_Sync_Metadata_$UserName"
# Google Drive for Desktop Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\DriveFS"
Collect-Artifact -SourceDir $UserPath -FolderName "Google_Drive_for_Desktop_Metadata_$UserName"
# MegaSync Folder
$UserPath = "$($_.FullName)\AppData\Local\Mega Limited\MEGAsync"
Collect-Artifact -SourceDir $UserPath -FolderName "MegaSync_Folder_$UserName"
# OneDrive User Profile
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\OneDrive"
Collect-Artifact -SourceDir $UserPath -FolderName "OneDrive_User_Profile_$UserName"
# Rclone config - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask ".rclone.conf" -FolderName "Rclone_config_User_Folder_$UserName"
# Rclone config - User .config Folder
$UserPath = "$($_.FullName)\.config\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_$UserName"
# Rclone config - User config Folder - XDG_CONFIG_HOME Default
$UserPath = "$($_.FullName)\AppData\Local\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_XDG_CONFIG_HOME_Default_$UserName"
# Rclone config - User config Folder - Roaming
$UserPath = "$($_.FullName)\AppData\Roaming\rclone"
Collect-Artifact -SourceDir $UserPath -FileMask "rclone.conf" -FolderName "Rclone_config_User_config_Folder_Roaming_$UserName"
# FreeFileSync
$UserPath = "$($_.FullName)\AppData\Roaming\FreeFileSync\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "FreeFileSync_$UserName"
# PowerShell Console Log
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline"
Collect-Artifact -SourceDir $UserPath -FileMask "*_history.txt" -FolderName "PowerShell_Console_Log_$UserName"
# PowerShell ISE - AutoSave Files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles"
Collect-Artifact -SourceDir $UserPath -FileMask "*.ps1" -FolderName "PowerShell_ISE_AutoSave_Files_$UserName"
# PowerShell ISE - User Config
$UserPath = "$($_.FullName)\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "*.config" -FolderName "PowerShell_ISE_User_Config_$UserName"
# PowerShell Transcripts - Default Location
$UserPath = "$($_.FullName)\Documents"
Collect-Artifact -SourceDir $UserPath -FileMask "PowerShell_transcript.*.txt" -FolderName "PowerShell_Transcripts_Default_Location_$UserName"
# PowerShell Transcripts - Observed Location
$UserPath = "$($_.FullName)\Documents\20*"
Collect-Artifact -SourceDir $UserPath -FileMask "PowerShell_transcript.*.txt" -FolderName "PowerShell_Transcripts_Observed_Location_$UserName"
# .NET CLR UsageLogs (user-scoped)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\CLR_*"
Collect-Artifact -SourceDir $UserPath -FileMask "*.log" -FolderName "NET_CLR_UsageLogs_user_scoped_$UserName"
# User Group Policy files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Group Policy\History"
Collect-Artifact -SourceDir $UserPath -FolderName "User_Group_Policy_files_$UserName"
# FileZilla XML Log Files
$UserPath = "$($_.FullName)\AppData\Roaming\FileZilla"
Collect-Artifact -SourceDir $UserPath -FileMask "*.xml*" -FolderName "FileZilla_XML_Log_Files_$UserName"
# FileZilla SQLite3 Log Files
$UserPath = "$($_.FullName)\AppData\Roaming\FileZilla"
Collect-Artifact -SourceDir $UserPath -FileMask "*.sqlite3*" -FolderName "FileZilla_SQLite3_Log_Files_$UserName"
# FileZilla Server XML Log Files
$UserPath = "$($_.FullName)\AppData\Roaming\FileZilla Server"
Collect-Artifact -SourceDir $UserPath -FileMask "*.xml*" -FolderName "FileZilla_Server_XML_Log_Files_$UserName"
# LNK Files from Recent
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_$UserName"
# LNK Files from Microsoft Office Recent
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Microsoft_Office_Recent_$UserName"
# Start Menu LNK Files
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Start_Menu_LNK_Files_$UserName"
# LNK Files from Recent (XP)
$UserPath = "$($_.FullName)\Recent"
Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_XP_$UserName"
# Desktop LNK Files XP
$UserPath = "$($_.FullName)\Desktop"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_XP_$UserName"
# Desktop LNK Files
$UserPath = "$($_.FullName)\Desktop"
Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_$UserName"
# HexChat Chat Logs
$UserPath = "$($_.FullName)\AppData\Roaming\HexChat\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "HexChat_Chat_Logs_$UserName"
# IceChat Chat Logs
$UserPath = "$($_.FullName)\AppData\Local\IceChat Networks\IceChat\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "IceChat_Chat_Logs_$UserName"
# mIRC Chat Logs (Vista+)
$UserPath = "$($_.FullName)\AppData\Roaming\mIRC\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "mIRC_Chat_Logs_Vista_$UserName"
# mIRC Chat Logs (2000/XP)
$UserPath = "$($_.FullName)\Application Data\mIRC\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "mIRC_Chat_Logs_2000_XP_$UserName"
# Cisco Jabber Database
$UserPath = "$($_.FullName)\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History"
Collect-Artifact -SourceDir $UserPath -FileMask "*.db" -FolderName "Cisco_Jabber_Database_$UserName"
# Discord Cache Files
$UserPath = "$($_.FullName)\AppData\Roaming\discord\cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Discord_Cache_Files_$UserName"
# Discord Local Storage LevelDB Files
$UserPath = "$($_.FullName)\AppData\Roaming\discord\local storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Discord_Local_Storage_LevelDB_Files_$UserName"
# Mattermost - Chat Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Mattermost\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Mattermost_Chat_Logs_$UserName"
# Microsoft Teams IndexedDB Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Teams_IndexedDB_Cache_$UserName"
# Microsoft Teams Local Storage Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Teams_Local_Storage_Cache_$UserName"
# Microsoft Teams Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Teams\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Teams_Cache_$UserName"
# Microsoft Teams Config
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Teams"
Collect-Artifact -SourceDir $UserPath -FileMask "desktop-config.json" -FolderName "Microsoft_Teams_Config_$UserName"
# Microsoft Teams Logs (Windows 11)
$UserPath = "$($_.FullName)\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Teams_Logs_Windows_11_$UserName"
# Signal Attachments cache
$UserPath = "$($_.FullName)\AppData\Roaming\Signal\attachments.noindex"
Collect-Artifact -SourceDir $UserPath -FolderName "Signal_Attachments_cache_$UserName"
# Signal Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Signal\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Signal_Logs_$UserName"
# Signal config.json
$UserPath = "$($_.FullName)\AppData\Roaming\Signal"
Collect-Artifact -SourceDir $UserPath -FileMask "config.json" -FolderName "Signal_config_json_$UserName"
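# Signal Database
# The mask is widened from "db.sqlite" to "db.sqlite*" so that SQLite sidecar
# files next to the database (for example db.sqlite-wal and db.sqlite-shm,
# when the database runs in WAL mode) are collected with it. Without them,
# recent writes that are not yet checkpointed are missing from the evidence.
# Other SQLite entries in this script already use a trailing wildcard
# ("*.sqlite3*", "History*").
$UserPath = "$($_.FullName)\AppData\Roaming\Signal\sql"
Collect-Artifact -SourceDir $UserPath -FileMask "db.sqlite*" -FolderName "Signal_Database_$UserName"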
# main.db (App <v12)
$UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*"
Collect-Artifact -SourceDir $UserPath -FileMask "main.db" -FolderName "main_db_App_v12_$UserName"
# skype.db (App +v12)
$UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*"
Collect-Artifact -SourceDir $UserPath -FileMask "skype.db" -FolderName "skype_db_App_v12_$UserName"
# main.db XP
$UserPath = "$($_.FullName)\Application Data\Skype\*"
Collect-Artifact -SourceDir $UserPath -FileMask "main.db" -FolderName "main_db_XP_$UserName"
# main.db Win7+
$UserPath = "$($_.FullName)\AppData\Roaming\Skype\*"
Collect-Artifact -SourceDir $UserPath -FileMask "main.db" -FolderName "main_db_Win7_$UserName"
# s4l-[username].db (App +v8)
$UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState"
Collect-Artifact -SourceDir $UserPath -FileMask "s4l-*.db" -FolderName "s4l_username_db_App_v8_$UserName"
# leveldb (Skype for Desktop +v8)
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "leveldb_Skype_for_Desktop_v8_$UserName"
# Skype for Destkop v8+ Chromium Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Skype for Desktop\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Skype_for_Destkop_v8_Chromium_Cache_$UserName"
# Slack - Chat Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Chat_Logs_$UserName"
# Slack LevelDB Files
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_LevelDB_Files_$UserName"
# Slack Electron Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Electron_Logs_$UserName"
# Slack Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Cache_$UserName"
# Slack Storage
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\storage"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Storage_$UserName"
# Telegram app folder
$UserPath = "$($_.FullName)\AppData\Roaming\Telegram Desktop"
Collect-Artifact -SourceDir $UserPath -FolderName "Telegram_app_folder_$UserName"
# Telegram downloaded files
$UserPath = "$($_.FullName)\Downloads\Telegram Desktop"
Collect-Artifact -SourceDir $UserPath -FolderName "Telegram_downloaded_files_$UserName"
# Viber Config Database
$UserPath = "$($_.FullName)\AppData\Roaming\ViberPC"
Collect-Artifact -SourceDir $UserPath -FileMask "config.db" -FolderName "Viber_Config_Database_$UserName"
# Viber Users Data Database
$UserPath = "$($_.FullName)\AppData\Roaming\ViberPC\*"
Collect-Artifact -SourceDir $UserPath -FileMask "viber.db" -FolderName "Viber_Users_Data_Database_$UserName"
# Viber Users Avatars Cache
$UserPath = "$($_.FullName)\AppData\Roaming\ViberPC\*\Avatars"
Collect-Artifact -SourceDir $UserPath -FolderName "Viber_Users_Avatars_Cache_$UserName"
# Viber Users Backgrounds Cache
$UserPath = "$($_.FullName)\AppData\Roaming\ViberPC\*\Backgrounds"
Collect-Artifact -SourceDir $UserPath -FolderName "Viber_Users_Backgrounds_Cache_$UserName"
# Viber Users Thumbnails Cache
$UserPath = "$($_.FullName)\AppData\Roaming\ViberPC\*\Thumbnails"
Collect-Artifact -SourceDir $UserPath -FolderName "Viber_Users_Thumbnails_Cache_$UserName"
# WhatsApp Cache
$UserPath = "$($_.FullName)\AppData\Roaming\WhatsApp\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "WhatsApp_Cache_$UserName"
# WhatsApp Local Storage
$UserPath = "$($_.FullName)\AppData\Roaming\WhatsApp\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "WhatsApp_Local_Storage_$UserName"
# Microsoft Store WhatsApp Cache
$UserPath = "$($_.FullName)\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Store_WhatsApp_Cache_$UserName"
# Microsoft Store WhatsApp Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Store_WhatsApp_Local_Storage_$UserName"
# Advanced IP Scanner Aliases - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Aliases.bin" -FolderName "Advanced_IP_Scanner_Aliases_User_Folder_$UserName"
# Advanced IP Scanner Aliases - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced IP Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Aliases.bin" -FolderName "Advanced_IP_Scanner_Aliases_User_Temp_Folder_$UserName"
# Advanced IP Scanner Comments - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Comments.bin" -FolderName "Advanced_IP_Scanner_Comments_User_Folder_$UserName"
# Advanced IP Scanner Comments - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced IP Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Comments.bin" -FolderName "Advanced_IP_Scanner_Comments_User_Temp_Folder_$UserName"
# Advanced IP Scanner MAC - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_MAC.bin" -FolderName "Advanced_IP_Scanner_MAC_User_Folder_$UserName"
# Advanced IP Scanner MAC - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced IP Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_MAC.bin" -FolderName "Advanced_IP_Scanner_MAC_User_Temp_Folder_$UserName"
# Advanced IP Scanner Favorites - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Favorites.bin" -FolderName "Advanced_IP_Scanner_Favorites_User_Folder_$UserName"
# Advanced IP Scanner Favorites - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced IP Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_ip_scanner_Favorites.bin" -FolderName "Advanced_IP_Scanner_Favorites_User_Temp_Folder_$UserName"
# Advanced Port Scanner Aliases - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Aliases.bin" -FolderName "Advanced_Port_Scanner_Aliases_User_Folder_$UserName"
# Advanced Port Scanner Aliases - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced Port Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Aliases.bin" -FolderName "Advanced_Port_Scanner_Aliases_User_Temp_Folder_$UserName"
# Advanced Port Scanner Comments - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Comments.bin" -FolderName "Advanced_Port_Scanner_Comments_User_Folder_$UserName"
# Advanced Port Scanner Comments - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced Port Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Comments.bin" -FolderName "Advanced_Port_Scanner_Comments_User_Temp_Folder_$UserName"
# Advanced Port Scanner MAC - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_MAC.bin" -FolderName "Advanced_Port_Scanner_MAC_User_Folder_$UserName"
# Advanced Port Scanner MAC - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced Port Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_MAC.bin" -FolderName "Advanced_Port_Scanner_MAC_User_Temp_Folder_$UserName"
# Advanced Port Scanner Favorites - User Folder
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Favorites.bin" -FolderName "Advanced_Port_Scanner_Favorites_User_Folder_$UserName"
# Advanced Port Scanner Favorites - User Temp Folder
$UserPath = "$($_.FullName)\AppData\Local\Temp\Advanced Port Scanner 2"
Collect-Artifact -SourceDir $UserPath -FileMask "advanced_port_scanner_Favorites.bin" -FolderName "Advanced_Port_Scanner_Favorites_User_Temp_Folder_$UserName"
# NTUSER.DAT registry hive XP
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_XP_$UserName"
# NTUSER.DAT registry hive
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_$UserName"
# NTUSER.DAT registry transaction files
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT.LOG*" -FolderName "NTUSER_DAT_registry_transaction_files_$UserName"
# UsrClass.dat registry hive
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat*" -FolderName "UsrClass_dat_registry_hive_$UserName"
# UsrClass.dat registry transaction files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat.LOG*" -FolderName "UsrClass_dat_registry_transaction_files_$UserName"
# Registry.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive_$UserName"
# settings.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\Settings"
Collect-Artifact -SourceDir $UserPath -FileMask "settings.dat*" -FolderName "settings_dat_MSIX_Hive_$UserName"
# User.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "User.dat*" -FolderName "User_dat_MSIX_Hive_$UserName"
# UserClasses.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "UserClasses.dat*" -FolderName "UserClasses_dat_MSIX_Hive_$UserName"
# AnyDesk Logs - User Profile - *.trace
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.trace" -FolderName "AnyDesk_Logs_User_Profile_trace_$UserName"
# AnyDesk Logs - User Profile - *.conf
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "AnyDesk_Logs_User_Profile_conf_$UserName"
# AnyDesk Videos
$UserPath = "$($_.FullName)\Videos\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "*.anydesk" -FolderName "AnyDesk_Videos_$UserName"
# AnyDesk Logs - User Profile - connection_trace.txt
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_User_Profile_connection_trace_txt_$UserName"
# AnyDesk Chat Logs - User Profile
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk\chat"
Collect-Artifact -SourceDir $UserPath -FileMask "*.txt" -FolderName "AnyDesk_Chat_Logs_User_Profile_$UserName"
# AnyDesk File Transfer Logs - Running in portable mode
$UserPath = "$($_.FullName)\AppData\Roaming\AnyDesk"
Collect-Artifact -SourceDir $UserPath -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Running_in_portable_mode_$UserName"
# ISLOnline Logs - Sessions - *.out
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*"
Collect-Artifact -SourceDir $UserPath -FileMask "ISLClient.out" -FolderName "ISLOnline_Logs_Sessions_out_$UserName"
# ISLOnline Logs - Session Configurations
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*\conf"
Collect-Artifact -SourceDir $UserPath -FileMask "*" -FolderName "ISLOnline_Logs_Session_Configurations_$UserName"
# ISL Light Logs - Sessions
$UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light\*"
Collect-Artifact -SourceDir $UserPath -FileMask "trace.out" -FolderName "ISL_Light_Logs_Sessions_$UserName"
# Kaseya Live Connect Logs (XP)
$UserPath = "$($_.FullName)\Application Data\Kaseya\Log"
Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_XP_$UserName"
# Kaseya Live Connect Logs
$UserPath = "$($_.FullName)\AppData\Local\Kaseya\Log\KaseyaLiveConnect"
Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_$UserName"
# Kaseya Setup Log
$UserPath = "$($_.FullName)\AppData\Local\Temp"
Collect-Artifact -SourceDir $UserPath -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log_$UserName"
# LogMeIn Application Logs
$UserPath = "$($_.FullName)\AppData\Local\temp\LogMeInLogs"
Collect-Artifact -SourceDir $UserPath -FolderName "LogMeIn_Application_Logs_$UserName"
# mRemoteNG Logs
$UserPath = "$($_.FullName)\AppData\Roaming\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "mRemoteNG.log" -FolderName "mRemoteNG_Logs_$UserName"
# mRemoteNG Connection Configuration and Backups
$UserPath = "$($_.FullName)\AppData\Roaming\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "confCons.xml*" -FolderName "mRemoteNG_Connection_Configuration_and_Backups_$UserName"
# mRemoteNG Program Settings
$UserPath = "$($_.FullName)\AppData\*\mRemoteNG"
Collect-Artifact -SourceDir $UserPath -FileMask "user.config" -FolderName "mRemoteNG_Program_Settings_$UserName"
# Net Monitor Server Logs
# NOTE(review): SourceDir is the profile root and no FileMask is given, so
# Collect-Artifact's default mask ("*") with robocopy /E copies the user's
# entire profile into this folder. The product-specific subdirectory appears
# to have been lost when the script was generated. Restore it from the
# original target definition before relying on this entry.
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FolderName "Net_Monitor_Server_Logs_$UserName"
# Microsoft Quick Assist
$UserPath = "$($_.FullName)\AppData\Local\Temp\QuickAssist"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Quick_Assist_$UserName"
# Microsoft Remote Help
$UserPath = "$($_.FullName)\AppData\Local\Temp\RemoteHelp"
Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Remote_Help_$UserName"
# Radmin Viewer Chats
$UserPath = "$($_.FullName)\Documents\ChatLogs\*"
Collect-Artifact -SourceDir $UserPath -FileMask "*.htm" -FolderName "Radmin_Viewer_Chats_$UserName"
# RDP Cache Files
# Terminal Server Client bitmap cache directory for the current profile.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
# Windows.old RDP Cache Files
# NOTE(review): this path is identical to the entry above, so the same
# directory is copied a second time under a different folder name and nothing
# from a Windows.old tree is actually read here. Presumably the Windows.old
# prefix was dropped during generation - verify the intended source.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_old_RDP_Cache_Files_$UserName"
# RDP Cache Files
# Legacy "Local Settings\Application Data" layout of the same cache.
# NOTE(review): reuses the FolderName of the first entry, so files from both
# layouts land in one destination and their origin is no longer
# distinguishable from the folder name alone.
$UserPath = "$($_.FullName)\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
# RustDesk logs
$UserPath = "$($_.FullName)\AppData\Roaming\RustDesk"
Collect-Artifact -SourceDir $UserPath -FolderName "RustDesk_logs_$UserName"
# TeamViewer Application User Logs
$UserPath = "$($_.FullName)\AppData\Roaming\TeamViewer"
Collect-Artifact -SourceDir $UserPath -FileMask "TeamViewer*_Logfile*" -FolderName "TeamViewer_Application_User_Logs_$UserName"
# TeamViewer Configuration Files
$UserPath = "$($_.FullName)\AppData\Roaming\TeamViewer\MRU\RemoteSupport"
Collect-Artifact -SourceDir $UserPath -FolderName "TeamViewer_Configuration_Files_$UserName"
# Unified endpoint management and security solutions from ManageEngine
$UserPath = "$($_.FullName)\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs"
Collect-Artifact -SourceDir $UserPath -FileMask "*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine_$UserName"
# UltraViewer User Logs
$UserPath = "$($_.FullName)\AppData\Roaming\UltraViewer"
Collect-Artifact -SourceDir $UserPath -FolderName "UltraViewer_User_Logs_$UserName"
# RealVNC Log
$UserPath = "$($_.FullName)\AppData\Local\RealVNC"
Collect-Artifact -SourceDir $UserPath -FileMask "vncserver.log" -FolderName "RealVNC_Log_$UserName"
# Zoho Assist log files in AppData\Local
$UserPath = "$($_.FullName)\AppData\Local\ZohoMeeting\log"
Collect-Artifact -SourceDir $UserPath -FolderName "Zoho_Assist_log_files_in_AppData_Local_$UserName"
# Zoho Assist .conf files in AppData\Local
$UserPath = "$($_.FullName)\AppData\Local\ZohoMeeting"
Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files_in_AppData_Local_$UserName"
# PowerShell Scheduled_Jobs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs"
Collect-Artifact -SourceDir $UserPath -FolderName "PowerShell_Scheduled_Jobs_$UserName"
# PowerShell Scheduled_Jobs Output
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*"
Collect-Artifact -SourceDir $UserPath -FolderName "PowerShell_Scheduled_Jobs_Output_$UserName"
# WER Files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\WER"
Collect-Artifact -SourceDir $UserPath -FolderName "WER_Files_$UserName"
# Crash Dumps
$UserPath = "$($_.FullName)\AppData\Local\CrashDumps"
Collect-Artifact -SourceDir $UserPath -FileMask "*.dmp" -FolderName "Crash_Dumps_$UserName"
# Thumbcache DB
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\Explorer"
Collect-Artifact -SourceDir $UserPath -FileMask "thumbcache_*.db" -FolderName "Thumbcache_DB_$UserName"
# 360 Secure Browser Bookmarks
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "360Bookmarks*" -FolderName "360_Secure_Browser_Bookmarks_$UserName"
# 360 Secure Browser Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "360_Secure_Browser_Cookies_$UserName"
# 360 Secure Browser Current Session
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "360_Secure_Browser_Current_Session_$UserName"
# 360 Secure Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "360_Secure_Browser_Current_Tabs_$UserName"
# 360 Secure Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "360_Secure_Browser_Download_Metadata_$UserName"
# 360 Secure Browser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "360_Secure_Browser_Extension_Cookies_$UserName"
# 360 Secure Browser Favicons
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "360_Secure_Browser_Favicons_$UserName"
# 360 Secure Browser History
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "360History*" -FolderName "360_Secure_Browser_History_$UserName"
# 360 Secure Browser Last Session
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "360_Secure_Browser_Last_Session_$UserName"
# 360 Secure Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "360_Secure_Browser_Last_Tabs_$UserName"
# 360 Secure Browser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_Sessions_Folder_$UserName"
# 360 Secure Browser Login Data
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "360_Secure_Browser_Login_Data_$UserName"
# 360 Secure Browser Media History
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "360_Secure_Browser_Media_History_$UserName"
# 360 Secure Browser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "360_Secure_Browser_Network_Action_Predictor_$UserName"
# 360 Secure Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "360_Secure_Browser_Network_Persistent_State_$UserName"
# 360 Secure Browser Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "360_Secure_Browser_Preferences_$UserName"
# 360 Secure Browser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "360_Secure_Browser_Secure_Preferences_$UserName"
# 360 Secure Browser Quota Manager
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "360_Secure_Browser_Quota_Manager_$UserName"
# 360 Secure Browser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "360_Secure_Browser_Reporting_and_NEL_$UserName"
# 360 Secure Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "360_Secure_Browser_Shortcuts_$UserName"
# 360 Secure Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "360_Secure_Browser_Top_Sites_$UserName"
# 360 Secure Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "360_Secure_Browser_Trust_Tokens_$UserName"
# 360 Secure Browser SyncData Database
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_SyncData_Database_$UserName"
# 360 Secure Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "360_Secure_Browser_Visited_Links_$UserName"
# 360 Secure Browser Web Data
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "360_Secure_Browser_Web_Data_$UserName"
# Windows Protect Folder
# Protect\* matches the per-SID directories that hold the user's DPAPI
# master-key files. Together with the browser credential stores collected in
# this script they are what an examiner needs to recover saved secrets
# offline, so the destination volume should be access-controlled or encrypted
# and tracked in the chain of custody.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item and no
# -Force; confirm these directories are still matched if they carry
# hidden/system attributes, otherwise this entry silently counts as "Missed".
# NOTE(review): the same path and FolderName are collected again further down
# in this loop (after the Chrome Local Storage entry); the second run is
# redundant.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# 360 Secure Browser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Roaming\360se6\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "360_Secure_Browser_Snapshots_Folder_$UserName"
# Arc Cookies
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Arc_Cookies_$UserName"
# Arc Favicons
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Arc_Favicons_$UserName"
# Arc History
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Arc_History_$UserName"
# Arc Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Arc_Sessions_Folder_$UserName"
# Arc Login Data
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Arc_Login_Data_$UserName"
# Arc Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Arc_Network_Action_Predictor_$UserName"
# Arc Preferences
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Arc_Preferences_$UserName"
# Arc Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Arc_Secure_Preferences_$UserName"
# Arc Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Arc_Shortcuts_$UserName"
# Arc Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Arc_Top_Sites_$UserName"
# Arc SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Arc_SyncData_Database_$UserName"
# Arc Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Arc_Bookmarks_$UserName"
# Arc Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Arc_Visited_Links_$UserName"
# Arc Web Data
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Arc_Web_Data_$UserName"
# Arc JSON Files
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local\Arc"
Collect-Artifact -SourceDir $UserPath -FileMask "Storable*.json" -FolderName "Arc_JSON_Files_$UserName"
# Arc PLIST Files
$UserPath = "$($_.FullName)\AppData\Local\Packages\TheBrowserCompany.Arc_ttt1ap7aakyb4\LocalCache\Local"
Collect-Artifact -SourceDir $UserPath -FileMask "com*.plist" -FolderName "Arc_PLIST_Files_$UserName"
# Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Bookmarks_$UserName"
# Cookies
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Cookies_$UserName"
# Current Session
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Current_Session_$UserName"
# Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Current_Tabs_$UserName"
# Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Download_Metadata_$UserName"
# Favicons
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Favicons_$UserName"
# History
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "History_$UserName"
# Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Sessions_Folder_$UserName"
# Login Data
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Login_Data_$UserName"
# Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Network_Action_Predictor_$UserName"
# Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Network_Persistent_State_$UserName"
# Preferences
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Preferences_$UserName"
# Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Quota_Manager_$UserName"
# Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Reporting_and_NEL_$UserName"
# Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Shortcuts_$UserName"
# Publisher Info DB/Brave Rewards
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "publisher_info_db*" -FolderName "Publisher_Info_DB_Brave_Rewards_$UserName"
# Top Sites
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Top_Sites_$UserName"
# Visited Links
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links*" -FolderName "Visited_Links_$UserName"
# Web Data
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Web_Data_$UserName"
# Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences*" -FolderName "Secure_Preferences_$UserName"
# Chrome Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Bookmarks_XP_$UserName"
# Chrome Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Cookies_XP_$UserName"
# Chrome Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Current_Session_XP_$UserName"
# Chrome Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Current_Tabs_XP_$UserName"
# Chrome Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Favicons_XP_$UserName"
# Chrome History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_History_XP_$UserName"
# Chrome Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Last_Session_XP_$UserName"
# Chrome Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Last_Tabs_XP_$UserName"
# Chrome Login Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Login_Data_XP_$UserName"
# Chrome Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Preferences_XP_$UserName"
# Chrome Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Shortcuts_XP_$UserName"
# Chrome Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Top_Sites_XP_$UserName"
# Chrome Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Visited_Links_XP_$UserName"
# Chrome Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Web_Data_XP_$UserName"
# Chrome Bookmarks
# "User Data\*" is expanded by Collect-Artifact to every directory directly
# under User Data (each browser profile, plus any non-profile directories).
# NOTE(review): every match is copied into the same destination folder, so
# same-named files from different profiles map to one destination path and
# only one copy can survive; the profile a file came from is also not
# recorded. A per-profile subfolder in the destination would keep the
# evidence separable - this applies to every "User Data\*" entry in the loop.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Bookmarks_$UserName"
# Chrome Cookies
# The trailing '*' in the mask also picks up companion files such as a
# journal next to the database. The copy recurses (/E), so a Cookies file kept
# in a subfolder of the profile is included with its relative path.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Cookies_$UserName"
# Chrome Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Current_Session_$UserName"
# Chrome Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Current_Tabs_$UserName"
# Chrome Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Download_Metadata_$UserName"
# Chrome Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Extension_Cookies_$UserName"
# Chrome Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Favicons_$UserName"
# Chrome History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_History_$UserName"
# Chrome Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Last_Session_$UserName"
# Chrome Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Last_Tabs_$UserName"
# Chrome Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Sessions_Folder_$UserName"
# Chrome Login Data
# Login Data* is the browser's saved-credential database and its companion
# files; handle the output as credential-bearing evidence.
# NOTE(review): current Chromium builds keep the key that protects these
# entries in "User Data\Local State", one level above the profile directories
# matched here. Confirm that file is collected by another entry, otherwise the
# stored values cannot be examined offline.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Login_Data_$UserName"
# Chrome Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Media_History_$UserName"
# Chrome Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Network_Action_Predictor_$UserName"
# Chrome Network Persistent State
# Profile-root location of the file.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Network_Persistent_State_$UserName"
# Chrome Network Persistent State
# Network\ sub-folder location of the same file.
# NOTE(review): same FolderName as the entry above. Because the copy recurses
# (/E), the first call should already reach the Network\ copy and store it
# under a Network\ subfolder; this call then places the same file at the root
# of the destination. The result is a duplicate whose original location is
# ambiguous. The Quota Manager, Reporting and NEL and Trust Tokens entries
# below follow the same two-call pattern.
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Network_Persistent_State_$UserName"
# Chrome Preferences
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Preferences_$UserName"
# Chrome Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Quota_Manager_$UserName"
# Chrome Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Quota_Manager_$UserName"
# Chrome Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Reporting_and_NEL_$UserName"
# Chrome Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Reporting_and_NEL_$UserName"
# Chrome Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Shortcuts_$UserName"
# Chrome Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Top_Sites_$UserName"
# Chrome Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Trust_Tokens_$UserName"
# Chrome Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Trust_Tokens_$UserName"
# Chrome SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_SyncData_Database_$UserName"
# Chrome Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Visited_Links_$UserName"
# Chrome Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Web_Data_$UserName"
# Chrome IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_IndexedDB_$UserName"
# Chrome Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Local_Storage_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Snapshots_Folder_$UserName"
# Chrome Beta Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Beta_Bookmarks_XP_$UserName"
# Chrome Beta Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Beta_Cookies_XP_$UserName"
# Chrome Beta Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Beta_Current_Session_XP_$UserName"
# Chrome Beta Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Beta_Current_Tabs_XP_$UserName"
# Chrome Beta Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Beta_Favicons_XP_$UserName"
# Chrome Beta History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Beta_History_XP_$UserName"
# Chrome Beta Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Beta_Last_Session_XP_$UserName"
# Chrome Beta Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Beta_Last_Tabs_XP_$UserName"
# Chrome Beta Login Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Beta_Login_Data_XP_$UserName"
# Chrome Beta Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Beta_Preferences_XP_$UserName"
# Chrome Beta Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Beta_Shortcuts_XP_$UserName"
# Chrome Beta Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Beta_Top_Sites_XP_$UserName"
# Chrome Beta Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Beta_Visited_Links_XP_$UserName"
# Chrome Beta Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Beta_Web_Data_XP_$UserName"
# Chrome Beta Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Beta_Bookmarks_$UserName"
# Chrome Beta Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Beta_Cookies_$UserName"
# Chrome Beta Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Beta_Current_Session_$UserName"
# Chrome Beta artifacts under AppData\Local. Collect-Artifact expands
# "User Data\*" to every directory below User Data and copies each match
# recursively (/E) into the single -FolderName destination.
# NOTE(review): same-named files from different profile directories therefore
# land on the same destination path and only one copy survives; the output
# does not record which profile a file came from.
# NOTE(review): robocopy runs with /R:0 and its output discarded, so a file the
# running browser holds open is not retried and surfaces only in $Summary.Errors.
# Chrome Beta Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Beta_Current_Tabs_$UserName"
# Chrome Beta Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Beta_Download_Metadata_$UserName"
# Chrome Beta Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Beta_Extension_Cookies_$UserName"
# Chrome Beta Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Beta_Favicons_$UserName"
# Chrome Beta History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Beta_History_$UserName"
# Chrome Beta Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Beta_Last_Session_$UserName"
# Chrome Beta Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Beta_Last_Tabs_$UserName"
# Chrome Beta Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Sessions_Folder_$UserName"
# Chrome Beta Login Data (saved-login database plus any sidecar files matching
# the mask; handle the collected copy as credential material)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Beta_Login_Data_$UserName"
# Chrome Beta Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Beta_Media_History_$UserName"
# Chrome Beta Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Beta_Network_Action_Predictor_$UserName"
# Chrome Beta Network Persistent State (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Beta_Network_Persistent_State_$UserName"
# Chrome Beta Network Persistent State (Network subfolder only; written to the
# same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Beta_Network_Persistent_State_$UserName"
# Chrome Beta Preferences (exact name: "Secure Preferences" is not matched, and
# in this part of the script only the Chromium section collects it)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Beta_Preferences_$UserName"
# Chrome Beta Quota Manager (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Beta_Quota_Manager_$UserName"
# Chrome Beta Quota Manager (WebStorage subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Beta_Quota_Manager_$UserName"
# Chrome Beta Reporting and NEL (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Beta_Reporting_and_NEL_$UserName"
# Chrome Beta Reporting and NEL (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Beta_Reporting_and_NEL_$UserName"
# Chrome Beta Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Beta_Shortcuts_$UserName"
# Chrome Beta Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Beta_Top_Sites_$UserName"
# Chrome Beta Trust Tokens (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Beta_Trust_Tokens_$UserName"
# Chrome Beta Trust Tokens (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Beta_Trust_Tokens_$UserName"
# Chrome Beta SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_Beta_SyncData_Database_$UserName"
# Chrome Beta Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Beta_Visited_Links_$UserName"
# Chrome Beta Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Beta_Web_Data_$UserName"
# Chrome Beta IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_IndexedDB_$UserName"
# Chrome Beta Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Local_Storage_$UserName"
# Windows Protect Folder: per-user DPAPI master keys (key material; restrict
# access to the collected copy). The same source and -FolderName recur in the
# other browser sections of this loop, so the copy is repeated per section.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item without
# -Force; if the directories under Protect carry the Hidden attribute they will
# not match. Check that the destination folder is actually populated.
# NOTE(review): no visible Chrome Beta entry collects "User Data\Local State";
# confirm it is gathered elsewhere if the protected values are to be examined offline.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Beta Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Beta\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Beta_Snapshots_Folder_$UserName"
# Chrome Dev artifacts under the Windows XP profile layout
# (Local Settings\Application Data). Collect-Artifact expands "User Data\*" to
# every directory below User Data and copies each match recursively (/E) into
# the single -FolderName destination.
# NOTE(review): same-named files from different profile directories land on
# the same destination path, so only one copy survives and its profile of
# origin is not recorded.
# Chrome Dev Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Dev_Bookmarks_XP_$UserName"
# Chrome Dev Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Dev_Cookies_XP_$UserName"
# Chrome Dev Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Dev_Current_Session_XP_$UserName"
# Chrome Dev Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Dev_Current_Tabs_XP_$UserName"
# Chrome Dev Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Dev_Favicons_XP_$UserName"
# Chrome Dev History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Dev_History_XP_$UserName"
# Chrome Dev Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Dev_Last_Session_XP_$UserName"
# Chrome Dev Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Dev_Last_Tabs_XP_$UserName"
# Chrome Dev Login Data XP (exact name: unlike the non-XP entry's "Login Data*",
# a "Login Data-journal" sidecar is not matched here; handle the collected copy
# as credential material)
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_Dev_Login_Data_XP_$UserName"
# Chrome Dev Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Dev_Preferences_XP_$UserName"
# Chrome Dev Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Dev_Shortcuts_XP_$UserName"
# Chrome Dev Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Dev_Top_Sites_XP_$UserName"
# Chrome Dev Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Dev_Visited_Links_XP_$UserName"
# Chrome Dev Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Dev_Web_Data_XP_$UserName"
# Chrome Dev artifacts under AppData\Local. Collect-Artifact expands
# "User Data\*" to every directory below User Data and copies each match
# recursively (/E) into the single -FolderName destination.
# NOTE(review): same-named files from different profile directories therefore
# land on the same destination path and only one copy survives; the output
# does not record which profile a file came from.
# NOTE(review): robocopy runs with /R:0 and its output discarded, so a file the
# running browser holds open is not retried and surfaces only in $Summary.Errors.
# Chrome Dev Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_Dev_Bookmarks_$UserName"
# Chrome Dev Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_Dev_Cookies_$UserName"
# Chrome Dev Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_Dev_Current_Session_$UserName"
# Chrome Dev Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_Dev_Current_Tabs_$UserName"
# Chrome Dev Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_Dev_Download_Metadata_$UserName"
# Chrome Dev Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_Dev_Extension_Cookies_$UserName"
# Chrome Dev Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_Dev_Favicons_$UserName"
# Chrome Dev History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_Dev_History_$UserName"
# Chrome Dev Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_Dev_Last_Session_$UserName"
# Chrome Dev Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_Dev_Last_Tabs_$UserName"
# Chrome Dev Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Sessions_Folder_$UserName"
# Chrome Dev Login Data (saved-login database plus any sidecar files matching
# the mask; handle the collected copy as credential material)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_Dev_Login_Data_$UserName"
# Chrome Dev Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_Dev_Media_History_$UserName"
# Chrome Dev Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_Dev_Network_Action_Predictor_$UserName"
# Chrome Dev Network Persistent State (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Dev_Network_Persistent_State_$UserName"
# Chrome Dev Network Persistent State (Network subfolder only; written to the
# same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_Dev_Network_Persistent_State_$UserName"
# Chrome Dev Preferences (exact name: "Secure Preferences" is not matched, and
# in this part of the script only the Chromium section collects it)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_Dev_Preferences_$UserName"
# Chrome Dev Quota Manager (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Dev_Quota_Manager_$UserName"
# Chrome Dev Quota Manager (WebStorage subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_Dev_Quota_Manager_$UserName"
# Chrome Dev Reporting and NEL (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Dev_Reporting_and_NEL_$UserName"
# Chrome Dev Reporting and NEL (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_Dev_Reporting_and_NEL_$UserName"
# Chrome Dev Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_Dev_Shortcuts_$UserName"
# Chrome Dev Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_Dev_Top_Sites_$UserName"
# Chrome Dev Trust Tokens (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Dev_Trust_Tokens_$UserName"
# Chrome Dev Trust Tokens (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_Dev_Trust_Tokens_$UserName"
# Chrome Dev SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_Dev_SyncData_Database_$UserName"
# Chrome Dev Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_Dev_Visited_Links_$UserName"
# Chrome Dev Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_Dev_Web_Data_$UserName"
# Chrome Dev IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_IndexedDB_$UserName"
# Chrome Dev Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Local_Storage_$UserName"
# Windows Protect Folder: per-user DPAPI master keys (key material; restrict
# access to the collected copy). The same source and -FolderName recur in the
# other browser sections of this loop, so the copy is repeated per section.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item without
# -Force; if the directories under Protect carry the Hidden attribute they will
# not match. Check that the destination folder is actually populated.
# NOTE(review): no Chrome Dev entry collects "User Data\Local State"; confirm it
# is gathered elsewhere if the protected values are to be examined offline.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome Dev Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome Dev\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_Dev_Snapshots_Folder_$UserName"
# Chrome SxS (the Canary channel's directory name) artifacts under the Windows
# XP profile layout (Local Settings\Application Data). Collect-Artifact expands
# "User Data\*" to every directory below User Data and copies each match
# recursively (/E) into the single -FolderName destination.
# NOTE(review): same-named files from different profile directories land on
# the same destination path, so only one copy survives and its profile of
# origin is not recorded.
# Chrome SxS Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_SxS_Bookmarks_XP_$UserName"
# Chrome SxS Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_SxS_Cookies_XP_$UserName"
# Chrome SxS Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_SxS_Current_Session_XP_$UserName"
# Chrome SxS Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_SxS_Current_Tabs_XP_$UserName"
# Chrome SxS Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_SxS_Favicons_XP_$UserName"
# Chrome SxS History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_SxS_History_XP_$UserName"
# Chrome SxS Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_SxS_Last_Session_XP_$UserName"
# Chrome SxS Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_SxS_Last_Tabs_XP_$UserName"
# Chrome SxS Login Data XP (exact name: unlike the non-XP entry's "Login Data*",
# a "Login Data-journal" sidecar is not matched here; handle the collected copy
# as credential material)
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chrome_SxS_Login_Data_XP_$UserName"
# Chrome SxS Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_SxS_Preferences_XP_$UserName"
# Chrome SxS Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_SxS_Shortcuts_XP_$UserName"
# Chrome SxS Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_SxS_Top_Sites_XP_$UserName"
# Chrome SxS Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_SxS_Visited_Links_XP_$UserName"
# Chrome SxS Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_SxS_Web_Data_XP_$UserName"
# Chrome SxS (the Canary channel's directory name) artifacts under
# AppData\Local. Collect-Artifact expands "User Data\*" to every directory
# below User Data and copies each match recursively (/E) into the single
# -FolderName destination.
# NOTE(review): same-named files from different profile directories therefore
# land on the same destination path and only one copy survives; the output
# does not record which profile a file came from.
# NOTE(review): robocopy runs with /R:0 and its output discarded, so a file the
# running browser holds open is not retried and surfaces only in $Summary.Errors.
# Chrome SxS Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chrome_SxS_Bookmarks_$UserName"
# Chrome SxS Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chrome_SxS_Cookies_$UserName"
# Chrome SxS Current Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chrome_SxS_Current_Session_$UserName"
# Chrome SxS Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chrome_SxS_Current_Tabs_$UserName"
# Chrome SxS Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chrome_SxS_Download_Metadata_$UserName"
# Chrome SxS Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chrome_SxS_Extension_Cookies_$UserName"
# Chrome SxS Favicons
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chrome_SxS_Favicons_$UserName"
# Chrome SxS History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chrome_SxS_History_$UserName"
# Chrome SxS Last Session
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chrome_SxS_Last_Session_$UserName"
# Chrome SxS Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chrome_SxS_Last_Tabs_$UserName"
# Chrome SxS Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Sessions_Folder_$UserName"
# Chrome SxS Login Data (saved-login database plus any sidecar files matching
# the mask; handle the collected copy as credential material)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chrome_SxS_Login_Data_$UserName"
# Chrome SxS Media History
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chrome_SxS_Media_History_$UserName"
# Chrome SxS Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chrome_SxS_Network_Action_Predictor_$UserName"
# Chrome SxS Network Persistent State (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_SxS_Network_Persistent_State_$UserName"
# Chrome SxS Network Persistent State (Network subfolder only; written to the
# same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chrome_SxS_Network_Persistent_State_$UserName"
# Chrome SxS Preferences (exact name: "Secure Preferences" is not matched, and
# in this part of the script only the Chromium section collects it)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chrome_SxS_Preferences_$UserName"
# Chrome SxS Quota Manager (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_SxS_Quota_Manager_$UserName"
# Chrome SxS Quota Manager (WebStorage subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chrome_SxS_Quota_Manager_$UserName"
# Chrome SxS Reporting and NEL (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_SxS_Reporting_and_NEL_$UserName"
# Chrome SxS Reporting and NEL (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chrome_SxS_Reporting_and_NEL_$UserName"
# Chrome SxS Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chrome_SxS_Shortcuts_$UserName"
# Chrome SxS Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chrome_SxS_Top_Sites_$UserName"
# Chrome SxS Trust Tokens (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_SxS_Trust_Tokens_$UserName"
# Chrome SxS Trust Tokens (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chrome_SxS_Trust_Tokens_$UserName"
# Chrome SxS SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chrome_SxS_SyncData_Database_$UserName"
# Chrome SxS Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chrome_SxS_Visited_Links_$UserName"
# Chrome SxS Web Data
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chrome_SxS_Web_Data_$UserName"
# Chrome SxS IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_IndexedDB_$UserName"
# Chrome SxS Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Local_Storage_$UserName"
# Windows Protect Folder: per-user DPAPI master keys (key material; restrict
# access to the collected copy). The same source and -FolderName recur in the
# other browser sections of this loop, so the copy is repeated per section.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item without
# -Force; if the directories under Protect carry the Hidden attribute they will
# not match. Check that the destination folder is actually populated.
# NOTE(review): no Chrome SxS entry collects "User Data\Local State"; confirm it
# is gathered elsewhere if the protected values are to be examined offline.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chrome SxS Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Google\Chrome SxS\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chrome_SxS_Snapshots_Folder_$UserName"
# Chromium artifacts under the Windows XP profile layout
# (Local Settings\Application Data). Collect-Artifact expands "User Data\*" to
# every directory below User Data and copies each match recursively (/E) into
# the single -FolderName destination.
# NOTE(review): same-named files from different profile directories land on
# the same destination path, so only one copy survives and its profile of
# origin is not recorded.
# Chromium Bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks_XP_$UserName"
# Chromium Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chromium_Cookies_XP_$UserName"
# Chromium Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chromium_Current_Session_XP_$UserName"
# Chromium Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs_XP_$UserName"
# Chromium Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chromium_Favicons_XP_$UserName"
# Chromium History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chromium_History_XP_$UserName"
# Chromium Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chromium_Last_Session_XP_$UserName"
# Chromium Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs_XP_$UserName"
# Chromium Login Data XP (exact name: unlike the non-XP entry's "Login Data*",
# a "Login Data-journal" sidecar is not matched here; handle the collected copy
# as credential material)
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Chromium_Login_Data_XP_$UserName"
# Chromium Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chromium_Preferences_XP_$UserName"
# Chromium Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts_XP_$UserName"
# Chromium Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites_XP_$UserName"
# Chromium Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chromium_Visited_Links_XP_$UserName"
# Chromium Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chromium_Web_Data_XP_$UserName"
# Chromium artifacts under AppData\Local. Collect-Artifact expands
# "User Data\*" to every directory below User Data and copies each match
# recursively (/E) into the single -FolderName destination.
# NOTE(review): same-named files from different profile directories therefore
# land on the same destination path and only one copy survives; the output
# does not record which profile a file came from.
# NOTE(review): robocopy runs with /R:0 and its output discarded, so a file the
# running browser holds open is not retried and surfaces only in $Summary.Errors.
# Chromium Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks_$UserName"
# Chromium Cookies
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Chromium_Cookies_$UserName"
# Chromium Current Session
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Chromium_Current_Session_$UserName"
# Chromium Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs_$UserName"
# Chromium Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Chromium_Download_Metadata_$UserName"
# Chromium Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Chromium_Extension_Cookies_$UserName"
# Chromium Favicons
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Chromium_Favicons_$UserName"
# Chromium History
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Chromium_History_$UserName"
# Chromium Last Session
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Chromium_Last_Session_$UserName"
# Chromium Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs_$UserName"
# Chromium Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Sessions_Folder_$UserName"
# Chromium Login Data (saved-login database plus any sidecar files matching
# the mask; handle the collected copy as credential material)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Chromium_Login_Data_$UserName"
# Chromium Media History
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Chromium_Media_History_$UserName"
# Chromium Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Chromium_Network_Action_Predictor_$UserName"
# Chromium Network Persistent State (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State_$UserName"
# Chromium Network Persistent State (Network subfolder only; written to the
# same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State_$UserName"
# Chromium Preferences (exact name; "Secure Preferences" has its own entry below)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Chromium_Preferences_$UserName"
# Chromium Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Chromium_Secure_Preferences_$UserName"
# Chromium Quota Manager (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager_$UserName"
# Chromium Quota Manager (WebStorage subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager_$UserName"
# Chromium Reporting and NEL (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL_$UserName"
# Chromium Reporting and NEL (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL_$UserName"
# Chromium Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts_$UserName"
# Chromium Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites_$UserName"
# Chromium Trust Tokens (matched anywhere below each User Data\* directory)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens_$UserName"
# Chromium Trust Tokens (Network subfolder only; written to the same
# destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens_$UserName"
# Chromium SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Chromium_SyncData_Database_$UserName"
# Chromium Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Chromium_Visited_Links_$UserName"
# Chromium Web Data
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Chromium_Web_Data_$UserName"
# Chromium IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_IndexedDB_$UserName"
# Chromium Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Local_Storage_$UserName"
# Windows Protect Folder: per-user DPAPI master keys (key material; restrict
# access to the collected copy). The same source and -FolderName recur in the
# other browser sections of this loop, so the copy is repeated per section.
# NOTE(review): Collect-Artifact expands the wildcard with Get-Item without
# -Force; if the directories under Protect carry the Hidden attribute they will
# not match. Check that the destination folder is actually populated.
# NOTE(review): no Chromium entry collects "User Data\Local State"; confirm it
# is gathered elsewhere if the protected values are to be examined offline.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Chromium Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Chromium\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Chromium_Snapshots_Folder_$UserName"
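# --- CocCoc browser: per-user artifacts ---
# Every entry below builds $UserPath from $_.FullName and passes it to
# Collect-Artifact; $_ and $UserName come from the enclosing loop, which starts
# outside this section.
# Four masks in this section (Extension Cookies, Network Action Predictor,
# QuotaManager, Reporting and NEL) end in '*' so that they agree with the
# Chromium and Edge entries elsewhere in this script; an exact-name mask would
# leave out sidecar files such as '<name>-journal'.
# NOTE(review): 'User Data\*' expands to every directory under User Data, and
# Collect-Artifact copies all matches into one destination folder per entry, so
# same-named files from different browser profiles share a destination path and
# a later copy can replace an earlier one - confirm per-profile copies survive.
# CocCoc Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "CocCoc_Bookmarks_$UserName"
# CocCoc Cookies (session material: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "CocCoc_Cookies_$UserName"
# CocCoc Current Session
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "CocCoc_Current_Session_$UserName"
# CocCoc Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "CocCoc_Current_Tabs_$UserName"
# CocCoc Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "CocCoc_Download_Metadata_$UserName"
# CocCoc Extension Cookies (mask widened to 'Extension Cookies*', as in the Edge entries)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "CocCoc_Extension_Cookies_$UserName"
# CocCoc Favicons
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "CocCoc_Favicons_$UserName"
# CocCoc History
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "CocCoc_History_$UserName"
# CocCoc Last Session
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "CocCoc_Last_Session_$UserName"
# CocCoc Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "CocCoc_Last_Tabs_$UserName"
# CocCoc Sessions Folder (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "CocCoc_Sessions_Folder_$UserName"
# CocCoc Login Data (saved-login database: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "CocCoc_Login_Data_$UserName"
# CocCoc Media History
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "CocCoc_Media_History_$UserName"
# CocCoc Network Action Predictor (mask widened to 'Network Action Predictor*', as in the Chromium and Edge entries)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "CocCoc_Network_Action_Predictor_$UserName"
# CocCoc Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "CocCoc_Network_Persistent_State_$UserName"
# CocCoc Preferences
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "CocCoc_Preferences_$UserName"
# CocCoc Quota Manager (mask widened to 'QuotaManager*', as in the Chromium and Edge entries)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "CocCoc_Quota_Manager_$UserName"
# CocCoc Reporting and NEL (mask widened to 'Reporting and NEL*', as in the Chromium and Edge entries)
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "CocCoc_Reporting_and_NEL_$UserName"
# CocCoc Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "CocCoc_Shortcuts_$UserName"
# CocCoc Top Sites
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "CocCoc_Top_Sites_$UserName"
# CocCoc Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "CocCoc_Trust_Tokens_$UserName"
# CocCoc SyncData Database: no -FileMask here, so the whole 'Sync Data' folder
# is copied (the Chromium and Edge entries restrict it to SyncData.sqlite3).
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "CocCoc_SyncData_Database_$UserName"
# CocCoc Visited Links
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "CocCoc_Visited_Links_$UserName"
# CocCoc Web Data
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "CocCoc_Web_Data_$UserName"
# Windows Protect Folder: the user's DPAPI master-key store, not a browser path.
# NOTE(review): it is stored next to the Login Data and Cookies copies above,
# so the evidence destination should be handled as credential material
# (restricted access, encrypted at rest).
# The same entry, with identical source and destination, is repeated in the
# other browser sections of this script; each repeat re-runs robocopy and bumps
# the summary counter again.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# CocCoc Snapshots Folder: the trailing '*' matches each directory under
# Snapshots, and all of them are copied into the one destination folder.
$UserPath = "$($_.FullName)\AppData\Local\CocCoc\Browser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "CocCoc_Snapshots_Folder_$UserName"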
# Edge folder: the Microsoft.MicrosoftEdge_8wekyb3d8bbwe package directory
# (legacy Edge). No -FileMask is passed, so Collect-Artifact falls back to its
# default mask '*' and robocopy /E copies the entire tree for this user.
$UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_folder_$UserName"
# --- Edge Beta: per-user artifacts ---
# Every entry below builds $UserPath from $_.FullName and passes it to
# Collect-Artifact; $_ and $UserName come from the enclosing loop, which starts
# outside this section.
# NOTE(review): 'User Data\*' expands to every directory under User Data, and
# Collect-Artifact copies all matches into one destination folder per entry, so
# same-named files from different browser profiles share a destination path and
# a later copy can replace an earlier one - confirm per-profile copies survive.
# Edge Beta Collections
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Collections"
Collect-Artifact -SourceDir $UserPath -FileMask "collectionsSQLite*" -FolderName "Edge_Beta_Collections_$UserName"
# Edge Beta Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Edge_Beta_Bookmarks_$UserName"
# Edge Beta Cookies (session material: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Edge_Beta_Cookies_$UserName"
# Edge Beta Current Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Edge_Beta_Current_Session_$UserName"
# Edge Beta Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Edge_Beta_Current_Tabs_$UserName"
# Edge Beta Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Edge_Beta_Extension_Cookies_$UserName"
# Edge Beta Favicons
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Edge_Beta_Favicons_$UserName"
# Edge Beta History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Edge_Beta_History_$UserName"
# Edge Beta Last Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Edge_Beta_Last_Session_$UserName"
# Edge Beta Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Edge_Beta_Last_Tabs_$UserName"
# Edge Beta Sessions Folder (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Beta_Sessions_Folder_$UserName"
# Edge Beta Login Data (saved-login database: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Edge_Beta_Login_Data_$UserName"
# Edge Beta Media History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Edge_Beta_Media_History_$UserName"
# Edge Beta Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Edge_Beta_Network_Action_Predictor_$UserName"
# Edge Beta Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Beta_Network_Persistent_State_$UserName"
# Edge Beta Network Persistent State (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Beta_Network_Persistent_State_$UserName"
# Edge Beta Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Edge_Beta_Preferences_$UserName"
# Edge Beta Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Beta_Quota_Manager_$UserName"
# Edge Beta Quota Manager (WebStorage subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Beta_Quota_Manager_$UserName"
# Edge Beta Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Beta_Reporting_and_NEL_$UserName"
# Edge Beta Reporting and NEL (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Beta_Reporting_and_NEL_$UserName"
# Edge Beta Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Edge_Beta_Shortcuts_$UserName"
# Edge Beta Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Edge_Beta_Top_Sites_$UserName"
# Edge Beta Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Beta_Trust_Tokens_$UserName"
# Edge Beta Trust Tokens (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Beta_Trust_Tokens_$UserName"
# Edge Beta SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Edge_Beta_SyncData_Database_$UserName"
# Edge Beta Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Edge_Beta_Visited_Links_$UserName"
# Edge Beta Web Data
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Edge_Beta_Web_Data_$UserName"
# Edge Beta IndexedDB (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Beta_IndexedDB_$UserName"
# Edge Beta Local Storage (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Beta_Local_Storage_$UserName"
# Edge Beta WebAssistDatabase
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "WebAssistDatabase*" -FolderName "Edge_Beta_WebAssistDatabase_$UserName"
# Windows Protect Folder: the user's DPAPI master-key store, not a browser path.
# NOTE(review): it is stored next to the Login Data and Cookies copies above,
# so the evidence destination should be handled as credential material
# (restricted access, encrypted at rest).
# The same entry, with identical source and destination, is repeated in the
# other browser sections of this script; each repeat re-runs robocopy and bumps
# the summary counter again.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Edge Beta Snapshots Folder: the trailing '*' matches each directory under
# Snapshots, and all of them are copied into the one destination folder.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Beta\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Beta_Snapshots_Folder_$UserName"
# --- Edge (stable channel): per-user artifacts ---
# Every entry below builds $UserPath from $_.FullName and passes it to
# Collect-Artifact; $_ and $UserName come from the enclosing loop, which starts
# outside this section.
# NOTE(review): 'User Data\*' expands to every directory under User Data, and
# Collect-Artifact copies all matches into one destination folder per entry, so
# same-named files from different browser profiles share a destination path and
# a later copy can replace an earlier one - confirm per-profile copies survive.
# Edge Collections
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Collections"
Collect-Artifact -SourceDir $UserPath -FileMask "collectionsSQLite*" -FolderName "Edge_Collections_$UserName"
# Edge Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Edge_Bookmarks_$UserName"
# Edge Cookies (session material: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Edge_Cookies_$UserName"
# Edge Current Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Edge_Current_Session_$UserName"
# Edge Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Edge_Current_Tabs_$UserName"
# Edge Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Edge_Extension_Cookies_$UserName"
# Edge Favicons
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Edge_Favicons_$UserName"
# Edge History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Edge_History_$UserName"
# Edge Last Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Edge_Last_Session_$UserName"
# Edge Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Edge_Last_Tabs_$UserName"
# Edge Sessions Folder (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Sessions_Folder_$UserName"
# Edge Login Data (saved-login database: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Edge_Login_Data_$UserName"
# Edge Media History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Edge_Media_History_$UserName"
# Edge Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Edge_Network_Action_Predictor_$UserName"
# Edge Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Network_Persistent_State_$UserName"
# Edge Network Persistent State (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Network_Persistent_State_$UserName"
# Edge Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Edge_Preferences_$UserName"
# Edge Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Edge_Secure_Preferences_$UserName"
# Edge Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Quota_Manager_$UserName"
# Edge Quota Manager (WebStorage subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Quota_Manager_$UserName"
# Edge Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Reporting_and_NEL_$UserName"
# Edge Reporting and NEL (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Reporting_and_NEL_$UserName"
# Edge Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Edge_Shortcuts_$UserName"
# Edge Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Edge_Top_Sites_$UserName"
# Edge Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Trust_Tokens_$UserName"
# Edge Trust Tokens (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Trust_Tokens_$UserName"
# Edge SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Edge_SyncData_Database_$UserName"
# Edge Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Edge_Visited_Links_$UserName"
# Edge Web Data
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Edge_Web_Data_$UserName"
# Edge IndexedDB (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_IndexedDB_$UserName"
# Edge Local Storage (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Local_Storage_$UserName"
# Edge WebAssistDatabase
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "WebAssistDatabase*" -FolderName "Edge_WebAssistDatabase_$UserName"
# Windows Protect Folder: the user's DPAPI master-key store, not a browser path.
# NOTE(review): it is stored next to the Login Data and Cookies copies above,
# so the evidence destination should be handled as credential material
# (restricted access, encrypted at rest).
# The same entry, with identical source and destination, is repeated in the
# other browser sections of this script; each repeat re-runs robocopy and bumps
# the summary counter again.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Edge Snapshots Folder: the trailing '*' matches each directory under
# Snapshots, and all of them are copied into the one destination folder.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Snapshots_Folder_$UserName"
# --- Edge Dev: per-user artifacts ---
# Every entry below builds $UserPath from $_.FullName and passes it to
# Collect-Artifact; $_ and $UserName come from the enclosing loop, which starts
# outside this section.
# NOTE(review): 'User Data\*' expands to every directory under User Data, and
# Collect-Artifact copies all matches into one destination folder per entry, so
# same-named files from different browser profiles share a destination path and
# a later copy can replace an earlier one - confirm per-profile copies survive.
# Edge Dev Collections
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Collections"
Collect-Artifact -SourceDir $UserPath -FileMask "collectionsSQLite*" -FolderName "Edge_Dev_Collections_$UserName"
# Edge Dev Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Edge_Dev_Bookmarks_$UserName"
# Edge Dev Cookies (session material: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Edge_Dev_Cookies_$UserName"
# Edge Dev Current Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Edge_Dev_Current_Session_$UserName"
# Edge Dev Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Edge_Dev_Current_Tabs_$UserName"
# Edge Dev Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Edge_Dev_Extension_Cookies_$UserName"
# Edge Dev Favicons
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Edge_Dev_Favicons_$UserName"
# Edge Dev History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Edge_Dev_History_$UserName"
# Edge Dev Last Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Edge_Dev_Last_Session_$UserName"
# Edge Dev Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Edge_Dev_Last_Tabs_$UserName"
# Edge Dev Sessions Folder (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Dev_Sessions_Folder_$UserName"
# Edge Dev Login Data (saved-login database: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Edge_Dev_Login_Data_$UserName"
# Edge Dev Media History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Edge_Dev_Media_History_$UserName"
# Edge Dev Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Edge_Dev_Network_Action_Predictor_$UserName"
# Edge Dev Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Dev_Network_Persistent_State_$UserName"
# Edge Dev Network Persistent State (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_Dev_Network_Persistent_State_$UserName"
# Edge Dev Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Edge_Dev_Preferences_$UserName"
# Edge Dev Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Dev_Quota_Manager_$UserName"
# Edge Dev Quota Manager (WebStorage subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_Dev_Quota_Manager_$UserName"
# Edge Dev Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Dev_Reporting_and_NEL_$UserName"
# Edge Dev Reporting and NEL (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_Dev_Reporting_and_NEL_$UserName"
# Edge Dev Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Edge_Dev_Shortcuts_$UserName"
# Edge Dev Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Edge_Dev_Top_Sites_$UserName"
# Edge Dev Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Dev_Trust_Tokens_$UserName"
# Edge Dev Trust Tokens (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_Dev_Trust_Tokens_$UserName"
# Edge Dev SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Edge_Dev_SyncData_Database_$UserName"
# Edge Dev Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Edge_Dev_Visited_Links_$UserName"
# Edge Dev Web Data
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Edge_Dev_Web_Data_$UserName"
# Edge Dev IndexedDB (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Dev_IndexedDB_$UserName"
# Edge Dev Local Storage (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Dev_Local_Storage_$UserName"
# Edge Dev WebAssistDatabase
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "WebAssistDatabase*" -FolderName "Edge_Dev_WebAssistDatabase_$UserName"
# Windows Protect Folder: the user's DPAPI master-key store, not a browser path.
# NOTE(review): it is stored next to the Login Data and Cookies copies above,
# so the evidence destination should be handled as credential material
# (restricted access, encrypted at rest).
# The same entry, with identical source and destination, is repeated in the
# other browser sections of this script; each repeat re-runs robocopy and bumps
# the summary counter again.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Edge Dev Snapshots Folder: the trailing '*' matches each directory under
# Snapshots, and all of them are copied into the one destination folder.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge Dev\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_Dev_Snapshots_Folder_$UserName"
# --- Edge SxS: per-user artifacts (the section continues past these entries) ---
# Every entry below builds $UserPath from $_.FullName and passes it to
# Collect-Artifact; $_ and $UserName come from the enclosing loop, which starts
# outside this section.
# NOTE(review): 'User Data\*' expands to every directory under User Data, and
# Collect-Artifact copies all matches into one destination folder per entry, so
# same-named files from different browser profiles share a destination path and
# a later copy can replace an earlier one - confirm per-profile copies survive.
# Edge SxS Collections
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Collections"
Collect-Artifact -SourceDir $UserPath -FileMask "collectionsSQLite*" -FolderName "Edge_SxS_Collections_$UserName"
# Edge SxS Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Edge_SxS_Bookmarks_$UserName"
# Edge SxS Cookies (session material: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Edge_SxS_Cookies_$UserName"
# Edge SxS Current Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Edge_SxS_Current_Session_$UserName"
# Edge SxS Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Edge_SxS_Current_Tabs_$UserName"
# Edge SxS Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies*" -FolderName "Edge_SxS_Extension_Cookies_$UserName"
# Edge SxS Favicons
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Edge_SxS_Favicons_$UserName"
# Edge SxS History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Edge_SxS_History_$UserName"
# Edge SxS Last Session
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Edge_SxS_Last_Session_$UserName"
# Edge SxS Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Edge_SxS_Last_Tabs_$UserName"
# Edge SxS Sessions Folder (no -FileMask: the default mask '*' copies the whole folder tree)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Sessions_Folder_$UserName"
# Edge SxS Login Data (saved-login database: handle the collected copy as sensitive)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Edge_SxS_Login_Data_$UserName"
# Edge SxS Media History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Edge_SxS_Media_History_$UserName"
# Edge SxS Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor*" -FolderName "Edge_SxS_Network_Action_Predictor_$UserName"
# Edge SxS Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_SxS_Network_Persistent_State_$UserName"
# Edge SxS Network Persistent State (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Edge_SxS_Network_Persistent_State_$UserName"
# Edge SxS Preferences
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Edge_SxS_Preferences_$UserName"
# Edge SxS Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_SxS_Quota_Manager_$UserName"
# Edge SxS Quota Manager (WebStorage subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\WebStorage"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager*" -FolderName "Edge_SxS_Quota_Manager_$UserName"
# Edge SxS Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_SxS_Reporting_and_NEL_$UserName"
# Edge SxS Reporting and NEL (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL*" -FolderName "Edge_SxS_Reporting_and_NEL_$UserName"
# Edge SxS Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Edge_SxS_Shortcuts_$UserName"
# Edge SxS Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Edge_SxS_Top_Sites_$UserName"
# Edge SxS Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_SxS_Trust_Tokens_$UserName"
# Edge SxS Trust Tokens (Network subfolder; same destination folder as the entry above)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Network"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Edge_SxS_Trust_Tokens_$UserName"
# Edge SxS SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Edge_SxS_SyncData_Database_$UserName"
# Edge SxS Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Edge_SxS_Visited_Links_$UserName"
# Edge SxS Web Data
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Edge_SxS_Web_Data_$UserName"
# Edge SxS IndexedDB
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_IndexedDB_$UserName"
# Edge SxS Local Storage
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Local_Storage_$UserName"
# Edge SxS WebAssistDatabase
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "WebAssistDatabase*" -FolderName "Edge_SxS_WebAssistDatabase_$UserName"
# Windows Protect Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Edge SxS Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Edge SxS\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Edge_SxS_Snapshots_Folder_$UserName"
# --- Mozilla Firefox: per-user profile artifacts ---
# NOTE(review): the destination folder names in this section carry no browser
# prefix (e.g. "Cookies_$UserName", "Downloads_$UserName"); confirm they cannot
# collide with another target's output elsewhere in the script.
# NOTE(review): "Profiles\*" matches every Firefox profile, and Collect-Artifact
# copies all matches into one destination folder, so same-named databases from
# different profiles can replace one another. Consider a per-profile destination.
# The "*.sqlite*" masks also match sidecar files next to each database
# (for example -wal / -shm), which keeps uncommitted records with the evidence.
# Addons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_$UserName"
# Bookmarks (weave subfolder)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave"
Collect-Artifact -SourceDir $UserPath -FileMask "bookmarks.sqlite*" -FolderName "Bookmarks_$UserName"
# Bookmarks (bookmarkbackups folder, copied whole into the same destination)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups"
Collect-Artifact -SourceDir $UserPath -FolderName "Bookmarks_$UserName"
# Cookies
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_$UserName"
# Cookies (alternate file name, same destination folder)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "firefox_cookies.sqlite*" -FolderName "Cookies_$UserName"
# Downloads
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_$UserName"
# Extensions
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "extensions.json" -FolderName "Extensions_$UserName"
# Favicons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_$UserName"
# Form history
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_$UserName"
# Permissions
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "permissions.sqlite*" -FolderName "Permissions_$UserName"
# Places
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_$UserName"
# Protections
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "protections.sqlite*" -FolderName "Protections_$UserName"
# Search
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_$UserName"
# Signons
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_$UserName"
# Storage Sync
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "storage-sync.sqlite*" -FolderName "Storage_Sync_$UserName"
# Webappstore
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_$UserName"
# Password: the next three entries write to the same Password_ folder.
# key*.db is the key database that goes with the saved-login store
# (signon*.* / logins.json), so the folder holds credential material and
# access to the destination drive should be restricted accordingly.
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_$UserName"
# Password (signon*.* files)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_$UserName"
# Password (logins.json)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_$UserName"
# Preferences
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "prefs.js" -FolderName "Preferences_$UserName"
# Sessionstore
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_$UserName"
# Sessionstore Folder (sessionstore-backups, copied whole)
$UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups"
Collect-Artifact -SourceDir $UserPath -FolderName "Sessionstore_Folder_$UserName"
# --- Firefox, Windows XP profile layout ("Application Data" under the user
# profile instead of AppData\Roaming); same masks, "_XP" destination folders ---
# Places XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_XP_$UserName"
# Downloads XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_XP_$UserName"
# Form history XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_XP_$UserName"
# Cookies XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_XP_$UserName"
# Signons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_XP_$UserName"
# Webappstore XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_XP_$UserName"
# Favicons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_XP_$UserName"
# Addons XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_XP_$UserName"
# Search XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_XP_$UserName"
# Password XP: key database, written to the shared Password_XP_ folder
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_XP_$UserName"
# Password XP (signon*.* files)
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_XP_$UserName"
# Password XP (logins.json)
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_XP_$UserName"
# Sessionstore XP
$UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_XP_$UserName"
# --- Internet Explorer / index.dat artifacts, per user ---
# These sources are literal paths (no wildcard segment) except where noted.
# Collect-Artifact runs robocopy with /E, so a file mask such as "index.dat"
# is matched in the source directory and in every subdirectory below it.
# NOTE(review): several of these directories are commonly hidden or system
# folders, and Collect-Artifact resolves the source with Get-Item without
# -Force and with errors silenced. Verify on a test system that they are
# found rather than silently counted as Missed.
# Index.dat History
$UserPath = "$($_.FullName)\Local Settings\History\History.IE5"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_History_$UserName"
# Index.dat History subdirectory (each subfolder of History.IE5)
$UserPath = "$($_.FullName)\Local Settings\History\History.IE5\*"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_History_subdirectory_$UserName"
# Index.dat cookies
$UserPath = "$($_.FullName)\Cookies"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_cookies_$UserName"
# Index.dat UserData
$UserPath = "$($_.FullName)\Application Data\Microsoft\Internet Explorer\UserData"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_UserData_$UserName"
# Index.dat Office XP
$UserPath = "$($_.FullName)\Application Data\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_Office_XP_$UserName"
# Index.dat Office
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Office\Recent"
Collect-Artifact -SourceDir $UserPath -FileMask "index.dat" -FolderName "Index_dat_Office_$UserName"
# Local Internet Explorer folder (copied whole)
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Internet Explorer"
Collect-Artifact -SourceDir $UserPath -FolderName "Local_Internet_Explorer_folder_$UserName"
# Roaming Internet Explorer folder (copied whole)
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Internet Explorer"
Collect-Artifact -SourceDir $UserPath -FolderName "Roaming_Internet_Explorer_folder_$UserName"
# IE 9/10 History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\History"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_History_$UserName"
# IE 9/10 Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\Cookies"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_Cookies_$UserName"
# IE 9/10 Download History
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\IEDownloadHistory"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_9_10_Download_History_$UserName"
# IE 11 Metadata (WebCache folder, copied whole)
# NOTE(review): on a live system the WebCache database is typically held open
# by the OS while the user is logged on. Collect-Artifact uses /R:0 /W:0, so a
# locked file is not retried; confirm the database is present in the output.
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\WebCache"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_11_Metadata_$UserName"
# IE 11 Cookies
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows\INetCookies"
Collect-Artifact -SourceDir $UserPath -FolderName "IE_11_Cookies_$UserName"
# --- Opera: both "Opera Stable" folders are copied whole (no file mask) ---
# NOTE(review): only the "Opera Stable" directory name is targeted; other
# Opera channels or variants, if installed, would need their own entries.
# Opera - Local Folder (presumably includes cache data, so this can be large)
$UserPath = "$($_.FullName)\AppData\Local\Opera Software\Opera Stable"
Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Local_Folder_$UserName"
# Opera - Roaming Folder
$UserPath = "$($_.FullName)\AppData\Roaming\Opera Software\Opera Stable"
Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Roaming_Folder_$UserName"
# --- Prisma Access Browser, Windows XP profile layout ("Local Settings\
# Application Data" under the user profile) ---
# NOTE(review): "User Data\*" matches every profile directory, and
# Collect-Artifact copies all matches into one destination folder, so
# same-named files from different profiles can replace one another.
# NOTE(review): some masks here end in * (Cookies*, History*, Web Data*) and
# also pick up sidecar files such as a -journal, while "Login Data" is matched
# exactly and its sidecar files are left behind. Confirm that is intended.
# Prisma Access Browser bookmarks XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Prisma_Access_Browser_bookmarks_XP_$UserName"
# Prisma Access Browser Cookies XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Prisma_Access_Browser_Cookies_XP_$UserName"
# Prisma Access Browser Current Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Prisma_Access_Browser_Current_Session_XP_$UserName"
# Prisma Access Browser Current Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Prisma_Access_Browser_Current_Tabs_XP_$UserName"
# Prisma Access Browser Favicons XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Prisma_Access_Browser_Favicons_XP_$UserName"
# Prisma Access Browser History XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Prisma_Access_Browser_History_XP_$UserName"
# Prisma Access Browser Last Session XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Prisma_Access_Browser_Last_Session_XP_$UserName"
# Prisma Access Browser Last Tabs XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Prisma_Access_Browser_Last_Tabs_XP_$UserName"
# Prisma Access Browser Login Data XP (saved-login store; exact-name mask)
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Prisma_Access_Browser_Login_Data_XP_$UserName"
# Prisma Access Browser Preferences XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Prisma_Access_Browser_Preferences_XP_$UserName"
# Prisma Access Browser Shortcuts XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Prisma_Access_Browser_Shortcuts_XP_$UserName"
# Prisma Access Browser Top Sites XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Prisma_Access_Browser_Top_Sites_XP_$UserName"
# Prisma Access Browser Visited Links XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Prisma_Access_Browser_Visited_Links_XP_$UserName"
# Prisma Access Browser Web Data XP
$UserPath = "$($_.FullName)\Local Settings\Application Data\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Prisma_Access_Browser_Web_Data_XP_$UserName"
# --- Prisma Access Browser: per-user artifacts (AppData\Local layout) ---
# NOTE(review): "User Data\*" matches every profile directory, and
# Collect-Artifact copies all matches into one destination folder, so
# same-named files from different profiles can replace one another and the
# profile of origin is not recorded. Consider a per-profile destination.
# NOTE(review): every source in this section is a subdirectory of "User Data";
# nothing here copies the "Local State" file that sits directly in "User Data".
# Chromium-based browsers keep the DPAPI-protected encryption key there, so
# confirm it is collected elsewhere if encrypted values need to be interpreted.
# NOTE(review): "Login Data", "QuotaManager", "Network Action Predictor" and
# "Reporting and NEL" are exact-name masks, while Cookies*, History* and
# Web Data* also pick up sidecar files such as a -journal. Confirm the
# exact-name masks are intended.
# Prisma Access Browser bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Prisma_Access_Browser_bookmarks_$UserName"
# Prisma Access Browser Cookies
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Prisma_Access_Browser_Cookies_$UserName"
# Prisma Access Browser Current Session
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Prisma_Access_Browser_Current_Session_$UserName"
# Prisma Access Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Prisma_Access_Browser_Current_Tabs_$UserName"
# Prisma Access Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Prisma_Access_Browser_Download_Metadata_$UserName"
# Prisma Access Browser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "Prisma_Access_Browser_Extension_Cookies_$UserName"
# Prisma Access Browser Favicons
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Prisma_Access_Browser_Favicons_$UserName"
# Prisma Access Browser History
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Prisma_Access_Browser_History_$UserName"
# Prisma Access Browser Last Session
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Prisma_Access_Browser_Last_Session_$UserName"
# Prisma Access Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Prisma_Access_Browser_Last_Tabs_$UserName"
# Prisma Access Browser Sessions Folder (copied whole)
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_Sessions_Folder_$UserName"
# Prisma Access Browser Login Data (saved-login store; exact-name mask)
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Prisma_Access_Browser_Login_Data_$UserName"
# Prisma Access Browser Media History
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Prisma_Access_Browser_Media_History_$UserName"
# Prisma Access Browser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Prisma_Access_Browser_Network_Action_Predictor_$UserName"
# Prisma Access Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Prisma_Access_Browser_Network_Persistent_State_$UserName"
# Prisma Access Browser Preferences
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Prisma_Access_Browser_Preferences_$UserName"
# Prisma Access Browser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Prisma_Access_Browser_Secure_Preferences_$UserName"
# Prisma Access Browser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Prisma_Access_Browser_Quota_Manager_$UserName"
# Prisma Access Browser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Prisma_Access_Browser_Reporting_and_NEL_$UserName"
# Prisma Access Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Prisma_Access_Browser_Shortcuts_$UserName"
# Prisma Access Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Prisma_Access_Browser_Top_Sites_$UserName"
# Prisma Access Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Prisma_Access_Browser_Trust_Tokens_$UserName"
# Prisma Access Browser SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "Prisma_Access_Browser_SyncData_Database_$UserName"
# Prisma Access Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Prisma_Access_Browser_Visited_Links_$UserName"
# Prisma Access Browser Web Data
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Prisma_Access_Browser_Web_Data_$UserName"
# Windows Protect Folder: the user's DPAPI master-key directories, collected
# with the browser stores. The evidence folder then holds credential material,
# so access to the destination drive should be restricted accordingly.
# NOTE(review): Collect-Artifact calls Get-Item without -Force; confirm the
# SID-named subfolders are not hidden, otherwise this is counted as Missed.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Prisma Access Browser Snapshots Folder (each subfolder of Snapshots, whole)
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_Snapshots_Folder_$UserName"
# Prisma Access Browser User Data Backup Folder (copied whole)
$UserPath = "$($_.FullName)\AppData\Local\Palo Alto Networks\PrismaAccessBrowser\User Data Backup"
Collect-Artifact -SourceDir $UserPath -FolderName "Prisma_Access_Browser_User_Data_Backup_Folder_$UserName"
# --- Puffin Secure Browser: per-user artifacts ---
# The source is a literal directory (no wildcard). Collect-Artifact runs
# robocopy with /E, so each mask is matched in PuffinSecureBrowser and in
# every subdirectory below it.
# Puffin - data.db
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "data.db" -FolderName "Puffin_data_db_$UserName"
# Puffin - Autocomplete Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "autocompletes.dat" -FolderName "Puffin_Autocomplete_Data_$UserName"
# Puffin - Password Forms Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "passwordForms.dat" -FolderName "Puffin_Password_Forms_Data_$UserName"
# Puffin - Password (Encrypted)
# The password and cookie files collected in this section are credential
# material, so access to the destination drive should be restricted accordingly.
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "credential.dat" -FolderName "Puffin_Password_Encrypted_$UserName"
# Puffin - Subscription Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "subscription" -FolderName "Puffin_Subscription_Data_$UserName"
# Puffin - Cookies
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.dat" -FolderName "Puffin_Cookies_$UserName"
# Puffin - Image Cache (whole folder, no file mask)
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser\image_cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Puffin_Image_Cache_$UserName"
# --- QQ Browser (Tencent): per-user artifacts ---
# NOTE(review): "User Data\*" matches every profile directory, and
# Collect-Artifact copies all matches into one destination folder, so
# same-named files from different profiles can replace one another and the
# profile of origin is not recorded. Consider a per-profile destination.
# NOTE(review): every source in this section is a subdirectory of "User Data";
# nothing here copies the "Local State" file that sits directly in "User Data".
# Chromium-based browsers keep the DPAPI-protected encryption key there, so
# confirm it is collected elsewhere if encrypted values need to be interpreted.
# QQ Browser Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "QQ_Browser_Bookmarks_$UserName"
# QQ Browser Cookies
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "QQ_Browser_Cookies_$UserName"
# QQ Browser Current Session
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "QQ_Browser_Current_Session_$UserName"
# QQ Browser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "QQ_Browser_Current_Tabs_$UserName"
# QQ Browser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "QQ_Browser_Download_Metadata_$UserName"
# QQ Browser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "QQ_Browser_Extension_Cookies_$UserName"
# QQ Browser Favicons
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "QQ_Browser_Favicons_$UserName"
# QQ Browser History
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "QQ_Browser_History_$UserName"
# QQ Browser Last Session
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "QQ_Browser_Last_Session_$UserName"
# QQ Browser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "QQ_Browser_Last_Tabs_$UserName"
# QQ Browser Sessions Folder (copied whole)
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_Sessions_Folder_$UserName"
# QQ Browser Login Data (saved-login store; the trailing * also matches any
# "Login Data*" sidecar files next to the database)
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "QQ_Browser_Login_Data_$UserName"
# QQ Browser Media History
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "QQ_Browser_Media_History_$UserName"
# QQ Browser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "QQ_Browser_Network_Action_Predictor_$UserName"
# QQ Browser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "QQ_Browser_Network_Persistent_State_$UserName"
# QQ Browser Preferences
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "QQ_Browser_Preferences_$UserName"
# QQ Browser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "QQ_Browser_Quota_Manager_$UserName"
# QQ Browser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "QQ_Browser_Reporting_and_NEL_$UserName"
# QQ Browser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "QQ_Browser_Shortcuts_$UserName"
# QQ Browser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "QQ_Browser_Top_Sites_$UserName"
# QQ Browser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "QQ_Browser_Trust_Tokens_$UserName"
# QQ Browser SyncData Database
# NOTE(review): no -FileMask is passed, so Collect-Artifact falls back to "*"
# and copies the whole "Sync Data" folder, although the label names a single
# database. Confirm the wider collection is intended.
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_SyncData_Database_$UserName"
# QQ Browser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "QQ_Browser_Visited_Links_$UserName"
# QQ Browser Web Data
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "QQ_Browser_Web_Data_$UserName"
# Windows Protect Folder: the user's DPAPI master-key directories, collected
# with the browser stores. The evidence folder then holds credential material,
# so access to the destination drive should be restricted accordingly.
# NOTE(review): Collect-Artifact calls Get-Item without -Force; confirm the
# SID-named subfolders are not hidden, otherwise this is counted as Missed.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# QQ Browser Snapshots Folder (each subfolder of Snapshots, copied whole)
$UserPath = "$($_.FullName)\AppData\Local\Tencent\QQBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "QQ_Browser_Snapshots_Folder_$UserName"
# --- Supermium, Windows XP profile layout ("Application Data" under the
# user profile) ---
# NOTE(review): "User Data\*" matches every profile directory, and
# Collect-Artifact copies all matches into one destination folder, so
# same-named files from different profiles can replace one another and the
# profile of origin is not recorded. Consider a per-profile destination.
# Supermium Bookmarks XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Supermium_Bookmarks_XP_$UserName"
# Supermium Cookies XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Supermium_Cookies_XP_$UserName"
# Supermium Current Session XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Supermium_Current_Session_XP_$UserName"
# Supermium Current Tabs XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Supermium_Current_Tabs_XP_$UserName"
# Supermium Favicons XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Supermium_Favicons_XP_$UserName"
# Supermium History XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Supermium_History_XP_$UserName"
# Supermium Last Session XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Supermium_Last_Session_XP_$UserName"
# Supermium Last Tabs XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Supermium_Last_Tabs_XP_$UserName"
# Supermium Sessions Folder XP (copied whole)
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Sessions_Folder_XP_$UserName"
# Supermium Network Action Predictor XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Supermium_Network_Action_Predictor_XP_$UserName"
# Supermium Network Persistent State XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Supermium_Network_Persistent_State_XP_$UserName"
# Supermium Login Data XP (saved-login store; the trailing * also matches any
# "Login Data*" sidecar files next to the database)
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Supermium_Login_Data_XP_$UserName"
# Supermium Preferences XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Supermium_Preferences_XP_$UserName"
# Supermium Reporting and NEL XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Supermium_Reporting_and_NEL_XP_$UserName"
# Supermium Trust Tokens XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Supermium_Trust_Tokens_XP_$UserName"
# Supermium SyncData Database XP
# NOTE(review): no -FileMask is passed, so Collect-Artifact falls back to "*"
# and copies the whole "Sync Data" folder, although the label names a single
# database. Confirm the wider collection is intended.
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_SyncData_Database_XP_$UserName"
# Supermium Shortcuts XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Supermium_Shortcuts_XP_$UserName"
# Supermium Top Sites XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Supermium_Top_Sites_XP_$UserName"
# Supermium Visited Links XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Supermium_Visited_Links_XP_$UserName"
# Supermium Web Data XP
$UserPath = "$($_.FullName)\Application Data\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Supermium_Web_Data_XP_$UserName"
# Supermium Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Supermium_Bookmarks_$UserName"
# Supermium Cookies
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Supermium_Cookies_$UserName"
# Supermium Current Session
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Supermium_Current_Session_$UserName"
# Supermium Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Supermium_Current_Tabs_$UserName"
# Supermium Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Supermium_Download_Metadata_$UserName"
# Supermium Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "Supermium_Extension_Cookies_$UserName"
# Supermium Favicons
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Supermium_Favicons_$UserName"
# Supermium History
# The trailing \* is expanded by Get-Item inside Collect-Artifact to every
# directory under "User Data"; each match is then copied with robocopy /E into
# the one destination folder named by -FolderName.
# NOTE(review): files with the same name from two browser profiles would map to
# the same destination path, so a later copy can replace an earlier one. Confirm
# on a multi-profile test system; a per-profile subfolder would keep them apart.
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Supermium_History_$UserName"
# Supermium Last Session
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "Supermium_Last_Session_$UserName"
# Supermium Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "Supermium_Last_Tabs_$UserName"
# Supermium Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Sessions_Folder_$UserName"
# Supermium Login Data
# Saved-logins store; the trailing * in the mask also matches sidecar files that
# share the "Login Data" prefix.
# Output of this step is credential material: restrict access to the destination
# folder and record it with the rest of the evidence.
# NOTE(review): Collect-Artifact runs robocopy with /R:0 and no backup-mode
# switch, so a file held open by a running browser is presumably counted under
# Errors rather than copied. Confirm before relying on a live collection.
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "Supermium_Login_Data_$UserName"
# Supermium Media History
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "Supermium_Media_History_$UserName"
# Supermium Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Supermium_Network_Action_Predictor_$UserName"
# Supermium Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Supermium_Network_Persistent_State_$UserName"
# Supermium Preferences
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Supermium_Preferences_$UserName"
# Supermium Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Supermium_Secure_Preferences_$UserName"
# Supermium Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Supermium_Quota_Manager_$UserName"
# Supermium Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Supermium_Reporting_and_NEL_$UserName"
# Supermium Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Supermium_Shortcuts_$UserName"
# Supermium Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Supermium_Top_Sites_$UserName"
# Supermium Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "Supermium_Trust_Tokens_$UserName"
# Supermium SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_SyncData_Database_$UserName"
# Supermium Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Supermium_Visited_Links_$UserName"
# Supermium Web Data
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Supermium_Web_Data_$UserName"
# Windows Protect Folder
# Per-user DPAPI master-key store; the \* matches each directory under Protect.
# Presumably gathered with the browser targets so that DPAPI-protected browser
# data (saved logins, cookies) can be examined offline. Verify against the
# upstream target definition.
# Combined with the Login Data and Cookies steps, the evidence folder holds key
# and credential material and should be access-controlled accordingly.
# The same source and -FolderName pair appears again after other browser
# sections of this script; each repeat re-runs robocopy into the same folder and
# increments $Summary.Copied again, so the tally counts this artifact more than once.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# Supermium Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\Supermium\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Supermium_Snapshots_Folder_$UserName"
# UCBrowser Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "UCBrowser_Bookmarks_$UserName"
# UCBrowser Cookies
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "UCBrowser_Cookies_$UserName"
# UCBrowser Current Session
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "UCBrowser_Current_Session_$UserName"
# UCBrowser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "UCBrowser_Current_Tabs_$UserName"
# UCBrowser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "UCBrowser_Download_Metadata_$UserName"
# UCBrowser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "UCBrowser_Extension_Cookies_$UserName"
# UCBrowser Favicons
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "UCBrowser_Favicons_$UserName"
# UCBrowser History
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "UCBrowser_History_$UserName"
# UCBrowser Last Session
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "UCBrowser_Last_Session_$UserName"
# UCBrowser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "UCBrowser_Last_Tabs_$UserName"
# UCBrowser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_Sessions_Folder_$UserName"
# UCBrowser Login Data
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data*" -FolderName "UCBrowser_Login_Data_$UserName"
# UCBrowser Media History
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "UCBrowser_Media_History_$UserName"
# UCBrowser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "UCBrowser_Network_Action_Predictor_$UserName"
# UCBrowser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "UCBrowser_Network_Persistent_State_$UserName"
# UCBrowser Preferences
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "UCBrowser_Preferences_$UserName"
# UCBrowser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "UCBrowser_Quota_Manager_$UserName"
# UCBrowser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "UCBrowser_Reporting_and_NEL_$UserName"
# UCBrowser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "UCBrowser_Shortcuts_$UserName"
# UCBrowser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "UCBrowser_Top_Sites_$UserName"
# UCBrowser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "UCBrowser_Trust_Tokens_$UserName"
# UCBrowser SyncData Database
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_SyncData_Database_$UserName"
# UCBrowser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "UCBrowser_Visited_Links_$UserName"
# UCBrowser Web Data
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "UCBrowser_Web_Data_$UserName"
# Windows Protect Folder
# Repeat of an earlier step in this script: same source (the per-user DPAPI
# master-key store) and same -FolderName. It re-runs robocopy into the existing
# destination and increments $Summary.Copied again without adding a new artifact.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# UCBrowser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\UCBrowser\User Data*\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "UCBrowser_Snapshots_Folder_$UserName"
# Vivaldi Cookies
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Vivaldi_Cookies_$UserName"
# Vivaldi Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Vivaldi_Network_Persistent_State_$UserName"
# Vivaldi Favicons
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Vivaldi_Favicons_$UserName"
# Vivaldi History
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Vivaldi_History_$UserName"
# Vivaldi Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Vivaldi_Sessions_Folder_$UserName"
# Vivaldi Login Data
# NOTE(review): the mask is the exact file name "Login Data". The Supermium and
# UCBrowser steps in this script use "Login Data*", which also collects sidecar
# files sharing that prefix. Confirm that the narrower mask is intended here.
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Vivaldi_Login_Data_$UserName"
# Vivaldi Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Vivaldi_Network_Action_Predictor_$UserName"
# Vivaldi Preferences
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Vivaldi_Preferences_$UserName"
# Vivaldi Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "Vivaldi_Secure_Preferences_$UserName"
# Vivaldi Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Vivaldi_Top_Sites_$UserName"
# Vivaldi Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Vivaldi_Bookmarks_$UserName"
# Vivaldi Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Vivaldi_Visited_Links_$UserName"
# Vivaldi Web Data
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Vivaldi_Web_Data_$UserName"
# Vivaldi User Tracking
# Source is the user profile root itself rather than a browser folder; the mask
# selects files whose names start with .vivaldi_reporting_data.
# NOTE(review): Collect-Artifact always passes /E to robocopy, so this step walks
# the whole profile tree looking for one file-name prefix, and /E likely
# recreates the visited directories under the destination as well. No /XJ is
# passed, so junction handling inside the profile should be checked on a test
# system before trusting the Copied/Errors result for this step.
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask ".vivaldi_reporting_data*" -FolderName "Vivaldi_User_Tracking_$UserName"
# Vivaldi Calendar
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Calendar*" -FolderName "Vivaldi_Calendar_$UserName"
# Vivaldi Contacts
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Contacts*" -FolderName "Vivaldi_Contacts_$UserName"
# Vivaldi Notes
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Notes*" -FolderName "Vivaldi_Notes_$UserName"
# Vivaldi Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\Vivaldi\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata*" -FolderName "Vivaldi_Download_Metadata_$UserName"
# WaveBrowser bookmarks
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "WaveBrowser_bookmarks_$UserName"
# WaveBrowser Cookies
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "WaveBrowser_Cookies_$UserName"
# WaveBrowser Current Session
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "WaveBrowser_Current_Session_$UserName"
# WaveBrowser Current Tabs
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "WaveBrowser_Current_Tabs_$UserName"
# WaveBrowser Download Metadata
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "WaveBrowser_Download_Metadata_$UserName"
# WaveBrowser Extension Cookies
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Extension Cookies" -FolderName "WaveBrowser_Extension_Cookies_$UserName"
# WaveBrowser Favicons
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "WaveBrowser_Favicons_$UserName"
# WaveBrowser History
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "WaveBrowser_History_$UserName"
# WaveBrowser Last Session
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Session" -FolderName "WaveBrowser_Last_Session_$UserName"
# WaveBrowser Last Tabs
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Last Tabs" -FolderName "WaveBrowser_Last_Tabs_$UserName"
# WaveBrowser Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "WaveBrowser_Sessions_Folder_$UserName"
# WaveBrowser Login Data
# NOTE(review): the mask is the exact file name "Login Data". The Supermium and
# UCBrowser steps in this script use "Login Data*", which also collects sidecar
# files sharing that prefix. Confirm that the narrower mask is intended here.
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "WaveBrowser_Login_Data_$UserName"
# WaveBrowser Media History
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Media History*" -FolderName "WaveBrowser_Media_History_$UserName"
# WaveBrowser Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "WaveBrowser_Network_Action_Predictor_$UserName"
# WaveBrowser Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "WaveBrowser_Network_Persistent_State_$UserName"
# WaveBrowser Preferences
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "WaveBrowser_Preferences_$UserName"
# WaveBrowser Secure Preferences
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences" -FolderName "WaveBrowser_Secure_Preferences_$UserName"
# WaveBrowser Quota Manager
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "WaveBrowser_Quota_Manager_$UserName"
# WaveBrowser Reporting and NEL
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "WaveBrowser_Reporting_and_NEL_$UserName"
# WaveBrowser Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "WaveBrowser_Shortcuts_$UserName"
# WaveBrowser Top Sites
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "WaveBrowser_Top_Sites_$UserName"
# WaveBrowser Trust Tokens
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Trust Tokens*" -FolderName "WaveBrowser_Trust_Tokens_$UserName"
# WaveBrowser SyncData Database
# Collects only the file named SyncData.sqlite3 from each "Sync Data" directory.
# NOTE(review): the Supermium and UCBrowser SyncData steps in this script pass no
# -FileMask and so take the whole "Sync Data" folder; with the exact name used
# here, any companion files next to the database are not collected. Confirm
# that this is intended.
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*\Sync Data"
Collect-Artifact -SourceDir $UserPath -FileMask "SyncData.sqlite3" -FolderName "WaveBrowser_SyncData_Database_$UserName"
# WaveBrowser Visited Links
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "WaveBrowser_Visited_Links_$UserName"
# WaveBrowser Web Data
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "WaveBrowser_Web_Data_$UserName"
# Windows Protect Folder
# Repeat of an earlier step in this script: same source (the per-user DPAPI
# master-key store) and same -FolderName. It re-runs robocopy into the existing
# destination and increments $Summary.Copied again without adding a new artifact.
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Protect\*"
Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Protect_Folder_$UserName"
# WaveBrowser Snapshots Folder
$UserPath = "$($_.FullName)\AppData\Local\WaveBrowser\User Data\Snapshots\*"
Collect-Artifact -SourceDir $UserPath -FolderName "WaveBrowser_Snapshots_Folder_$UserName"
# Yandex Cookies
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Yandex_Cookies_$UserName"
# Yandex Network Persistent State
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Yandex_Network_Persistent_State_$UserName"
# Yandex Favicons
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Yandex_Favicons_$UserName"
# Yandex History
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "Yandex_History_$UserName"
# Yandex Sessions Folder
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions"
Collect-Artifact -SourceDir $UserPath -FolderName "Yandex_Sessions_Folder_$UserName"
# Yandex Login Data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Ya Passman Data*" -FolderName "Yandex_Login_Data_$UserName"
# Yandex Network Action Predictor
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Yandex_Network_Action_Predictor_$UserName"
# Yandex Preferences
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Yandex_Preferences_$UserName"
# Yandex Top Sites
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Yandex_Top_Sites_$UserName"
# Yandex Bookmarks
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Yandex_Bookmarks_$UserName"
# Yandex Visited Links
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links" -FolderName "Yandex_Visited_Links_$UserName"
# Yandex Web Data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Yandex_Web_Data_$UserName"
# Yandex Autofill data
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Ya Autofill Data*" -FolderName "Yandex_Autofill_data_$UserName"
# Yandex Passman logs
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Passman Logs*" -FolderName "Yandex_Passman_logs_$UserName"
# Yandex Shortcuts
$UserPath = "$($_.FullName)\AppData\Local\Yandex\YandexBrowser\User Data\*"
Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Yandex_Shortcuts_$UserName"
# WindowsIndexSearch - User
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*"
Collect-Artifact -SourceDir $UserPath -FolderName "WindowsIndexSearch_User_$UserName"
# GatherLogs - User
$UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs"
Collect-Artifact -SourceDir $UserPath -FolderName "GatherLogs_User_$UserName"
# ActivitiesCache.db
$UserPath = "$($_.FullName)\AppData\Local\ConnectedDevicesPlatform"
Collect-Artifact -SourceDir $UserPath -FileMask "ActivitiesCache.db*" -FolderName "ActivitiesCache_db_$UserName"
}
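Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
-ExecutionPolicy Bypass applies only to that one powershell process and does not change the machine's execution policy. Point $DestBase (D:\Evidence in this script) at external collection media, not at a volume of the system being examined. "Copied" counts every robocopy run that exits with code 7 or lower, which includes runs that found nothing to copy, so confirm what was collected from the destination folders rather than from the tally.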
Note: This is a compound target that references 23 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.