dfirhub

$SDS

Author: Eric Zimmerman and Andrew Rathbun

description

$SDS is the Security Descriptor Stream: an alternate data stream of the NTFS $Secure metafile that stores every security descriptor (owner, group, DACL and SACL) in use on the volume, indexed by the security ID recorded in each file's $STANDARD_INFORMATION attribute. Collecting it lets an examiner recover the permissions that applied to files on the volume without access to the live system.

paths

2 paths

Category: FileSystem   Name: $SDS
Path: C:\$Secure:$SDS

Category: FileSystem   Name: $SDS
Path: C:\$Secure_$SDS

The second path covers the case where this Target is run against a mounted VHDX that already contains files pulled from a live system. The first path looks for $SDS as an alternate data stream (ADS) of $Secure; once the stream has been pulled it is written out as a regular file named $Secure_$SDS (the ':' becomes '_'), so it no longer matches the ADS path and would otherwise be missed.

paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: $SDS
# Run as Administrator

#Requires -RunAsAdministrator

# Keep errors visible: $Secure is an NTFS metafile, and a user-mode Copy-Item of
# C:\$Secure:$SDS is expected to fail on a live volume (KAPE collects that path with
# raw disk access). Hiding the error would make an empty collection look successful.
$ErrorActionPreference = "Continue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    # -LiteralPath: the source contains '$' and ':' and must not be expanded or globbed
    Copy-Item -LiteralPath $SourcePath -Destination $FullDest -Force
}

# 1. $SDS as an alternate data stream of $Secure (live volume).
#    Single quotes are required: in double quotes PowerShell would expand $Secure and $SDS as variables.
Collect-Artifact -SourcePath 'C:\$Secure:$SDS' -FolderName "_SDS"

# 2. $SDS already extracted by a previous KAPE run (mounted VHDX), stored as a regular file
Collect-Artifact -SourcePath 'C:\$Secure_$SDS' -FolderName "_SDS"

Write-Host "Collection complete!" -ForegroundColor Green

Save as a .ps1 file and run it as Administrator: powershell -ExecutionPolicy Bypass -File script.ps1
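Whichever path the Target matched, the collected file holds the same bytes: the raw $SDS stream. The following Python parser is an added example written for this page (it is not part of the KAPE target, KAPE, or any Zimmerman tool) and shows what that artifact contains. It assumes the NTFS on-disk layout of $SDS (a 20-byte entry header of hash, security ID, stream offset and size, followed by a self-relative security descriptor padded to 16 bytes, written in 256 KiB blocks that are each followed by a mirror copy) and the descriptor hash as implemented in ntfs-3g (rotate-left by 3 and add, per dword). The sample stream it parses is constructed inline and comes from no real volume.

```python
"""Parser for an NTFS $Secure:$SDS (Security Descriptor Stream), run here on a
constructed sample. On-disk layout assumed:
  entry: hash u32, security_id u32, entry_offset u64, entry_size u32 (20-byte header),
         then a self-relative SECURITY_DESCRIPTOR, padded to a 16-byte boundary;
  the stream is written in 256 KiB blocks, each followed by a mirror copy of itself.
"""
import struct
import sys

BLOCK = 0x40000                  # 256 KiB primary block; the next 256 KiB is its mirror
HDR = struct.Struct("<IIQI")     # hash, security_id, offset, size
SE_DACL_PRESENT = 0x0004


def sds_hash(data: bytes) -> int:
    """Descriptor hash as implemented in ntfs-3g: hash = dword + rol32(hash, 3), per dword."""
    h = 0
    for (dw,) in struct.iter_unpack("<I", data[: len(data) & ~3]):
        h = (dw + ((h << 3) | (h >> 29))) & 0xFFFFFFFF
    return h


def sid_to_str(buf: bytes, off: int) -> str:
    """Decode a binary SID at buf[off] into S-R-A-S... form."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def parse_sd(sd: bytes) -> dict:
    """Decode owner, group and DACL ACEs of a self-relative security descriptor."""
    rev, _sbz1, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"revision": rev, "control": control,
           "owner": sid_to_str(sd, o_owner) if o_owner else None,
           "group": sid_to_str(sd, o_group) if o_group else None,
           "dacl": None}
    if control & SE_DACL_PRESENT and o_dacl:
        _rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, o_dacl)
        aces, pos = [], o_dacl + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                         "sid": sid_to_str(sd, pos + 8)})
            pos += ace_size
        out["dacl"] = aces
    return out


def parse_sds(stream: bytes) -> list:
    """Walk every primary block (skipping mirrors) and return the decoded entries.

    offset_ok/hash_ok flag entries whose stored offset or hash disagree with the data,
    which is how a truncated or tampered stream shows up."""
    entries = []
    for block_start in range(0, len(stream), 2 * BLOCK):
        pos, end = block_start, min(block_start + BLOCK, len(stream))
        while pos + HDR.size <= end:
            h, sec_id, off, size = HDR.unpack_from(stream, pos)
            if size < HDR.size or pos + size > end:
                break                                  # zero padding at the end of the block
            sd = stream[pos + HDR.size:pos + size]
            entries.append({"security_id": sec_id, "offset": off, "offset_ok": off == pos,
                            "hash_ok": h == sds_hash(sd), "sd": parse_sd(sd)})
            pos += (size + 15) & ~15                   # entries are 16-byte aligned
    return entries


# --- constructed sample data (not from any real volume) ---------------------
def make_sid(auth: int, *subs: int) -> bytes:
    return bytes([1, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def make_sd(owner: bytes, group: bytes, aces: list) -> bytes:
    """Self-relative SD with SE_SELF_RELATIVE|SE_DACL_PRESENT and ACCESS_ALLOWED ACEs."""
    ace_blobs = b"".join(struct.pack("<BBHI", t, 0, 8 + len(sid), mask) + sid for t, mask, sid in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_blobs), len(aces), 0) + ace_blobs
    o_owner, o_group = 20, 20 + len(owner)
    o_dacl = o_group + len(group)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, o_owner, o_group, 0, o_dacl) + owner + group + acl


def make_entry(sec_id: int, sd: bytes, offset: int) -> bytes:
    body = HDR.pack(sds_hash(sd), sec_id, offset, HDR.size + len(sd)) + sd
    return body + b"\0" * (-len(body) % 16)


def build_sample_stream() -> bytes:
    """Two descriptors in one 256 KiB block, followed by its mirror copy."""
    admins, system, everyone = make_sid(5, 32, 544), make_sid(5, 18), make_sid(1, 0)
    sd1 = make_sd(admins, system, [(0, 0x1F01FF, system), (0, 0x1200A9, everyone)])
    sd2 = make_sd(system, system, [(0, 0x1F01FF, system)])
    primary = make_entry(256, sd1, 0)
    primary += make_entry(257, sd2, len(primary))
    primary = primary.ljust(BLOCK, b"\0")
    return primary + primary


if __name__ == "__main__":
    # Usage: python sds_parse.py D:\Evidence\_SDS\$Secure_$SDS   (no argument: parse the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for e in parse_sds(data):
        print(e["security_id"], e["offset"], e["hash_ok"], e["sd"]["owner"], e["sd"]["group"],
              [(a["type"], hex(a["mask"]), a["sid"]) for a in (e["sd"]["dacl"] or [])])
```

Point it at the collected $Secure_$SDS file to list each security ID with its owner, group and DACL; an entry with hash_ok or offset_ok set to False indicates the stream was truncated or altered between the volume and the evidence folder.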

references

included in collections