dfirhub

Slack

Appsv1.1

Author: Andrew Rathbun and Chad Tilbury

description

Slack

paths

5 paths
AppsSlack - Chat Logs
C:\Users\%user%\AppData\Roaming\Slack\IndexedDB\

Locates Slack logs and copies them

AppsSlack LevelDB Files
C:\Users\%user%\AppData\Roaming\Slack\Local Storage\leveldb
AppsSlack Electron Logs
C:\Users\%user%\AppData\Roaming\Slack\logs\

Current Slack application is based on Electron and additional logging can be found here.

AppsSlack Cache
C:\Users\%user%\AppData\Roaming\Slack\Cache

Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView

AppsSlack Storage
C:\Users\%user%\AppData\Roaming\Slack\storage\

User activity logs can be present including slack-downloads log

paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: Slack
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Slack - Chat Logs
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Slack\IndexedDB\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Slack___Chat_Logs"

# 2. Slack LevelDB Files
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Slack\Local Storage\leveldb"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Slack_LevelDB_Files"

# 3. Slack Electron Logs
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Slack\logs\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Slack_Electron_Logs"

# 4. Slack Cache
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Slack\Cache"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Slack_Cache"

# 5. Slack Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Slack\storage\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Slack_Storage"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

included in collections

SANS_Triage MessagingClients