Slack
Author: Andrew Rathbun and Chad Tilbury
description
Slack
paths
collection commands
# PowerShell Artifact Collection Script
# Target: Slack
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
param(
[Parameter(Mandatory)][string]$SourceDir,
[Parameter(Mandatory)][string]$FolderName,
[string]$FileMask = "*"
)
# Expand wildcards in any path segment (e.g. 'Program Files*',
# 'ScreenConnect Client*'). robocopy itself does not glob the source.
$sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
Where-Object { $_.PSIsContainer })
if ($sources.Count -eq 0) {
$Summary.Missed++
return
}
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
$null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
foreach ($src in $sources) {
robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
}
}
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
ForEach-Object {
$UserName = $_.Name
# Slack - Chat Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\IndexedDB"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Chat_Logs_$UserName"
# Slack LevelDB Files
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\Local Storage\leveldb"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_LevelDB_Files_$UserName"
# Slack Electron Logs
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\logs"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Electron_Logs_$UserName"
# Slack Cache
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\Cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Cache_$UserName"
# Slack Storage
$UserPath = "$($_.FullName)\AppData\Roaming\Slack\storage"
Collect-Artifact -SourceDir $UserPath -FolderName "Slack_Storage_$UserName"
}
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Slack is a popular chat/collaboration platform that is used by many organizations worldwide.
Within the IndexedDB folder, there will be another folder that does not appear to be server-specific like Mattermost. I'm in two Slack workspaces but separate folders do not appear to be created for each Slack workspace.
Within this folder, there will be a .log file for each Slack workspace. Slack must be exited properly in order for new logs to commit to this directory. My two log files were named .000039.log and .000041.log, respectively. This is where you should concentrate your analysis.
Unlike Mattermost, there are no timestamped by the keystroke entries. The log files are also harder to visually parse through compared to Mattermost's log files.
Thankfully, these logs appear to be more exhaustive than Mattermost's. Use the following search term in your text editor of choice to zoom to the message content: subtype_
It should be noted there appears to be .ldb (Microsoft Access Record-Locking Information) files that don't seem to have as much information once the .log file is converted to .ldb upon application exit.