Soulseek
P2P v1.1
Author: Andrew Rathbun
description
Soulseek
paths
2 paths
paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: Soulseek
# Run as Administrator
#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes below 8 mean no copy failure occurred
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name

        # Soulseek Chat Logs
        $UserPath = "$($_.FullName)\AppData\Local\SoulseekQt\Soulseek Chat Logs"
        Collect-Artifact -SourceDir $UserPath -FolderName "Soulseek_Chat_Logs_$UserName"

        # Soulseek Search History/Shared Folders/Settings
        $UserPath = "$($_.FullName)\AppData\Local\SoulseekQt\1"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.dat" -FolderName "Soulseek_Search_History_Shared_Folders_Settings_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Soulseek is a very popular file-sharing client. It is most commonly used for sharing MP3s among music enthusiasts, but any file type can be shared.
Logs are stored as .dat files. Open them with your favorite text editor that's not named Notepad or WordPad and you should have an easy enough time using Ctrl+F to search for relevant data.
Chats are stored in plaintext. These can be opened in any text editor and are human readable.
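The Ctrl+F review described in these notes can be scripted across every user's collected folder at once. The following is an added example, not part of the original collection script or the author's tooling: Find-SoulseekKeyword is a hypothetical helper name, D:\Evidence is the $DestBase from the script above, and the search term is constructed. It assumes an ASCII keyword and, because the page does not state how strings are encoded inside the .dat files, checks for both single-byte and UTF-16LE forms.

```powershell
# Added example: keyword triage over the folders the collection script creates.
# Find-SoulseekKeyword is a hypothetical helper name, not part of the original script.
function Find-SoulseekKeyword {
    param(
        [Parameter(Mandatory)][string]$Keyword,   # assumed to be ASCII
        [string]$EvidenceRoot = "D:\Evidence",    # $DestBase in the collection script
        [int]$Context = 40                        # bytes shown either side of a hit
    )
    # Latin-1 maps every byte to exactly one character, so a match index in the
    # decoded text is also the byte offset in the file.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    # Match the keyword as single-byte text, or as UTF-16LE (a NUL after each byte).
    $narrow = [regex]::Escape($Keyword)
    $wide = (($Keyword.ToCharArray() |
        ForEach-Object { [regex]::Escape([string]$_) + '\x00' }) -join '')
    $regex = [regex]::new("(?i)(?<wide>$wide)|(?<narrow>$narrow)")

    Get-ChildItem -Path $EvidenceRoot -Directory -Filter "Soulseek_*" -ErrorAction SilentlyContinue |
        Get-ChildItem -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $text = $latin1.GetString([System.IO.File]::ReadAllBytes($file.FullName))
            foreach ($m in $regex.Matches($text)) {
                $start = [Math]::Max(0, $m.Index - $Context)
                $len = [Math]::Min($text.Length - $start, $m.Length + 2 * $Context)
                [pscustomobject]@{
                    File     = $file.FullName
                    Offset   = $m.Index
                    Encoding = if ($m.Groups['wide'].Success) { 'UTF-16LE' } else { 'single-byte' }
                    # Drop NULs and mask other non-printable bytes so the row stays readable
                    Snippet  = ($text.Substring($start, $len) -replace '\x00', '') -replace '[^\x20-\x7E]', '.'
                }
            }
        }
}

# "invoice" is a constructed search term
Find-SoulseekKeyword -Keyword "invoice" | Format-Table -AutoSize
```

Run it against the collected copies rather than the live profile, so the original files' timestamps are not touched by the review.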