SumatraPDF

Apps v1.1

Author: Andrew Rathbun

description

SumatraPDF

paths

2 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: SumatraPDF
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # SumatraPDF Settings - SessionData
        $UserPath = "$($_.FullName)\AppData\Local\SumatraPDF"
        Collect-Artifact -SourceDir $UserPath -FileMask "SumatraPDF-settings.txt" -FolderName "SumatraPDF_Settings_SessionData_$UserName"
        # SumatraPDF Cache
        $UserPath = "$($_.FullName)\AppData\Local\SumatraPDF\sumatrapdfcache"
        Collect-Artifact -SourceDir $UserPath -FolderName "SumatraPDF_Cache_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

In the above link, search for SessionData to jump to the information on which documents the user had open in SumatraPDF when the program last exited.

I've had 170+ PDFs opened at once with SumatraPDF and each of their full file paths was recorded within this file. Very useful!

Here's an example of some information you'll see about PDFs that have been opened with SumatraPDF:

OpenCount = 1

DecryptionKey = 8cfbabc34e8d846dffb53b90c9g2acb5es82d9c86f314cb5aa7a1adfc66f76e800000000000000000000000000000000

DecryptionKey only exists if the user chooses to remember the password for a PDF that's password protected.
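
To triage a collected SumatraPDF-settings.txt, the sketch below (an added example, not part of the original target or of SumatraPDF) lists each recorded file with its OpenCount and whether a DecryptionKey was saved, plus the files open at last exit. The FileStates, TabStates and FilePath names and the bracketed layout are assumptions about the file format, and the sample data is constructed.

```python
SAMPLE = r"""
FileStates [
    [
        FilePath = C:\Users\alice\Documents\report.pdf
        OpenCount = 3
        DecryptionKey = CONSTRUCTED-PLACEHOLDER
    ]
    [
        FilePath = C:\Users\alice\Downloads\invoice.pdf
        OpenCount = 1
    ]
]
SessionData [
    [
        TabStates [
            [
                FilePath = C:\Users\alice\Downloads\invoice.pdf
            ]
        ]
    ]
]
"""  # constructed sample, not real evidence

def parse_block(lines, i=0):
    """Assumed layout: 'Name [' opens a block, '[' a list element, ']' closes; 'Key = Value'."""
    fields, items = {}, []
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "]":
            break
        if line == "[":                               # anonymous list element
            child, i = parse_block(lines, i)
            items.append(child)
        elif line.endswith("[") and "=" not in line:  # named block
            child, i = parse_block(lines, i)
            fields[line[:-1].strip()] = child
        elif "=" in line:                             # scalar setting
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return (items if items else fields), i

def triage(text):
    # Returns (path, open count, password saved?) per file; key values are not echoed.
    root, _ = parse_block(text.splitlines())
    history = [(f.get("FilePath"), int(f.get("OpenCount", 0)), "DecryptionKey" in f)
               for f in root.get("FileStates", [])]
    open_at_exit = [tab.get("FilePath") for window in root.get("SessionData", [])
                    for tab in window.get("TabStates", [])]
    return history, open_at_exit
```

Run triage() against the text of each per-user copy in the evidence folder; a True in the third field marks a PDF whose password the user chose to remember.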