Symantec_AV_Logs

# PowerShell Artifact Collection Script
# Target: Symantec_AV_Logs
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Symantec Endpoint Protection Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV" -FolderName "Symantec_Endpoint_Protection_Logs_XP"

# 2. Symantec Endpoint Protection Logs
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs" -FolderName "Symantec_Endpoint_Protection_Logs"

# 3. Symantec Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "Symantec Endpoint Protection Client.evtx" -FolderName "Symantec_Event_Log_Win7"

# 4. Symantec Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "Symantec Endpoint Protection Client.evtx" -FolderName "Symantec_Event_Log_Win7"

# 5. Symantec Endpoint Protection Quarantine (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine" -FolderName "Symantec_Endpoint_Protection_Quarantine_XP"

# 6. Symantec Endpoint Protection Quarantine
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine" -FolderName "Symantec_Endpoint_Protection_Quarantine"

# 7. ccSubSDK Database
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK" -FolderName "ccSubSDK_Database"

# 8. registrationInfo.xml
Collect-Artifact -SourceDir "C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data" -FileMask "registrationInfo.xml" -FolderName "registrationInfo_xml"

# 9. Application Event Log XP
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP"

# 10. Application Event Log XP
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP"

# 11. Application Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7"

# 12. Application Event Log Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Symantec Endpoint Protection User Logs
        $UserPath = "$($_.FullName)\AppData\Local\Symantec\Symantec Endpoint Protection\Logs"
        Collect-Artifact -SourceDir $UserPath -FolderName "Symantec_Endpoint_Protection_User_Logs_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green