TablacusExplorer
Author: Andrew Rathbun
description
Tablacus Explorer
paths
collection commands
# PowerShell Artifact Collection Script
# Target: TablacusExplorer
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Tablacus Explorer - remember.xml
        $UserPath = "$($_.FullName)\AppData\Local\Temp\*\config"
        Collect-Artifact -SourceDir $UserPath -FileMask "remember.xml" -FolderName "Tablacus_Explorer_remember_xml_$UserName"
        # Tablacus Explorer - window.xml
        $UserPath = "$($_.FullName)\AppData\Local\Temp\*\config"
        Collect-Artifact -SourceDir $UserPath -FileMask "window.xml" -FolderName "Tablacus_Explorer_window_xml_$UserName"
        # Tablacus Explorer - window1.xml
        $UserPath = "$($_.FullName)\AppData\Local\Temp\*\config"
        Collect-Artifact -SourceDir $UserPath -FileMask "window1.xml" -FolderName "Tablacus_Explorer_window1_xml_$UserName"
    }
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Tablacus Explorer is a free, open-source orthodox file manager that is completely portable. No installation is needed. Therefore, the registry is not touched, nor are there reliable file system locations for artifacts.
However, the .\AppData\Local\Temp\ directory may come in handy. I noticed that copies of the XML files in my local Tablacus Explorer folder were located there.
My folder path had dtemp-d2fffa101683078-60.dop in place of the asterisk, so I'm guessing that's randomized with each install. As a precaution, I used an asterisk.
Window.xml and Window1.xml will have information regarding what the user had open in each window at the time.
Please note that Tablacus Explorer has an add-on for up to 9 tabs to be open at once.
Remember.xml is likely tied to the plugin "Remember folder view settings" that ships with Tablacus Explorer. It can be disabled at any time.