dfirhub

USBDetective

Compoundv1

Author: Kevin Pagano

description

Collects files that can be input into USB Detective for parsing

includes (7)

paths

74 pathsfrom 7 targets
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: USBDetective
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Setupapi.log XP
Collect-Artifact -SourceDir "C:\Windows" -FileMask "setupapi.log" -FolderName "Setupapi_log_XP"

# 2. Setupapi.log Win7+
Collect-Artifact -SourceDir "C:\Windows\inf" -FileMask "setupapi.*.log" -FolderName "Setupapi_log_Win7"

# 3. Setupapi.log Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\inf" -FileMask "setupapi.*.log" -FolderName "Setupapi_log_Win7"

# 4. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"

# 5. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"

# 6. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"

# 7. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"

# 8. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"

# 9. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"

# 10. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"

# 11. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"

# 12. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"

# 13. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"

# 14. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"

# 15. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"

# 16. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"

# 17. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"

# 18. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"

# 19. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"

# 20. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"

# 21. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"

# 22. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"

# 23. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"

# 24. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"

# 25. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"

# 26. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"

# 27. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"

# 28. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"

# 29. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"

# 30. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"

# 31. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"

# 32. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"

# 33. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"

# 34. System Profile registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"

# 35. System Profile registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"

# 36. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"

# 37. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"

# 38. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"

# 39. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"

# 40. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"

# 41. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"

# 42. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"

# 43. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"

# 44. System Restore Points Registry Hives (XP)
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*\snapshot" -FileMask "_REGISTRY_*" -FolderName "System_Restore_Points_Registry_Hives_XP"

# 45. NTUSER.DAT DEFAULT registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"

# 46. NTUSER.DAT DEFAULT registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"

# 47. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"

# 48. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"

# 49. Registry.dat MSIX Hive
Collect-Artifact -SourceDir "C:\Program Files\WindowsApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"

# 50. Registry.dat MSIX Hive
Collect-Artifact -SourceDir "C:\Windows\SystemApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"

# 51. Event logs XP
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "*.evt" -FolderName "Event_logs_XP"

# 52. Event logs Win7+
Collect-Artifact -SourceDir "C:\Windows\System32\winevt\logs" -FileMask "*.evtx" -FolderName "Event_logs_Win7"

# 53. Event logs Win7+
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\winevt\logs" -FileMask "*.evtx" -FolderName "Event_logs_Win7"

# 54. Restore point LNK Files XP
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*" -FileMask "*.LNK" -FolderName "Restore_point_LNK_Files_XP"

# 55. LNK Files from C:\ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" -FileMask "*.LNK" -FolderName "LNK_Files_from_C_ProgramData"

# 56. Amcache
Collect-Artifact -SourceDir "C:\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"

# 57. Amcache
Collect-Artifact -SourceDir "C:\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"

# 58. Amcache transaction files
Collect-Artifact -SourceDir "C:\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"

# 59. Amcache transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # NTUSER.DAT registry hive XP
        $UserPath = $_.FullName
        Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_XP_$UserName"
        # NTUSER.DAT registry hive
        $UserPath = $_.FullName
        Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_$UserName"
        # NTUSER.DAT registry transaction files
        $UserPath = $_.FullName
        Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT.LOG*" -FolderName "NTUSER_DAT_registry_transaction_files_$UserName"
        # UsrClass.dat registry hive
        $UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
        Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat*" -FolderName "UsrClass_dat_registry_hive_$UserName"
        # UsrClass.dat registry transaction files
        $UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
        Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat.LOG*" -FolderName "UsrClass_dat_registry_transaction_files_$UserName"
        # Registry.dat MSIX Hive
        $UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
        Collect-Artifact -SourceDir $UserPath -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive_$UserName"
        # settings.dat MSIX Hive
        $UserPath = "$($_.FullName)\AppData\Local\Packages\*\Settings"
        Collect-Artifact -SourceDir $UserPath -FileMask "settings.dat*" -FolderName "settings_dat_MSIX_Hive_$UserName"
        # User.dat MSIX Hive
        $UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
        Collect-Artifact -SourceDir $UserPath -FileMask "User.dat*" -FolderName "User_dat_MSIX_Hive_$UserName"
        # UserClasses.dat MSIX Hive
        $UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
        Collect-Artifact -SourceDir $UserPath -FileMask "UserClasses.dat*" -FolderName "UserClasses_dat_MSIX_Hive_$UserName"
        # LNK Files from Recent
        $UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Recent"
        Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_$UserName"
        # LNK Files from Microsoft Office Recent
        $UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Office\Recent"
        Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Microsoft_Office_Recent_$UserName"
        # Start Menu LNK Files
        $UserPath = "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Start_Menu_LNK_Files_$UserName"
        # LNK Files from Recent (XP)
        $UserPath = "$($_.FullName)\Recent"
        Collect-Artifact -SourceDir $UserPath -FolderName "LNK_Files_from_Recent_XP_$UserName"
        # Desktop LNK Files XP
        $UserPath = "$($_.FullName)\Desktop"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_XP_$UserName"
        # Desktop LNK Files
        $UserPath = "$($_.FullName)\Desktop"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.LNK" -FolderName "Desktop_LNK_Files_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

Note: This is a compound target that references 5 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

notes

For more information on USB Detective go here: https://usbdetective.com/features/