UsenetClients
Compound v1
Author: Andrew Rathbun
description
Usenet Clients
includes (4)
paths
6 paths from 4 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: UsenetClients
# Run as Administrator
#Requires -RunAsAdministrator
# Report non-terminating errors and keep going, so one failed artifact does not stop the run.
$ErrorActionPreference = 'Continue'

# Drive that holds the file system being collected from.
$SourceRoot = 'C:'

# Root folder that receives one subfolder per collected artifact.
# NOTE(review): presumably a separate evidence volume, so that collection does not
# write to the drive under examination - confirm before running.
$DestBase = 'D:\Evidence'

# Running tally that the script prints when it finishes.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
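function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies files matching a mask from a source directory into a named folder under $DestBase.

    .DESCRIPTION
    Resolves SourceDir (wildcards allowed in any path segment) to the directories that
    exist, creates $DestBase\FolderName, and runs robocopy once per resolved directory.
    The script-level $Summary hashtable is updated as follows:
      Missed - SourceDir resolved to no directory, or robocopy finished without copying
               anything (mask matched nothing, or the destination was already current).
      Copied - robocopy reported that at least one file was copied.
      Errors - robocopy returned 8 or higher (some copy failed, or a fatal error).

    .PARAMETER SourceDir
    Directory to collect from. Passed to Get-Item -Path, so wildcard characters are expanded.

    .PARAMETER FolderName
    Name of the subfolder created under $DestBase for this artifact.

    .PARAMETER FileMask
    robocopy file mask; defaults to "*" (every file).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force makes Get-Item return directories carrying the Hidden attribute too;
    # without it a hidden artifact folder would be counted as missing.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    # Every resolved source is copied into the same destination folder, so identically
    # named files from two matched directories end up at the same destination path.
    foreach ($src in $sources) {
        # /R:0 /W:0: no retries, so a file the client still holds open fails immediately.
        # All robocopy output is suppressed; the exit code is the only record of the result.
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        $exitCode = $LASTEXITCODE

        # robocopy exit codes are bit flags: 1 = files copied, 8 = copy failures, 16 = fatal.
        if ($exitCode -ge 8) {
            $Summary.Errors++
            # Name the failing source so the analyst knows which artifact to re-collect.
            Write-Warning ("robocopy exit code {0} for '{1}' (mask '{2}')" -f $exitCode, $src.FullName, $FileMask)
        }
        elseif ($exitCode -band 1) {
            $Summary.Copied++
        }
        else {
            # Success codes without the 'copied' bit: nothing new reached the destination.
            $Summary.Missed++
        }
    }
}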
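# Machine-wide NZBGet artifacts. The paths are built from $SourceRoot, like the
# per-user loop, so pointing $SourceRoot at another volume redirects every path.

# 1. Usenet Clients - NZBGet Log File
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\NZBGet" -FileMask "nzbget.log" -FolderName "Usenet_Clients_NZBGet_Log_File"

# 2. Usenet Clients - NZBGet NZBs (no mask: every file under the nzb folder)
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\NZBGet\nzb" -FolderName "Usenet_Clients_NZBGet_NZBs"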
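# Iterate every user profile under the source drive.
# -Force includes profile directories carrying the Hidden attribute, which
# Get-ChildItem otherwise omits; the built-in hidden entries it also surfaces
# ('All Users', 'Default', 'Default User') are removed by the name filter below.
Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        # The profile folder name is appended to each destination folder so that
        # artifacts from different users are kept apart.
        $UserName = $_.Name

        # Usenet Clients - Newsbin Pro
        $UserPath = "$($_.FullName)\AppData\Local\Newsbin"
        Collect-Artifact -SourceDir $UserPath -FileMask "Downloaded.db3" -FolderName "Usenet_Clients_Newsbin_Pro_$UserName"

        # Usenet Clients - Newsleecher
        $UserPath = "$($_.FullName)\AppData\Roaming\NewsLeecher"
        Collect-Artifact -SourceDir $UserPath -FileMask "downloaded.dat" -FolderName "Usenet_Clients_Newsleecher_$UserName"

        # Usenet Clients - SABnzbd Download Logs
        $UserPath = "$($_.FullName)\AppData\Local\sabnzbd\logs"
        Collect-Artifact -SourceDir $UserPath -FileMask "sabnzbd.log" -FolderName "Usenet_Clients_SABnzbd_Download_Logs_$UserName"

        # Usenet Clients - SABnzbd History.db
        $UserPath = "$($_.FullName)\AppData\Local\sabnzbd\admin"
        Collect-Artifact -SourceDir $UserPath -FileMask "history1.db" -FolderName "Usenet_Clients_SABnzbd_History_db_$UserName"
    }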
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 4 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_Usenet_newsreaders.
Install one of the applications not covered above and find where it stores useful information. If useful information can be located, make an individual Target for it and place it in the appropriate folder. Then, include that Target in the appropriate Compound Target.