VLC Media Player
Appsv1
Author: Matt Dawson
description
VLC Media Player
paths
2 paths
AppsVLC Recently Opened Files
C:\Users\%user%\AppData\Roaming\vlc\vlc-qt-interface.iniConfiguration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening
AppsVLC Recorded Files
C:\Users\%user%\Videos\vlc-*.aviRecorded files in VLC. Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: VLC Media Player
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. VLC Recently Opened Files
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\vlc\"
Collect-Artifact -SourcePath "$UserPath\vlc-qt-interface.ini" -FolderName "VLC_Recently_Opened_Files"
# 2. VLC Recorded Files
$UserPath = Join-Path $env:USERPROFILE "Videos\"
Collect-Artifact -SourcePath "$UserPath\vlc-*.avi" -FolderName "VLC_Recorded_Files"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1