VLC Media Player

Appsv1

Author: Matt Dawson

description

VLC Media Player

paths

2 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: VLC Media Player
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. VLC Recently Opened Files
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\vlc\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "vlc-qt-interface.ini" -FolderName "VLC_Recently_Opened_Files"

# 2. VLC Recorded Files
$UserPath = Join-Path $env:USERPROFILE "Videos\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "vlc-*.avi" -FolderName "VLC_Recorded_Files"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

https://www.forensicfocus.com/forums/general/vlc-recent-files/

https://superuser.com/questions/287137/does-vlc-media-player-store-the-files-or-its-history-in-a-hidden-location/1206411

https://www.forensafe.com/blogs/vlc.html

// description

// paths

// collection commands

// references

description

paths

collection commands

references