WindowsOSUpgradeArtifacts
Windowsv1.1
Author: Andrew Rathbun
description
Windows OS Upgrade Artifacts
paths
5 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: WindowsOSUpgradeArtifacts
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. MigLog.xml
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "MigLog.xml" -FolderName "MigLog_xml"
# 2. Setupact.log
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "Setupact.log" -FolderName "Setupact_log"
# 3. HumanReadable.xml
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "*HumanReadable.xml" -FolderName "HumanReadable_xml"
# 4. FolderMoveLog.txt
Collect-Artifact -SourceDir "C:\Windows\Panther\Rollback" -FileMask "FolderMoveLog.txt" -FolderName "FolderMoveLog_txt"
# 5. Update Store.db
Collect-Artifact -SourceDir "C:\ProgramData\USOPrivate\UpdateStore" -FileMask "store.db" -FolderName "Update_Store_db"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1