WindowsOSUpgradeArtifacts

Author: Andrew Rathbun

description

Windows OS Upgrade Artifacts

paths

5 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: WindowsOSUpgradeArtifacts
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. MigLog.xml
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "MigLog.xml" -FolderName "MigLog_xml"

# 2. Setupact.log
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "Setupact.log" -FolderName "Setupact_log"

# 3. HumanReadable.xml
Collect-Artifact -SourceDir "C:\Windows\Panther" -FileMask "*HumanReadable.xml" -FolderName "HumanReadable_xml"

# 4. FolderMoveLog.txt
Collect-Artifact -SourceDir "C:\Windows\Panther\Rollback" -FileMask "FolderMoveLog.txt" -FolderName "FolderMoveLog_txt"

# 5. Update Store.db
Collect-Artifact -SourceDir "C:\ProgramData\USOPrivate\UpdateStore" -FileMask "store.db" -FolderName "Update_Store_db"

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
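Once the script has run, the next step a practitioner wants is to confirm that every one of the five artifacts actually landed in the evidence folder, was not copied as a zero-byte file, and is hashed for the chain of custody. The following Python helper is an added example, not part of the KAPE target or its generated script. It assumes the destination layout the script above creates (`<DestBase>\<FolderName>\...`, with robocopy `/E` preserving any source sub-directory structure) and the same five FileMasks; the sample evidence tree it builds for demonstration is constructed, not real Windows output.

```python
"""Verify a WindowsOSUpgradeArtifacts collection and write a hash manifest.

Added example (hypothetical helper), not code from the KAPE target. Assumes the
D:\Evidence\<FolderName> layout produced by the collection script above.
"""
import csv
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# FolderName -> FileMask, exactly as passed to Collect-Artifact in the script.
EXPECTED = {
    "MigLog_xml": "MigLog.xml",
    "Setupact_log": "Setupact.log",
    "HumanReadable_xml": "*HumanReadable.xml",
    "FolderMoveLog_txt": "FolderMoveLog.txt",
    "Update_Store_db": "store.db",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the hash: MigLog.xml and Setupact.log can be hundreds of MB."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_collection(dest_base: str) -> dict:
    """Return {folder: [entry, ...]}; each entry has path, size, sha256 and a
    status of 'ok', 'empty' (zero bytes) or 'missing' (nothing matched the mask)."""
    report = {}
    for folder, mask in EXPECTED.items():
        root = Path(dest_base) / folder
        # robocopy /E keeps sub-directories, so search recursively; match the
        # mask case-insensitively because NTFS names are case-preserving only.
        matches = []
        if root.is_dir():
            matches = [p for p in root.rglob("*")
                       if p.is_file() and fnmatch(p.name.lower(), mask.lower())]
        if not matches:
            report[folder] = [{"path": str(root / mask), "size": 0,
                               "sha256": None, "status": "missing"}]
            continue
        entries = []
        for p in sorted(matches):
            size = p.stat().st_size
            entries.append({"path": str(p), "size": size,
                            "sha256": sha256_file(p) if size else None,
                            "status": "ok" if size else "empty"})
        report[folder] = entries
    return report


def write_manifest(report: dict, out_path: str) -> int:
    """Write a CSV manifest (one row per file or gap); returns rows written."""
    rows = 0
    with open(out_path, "w", encoding="utf-8", newline="") as f:
        w = csv.writer(f)
        w.writerow(["folder", "path", "size", "sha256", "status"])
        for folder, entries in report.items():
            for e in entries:
                w.writerow([folder, e["path"], e["size"], e["sha256"] or "", e["status"]])
                rows += 1
    return rows


def make_sample_evidence() -> str:
    """Constructed sample tree (not real collection output): three artifacts
    present, one present but empty, one missing. Returns the base directory."""
    base = Path(tempfile.mkdtemp(prefix="osupgrade_sample_"))
    (base / "MigLog_xml").mkdir()
    (base / "MigLog_xml" / "MigLog.xml").write_text("<migration/>")
    (base / "Setupact_log").mkdir()
    (base / "Setupact_log" / "setupact.log").write_text("constructed log line\n")
    (base / "HumanReadable_xml" / "Sub").mkdir(parents=True)   # sub-dir kept by /E
    (base / "HumanReadable_xml" / "Sub" / "X_APPRAISER_HumanReadable.xml").write_text("<a/>")
    (base / "FolderMoveLog_txt").mkdir()
    (base / "FolderMoveLog_txt" / "FolderMoveLog.txt").write_bytes(b"")  # zero-byte copy
    # Update_Store_db is deliberately absent so the report shows 'missing'.
    return str(base)


if __name__ == "__main__":
    base = make_sample_evidence()
    rep = verify_collection(base)
    for folder, entries in rep.items():
        for e in entries:
            print(f"{folder:20} {e['status']:8} {e['size']:>10} {e['path']}")
    print("manifest rows:", write_manifest(rep, base + "/manifest.csv"))
```

Point `verify_collection` at the real `$DestBase` (for the script above, `D:\Evidence`) and review any `missing` or `empty` rows before the evidence drive leaves the host: a `missing` row usually means the path did not exist on that build of Windows, while an `empty` row means the file existed but robocopy could not read it.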

references

notes

MigLog.xml appears to provide a large list of settings, users, and other configuration data that have been migrated from one OS version to another

Many registry entries are enumerated within this log, so it can serve as a useful point-in-time snapshot of a user's system registry

Setupact.log has some good information about the hardware configuration of the system, current antivirus, and what appears to be an enumeration of the registry keys/subkeys

Setupact.log appears to provide good historical information about a system at the time of the OS upgrade (e.g. W10 2004 upgrading to W10 20H2)

On my personal system, MigLog.xml was 245 MB and setupact.log was 151 MB, so be cognizant of the potentially large file size of these artifacts compared to other artifacts that store this same information

*_APPRAISER_HumanReadable.xml and FolderMoveLog.txt appear to contain human-readable and therefore potentially forensically interesting information. They aren't as large as the other files, so they won't bloat a targeted collection

Store.db appears to be a SQLite database which stores a record of every Windows Update installed
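The notes above make two points a parser can act on: MigLog.xml is a very large XML file that names many registry keys, and store.db is a SQLite database whose layout the notes do not describe. The following Python block is an added example, not part of the KAPE target, and assumes only those two facts. `registry_refs` stream-parses a MigLog-style XML so a 245 MB file is never loaded whole, and `sqlite_overview` opens a database read-only and discovers its tables before any query is written against it. The MigLog sample and the `sample_updates`/`sample_meta` tables are constructed for the demonstration; they are not the real file formats.

```python
"""Triage MigLog.xml (registry references) and store.db (schema discovery).

Added example, not code from the KAPE target. Assumes only that MigLog.xml is
XML naming registry keys and that store.db is SQLite; samples are constructed.
"""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Registry hive in long (HKEY_LOCAL_MACHINE) or short (HKLM) form, followed by
# a key path. Paths containing spaces are cut at the first space (known limit).
REG_KEY_RE = re.compile(
    r"(?:HKEY_(?:LOCAL_MACHINE|CURRENT_USER|USERS|CLASSES_ROOT|CURRENT_CONFIG)"
    r"|HK(?:LM|CU|U|CR|CC))\\[^\s\"'<>]+"
)

# Constructed stand-in for MigLog.xml; element and attribute names are invented.
SAMPLE_MIGLOG = """<?xml version="1.0"?>
<migration>
  <setting key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" state="migrated"/>
  <setting key="HKCU\\Software\\Classes\\LocalSettings" state="migrated"/>
  <user name="alice">HKEY_USERS\\S-1-5-21-0-0-0-1001\\Software</user>
  <setting key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" state="rejected"/>
</migration>
"""


def registry_refs(xml_path: str) -> Counter:
    """Count registry key paths in attribute values and element text, streaming
    with iterparse and clearing each finished element to bound memory use."""
    hits = Counter()
    for _event, elem in ET.iterparse(xml_path, events=("end",)):
        for value in list(elem.attrib.values()) + [elem.text or ""]:
            for m in REG_KEY_RE.finditer(value):
                hits[m.group(0)] += 1
        elem.clear()  # drop the subtree we have finished with
    return hits


def by_hive(refs: Counter) -> dict:
    """Collapse key counts to per-hive totals for a quick view of what moved."""
    totals = Counter()
    for key, n in refs.items():
        totals[key.split("\\", 1)[0]] += n
    return dict(totals)


def sqlite_overview(db_path: str, sample_rows: int = 3) -> dict:
    """Open read-only (mode=ro keeps the evidence copy unmodified) and report
    every user table with its columns, row count and a few sample rows."""
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        out = {}
        for t in names:
            q = '"' + t.replace('"', '""') + '"'  # quote identifier safely
            cols = [c[1] for c in conn.execute(f"PRAGMA table_info({q})")]
            count = conn.execute(f"SELECT COUNT(*) FROM {q}").fetchone()[0]
            rows = conn.execute(f"SELECT * FROM {q} LIMIT ?", (sample_rows,)).fetchall()
            out[t] = {"columns": cols, "rows": count, "sample": rows}
        return out
    finally:
        conn.close()


def make_sample_miglog() -> str:
    """Write the constructed MigLog sample to a temp file; returns its path."""
    p = Path(tempfile.mkdtemp(prefix="miglog_sample_")) / "MigLog.xml"
    p.write_text(SAMPLE_MIGLOG, encoding="utf-8")
    return str(p)


def make_sample_db() -> str:
    """Constructed stand-in for store.db; table and column names are invented."""
    p = Path(tempfile.mkdtemp(prefix="storedb_sample_")) / "store.db"
    conn = sqlite3.connect(p)
    conn.execute("CREATE TABLE sample_updates (id INTEGER PRIMARY KEY, title TEXT, installed TEXT)")
    conn.executemany("INSERT INTO sample_updates (title, installed) VALUES (?, ?)",
                     [("Constructed update A", "2021-01-10"), ("Constructed update B", "2021-02-14")])
    conn.execute("CREATE TABLE sample_meta (k TEXT, v TEXT)")
    conn.commit()
    conn.close()
    return str(p)


if __name__ == "__main__":
    refs = registry_refs(make_sample_miglog())
    print("per-hive:", by_hive(refs))
    for key, n in refs.most_common():
        print(f"{n:4}  {key}")
    for table, info in sqlite_overview(make_sample_db()).items():
        print(table, info["columns"], info["rows"], info["sample"])
```

Run `sqlite_overview` on the collected store.db first and read the column names it returns; the notes say the database records installed updates, but the query that extracts them should be written against the schema you observe rather than guessed.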