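@echo off
setlocal EnableExtensions EnableDelayedExpansion
REM =====================================================
REM Parv's Case Download Utility (PCDU)
REM Downloads case files from analysis server
REM
REM Usage: pcdu.bat [CASENO] [SSH_USER] [PASSWORD]
REM   Any argument left out is prompted for.
REM
REM Notes on the tools this script drives:
REM   - The password is passed to pscp/plink via -pw and to sshpass
REM     via -p, i.e. on their command line, where other processes on
REM     this machine can read it for the lifetime of each transfer.
REM     A password given as the third argument is visible the same way.
REM   - "set /p" shows what is typed, so the password prompt is not
REM     masked.
REM   - plink/pscp run with -batch and therefore abort on an unknown
REM     host key instead of prompting. Cache the server key once with
REM     an interactive PuTTY session, or pass -hostkey with the server
REM     fingerprint, before using this script.
REM   - OpenSSH runs with StrictHostKeyChecking=accept-new: the key is
REM     stored on first contact and a changed key is refused later.
REM =====================================================

REM -----------------------------------------------------
REM Locate the transfer tools
REM -----------------------------------------------------
set "SCP_TOOL="
set "SCP_TYPE="
where pscp.exe >nul 2>&1
if !ERRORLEVEL! EQU 0 (
  set "SCP_TOOL=pscp.exe"
  set "SCP_TYPE=PSCP"
) else (
  where scp.exe >nul 2>&1
  if !ERRORLEVEL! EQU 0 (
    set "SCP_TOOL=scp.exe"
    set "SCP_TYPE=SCP"
  )
)
if "!SCP_TOOL!"=="" (
  echo ERROR: Neither pscp.exe nor scp.exe found in PATH.
  echo.
  echo Please install one of the following:
  echo   - PuTTY ^(includes pscp.exe^) - https://www.putty.org/
  echo   - OpenSSH Client ^(includes scp.exe^) - Built into Windows 10/11
  echo.
  pause
  exit /b 1
)
REM The directory listing needs a remote shell, not just a copy tool:
REM plink.exe for PuTTY, ssh.exe plus sshpass for OpenSSH. Checking
REM here keeps a missing helper from being reported later as a failed
REM connection.
if "!SCP_TYPE!"=="PSCP" (
  where plink.exe >nul 2>&1 || (
    echo ERROR: plink.exe ^(part of PuTTY^) not found in PATH.
    pause
    exit /b 1
  )
) else (
  where ssh.exe >nul 2>&1 || (
    echo ERROR: ssh.exe ^(OpenSSH client^) not found in PATH.
    pause
    exit /b 1
  )
  where sshpass >nul 2>&1 || (
    echo ERROR: sshpass not found in PATH. It is required for password login with OpenSSH.
    pause
    exit /b 1
  )
)

REM -----------------------------------------------------
REM Configuration
REM -----------------------------------------------------
set "REMOTE_SERVER=sjanalysis.citrite.net"
set "REMOTE_BASE_PATH=/upload/ftp"
set "SSH_OPTS=-o StrictHostKeyChecking=accept-new"

REM -----------------------------------------------------
REM Inputs
REM -----------------------------------------------------
REM Clear each variable before prompting: "set /p" keeps the previous
REM value when the user just presses Enter, and USERNAME is already the
REM Windows logon name.
set "CASENO="
if "%~1"=="" (
  set /p CASENO=Enter Case Number:
) else (
  set "CASENO=%~1"
)
if "!CASENO!"=="" (
  echo ERROR: Case number cannot be empty.
  exit /b 1
)
REM CASENO is embedded in a command run by the remote shell and in local
REM folder names, so allow only letters, digits, "_" and "-". A "." is
REM deliberately not allowed so ".." cannot appear. Widen the list below
REM if real case IDs use other characters.
set "REST=!CASENO!"
for %%Z in (0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z _ -) do set "REST=!REST:%%Z=!"
if not "!REST!"=="" (
  echo ERROR: Case number may contain only letters, digits, "_" and "-".
  exit /b 1
)

set "SSH_USER="
if "%~2"=="" (
  set /p SSH_USER=Enter SSH Username:
) else (
  set "SSH_USER=%~2"
)
if "!SSH_USER!"=="" (
  echo ERROR: Username cannot be empty.
  exit /b 1
)

set "PASSWORD="
if "%~3"=="" (
  REM Typed characters are echoed to the console; nothing here can mask them.
  echo Enter SSH Password for !SSH_USER!@%REMOTE_SERVER%:
  set /p PASSWORD=
) else (
  set "PASSWORD=%~3"
)
set "TARGET=!SSH_USER!@%REMOTE_SERVER%"

REM -----------------------------------------------------
REM Paths
REM -----------------------------------------------------
set "REMOTE_CASE_PATH=%REMOTE_BASE_PATH%/!CASENO!"
set "DEST=%USERPROFILE%\Downloads\SJLNT\!CASENO!"
set "LOGFILE=!DEST!\download_!CASENO!.log"
REM Scratch files live in the per-user TEMP folder; the random suffix
REM keeps two runs for the same case from overwriting each other.
set "TMPBASE=%TEMP%\pcdu_!CASENO!_%RANDOM%"
set "TEMP_RAW=!TMPBASE!_raw.txt"
set "TEMP_LIST=!TMPBASE!_files.txt"
set "COLLECTOR_LIST=!TMPBASE!_collectors.txt"
set "ALL_FILES_LIST=!TMPBASE!_listing.txt"

REM Remote commands are built here, at top level, so the parentheses and
REM redirections they contain are never parsed by cmd inside a block.
set "FIND_TYPES=-name '*.cap' -o -name '*.pcap' -o -name '*.pcapng' -o -name '*.sslkeys' -o -name '*.keys' -o -name '*.har' -o -name '*.xml' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' -o -name '*.bmp' -o -name '*.webp' -o -name '*.tiff' -o -name '*.svg' -o -name '*.txt' -o -name '*.log' -o -name '*.csv' -o -name '*.json'"
set "CHECK_CMD=test -d %REMOTE_CASE_PATH% && echo OK || echo NOTFOUND"
set "LIST_CMD=echo '===COLLECTORS==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type d -name 'collector_*' 2>/dev/null; echo '===FILES==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type f \( %FIND_TYPES% \) 2>/dev/null"

echo.
echo ============================================================
echo ^|^> Parv's Case Download Utility ^(PCDU^) v1.0
echo ============================================================
echo Case Number   : !CASENO!
echo Remote Server : %REMOTE_SERVER%
echo Remote Path   : !REMOTE_CASE_PATH!
echo Local Dest    : !DEST!
echo SCP Tool      : !SCP_TYPE!
echo User          : !SSH_USER!
echo ============================================================
echo.

REM Create destination if missing
if not exist "!DEST!" (
  mkdir "!DEST!" 2>nul || (
    echo ERROR: Failed to create destination folder: !DEST!
    exit /b 1
  )
  echo Created destination folder.
)
REM Create subdirectories for organization
if not exist "!DEST!\configs" mkdir "!DEST!\configs"
if not exist "!DEST!\captures" mkdir "!DEST!\captures"
if not exist "!DEST!\media" mkdir "!DEST!\media"

REM Initialize log file
echo ============================================================ > "%LOGFILE%"
echo Parv's Case Download Utility ^(PCDU^) - Download Log >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo Case Number  : !CASENO! >> "%LOGFILE%"
echo Date/Time    : %DATE% %TIME% >> "%LOGFILE%"
echo Remote Server: %REMOTE_SERVER% >> "%LOGFILE%"
echo User         : !SSH_USER! >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo. >> "%LOGFILE%"

REM -----------------------------------------------------
REM [1/5] Test SSH connection and verify case directory
REM -----------------------------------------------------
echo [1/5] Testing SSH connection...
echo [1/5] Testing SSH connection... >> "%LOGFILE%"
set "RC=0"
if "!SCP_TYPE!"=="PSCP" (
  plink.exe -batch -pw "!PASSWORD!" "!TARGET!" "!CHECK_CMD!" > "%TEMP_RAW%" 2>&1 <nul
  set "RC=!ERRORLEVEL!"
  REM Drop the keyboard-interactive chatter plink prints around the output
  findstr /V /C:"Keyboard" /C:"prompts from server" "%TEMP_RAW%" > "%TEMP_LIST%"
) else (
  sshpass -p "!PASSWORD!" ssh %SSH_OPTS% "!TARGET!" "!CHECK_CMD!" > "%TEMP_LIST%" 2>&1 <nul
  set "RC=!ERRORLEVEL!"
)
REM RC is the exit code of plink/ssh itself, so a refused host key or a
REM failed login is reported here rather than as a missing directory.
if !RC! NEQ 0 (
  echo ERROR: SSH connection failed ^(exit code !RC!^). >> "%LOGFILE%"
  type "%TEMP_LIST%" >> "%LOGFILE%" 2>nul
  echo ERROR: SSH connection failed.
  echo Check credentials, network connectivity and the cached host key.
  echo See log: %LOGFILE%
  call :cleanup
  pause
  exit /b 1
)
findstr /C:"OK" "%TEMP_LIST%" >nul
if !ERRORLEVEL! NEQ 0 (
  echo ERROR: Case directory not found on server: !REMOTE_CASE_PATH! >> "%LOGFILE%"
  echo ERROR: Case directory not found on server.
  echo Path: !REMOTE_CASE_PATH!
  echo Please verify the case number.
  call :cleanup
  pause
  exit /b 1
)
echo Connection successful.
echo Connection successful. >> "%LOGFILE%"

REM -----------------------------------------------------
REM [2/5] Single SSH call to get collectors + case-root files
REM -----------------------------------------------------
echo.
echo [2/5] Scanning case directory...
echo [2/5] Scanning case directory... >> "%LOGFILE%"
set "RC=0"
if "!SCP_TYPE!"=="PSCP" (
  plink.exe -batch -pw "!PASSWORD!" "!TARGET!" "!LIST_CMD!" > "%TEMP_RAW%" 2>nul <nul
  set "RC=!ERRORLEVEL!"
  findstr /V /C:"Keyboard" /C:"prompts from server" "%TEMP_RAW%" > "%ALL_FILES_LIST%"
) else (
  sshpass -p "!PASSWORD!" ssh %SSH_OPTS% "!TARGET!" "!LIST_CMD!" > "%ALL_FILES_LIST%" 2>nul <nul
  set "RC=!ERRORLEVEL!"
)
if !RC! NEQ 0 (
  echo ERROR: Failed to list case directory ^(exit code !RC!^). >> "%LOGFILE%"
  echo ERROR: Failed to list case directory.
  echo See log: %LOGFILE%
  call :cleanup
  pause
  exit /b 1
)

REM Split the combined listing into collector paths and case-root files.
REM Section markers are matched by prefix so a stray trailing CR on a
REM line does not break the comparison.
set "SECTION="
set "COLLECTOR_COUNT=0"
type nul > "%COLLECTOR_LIST%"
type nul > "%TEMP_LIST%"
for /f "usebackq delims=" %%A in ("%ALL_FILES_LIST%") do (
  set "LINE=%%A"
  if "!LINE:~0,16!"=="===COLLECTORS===" (
    set "SECTION=collectors"
  ) else if "!LINE:~0,11!"=="===FILES===" (
    set "SECTION=files"
  ) else (
    REM Ignore any login chatter that reached stdout
    set "NOISE=0"
    if not "!LINE:Keyboard=!"=="!LINE!" set "NOISE=1"
    if not "!LINE:prompts=!"=="!LINE!" set "NOISE=1"
    if not "!LINE:authentication=!"=="!LINE!" set "NOISE=1"
    if "!NOISE!"=="0" (
      if "!SECTION!"=="collectors" (
        if not "!LINE:collector_=!"=="!LINE!" (
          echo !LINE!>> "%COLLECTOR_LIST%"
          set /a COLLECTOR_COUNT+=1
          for %%B in ("!LINE!") do echo Found: %%~nxB
          echo Found collector: !LINE!>> "%LOGFILE%"
        )
      )
      if "!SECTION!"=="files" echo !LINE!>> "%TEMP_LIST%"
    )
  )
)
if !COLLECTOR_COUNT! EQU 0 (
  echo No collector bundles found.
  echo No collector bundles found. >> "%LOGFILE%"
) else (
  echo Total collectors found: !COLLECTOR_COUNT!
)

REM -----------------------------------------------------
REM [3/5] Saved config (ns.conf) from each collector bundle
REM -----------------------------------------------------
echo.
echo [3/5] Downloading saved configurations ^(ns.conf^)...
echo [3/5] Downloading saved configurations... >> "%LOGFILE%"
set "CONFIG_COUNT=0"
call :fetch_from_collectors "nsconfig/ns.conf" "ns.conf" CONFIG_COUNT "ns.conf not found"
echo Saved configs downloaded: !CONFIG_COUNT!

REM -----------------------------------------------------
REM [4/5] Running config (ns_running_config.conf) from each bundle
REM -----------------------------------------------------
echo.
echo [4/5] Downloading running configurations...
echo [4/5] Downloading running configurations... >> "%LOGFILE%"
set "RUNNING_COUNT=0"
call :fetch_from_collectors "shell/ns_running_config.conf" "ns_running_config.conf" RUNNING_COUNT "Running config not found"
echo Running configs downloaded: !RUNNING_COUNT!

REM -----------------------------------------------------
REM [5/5] Capture and media files from the case root
REM -----------------------------------------------------
echo.
echo [5/5] Downloading files from case directory...
echo [5/5] Downloading files from case root... >> "%LOGFILE%"
set "CAPTURE_COUNT=0"
set "MEDIA_COUNT=0"
set "OTHER_COUNT=0"
for /f "usebackq delims=" %%F in ("%TEMP_LIST%") do (
  set "REMOTE_FILE=%%F"
  set "FILENAME=%%~nxF"
  set "FILEEXT=%%~xF"
  REM Route by extension (substring match, case-insensitive); a file
  REM matching none of the lists is skipped.
  set "FILE_DEST="
  set "FILE_TYPE="
  for %%E in (.cap .pcap .pcapng .sslkeys .keys .har) do if not "!FILEEXT:%%E=!"=="!FILEEXT!" (
    set "FILE_DEST=%DEST%\captures\!FILENAME!"
    set "FILE_TYPE=capture"
  )
  for %%E in (.jpg .jpeg .png .gif .bmp .webp .tiff .svg) do if not "!FILEEXT:%%E=!"=="!FILEEXT!" (
    set "FILE_DEST=%DEST%\media\!FILENAME!"
    set "FILE_TYPE=media"
  )
  for %%E in (.txt .log .xml .json .csv) do if not "!FILEEXT:%%E=!"=="!FILEEXT!" (
    set "FILE_DEST=%DEST%\!FILENAME!"
    set "FILE_TYPE=other"
  )
  if defined FILE_DEST (
    echo Downloading: !FILENAME!
    call :scp_get "!REMOTE_FILE!" "!FILE_DEST!"
    if exist "!FILE_DEST!" (
      echo [OK] !FILENAME!
      echo [OK] Downloaded !FILE_TYPE!: !FILENAME!>> "%LOGFILE%"
      if "!FILE_TYPE!"=="capture" set /a CAPTURE_COUNT+=1
      if "!FILE_TYPE!"=="media" set /a MEDIA_COUNT+=1
      if "!FILE_TYPE!"=="other" set /a OTHER_COUNT+=1
    )
  )
)
echo.
echo Capture files downloaded: !CAPTURE_COUNT!
echo Media files downloaded  : !MEDIA_COUNT!
echo Other files downloaded  : !OTHER_COUNT!

REM -----------------------------------------------------
REM Cleanup and Summary
REM -----------------------------------------------------
call :cleanup
REM Drop organisation folders that received nothing; rmdir refuses a
REM non-empty directory, so populated ones are kept.
for %%D in (configs captures media) do rmdir "%DEST%\%%D" 2>nul

echo.
echo ============================================================
echo ^|^> Download Complete - Summary
echo ============================================================
echo.
echo FROM COLLECTOR BUNDLES:
echo   Collector bundles found   : !COLLECTOR_COUNT!
echo   Saved configs ^(ns.conf^)   : !CONFIG_COUNT!
echo   Running configs           : !RUNNING_COUNT!
echo.
echo FROM CASE ROOT DIRECTORY:
echo   Capture files ^(pcap,har^)  : !CAPTURE_COUNT!
echo   Media files ^(images^)      : !MEDIA_COUNT!
echo   Other files ^(xml,txt^)     : !OTHER_COUNT!
echo.
echo Destination : !DEST!
echo Log file    : !LOGFILE!
echo.

REM Write summary to log
echo. >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo SUMMARY >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo FROM COLLECTOR BUNDLES: >> "%LOGFILE%"
echo   Collector bundles found : !COLLECTOR_COUNT! >> "%LOGFILE%"
echo   Saved configs           : !CONFIG_COUNT! >> "%LOGFILE%"
echo   Running configs         : !RUNNING_COUNT! >> "%LOGFILE%"
echo. >> "%LOGFILE%"
echo FROM CASE ROOT DIRECTORY: >> "%LOGFILE%"
echo   Capture files           : !CAPTURE_COUNT! >> "%LOGFILE%"
echo   Media files             : !MEDIA_COUNT! >> "%LOGFILE%"
echo   Other files             : !OTHER_COUNT! >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo ============================================================
echo.

REM Open destination folder
choice /C YN /M "Open destination folder now?"
if !ERRORLEVEL! EQU 1 explorer "!DEST!"
endlocal
exit /b 0

REM =====================================================
REM Subroutines (reached only via call)
REM =====================================================

:cleanup
REM Remove the scratch files created in the TEMP folder.
del "%TEMP_RAW%" "%TEMP_LIST%" "%COLLECTOR_LIST%" "%ALL_FILES_LIST%" 2>nul
exit /b 0

:scp_get
REM Copy one remote file to a local path: %1 remote path, %2 local path.
REM Output is discarded; callers test for the local file afterwards.
REM Both branches authenticate the same way as the listing step, so the
REM OpenSSH path no longer stops to ask for the password per file.
if "%SCP_TYPE%"=="PSCP" (
  pscp.exe -batch -pw "!PASSWORD!" -q "!TARGET!:%~1" "%~2" >nul 2>&1 <nul
) else (
  sshpass -p "!PASSWORD!" scp %SSH_OPTS% -q "!TARGET!:%~1" "%~2" >nul 2>&1 <nul
)
exit /b 0

:fetch_from_collectors
REM For every collector bundle listed in COLLECTOR_LIST, fetch %1 (path
REM inside the bundle) into configs\<%2>_<bundle name>. %3 names the
REM counter variable to increment on success, %4 is the message shown
REM when the file is absent.
for /f "usebackq delims=" %%C in ("%COLLECTOR_LIST%") do (
  set "COLLECTOR_NAME=%%~nxC"
  echo Checking !COLLECTOR_NAME!...
  set "DEST_FILENAME=%~2_!COLLECTOR_NAME!"
  call :scp_get "%%C/%~1" "%DEST%\configs\!DEST_FILENAME!"
  if exist "%DEST%\configs\!DEST_FILENAME!" (
    echo [OK] !DEST_FILENAME!
    echo [OK] Downloaded: !DEST_FILENAME!>> "%LOGFILE%"
    set /a %~3+=1
  ) else (
    echo [--] %~4
  )
)
exit /b 0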