PCDU/pcdu.bat

@echo off
setlocal EnableExtensions EnableDelayedExpansion

REM =====================================================
REM   ____                  _       ____ ____  _   _ 
REM  |  _ \ __ _ _ ____   _( )___  / ___|  _ \| | | |
REM  | |_) / _` | '__\ \ / /|// __|| |   | | | | | | |
REM  |  __/ (_| | |   \ V /  \__ \| |___| |_| | |_| |
REM  |_|   \__,_|_|    \_/   |___(_)____|____/ \___/ 
REM                                                   
REM  Parv's Case Download Utility (PCDU)
REM  Downloads case files from analysis server
REM =====================================================

REM Check for pscp.exe (PuTTY SCP) or scp.exe
set "SCP_TOOL="
where pscp.exe >nul 2>&1
if !ERRORLEVEL! EQU 0 (
    set "SCP_TOOL=pscp.exe"
    set "SCP_TYPE=PSCP"
) else (
    where scp.exe >nul 2>&1
    if !ERRORLEVEL! EQU 0 (
        set "SCP_TOOL=scp.exe"
        set "SCP_TYPE=SCP"
    )
)

if "%SCP_TOOL%"=="" (
    echo ERROR: Neither pscp.exe nor scp.exe found in PATH.
    echo.
    echo Please install one of the following:
    echo   - PuTTY ^(includes pscp.exe^) - https://www.putty.org/
    echo   - OpenSSH Client ^(includes scp.exe^) - Built into Windows 10/11
    echo.
    pause
    exit /b 1
)

REM =====================================================
REM Configuration
REM =====================================================
set "REMOTE_SERVER=sjanalysis.citrite.net"
set "REMOTE_BASE_PATH=/upload/ftp"

REM Prompt for case number if not provided
if "%~1"=="" (
    set /p CASENO=Enter Case Number: 
) else (
    set "CASENO=%~1"
)

if "%CASENO%"=="" (
    echo ERROR: Case number cannot be empty.
    exit /b 1
)

REM Prompt for credentials if not provided
if "%~2"=="" (
    set /p USERNAME=Enter SSH Username: 
) else (
    set "USERNAME=%~2"
)

if "%USERNAME%"=="" (
    echo ERROR: Username cannot be empty.
    exit /b 1
)

if "%~3"=="" (
    echo Enter SSH Password for %USERNAME%@%REMOTE_SERVER%:
    set /p PASSWORD=
) else (
    set "PASSWORD=%~3"
)

REM =====================================================
REM Paths
REM =====================================================
set "REMOTE_CASE_PATH=%REMOTE_BASE_PATH%/%CASENO%"
set "DEST=%USERPROFILE%\Downloads\SJLNT\%CASENO%"
set "LOGFILE=%DEST%\download_%CASENO%.log"
set "TEMP_LIST=%TEMP%\caselist_%CASENO%.txt"
set "TEMP_FILTERED=%TEMP%\filtered_%CASENO%.txt"
set "COLLECTOR_LIST=%TEMP%\collectors_%CASENO%.txt"
set "ALL_FILES_LIST=%TEMP%\allfiles_%CASENO%.txt"

echo.
echo  ============================================================
echo   ^|^> Parv's Case Download Utility ^(PCDU^) v1.0
echo  ============================================================
echo   Case Number    : %CASENO%
echo   Remote Server  : %REMOTE_SERVER%
echo   Remote Path    : %REMOTE_CASE_PATH%
echo   Local Dest     : %DEST%
echo   SCP Tool       : %SCP_TYPE%
echo   User           : %USERNAME%
echo  ============================================================
echo.

REM Create destination if missing
if not exist "%DEST%" (
    mkdir "%DEST%" 2>nul || (
        echo ERROR: Failed to create destination folder: %DEST%
        exit /b 1
    )
    echo Created destination folder.
)

REM Create subdirectories for organization
if not exist "%DEST%\configs" mkdir "%DEST%\configs"
if not exist "%DEST%\captures" mkdir "%DEST%\captures"
if not exist "%DEST%\media" mkdir "%DEST%\media"

REM Initialize log file
echo ============================================================ > "%LOGFILE%"
echo  Parv's Case Download Utility ^(PCDU^) - Download Log >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo  Case Number  : %CASENO% >> "%LOGFILE%"
echo  Date/Time    : %DATE% %TIME% >> "%LOGFILE%"
echo  Remote Server: %REMOTE_SERVER% >> "%LOGFILE%"
echo  User         : %USERNAME% >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo. >> "%LOGFILE%"

REM =====================================================
REM Test SSH connection and verify case directory
REM =====================================================
echo [1/5] Testing SSH connection...
echo [1/5] Testing SSH connection... >> "%LOGFILE%"

if "%SCP_TYPE%"=="PSCP" (
    echo y | plink.exe -batch -pw "%PASSWORD%" %USERNAME%@%REMOTE_SERVER% "test -d %REMOTE_CASE_PATH% && echo OK || echo NOTFOUND" 2>nul | findstr /V /C:"Keyboard" /C:"prompts from server" > "%TEMP_LIST%"
) else (
    sshpass -p "%PASSWORD%" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=NUL %USERNAME%@%REMOTE_SERVER% "test -d %REMOTE_CASE_PATH% && echo OK || echo NOTFOUND" > "%TEMP_LIST%" 2>&1
)

if !ERRORLEVEL! NEQ 0 (
    echo ERROR: SSH connection failed. >> "%LOGFILE%"
    type "%TEMP_LIST%" >> "%LOGFILE%"
    echo ERROR: SSH connection failed.
    echo Check credentials and network connectivity.
    echo See log: %LOGFILE%
    del "%TEMP_LIST%" 2>nul
    pause
    exit /b 1
)

findstr /C:"OK" "%TEMP_LIST%" >nul
if !ERRORLEVEL! NEQ 0 (
    echo ERROR: Case directory not found on server: %REMOTE_CASE_PATH% >> "%LOGFILE%"
    echo ERROR: Case directory not found on server.
    echo Path: %REMOTE_CASE_PATH%
    echo Please verify the case number.
    del "%TEMP_LIST%" 2>nul
    pause
    exit /b 1
)

echo       Connection successful.
echo       Connection successful. >> "%LOGFILE%"

REM =====================================================
REM Single SSH call to get all required info
REM Collectors + All files in case root
REM =====================================================
echo.
echo [2/5] Scanning case directory...
echo [2/5] Scanning case directory... >> "%LOGFILE%"

if "%SCP_TYPE%"=="PSCP" (
    plink.exe -batch -pw "%PASSWORD%" %USERNAME%@%REMOTE_SERVER% "echo '===COLLECTORS==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type d -name 'collector_*' 2>/dev/null; echo '===FILES==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type f \( -name '*.cap' -o -name '*.pcap' -o -name '*.pcapng' -o -name '*.sslkeys' -o -name '*.keys' -o -name '*.har' -o -name '*.xml' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' -o -name '*.bmp' -o -name '*.webp' -o -name '*.tiff' -o -name '*.svg' -o -name '*.txt' -o -name '*.log' -o -name '*.csv' -o -name '*.json' \) 2>/dev/null" 2>nul | findstr /V /C:"Keyboard" /C:"prompts from server" > "%ALL_FILES_LIST%"
) else (
    sshpass -p "%PASSWORD%" ssh -o StrictHostKeyChecking=no %USERNAME%@%REMOTE_SERVER% "echo '===COLLECTORS==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type d -name 'collector_*' 2>/dev/null; echo '===FILES==='; find %REMOTE_CASE_PATH% -maxdepth 1 -type f \( -name '*.cap' -o -name '*.pcap' -o -name '*.pcapng' -o -name '*.sslkeys' -o -name '*.keys' -o -name '*.har' -o -name '*.xml' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' -o -name '*.bmp' -o -name '*.webp' -o -name '*.tiff' -o -name '*.svg' -o -name '*.txt' -o -name '*.log' -o -name '*.csv' -o -name '*.json' \) 2>/dev/null" > "%ALL_FILES_LIST%"
)

REM Parse collectors from combined output
set "IN_COLLECTORS=0"
set "IN_FILES=0"
echo. > "%COLLECTOR_LIST%"
echo. > "%TEMP_LIST%"

for /f "usebackq delims=" %%A in ("%ALL_FILES_LIST%") do (
    set "LINE=%%A"
    
    REM Check for section markers
    echo !LINE! | findstr /C:"===COLLECTORS===" >nul
    if !ERRORLEVEL! EQU 0 (
        set "IN_COLLECTORS=1"
        set "IN_FILES=0"
    ) else (
        echo !LINE! | findstr /C:"===FILES===" >nul
        if !ERRORLEVEL! EQU 0 (
            set "IN_COLLECTORS=0"
            set "IN_FILES=1"
        ) else (
            REM Skip empty lines and filter noise
            if not "!LINE!"=="" (
                echo !LINE! | findstr /C:"Keyboard" /C:"prompts" /C:"authentication" >nul
                if !ERRORLEVEL! NEQ 0 (
                    if !IN_COLLECTORS! EQU 1 (
                        echo !LINE!>> "%COLLECTOR_LIST%"
                    )
                    if !IN_FILES! EQU 1 (
                        echo !LINE!>> "%TEMP_LIST%"
                    )
                )
            )
        )
    )
)

REM Count collectors
set "COLLECTOR_COUNT=0"
for /f "usebackq delims=" %%A in ("%COLLECTOR_LIST%") do (
    set "LINE=%%A"
    if not "!LINE!"=="" (
        echo !LINE! | findstr /C:"collector_" >nul
        if !ERRORLEVEL! EQU 0 (
            set /a COLLECTOR_COUNT+=1
            for %%B in ("!LINE!") do echo       Found: %%~nxB
            echo       Found collector: !LINE! >> "%LOGFILE%"
        )
    )
)

if %COLLECTOR_COUNT% EQU 0 (
    echo       No collector bundles found.
    echo       No collector bundles found. >> "%LOGFILE%"
) else (
    echo       Total collectors found: %COLLECTOR_COUNT%
)

REM =====================================================
REM Download Saved Config (ns.conf from nsconfig folder)
REM Inside collector bundles only
REM =====================================================
echo.
echo [3/5] Downloading saved configurations ^(ns.conf^)...
echo [3/5] Downloading saved configurations... >> "%LOGFILE%"

set "CONFIG_COUNT=0"
for /f "usebackq delims=" %%C in ("%COLLECTOR_LIST%") do (
    set "COLLECTOR_PATH=%%C"
    
    REM Skip empty lines and filter noise
    if not "!COLLECTOR_PATH!"=="" (
        echo !COLLECTOR_PATH! | findstr /C:"collector_" >nul
        if !ERRORLEVEL! EQU 0 (
            for %%D in ("!COLLECTOR_PATH!") do set "COLLECTOR_NAME=%%~nxD"
            
            echo       Checking !COLLECTOR_NAME!...
            
            set "DEST_FILENAME=ns.conf_!COLLECTOR_NAME!"
            
            if "%SCP_TYPE%"=="PSCP" (
                pscp.exe -batch -pw "%PASSWORD%" -q "%USERNAME%@%REMOTE_SERVER%:!COLLECTOR_PATH!/nsconfig/ns.conf" "%DEST%\configs\!DEST_FILENAME!" >nul 2>&1
            ) else (
                scp -o StrictHostKeyChecking=no -q "%USERNAME%@%REMOTE_SERVER%:!COLLECTOR_PATH!/nsconfig/ns.conf" "%DEST%\configs\!DEST_FILENAME!" 2>nul
            )
            
            if exist "%DEST%\configs\!DEST_FILENAME!" (
                echo         [OK] !DEST_FILENAME!
                echo         [OK] Downloaded: !DEST_FILENAME! >> "%LOGFILE%"
                set /a CONFIG_COUNT+=1
            ) else (
                echo         [--] ns.conf not found
            )
        )
    )
)

echo       Saved configs downloaded: %CONFIG_COUNT%

REM =====================================================
REM Download Running Config (ns_running_config.conf)
REM Inside collector bundles only
REM =====================================================
echo.
echo [4/5] Downloading running configurations...
echo [4/5] Downloading running configurations... >> "%LOGFILE%"

set "RUNNING_COUNT=0"
for /f "usebackq delims=" %%C in ("%COLLECTOR_LIST%") do (
    set "COLLECTOR_PATH=%%C"
    
    REM Skip empty lines and filter noise
    if not "!COLLECTOR_PATH!"=="" (
        echo !COLLECTOR_PATH! | findstr /C:"collector_" >nul
        if !ERRORLEVEL! EQU 0 (
            for %%D in ("!COLLECTOR_PATH!") do set "COLLECTOR_NAME=%%~nxD"
            
            echo       Checking !COLLECTOR_NAME!...
            
            set "DEST_FILENAME=ns_running_config.conf_!COLLECTOR_NAME!"
            
            if "%SCP_TYPE%"=="PSCP" (
                pscp.exe -batch -pw "%PASSWORD%" -q "%USERNAME%@%REMOTE_SERVER%:!COLLECTOR_PATH!/shell/ns_running_config.conf" "%DEST%\configs\!DEST_FILENAME!" >nul 2>&1
            ) else (
                scp -o StrictHostKeyChecking=no -q "%USERNAME%@%REMOTE_SERVER%:!COLLECTOR_PATH!/shell/ns_running_config.conf" "%DEST%\configs\!DEST_FILENAME!" 2>nul
            )
            
            if exist "%DEST%\configs\!DEST_FILENAME!" (
                echo         [OK] !DEST_FILENAME!
                echo         [OK] Downloaded: !DEST_FILENAME! >> "%LOGFILE%"
                set /a RUNNING_COUNT+=1
            ) else (
                echo         [--] Running config not found
            )
        )
    )
)

echo       Running configs downloaded: %RUNNING_COUNT%

REM =====================================================
REM Download Capture and Media Files
REM OUTSIDE collector bundles only (case root level)
REM Using pre-fetched file list
REM =====================================================
echo.
echo [5/5] Downloading files from case directory...
echo [5/5] Downloading files from case root... >> "%LOGFILE%"

set "CAPTURE_COUNT=0"
set "MEDIA_COUNT=0"
set "OTHER_COUNT=0"

for /f "usebackq delims=" %%F in ("%TEMP_LIST%") do (
    set "REMOTE_FILE=%%F"
    
    REM Skip empty lines and filter noise
    if not "!REMOTE_FILE!"=="" (
        echo !REMOTE_FILE! | findstr /C:"Keyboard" /C:"prompts" /C:"authentication" >nul
        if !ERRORLEVEL! NEQ 0 (
            for %%G in ("!REMOTE_FILE!") do (
                set "FILENAME=%%~nxG"
                set "FILEEXT=%%~xG"
            )
            
            if not "!FILENAME!"=="" (
                REM Determine file type and destination
                set "FILE_DEST="
                set "FILE_TYPE="
                
                REM Check if capture file
                echo !FILEEXT! | findstr /I /C:".cap" /C:".pcap" /C:".pcapng" /C:".sslkeys" /C:".keys" /C:".har" >nul
                if !ERRORLEVEL! EQU 0 (
                    set "FILE_DEST=%DEST%\captures\!FILENAME!"
                    set "FILE_TYPE=capture"
                )
                
                REM Check if image file
                echo !FILEEXT! | findstr /I /C:".jpg" /C:".jpeg" /C:".png" /C:".gif" /C:".bmp" /C:".webp" /C:".tiff" /C:".svg" >nul
                if !ERRORLEVEL! EQU 0 (
                    set "FILE_DEST=%DEST%\media\!FILENAME!"
                    set "FILE_TYPE=media"
                )
                
                REM Check if other file (txt, log, xml, json, csv)
                echo !FILEEXT! | findstr /I /C:".txt" /C:".log" /C:".xml" /C:".json" /C:".csv" >nul
                if !ERRORLEVEL! EQU 0 (
                    set "FILE_DEST=%DEST%\!FILENAME!"
                    set "FILE_TYPE=other"
                )
                
                REM Download the file
                if defined FILE_DEST (
                    echo       Downloading: !FILENAME!
                    
                    if "%SCP_TYPE%"=="PSCP" (
                        pscp.exe -batch -pw "%PASSWORD%" -q "%USERNAME%@%REMOTE_SERVER%:!REMOTE_FILE!" "!FILE_DEST!" >nul 2>&1
                    ) else (
                        scp -o StrictHostKeyChecking=no -q "%USERNAME%@%REMOTE_SERVER%:!REMOTE_FILE!" "!FILE_DEST!" 2>nul
                    )
                    
                    if exist "!FILE_DEST!" (
                        echo         [OK] !FILENAME!
                        echo         [OK] Downloaded !FILE_TYPE!: !FILENAME! >> "%LOGFILE%"
                        
                        if "!FILE_TYPE!"=="capture" set /a CAPTURE_COUNT+=1
                        if "!FILE_TYPE!"=="media" set /a MEDIA_COUNT+=1
                        if "!FILE_TYPE!"=="other" set /a OTHER_COUNT+=1
                    )
                )
            )
        )
    )
)

echo.
echo       Capture files downloaded: %CAPTURE_COUNT%
echo       Media files downloaded  : %MEDIA_COUNT%
echo       Other files downloaded  : %OTHER_COUNT%

REM =====================================================
REM Cleanup and Summary
REM =====================================================
del "%TEMP_LIST%" 2>nul
del "%TEMP_FILTERED%" 2>nul
del "%COLLECTOR_LIST%" 2>nul
del "%ALL_FILES_LIST%" 2>nul

REM Remove empty directories
for %%D in (configs captures media) do (
    dir /b "%DEST%\%%D" 2>nul | findstr "." >nul || rmdir "%DEST%\%%D" 2>nul
)

echo.
echo  ============================================================
echo   ^|^> Download Complete - Summary
echo  ============================================================
echo.
echo   FROM COLLECTOR BUNDLES:
echo     Collector bundles found  : %COLLECTOR_COUNT%
echo     Saved configs ^(ns.conf^)  : %CONFIG_COUNT%
echo     Running configs          : %RUNNING_COUNT%
echo.
echo   FROM CASE ROOT DIRECTORY:
echo     Capture files ^(pcap,har^) : %CAPTURE_COUNT%
echo     Media files ^(images^)     : %MEDIA_COUNT%
echo     Other files ^(xml,txt^)    : %OTHER_COUNT%
echo.
echo   Destination : %DEST%
echo   Log file    : %LOGFILE%
echo.

REM Write summary to log
echo. >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo  SUMMARY >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"
echo  FROM COLLECTOR BUNDLES: >> "%LOGFILE%"
echo    Collector bundles found  : %COLLECTOR_COUNT% >> "%LOGFILE%"
echo    Saved configs            : %CONFIG_COUNT% >> "%LOGFILE%"
echo    Running configs          : %RUNNING_COUNT% >> "%LOGFILE%"
echo. >> "%LOGFILE%"
echo  FROM CASE ROOT DIRECTORY: >> "%LOGFILE%"
echo    Capture files            : %CAPTURE_COUNT% >> "%LOGFILE%"
echo    Media files              : %MEDIA_COUNT% >> "%LOGFILE%"
echo    Other files              : %OTHER_COUNT% >> "%LOGFILE%"
echo ============================================================ >> "%LOGFILE%"

echo  ============================================================
echo.

REM Open destination folder
choice /C YN /M "Open destination folder now?"
if !ERRORLEVEL! EQU 1 explorer "%DEST%"

endlocal
exit /b 0