<#
.SYNOPSIS
Get-LyncArchives is used to get conversation history for a user and decode the base64 encoded conversation if wanted.
This cmdlet does not accept any switches and will prompt the runner for input.
User will be prompted for a user to look up, a user they had a conversation with, a start and end date.
Lync Archive folder will be saved to the user's desktop.
Rather than being prompted for a server name, you will need to enter the server information into the script's defined fields.
.DESCRIPTION
This cmdlet is used to get conversation history for a user and decode the base64 encoded conversation.
This should save the time of looking through each file and then decoding conversations that might not be what is being looked for.
Has been tested with Lync 2013 and Lync 2010
.NOTES
Author: Robert H. Osborne
Alias: tobor
Contact: [email protected]
.LINK
https://osbornepro.com
https://writeups.osbornepro.com
https://btpssecpack.osbornepro.com
https://github.com/tobor88
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.linkedin.com/in/roberthosborne/
https://www.credly.com/users/roberthosborne/badges
https://www.hackthebox.eu/profile/52286
.EXAMPLE
Get-LyncArchives
#>
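Function Get-LyncArchives {
    # Exports Lync archiving data for one user and date range, lists the exported
    # .eml files, then Base64-decodes the body of every file that has a
    # "To: <other party>" line. Takes no parameters; all input comes from Read-Host.
    # Outputs: the .eml file names, followed by one decoded string per matching file.
    [CmdletBinding()]
    param()

    BEGIN {
        $ArchiveDatabase = "ArchivingDatabase:lyncArchiveServer.osbornepro.com" ##########@@@## DEFINE ME ################
        $CreatedArchiveName = "lyncArchiveServer.osbornepro.com_SqlDatabaseInstanceName" ##########@@@## DEFINE ME ################

        $Person = Read-Host "Who is the person you want to view the conversation history of? Example: sip:[email protected]"

        # NOTE(review): the export and the decoded output are conversation content in
        # clear text. The Desktop folder is not cleaned up by this script; restrict
        # access to it and remove the export once the review is finished.
        $SavePath = "$env:USERPROFILE\Desktop"

        $StartDate = Read-Host "What should the start date of your search be? Example: 5/1/2019"
        $EndDate = Read-Host "What should the end date of your search be? Example: 5/10/2019"

        # Start from a known-empty list so a $FileList inherited from the caller's
        # scope can never add files to the decode loop in END.
        $FileList = @()

        Write-Output "[*] Reports will be saved to your desktop..."
    } # End BEGIN

    PROCESS {
        Try {
            # -ErrorAction Stop makes cmdlet errors terminating; without it the
            # Catch below is skipped for ordinary (non-terminating) errors.
            Export-CsArchivingData -Identity $ArchiveDatabase -StartDate $StartDate -EndDate $EndDate -OutputFolder $SavePath -UserUri $Person -Verbose -ErrorAction Stop
        } # End Try
        Catch {
            Write-Warning "An error occured. Make sure you entered the sip address correctly."
            Write-Warning $_.Exception.Message
            # Stop here so a failed export does not fall through to files left
            # behind by an earlier run for a different user.
            Return
        } # End Catch

        $ExportRoot = "$SavePath\$CreatedArchiveName"
        If (-not (Test-Path -LiteralPath $ExportRoot)) {
            Write-Warning "Export folder '$ExportRoot' was not found. Check the value of `$CreatedArchiveName."
            Return
        } # End If

        $TheList = Get-ChildItem -LiteralPath $ExportRoot -Recurse | Where-Object -Property Name -like "*.eml" | Select-Object -Property Name,DirectoryName
        $TheList.Name

        Write-Host "Above is a list of EML files. These contain conversation histories for the user you selected. `n$person" -ForegroundColor Yellow
        $OtherParty = Read-Host "Enter the email address of the person $person had a conversation with. Example: [email protected]"

        ForEach ($Convo in $TheList) {
            $ConvoFullPathName = "$($Convo.DirectoryName)\$($Convo.Name)"

            # -LiteralPath keeps characters such as [ ] in a file name from being
            # treated as wildcards.
            $ConvoLines = @(Get-Content -LiteralPath $ConvoFullPathName)

            # Whole-line, case-insensitive match, same as the original test.
            # NOTE(review): a header written as "To: <address>" or with a display
            # name will not match; confirm against the exported file format.
            If ($ConvoLines -contains "To: $OtherParty") {
                $FileList += $ConvoFullPathName
            } # End If
        } # End Foreach
    } # End PROCESS

    END {
        ForEach ($cFile in $FileList) {
            # @() keeps a one-line file as a one-element array, so .Count is a
            # line count rather than a character count.
            $AllLines = @(Get-Content -LiteralPath $cFile)

            # Assumes the first 14 lines are headers and the rest is the Base64
            # body; TODO confirm against the export format.
            [int]$BaseLines = $AllLines.Count - 14
            If ($BaseLines -lt 1) {
                Write-Warning "Skipping '$cFile': no body lines after the header."
                Continue
            } # End If

            # Reset per file so one conversation never leaks into the next.
            $Base64 = ""
            ForEach ($RawLine in ($AllLines | Select-Object -Last $BaseLines)) {
                # Remove only the literal boundary marker. TrimEnd("--MIME_Boundary-- ")
                # treats its argument as a set of characters and would also eat valid
                # trailing Base64 characters such as M, E, B, a or y.
                $Base64 += ($RawLine -creplace '--MIME_Boundary(--)?\s*$', '').TrimEnd()
            } # End ForEach

            Try {
                $PrintBase = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64))
                $PrintBase
            } # End Try
            Catch {
                # One malformed file should not print stale output or hide which file failed.
                Write-Warning "Could not decode '$cFile' as Base64: $($_.Exception.Message)"
            } # End Catch
        } # End ForEach
    } # End END
} # End Function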