Automating Your Monday: How PowerShell Can Save Your Sanity.
Jonathan McKee, CEDS, PMP
E-Discovery Deputy Program Manager at AMYX, Inc.
Looking back, I think that my biggest challenge in a large, diverse corporation during the collections phase of the EDRM life-cycle has been networked or ‘shared’ drives. I don’t know what it was like on your block growing up, but on mine, network drives could mean a great many things, referencing a great many places. From the locations assigned via Group Policy Object (GPO) depending on your job and location, to the ones shared by co-workers, to the folders users created entirely on their own, it can be a nightmare!
Referring specifically to the mapped drives stored in a custodian’s user profile on their computer, how do we find this data? There is a janky, back-door way using the registry where you connect to a networked computer. It’s slow, it’s sloppy, but it works. You can use various PowerShell commands like ‘Get-WmiObject’, but they require permissions that should very well be locked down by GPO. ‘Enable-PSRemoting’ and the always-useful PsExec are always an option, but they leave potential vulnerabilities behind.
Let’s look at another way, via the place a custodian would go to access their networked drive. Yes, Windows Explorer, I said it and I meant it! I’ve already hinted above that your networked drives are saved as registry entries. It’s a hot mess, and you must be able to translate Active Directory (AD) SID strings into something remotely usable, as that is how they are stored.
Using the very underestimated and often ignored ability of Windows Explorer, we can sidestep excessive permissions and security loopholes by contacting any open Windows Explorer service and asking (very nicely) for help with the user’s mapped drives. I will admit, this clever piece of script is not my own but comes from some kind, random stranger from the depths of the internet. I found it on a forum discussing this very topic, unreferenced and unlinked to its source. It uses Windows Explorer’s connection to the registry, so it connects you with the user (your custodian) and the mapped drives associated with their user profile.
This location of stored drives is often enough to satisfy the Federal Rules of Civil Procedure (FRCP): “neither unreasonable nor unduly burdensome or expensive, considering the needs of the case, prior discovery in the case, the amount in controversy, and the importance of the issues at stake in the action.” Exceptions would be any case of intellectual property (IP) theft or higher-stakes cases that are going to exceed a level of cost as determined by your legal team.
To use this, simply open the script in an existing PowerShell session and hit play. From there, type “Get-MappedDrives” followed by the name of the computer you are trying to access. Congratulations, you just saved yourself 20-30 minutes… per custodian.
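As an added example (my own code, not the forum script the post refers to, which is not reproduced here), here is one way to write a Get-MappedDrives function: it reads the Network keys stored under each user’s SID in HKEY_USERS on the target computer and translates the SID back to a DOMAIN\user name. It assumes the Remote Registry service is running on the target and that the caller can read HKEY_USERS there; the parameter name, output property names and the SID filter are my choices.

```powershell
# Added example (not the forum script the post describes): enumerate the
# persistent mapped drives stored under HKEY_USERS\<SID>\Network for every
# loaded user profile on a computer. Assumes the Remote Registry service is
# running on the target and the caller has rights to read HKEY_USERS there.
function Get-MappedDrives {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$ComputerName
    )

    # Open the HKEY_USERS hive on the remote machine (read-only access).
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # Only domain/local user profiles carry mapped drives; skip the
            # well-known system hives and the per-user *_Classes keys.
            if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }

            # Translate the SID to DOMAIN\user where possible; keep the raw
            # SID if the account cannot be resolved (e.g. a deleted custodian).
            $account = $sid
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            $network = $hku.OpenSubKey("$sid\Network")
            if ($null -eq $network) { continue }

            # Each subkey is a drive letter; RemotePath holds the UNC target.
            foreach ($letter in $network.GetSubKeyNames()) {
                $drive = $network.OpenSubKey($letter)
                [PSCustomObject]@{
                    ComputerName = $ComputerName
                    User         = $account
                    DriveLetter  = "${letter}:"
                    RemotePath   = $drive.GetValue('RemotePath')
                    ProviderName = $drive.GetValue('ProviderName')
                }
                $drive.Close()
            }
            $network.Close()
        }
    } finally {
        $hku.Close()
    }
}
```

Only profiles currently loaded on the target (a logged-on custodian, as the post’s Explorer description implies) appear under HKEY_USERS; for a logged-off custodian you would need the NTUSER.DAT hive from their profile instead.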
#automation #eDiscovery