UPCOPY



Last update: March 22, 2022
Author: Dan Mares, dmares @ dmares . com
Portions Copyright © 1998-2023 by Dan Mares
Phone:     678-427-3275

One liner: True forensic file copy.

The version and hash value shown here are correct. However, since the program is constantly being updated, the version you download may be newer, and the web hash value may not have been updated.
ver: 24.03.01.13.41
md5: CFE6C3B2F26E4FF464A93FCD546249B5
NOTE: this version may be older than the updated items listed and options below. Call for most current version.

FYI: One agency (can't release the name for security purposes) has tested this program against ISO standards, and passed.

RSYNC Windows alternative:
UPCOPY is used to perform forensic copy of files from pointA to pointB. It can be used to "sync" directories on a Windows machine in order to maintain correct evidence and other file integrity and paths.

Virus aficionados read this:
Some (actually only one mainline) virus programs incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this misidentification is common.

If you are using a 64bit version, be aware that many of the newer more fine tuned options may not be available.

Sample Maresware Batches  an executable with data that demonstrates various Maresware software. Download and run the appropriate _06_xx, or _17_xx batch for upcopy demo.

Last Updated Items:
(03/01/2024: added --delay[=xx] option to delay start while allowing view of expected file sizes to copy.)
(08/24/2022: fixed some minor problems relating to the processing of the -F filetype file.)
(03/22/2022: added an option !64 to logfile list of dirs and file counts.)
(04-01-2023: took out an inadvertent debug pause)
(12-01-2023: version: 20.12.01..: added the --RET=xx retry option when using the -H hashlog options)
(11-29-2023: fixed small operational challenge when using -S or --dirs option.)
(11-17-2023: modified the operation of -H when mismatches are found.)
(10-17-2023: added --MILLI option to include milliseconds in log files.)
(04-04-2023: added --exist option to the -e option. Copy only pre-existing files)
(06-18-2019: added additional ADS processing options: --ADSEXTRACT, --ADSPARENT, --ADSCHILD)
(06-06-2019: updated the -R reset filetimes options, see options section)
(05-25-2019: updated the hashing to make sure it included alternate data streams in the hash.)
(04-04-2019: program Ver. 19.04.04 and later. added --ADSONLY option to ONLY copy ADS files and their parents.)
(03-27-2019: added --ADSEXTRACT option to cause Alternate Data Stream (ADS) files to be extracted as "normal" files)
(03-15-2019: added --UNICODE=filename option to have a Unicode output file)

Get upcopy.exe     THIS IS A COMMAND LINE PROGRAM


Suggested Reading
copy_that   Must read article on forensic copying software.
zip_it   After all, isn't zipping/unzipping a fancy way to copy from A to B.

(64 Bit version is available. However, most of the options may not have been fully converted. If you find one that is useful but not available, let me know.)
As of 2003, the 16 bit versions are no longer being supported, updated or maintained.

NOTE: These (hash, diskcat, and upcopy) and other command line programs WILL process files with long filenames ( > 255 characters) which is seen more and more in modern file systems. If you are using other hashing software, you should test its capability to process long filenames. (I have found a significant number of popular stand alone Forensic Hashing programs have not been updated sufficiently to handle long filenames or true unicode 16bit characters). I have tested a number of command line and GUI hashing and Forensic file copying programs. Some cannot process long filenames at all. Others can only find and process a single file at a time. Not very useful in forensics. And others may be able to find a file thru the GUI, but can't do a recursion.

So I urge anyone who is planning on using a hashing or forensic copy program on a current filesystem to check the capability of that program on the filesystem you intend to use it on. I have a file containing approximately 82 files with long filenames. You can use 7-zip to extract these files and then test your software to see if it finds them. After you download the file, you must unzip the .zip file, then use 7-zip to unzip/extract the long filename files. The file was .zipped to allow for automatic download of a zip file, as most browsers don't know what to do with a .7z file extension, and the 7z file was created because I have had little to no luck using other file zipping programs to properly store or restore a long filename path.

After you successfully un-7zip the file structure, you can use the 64 bit diskcat.exe program to confirm that there are long filenames in the structure. Use the option --showlong; this should produce a listing of about 82 files with path/filenames greater than 255 characters.
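
One way to run that check independently of any particular tool, as an added example (not part of Maresware and not the author's code): a Python script that walks the extracted tree, lists every file whose full path exceeds 255 characters, and reports which of those a tool's file listing missed. The listing format (one full path per line, or pipe-delimited with the path as the first field), the UTF-8 encoding and all function names are assumptions.

```python
import os
import sys

LIMIT = 255  # the page's threshold: path/filenames greater than 255 characters


def _fail(err):
    # An unreadable directory must not silently shrink the reference count.
    raise err


def _walkable(root):
    """Absolute path; on Windows add the extended-length prefix so the walk
    itself is not stopped by the classic MAX_PATH limit."""
    root = os.path.abspath(root)
    if os.name == "nt" and not root.startswith("\\\\?\\"):
        root = ("\\\\?\\UNC\\" + root[2:]) if root.startswith("\\\\") else "\\\\?\\" + root
    return root


def _key(path):
    """Comparable form of a full path: prefix removed, case/separators normalised."""
    if path.startswith("\\\\?\\UNC\\"):
        path = "\\\\" + path[8:]
    elif path.startswith("\\\\?\\"):
        path = path[4:]
    return os.path.normcase(os.path.normpath(path))


def long_paths(root, limit=LIMIT):
    """Tree-relative paths of all files whose full path is longer than `limit`."""
    base, plain = _walkable(root), os.path.abspath(root)
    found = []
    for dirpath, _dirs, files in os.walk(base, onerror=_fail):
        rel_dir = dirpath[len(base):].strip(os.sep)
        for name in files:
            rel = os.path.join(rel_dir, name) if rel_dir else name
            # Length is measured on the ordinary path, without the prefix.
            if len(os.path.join(plain, rel)) > limit:
                found.append(rel)
    return sorted(found)


def missed_by_tool(root, listing_lines, limit=LIMIT):
    """Long-path files that exist on disk but are absent from a tool's listing.
    Assumed listing format: full path alone on a line, or first pipe field."""
    listed = set()
    for line in listing_lines:
        field = line.split("|", 1)[0].strip()
        if field:
            listed.add(_key(field))
    plain = os.path.abspath(root)
    return [rel for rel in long_paths(root, limit)
            if _key(os.path.join(plain, rel)) not in listed]


def build_sample_tree(top):
    """Constructed sample: one short path and one path longer than 255 chars."""
    base = _walkable(top)
    deep = base
    for i in range(5):
        deep = os.path.join(deep, "d%02d_" % i + "x" * 56)
    os.makedirs(deep)
    for path in (os.path.join(base, "short.txt"),
                 os.path.join(deep, "long_name_evidence.txt")):
        with open(path, "w") as fh:
            fh.write("sample")


if __name__ == "__main__":
    # usage: script.py <extracted_tree> [tool_listing.txt]
    tree = sys.argv[1]
    print("%d files over %d characters" % (len(long_paths(tree)), LIMIT))
    if len(sys.argv) > 2:
        # Listing assumed to be UTF-8 text; convert a UTF-16 log first.
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            for rel in missed_by_tool(tree, fh):
                print("NOT IN LISTING:", rel)
```

A tool that handles long filenames should leave the "NOT IN LISTING" output empty for the extracted test tree.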

Upcopy will display a message at the beginning of the run which indicates whether the last access date update is turned on.
Filetime Options RESET is ON. ALL filetimes (SOURCE and DESTINATION) will be reset to original values
The last access date update can be turned on or off using an environment variable, an ini file, or a command line option. See options below.

This is a command line program.
MUST be run within a command window as administrator.

The program does not copy open/locked files like .ost files. It does not call for a shadow copy to be set in order to copy locked files. To copy locked files, the user must create a shadow copy, mount the drive, and then copy the appropriate file.

This version also can copy files from a SHADOW COPY location if used under the proper server environments. (see --SHADOW_COPY, in options section).

The version of upcopy after March 2019 will also process unicode (16bit) filenames properly. However, it will not display the unicode name in the screen output. You must use either a --logfile option or a --UNICODE= option to create "text" output files which contain the true unicode filename. Then in order to view the unicode name, you must have an editor or other program which can display the unicode characters. So for our European users, you know what I'm talking about. Have fun. This UNICODE EDITOR seems to do a good job on unicode text. However, it costs a few bucks. Also see the --logfile=logname:64 or --UNICODE option below regarding UNICODE filename logs.

NOTE: I have tested a significant number of stand alone "forensic" copy programs and only upcopy seems to perform the hashes on the data streams. However, some of the suites can copy the data streams, but you will not always have a suite available, especially at a suspect's site.



PURPOSE

The primary purpose of this program is to provide you with a reliable investigative and forensically sound tree/file copy program.

It is also an excellent file copy update for those of you who wish to perform routine file updates of your own system. Set it in a batch file, and schedule routine runs to update your backup drive.

The upcopy program is designed to read a source and destination directory and copy ALL or only newer files from the source to destination. UPCOPY operates similarly to xcopy or robocopy except with better e-discovery/forensic options. Because of its ability to copy only newer files it is an excellent "update" program, which can be used to copy or update files to a backup location. Use it on your own files, including evidence files, as an excellent directory "syncing" program.

Restated: Its overall objective is to perform a forensic copy (or update) of files from one directory to another. An excellent use is to update certain files from a hard disk to a backup/evidentiary medium or vice versa. Only changed/updated or new files are copied. This reduces the amount of time needed to create and/or sync evidence directories.

Upcopy supports the \\UNC\?\ and Unicode Microsoft path/name max length of 32767 characters.

The user can also provide the program a list of files to copy to a new destination. This option (-S) is especially useful when doing some sort of update and you have a known list of files that need to be copied, and a destination root path for all of them to go to. Those in e-discovery will also find this valuable, when a list of files is obtained (by whatever forensic program you choose), and you must copy them to a drive for delivery to a client. Those using the Hashkeeper program will find this especially useful.

For forensic purposes, it can be used to forensically copy files or folders from a live system to a destination drive. This is especially useful when the corporate owners or users can't or won't give permission to shut down their running systems. Most often used with servers. Because it is stand alone, it doesn't require "installation" and thus can be run from external media.

It can be used to copy files only newer than certain number of days old, or all newer files regardless of age. It can be set to only copy those files that already exist, thus not adding superfluous files to the destination.

Also, when dealing with servers, and especially EDB exchange data bases, the user should consider creating a "SHADOW FILE COPY". This is a special process by which the OS properly captures the state of an open file (.EDB or other), and places it in a secure location on the drive. It can then be copied with the unicode version of the software and the user is assured of an uncorrupted data file. (see the --SHADOW option below).

Alternate data stream processing is also one of its capabilities. Try it, you'll like it.

Additional capabilities are added as necessary:

One capability is to provide a list of top level folders/paths (--dirs=filename) from which to copy source files. This allows the user to specify specific folders (ie: \documents and setting, \other_folders) and not traverse the entire file system.

Another capability is for the user to provide a list (--bypass=filename) of top level FOLDERS which are to be BYPASSED. So you would start at the top of the root, but bypass \docs and settings and bypass \windows, and others. Only folder names are allowed to be bypassed. If you include a file, the program errors off.

UNC paths such as \\cpu-00\x\progs (where x is the drive letter) are acceptable to use as the source (-p option). However, they will not work if using them within a -s source_file text file. And, as expected, the logged on user MUST have proper credentials on the UNC path drive to perform the operation.
Also: when using \\UNC\paths in the destination you must include the -i option. This prevents attempts to find free space on the destination, which with the UNC will fail.

The logging options have been changed significantly (--logfile, --error, .ini). All original logging options have been replaced with more robust options. However, the -1 (one) logging option still creates a basic log file, but without lists of filenames checked, copied or passed.

During the copy process the file dates and times of the original file are maintained in the destination file attributes. However, without the -R (Reset) option, the original access time at the source file is adjusted accordingly. Users should be well aware of the registry setting on a suspect machine as to whether the registry key which allows last access date update is set or not. On a Win7 or higher OS, last access is usually turned off by default. But security conscious persons may have the last access turned on which may in some cases corrupt your evidence trail.

Another capability: occasionally the investigator has a tree structure of many files and many sub-directories. The need here is to take all the files (or just specific named files, ie: -f *.doc) from the entire tree structure, and copy them to a single level directory. You could do it one at a time, but the added --flatten option will perform this task. It causes upcopy to copy all the specified files in the source path, to a SINGLE top level directory, and does NOT create sub-directories as is experienced in the normal usage. The --flatten option can also specify how many files are to be in a top level directory. So if you have a tremendous amount of files, you can, if necessary only copy X number per destination folder.

In addition, with the --flatten option, there is always a chance that files with similar names located in different source directories will exist. The --flatten does not differentiate in filenames, and thus if a similar filename is located as a source, it will NOT overwrite the current destination. This is the primary design of upcopy, to NOT overwrite an existing file. However, in some cases the user will want ALL the source files to be copied to the destination, even though they may have duplicate filenames. In this case, include the --nodupe option, along with the --flatten option. This --nodupe option, renames a duplicate destination filename by adding a unique index sequence. See the options section for more details. The --nodupe option ALSO by default adds the -A (all files) option.

The --bypass=[directory name(s)] is especially useful to bypass specific directories. This is helpful when copying files for discovery from a work drive. You may wish to eliminate unnecessary directories in the delivery process.

The --logfile=logname:64 or the --UNICODE=unicodelog options will produce "text" output files containing the true 16bit filenames in unicode format. The --UNICODE= option MUST be used with the --logfile=logname:64 for both to work.



OPERATION

Source file type(s) (i.e. *.c) if necessary are provided by the user. The default is to copy all files (*.*)

The program locates all files in the source directory meeting the file specifications. If no source file types are provided, *.* is assumed. Source file types can contain wildcards, multiple file specs, or be blank for all (*.*) A source directory must be specified, but source file types defaults to (*.*).

If the source file list (-S) is used, then the Source files are taken to be all the files listed in the provided list. This list is a text file containing one filename (including full path) per line.

If the filetypes file (-F textfile) is used, then the filetypes found in the textfile will be used as if they were input individually using the -f filetype option. A format of xxx.yyy or *.yyy is suggested. A simple filetype of jpg without a *. will NOT work. (4/2009)

When the program starts, the destination drive or directory is examined. If using the default of all files, the destination is searched for a file of similar name. If one is found, the parameters (options selected) are compared from the source file against the destination file. If the destination needs to be updated, it is. I.e. when the same file is found on the destination as in the source directory, and the destination file is older than the source file, the newer source file is copied to the destination.

If there is no destination file of the correct name, then the source file is copied to the destination. (-e overrides this operation to copy ONLY existing files).

The destination MUST be a directory or drive. If it is only a drive (-d A:) All subdirectories under the source are copied to appropriately created subdirectories on the destination.

Note:

If you are using only a drive as destination, make certain the default directory on that drive is the top level directory to start writing to. I.e. if the default on A: was A: \tmp, when the operation started, then all the copying would begin at A:\tmp and continue to create subdirectories below. If you wanted to start at A:\, then the default directory on A: should be root.

There is no check to see if the destination file is read-only. Destination Read-only files are NOT written over. (To force an overwrite of protected destination files, use the -O option. The -O option is not documented on the programs help screen.)

Various options exist to allow the user to “program” the file selection process, by file name, size, age, whether the destination exists or not and other options.

Upcopy is unicode compliant, meaning it will copy long file name files, and any file that meets the traditional long filename parameters.

During the copy process the file dates and times of the original file are maintained in the destination file attributes. However, without the -R (Reset) option, the original access time is adjusted accordingly.

The program pauses every 200 Megabytes and shows an approximate time to completion. This time can vary greatly depending on the number of files remaining, and the transfer speed of the network (if performing network copy). The more small files to process, the more I/O time is taken up and causes longer copy times. Larger files are copied faster than a lot of small files.


Program Abnormal Abort added 2/2022 to the -1 logfile option

It has been reported, especially when working across a poorly run network, that if the network has an error, the program may abort without any notification. Thus the user has no way of knowing if/how/when a problem occurred which may have caused the program to abnormally finish/abort. What I have done (March 2022 version and newer) is that when the -1 logfile option is instituted, an additional file is created. If the logfile option names a file: -1 log_run, then a secondary file is created called log_runX. It has an X appended to the logfile name. During the program operation this additional logfileX is maintained along with the requested logfile. If the program is aborted abnormally, the user will see this additional logfile, and its contents roughly indicate that if you are reading this, a problem may have occurred. If the program finishes normally, that additional X logfile is removed, and the user does not have it available. So, bottom line, if you initiate a -1 logfile option, and you see an additional logfileX, then the program may have abnormally aborted. Check your network logs.




Copy Errors - ERROR FILE, updated/changed 2/2008

In some instances, especially when processing files using the -S (source list) option, you may find that there are some files that are NOT COPIED. In most instances this is because the file name has been generated by a program that writes UNICODE file names into a traditional text file, thus losing a significant amount of filename characters. These files are most often found in the internet cache area, and are usually .url type files. In most cases, they are of no consequence. However, they cannot be copied, because the text file which the program is reading as sources does not contain the true unicode filename, and thus the program cannot find the file.

In any case, there are files which cannot be copied. Sometimes, it is purely a windows permission problem, which the user must overcome.

The purpose of the -E error file (replaced Feb 2008, by the --error=16 option), is to provide the user with a list of files which were not copied, and provide the user with information which may be useful in performing some other manual review or copy process. In cases where it is merely a system permission problem, once the permissions have been properly set, the files can be copied. For this reason, if the -E option is chosen, another file is created with the same root name as the error file and an extension of .lst. This file has a format that can be passed to the -S option once the problem has been solved and another recovery run is needed. In effect, this new file has a clean listing of all those not copied.


ALTERNATE DATA STREAMS
NTFS Alternate Data Streams can hide much information. They can contain executables, viruses, a hash and date record of the "parent" file (see the --ADDADS option of the hash.exe program), and in some cases the URL from which a photo was downloaded. There are very few programs (outside extensible suites) which can find alternate data streams, much less process them. The upcopy program with proper options (--ADSPARENT, --ADSEXTRACT, --ADSCHILD) will perform a number of operations on the alternate data streams which may prove extremely useful in forensic exams.


Special -S copy list option
The -S file_list option is designed for when you have identified files via some other method (ie: run diskcat to identify specific files you wish to copy from the source/suspect to a destination/analysis location) and wish to provide the program with this list. As described in the options section, the list must be a text list of full path/filename, and that path/filename must be either: the only item for each line, or be pipe (|) delimited as the first field.
Also, the -p option is really not necessary, but in order to not have an unusual amount of unnecessary "junk" shown to the screen, it is suggested you use the -p pointing to a directory which doesn't exist. This way, the program will not be able to find any source files in this non-existent location. ie: -p c:\tmp_phantom, where c:\tmp_phantom is non-existent. If you do not use the -p option, then a lot of erroneous information is placed to the screen.



COMMAND LINES

C:>upcopy [source_directory] [destination_directory] [-[options]]

VERY IMPORTANT NOTE: The program can be run with only the source and destination directory on the command line (upcopy c: d:) without using any options. However, IF the destination is used without an option, the source item on the command line must also be present. This is because the source and destination (without options) are positionally specific on the command line. This means the source MUST occur before the destination. However the reverse is not true. You can list the source without an option, and pick up with the -d and other options. This capability of running without options is for quick operation (and for lazy people like myself).

C:>upcopy   C:\tmp   D:\tmp\old
/* copy the tree structure from C:\tmp to a new directory D:\tmp\old   */

C:>upcopy   -p C:\tmp   -d d:\tmp\old
/* same as the first one, except this one makes use of the explicit options   */

C:>upcopy   -p C:\tmp   -d d:\tmp\old --logfile=logs:64
/* same as prior but adds a logfile which contains the unicode name(s) of the files copied.
Add other binary numbers 1:2:4:8:16:32, to the 64 --logfile=logs:68 to add additional output logs.*/

C:>upcopy   -p C:\tmp   -d d:\tmp\old --logfile=logs:64 --UNICODE=unilog
/* same as prior, but also adds a file unilog which contains a lot more information that is effectively a combined logfile.*/

C:>upcopy  -p c:\tmp   -d d:\tmp\old   -f *.doc
/* copy only the *.doc files*/

C:>upcopy -p c:\tmp   -d d:\tmp\old   -f *.doc *.ppt
/* copy *.doc and *.ppt files  */

C:>upcopy -p c:\tmp   -d d:\tmp\old   --logfile=c:\path\logfilename!255
/* 2022: create ALL available logfiles named logfilename, in path. including the unicode log */

C:>upcopy   -d d:\work_dir   -S listfile.nam
/* copy all the files identified in the text file listfile.nam to the d:\work_dir tree */

C:>upcopy   -p . -d d:\work_dir -f *.doc --flatten
/* copy all the .doc files found in the current tree, and copy them all to the d:\work_dir. NOT creating any subdirectories. Use the flatten when you want/need to reduce the number of subdirectories in the tree. Or when you have LFN folders, that you wish to remove the long tree/directory names. But the original tree list is lost. */

C:>upcopy   -p . -d d:\work_dir -f *.doc --flatten=1000
/* copy all the .doc files found in the current tree, and copy them all to the d:\work_dir. Placing a max of 1000 files per output directory, and creating a single sub-directory for each additional 1000 files as necessary. Sub-directories are named 0001, 0002, etc as needed. */

C:>upcopy   -p . -d d:\work_dir -f *.doc --flatten=1000 --nodupe
/* copy all the .doc files found in the current tree, and copy ALL of them to the d:\work_dir. Placing a max of 1000 files per output directory, and creating a single sub-directory for each additional 1000 files as necessary. Sub-directories are named 0001, 0002, etc as needed, and duplicate files have an index [xxxx] added to the name. */


-S STUFF
C:>upcopy -p   c:\tmp_phantom   -d d:\analysis_dir   -S d:\case\file_list.txt
/* basic command, where the file_list.txt is a text file containing the full path/filename of those files to copy. */

C:>upcopy -p   .   -d d:\tmp\old     -S source_list_file.txt   --logfile=c:\path\logfilename!63
/* Use a -S source list file and create ALL available logfiles named logfilename, in path */

C:>upcopy -p   .  -d d:\work_dir   -S source_list_file.txt   --TEST -d d:\tmp\old   --logfile=c:\path\logfilename!63
/* Use a -S source list file and ONLY TEST existence of the source files. MUST include a minimum NOT_COPIED_log!8. error file */


C:>upcopy  -d d:\work_dir   --DIRS=directory_list_file
/* The directory_list_file contains a text list of the full paths of top level directories to copy */

C:>upcopy -p   .   -d d:\work_dir   -hs c:\path\hashes_of_source.txt   --logfile=c:\path\logfilename!65
C:>upcopy -p   .   -d d:\work_dir   -hd c:\path\hashes_of_destinations.txt   --logfile=c:\path\logfilename!65
The above two create hashes of either the source or destination files and place to the appropriate output, with logfiles.

C:>upcopy -p   .  -d d:\work_dir  -H c:\path\hashes_of_both.txt   --logfile=c:\path\logfilename!65
The above creates hashes of BOTH source and destination, and indicates an [OK] if hashes match.

C:>upcopy -p   .   -d d:\work_dir   --ADSEXTRACT
This performs the copy, and also: EXTRACTS any Alternate Data Stream items to "real" files in the same directory as their parent. So for every ADS file, you will get another live or real file which you can touchy/feely.

C:>upcopy -p   .   -d d:\work_dir   --ADSONLY
This performs a copy of ONLY those files containing Alternate Data Streams, and also extracts the ADS files to "real" files in the same directory as their parent. So for every ADS file, you will get another live or real file which you can touchy/feely. But you will NOT get any normal files that DO NOT contain ADS's.

UNC mapped drives with format: \\?\ will work with the following syntax:
C:>upcopy    -p    \\OFFICE\z\tmp    -d   D:\TMP\JUNK_DEL    options.... yields
\\OFFICE\z\tmp\Manuals\LJ305X_installnotes_daww.htm
72,615 ==> D:\TMP\JUNK_DEL\Manuals\LJ305X_installnotes_daww.htm [NEW FILE] 2006/01/25 | 15:26:12

C:\UTILS\NTUTILS\upcopy.exe -p .    -d \\OFFICE\X\TMP\FROM_OFFICE -f z_fixup.bat -i
-i required to not attempt disk free space check on destination, yields
C:\TMP\TEST_USB\Z_FIXUP.BAT
122 ==> \\OFFICE\X\TMP\FROM_OFFICE\Z_FIXUP.BAT [NEW FILE] 2019/11/29 | 11:03:21

Mapped drive letters with the SUBST command will work with the mapped drive letters.
and during the process you see on the screen something like.


OPTIONS

The latest versions, (after 6/2009, wow is this program old) have enhanced option usage. The options can also now be literal words preceded by the double -- (minus) signs. This syntax is similar to the *IX formats. An example would be: instead of the -d path\folder, you could use:

--destination=path\folder, or instead of the
-S Source_file option, you could use: --list=file_containing_list_to_copy.

Format NOTE   When an option is listed of the following format: -option + filename: the plus sign (+) is indicated to mean that you must include an item following the option. DO NOT INCLUDE the plus (+) in the command line.

Note: the -p and -d are required so they are placed at the top of the list

-p + src_dir:  Use this directory as the source (starting point). Generally the format is: (-p C:\TOP_LEVEL_FOLDER\ANY_SUBFOLDERS). The source directory can be a network designation (i.e. \\COMPUTER_NAME\C\FOLDER_NAME). Not used if the -S option is used. (-p and -S are mutually exclusive)

-d + dest_dir:  Use this as the destination directory. This is the top level destination path. Generally the format is: (-d D:\TOP_LEVEL_DEST_FOLDER\ANY_SUBFOLDERS). All files will be created under this destination, and original path will be maintained below this destination. The destination directory can be a network designation (i.e. \\COMPUTER_NAME\C\FOLDER_NAME) However, tests should be conducted to see if the destination paths are properly created.

--flatten[=xx]:  Use this option when you want all the source files to be placed in a SINGLE -d destination directory (FLATTEN the tree). The program finds all the specified source files, and copies them to the single top level -d directory. The caveat here, is that files found with duplicate names, will not be copied, as the program will not create duplicate files (see --nodupe option below). So use caution that duplicate file names are not attempted to be copied. If the =XX is replaced by a value ie: flatten=100, then there will be a maximum of 100 files placed in the top level -d directory, and additional subdirectories will be created as needed, each with a max of 100 files.

--nodupe:  Use (ONLY with --flatten). If you suspect that the source files will exhibit duplicate names, upcopy will not normally overwrite an existing destination file of the same name. So if a file was already copied to the destination and its name was foo.ext, then the next source file located with a name of foo.ext will NOT overwrite the already copied (existing) destination file. In some instances, regardless of how many source files have the same name, the user wants all of them copied. The --nodupe option should be added to the --flatten option. This option causes a unique index number to be added to the destination filename so that there will not be any overwriting, and all source files will be copied. So a duplicate foo.ext would be copied to a file named: foo[0000].ext. Subsequent duplicates, regardless of their root name, will have the [xxxx] index increased by one for each duplicate file encountered. [NODUPE=ON]

NODUPE Processing NOTE:
Because of default (-tw) date checking, nodupe expects the user wants ALL files regardless of the date check. For this reason, the -A (copy ALL files) option which overrides the time check options is on by default. If you do want the date check to continue, add a +A option. The +options usually turn off the appropriate option. In this case, there will be NO date checking and all files will be copied.

-f + filetype(s):  Copy only those files meeting this file type. Additional file type can be added by separating each one by a space. (i.e. -f *.c *.doc *.tmp *.ppt ). This option is overridden by -S.

-F + filetype(s)file.txt:  The text file: filetypesfile.txt contains (one per line) the file type to process. This is used in place of the -f option if you have many filetypes (over the 10 supported by the -f option) to process. The contents of each line is as if you typed it using the -f *.xyz format. This file can contain up to 200 filetypes to process.
Each line CANNOT have any spaces within the filetype :xyz.ex : or : xy.ext: will not process properly.
The file MUST end with a blank line
The list within this file MUST be of the format of name.ext. Merely listing extensions like jpg exe xyz without the (file. or *.) preceding the extension WILL NOT work. The program will think you are looking for a file called jpg and not one with the extension of jpg. Here is a sample of what the text file should look like:
*.txt
*.exe
any*.jpg

Notice the filename.ext syntax.
jpg by itself will NOT work.
This option may conflict with the -S option. (4/2009)
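
A pre-flight check for a -F file against the rules above, as an added example (not part of upcopy and not the author's code). The function names and the sample contents are constructed, and "MUST end with a blank line" is read here as: the last entry is followed by a line terminator, which an editor shows as an empty final line.

```python
MAX_TYPES = 200  # page: "This file can contain up to 200 filetypes to process"


def check_filetypes_text(text):
    """Return a sorted list of (line_number, problem) for -F file content.
    An empty list means the content follows the rules stated on this page."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] != "":
        # Assumption: the rule means the last entry must be newline-terminated.
        problems.append((len(lines), "file does not end with a blank line"))
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are the required ending, not entries
    for number, entry in enumerate(lines, start=1):
        if any(ch.isspace() for ch in entry):
            problems.append((number, "space inside or around the filetype"))
        # name.ext or *.ext: something must come before the last dot.
        stem, dot, _ext = entry.strip().rpartition(".")
        if not dot or not stem:
            problems.append((number, "not in name.ext or *.ext form"))
    if len(lines) > MAX_TYPES:
        problems.append((MAX_TYPES + 1, "more than %d filetypes" % MAX_TYPES))
    return sorted(problems)


def check_filetypes_file(path):
    """Same check for a file on disk; newline='' keeps the original terminators."""
    with open(path, "r", newline="") as fh:
        return check_filetypes_text(fh.read())


# Constructed samples: the first mirrors the sample list on this page,
# the second breaks three of the rules.
GOOD = "*.txt\r\n*.exe\r\nany*.jpg\r\n"
BAD = "*.txt\r\njpg\r\n xy.ext\r\n*.doc"

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_filetypes_text(sample))
```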

--delay[=xx]    This option (added: 2024-03-01) causes the program to delay xx seconds after it finished counting the possible number of files and total size needed for the copy. The default without the [=xx] value is 3 second delay. During that delay, the user can hit control ^C to stop the program, if too many files are identified, or the size is too large to copy to the destination. --delay, or --delay=10, will delay the default of 3, or 10 seconds. (.ini:    DELAY, or: DELAY=xx)
During the initial processing phase, upcopy attempts to find all files meeting the -f filetype and -p source_path options. It then places on the screen the following message:
       8 files to process, 267,636,997 bytes

With the --delay option, the user at this point can determine if they want the program to continue or ^C out. However, be aware that even though in the above example there are 8 files and 267,636,997 bytes, this is only if ALL the files will be copied. So the actual count and size may not be what is shown. Just be aware.

-x + exclude_filetype(s):  Exclude files meeting this file type. Additional file type(s) (up to 32) can be added by separating each one by a space. (i.e. -x *.c *.doc *.tmp *.ppt ). This option is overridden by -S.

--nocase:  (10/9/2010) In rare instances when you receive or are looking at a file structure that was created on a *IX machine, you might see filenames which are identical except for case. For instance, TEST.TXT and TEST.txt. Linux/*IX operating systems are not only case sensitive, they are also case retentive. Which means that both these files can live in the same directory without any collision. However, Windows is case retentive, but not case sensitive. Which means, if you copied TEST.TXT to a directory, and then tried to copy TEST.txt to the same directory, Windows would see it as an identical name, and OVERWRITE the original file, ending up with just one file in the destination. To overcome this Windows restriction, the --nocase option is used to allow both files to be copied. However, since Windows will NOT allow the duplicate name, the --nocase option causes the 2nd filename to be slightly adjusted, in the fashion that the --flatten option adds the index to the name. So the 2nd file would end with a name of TEST[0001].txt. Not exactly what the original was, but close enough. As a side effect, the --nocase option also initiates by default the -A (copy all) files. Sorry, no alternative.
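
Before copying a *IX-created tree to a Windows destination, a file list can be scanned for names that differ only by case. This is an added example, not upcopy code; it extends the TEST.TXT / TEST.txt case to directories that differ only by case, and the [0002] and later indexes are an assumption extrapolated from the single TEST[0001].txt example above.

```python
# Added example: find names that collide on a case-insensitive destination.
import os.path

# Constructed sample listing from a case-sensitive source tree.
SAMPLE_PATHS = [
    "/evidence/docs/TEST.TXT",
    "/evidence/docs/TEST.txt",
    "/evidence/docs/notes.txt",
    "/evidence/Docs/test.TXT",
    "/evidence/other/TEST.TXT",
]


def plan_destination_names(paths):
    """Return (source_path, destination_name, renamed) for each path, in order."""
    seen = {}  # upper-cased (directory, name) -> how many times already used
    plan = []
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        # Directories that differ only by case also merge on a
        # case-insensitive destination, so the directory is folded too.
        # str.upper() approximates Windows case folding; exact for ASCII.
        key = (directory.upper(), name.upper())
        count = seen.get(key, 0)
        seen[key] = count + 1
        if count == 0:
            plan.append((path, name, False))
        else:
            # Index placed before the extension, as in TEST[0001].txt.
            # Assumption: later duplicates continue with 0002, 0003, ...
            stem, ext = os.path.splitext(name)
            plan.append((path, "%s[%04d]%s" % (stem, count, ext), True))
    return plan


def collisions(paths):
    """Source paths that would overwrite an earlier file without a rename."""
    return [src for src, _, renamed in plan_destination_names(paths) if renamed]


if __name__ == "__main__":
    for src, dest_name, renamed in plan_destination_names(SAMPLE_PATHS):
        print("%-28s -> %s%s" % (src, dest_name, "  (collision)" if renamed else ""))
```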

-S + Source_files_filename:   Text file (Source_files_filename) containing a list, one per line, of source files to copy to the destination directory.
  sample command line:    upcopy -p x:\    -d    e:\case_top_level_destination    -S    file_containing_filename_paths_to_copy

(The names in the file MUST be filenames and NOT directories. If the source file can't be found, the program continues with the next.)
The destination directory ( -d d:\option) is the top level tree where all the files will be copied. The copy maintains sub-tree structure below the destination directory. Hashkeeper users find this very useful.

The -p x:\ is a dummy, non-existent directory on the drive. ie: x:\tmpest. This is merely a placeholder because the -p and -S options are mutually exclusive, and the -p option in this case is used only as a placeholder to eliminate unnecessary errors showing on the screen.

Each line of text in the -S file contains: ONLY the full path of the file: ie: C:\users\john\secrets\anyfile.txt or:
contains the full path_filename as the first item, and the rest of the line MUST be pipe ( | ) delimited. To restate: if the line of text contains more information than just the filename, see samples below. The filename MUST be left justified, without leading spaces and be the first item on the line.

If the text files contain only the filename (which is the preferred format), then there is no need for the pipe delimiters.

This file format:

C:\anydir\anyfile
C:\another_dir\another_file
C:\as_many_files\as_are_necessary
Or, a delimited version:
F:\anydir\another\dir\filename.ext | 123456 | 09-12-2002 12:26AM

C:\anydir\anyfile                   |     123  |  08-12-2002  09:25AM
C:\another_dir\another_file         |   12387  |  04-12-2002  09:25AM
C:\as_many_files\as_are_necessary   |  122344  |  02-12-2002  09:25AM

--TEST:  TEST the existence of all the files in the -S filelist. The program proceeds as if it were attempting to do the copy, but it only checks the existence of the source files. It shows as NOT_COPIED any file for which the source can't be located. In many instances, the source can't be located because of an error in the filename being provided. Pay special attention to files listed that are within containers, such as a file within a zip file or an email msg within an e-mail store such as a pst. The file listed in the -S file MUST be the top level file which is located on the drive. In order to maintain any meaningful output, you MUST also include a --logfile=xyz!8 at a minimum to show NOT_COPIED files.

-A:  Copy (overwrite) ALL files. This causes all the files in the source tree to be copied. If this option is not used, only newer files, and ones that don’t exist in the destination are copied. This option causes a clean sweep of the tree. Consider adding the -O option to ensure overwrite of protected files.

-e:
--exist:  Only copy over existing files. If the destination file doesn’t exist, it won’t be created. Without this option, all newer files and files where the destination doesn’t exist are copied. Possible use: suppose the destination only has *.doc files in the tree, but the source has *.doc files, some of which DON’T already exist on the destination. If only the -f *.doc option is used, ALL the doc files would be used. Use this option if only the existing files are to be overwritten.

-E + errorfilename:  "Replaced 2/2008": Create an error file which holds information regarding files not copied. This file contains a listing of all files not copied to the destination. Some reasons the file could not be copied are that the destination disk is full or the destination file is locked by the OS (ie NT locks certain files, such as system files, and they can't be accessed while locked).

NOTE: the -h, -hs, -hd options are not the same as the -H option. They operate differently, and the -h? can be used together with the -H. Please test the various permutations and output capability, as my logic in building the options may not be the same as your interpretation of their results.

-h:  Perform hash of both source and destination file. This confirms a good copy, and shows results TO THE SCREEN. NO OUTPUT file is created unless the -H option is used. The -H option is really the option creating the output file. For instance, the screen would show:

C:\TMP\secring-bak.skr
      4,306 ==> C:\temp\secring-bak.skr
HASHING: \\?\C:\TMP\secring-bak.skr
HASHING: \\?\C:\temp\secring-bak.skr [OK]

The -hs and -hd do not compare, so will not show the [OK] comparison, but can create output files.

-hs=hash_log_filename:  Perform hash on ONLY the source file. Do not forget the equal (=) sign. It is required to generate the hashlog output. (user must include an output hash_log_filename to place the hash values to.)

-hd=hash_log_filename:  Perform hash on ONLY the destination file. (user must include an output hash_log_filename to place the hash values to.)

Note: the -hs and -hd options should be considered mutually exclusive, and are only useful when outputting the source or destination hash to an output file. If you wish to output "BOTH" hashes, use the -H option, which also verifies the copy. The -H hashlogfile is the best option to use if you wish to check the hash comparison of both the source and the destination with an output. If this is used, the -h? is not required.

-H + hashfile:  Perform hash of both source and destination file, and record results in the file named by hashfile. (excellent evidence validation option). Use this instead of both -hs and -hd. Also, note that the hashfile output designation is formatted differently. It needs a space after the -H, while the -hs or -hd requires an = (equal sign) and the filename. This can almost serve as a replacement for the -2 logfile option. This confirms a good copy. Performing the -H option is very time consuming.

The -H=hashfile option also creates an error file with the hashfile basename, and the syntax "_error" added to the filename. For instance, -H hashes.txt would also create the error file named hashes_error.txt. This hash_error file contains a pipe delimited list of those files where the source and destination hashes do NOT match. See also the --RET=x option to initiate x retries on hash copy errors due to faulty networks.

      sourceA_fullpath_filename | sourceA_hash_ABCDEF | sourceB_fullpath_filename | sourceB_hash_ABCDFF | [ERROR]
For those adventurous souls, you can use this error file, along with a properly formatted PIPEFIX parameter file which captures the first field and makes it 300 characters (can be larger), and ignores the other fields when creating the output file which will be passed to upcopy -S.
   300
   0
   0
   0
   0
This output file contains a list of the A files (those with hash mismatches) which can be passed to upcopy again with the -S get_these_files option to now attempt to copy those mismatches again.

Be reminded that in some instances of the hash mismatch, it is not the upcopy program, but a network error which failed to properly transmit all the data from sourceA to the computer of sourceB. Network administrators should be notified of possible network data transfer errors.

What's behind door no. 2?
An alternative to the above use of the pipefix program to reform the error file into a file compatible with the -S option is another file which is created when the hashes fail to match. This other file has the name modified with the words: hashfile_RERUN. It takes all the fun out of using pipefix to recreate a usable -S option file, and creates it for you. It places in this additional file the complete path of the source file which was apparently not copied correctly, and the original hash.
sourceA_fullpath_filename | sourceA_hash_ABCDEF

You can then pass this file directly to another upcopy run using the -S hashfile_RERUN and it should attempt to copy the files again. However, if your network is causing the data corruption, I can't do anything about that. Be advised, you should consider removing the destination files which were originally copied in error, otherwise upcopy will see an existing destination, and not copy the source. Use of the -A (copy All) option will suffice. Now that you are totally confused, have fun.
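
The error-file workflow above (find the hash mismatches, then feed the source paths back through -S) can also be scripted. This is an added example, not the author's code or PIPEFIX; it assumes the five-field layout shown above with full 32-character MD5 values and a [OK] status on good copies, and all sample paths and hashes are constructed.

```python
# Added example: post-process an upcopy -H style hash log.
import re

MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed MD5 values and paths, for illustration only.
MD5_A = "0123456789ABCDEF0123456789ABCDEF"
MD5_B = "FEDCBA9876543210FEDCBA9876543210"
MD5_C = "00112233445566778899AABBCCDDEEFF"
MD5_D = "00112233445566778899AABBCCDDEE00"

SAMPLE_LOG = "\n".join([
    r"C:\TMP\pubring.pkr | %s |C:\temp\pubring.pkr | %s |[OK]" % (MD5_A, MD5_A),
    r"C:\TMP\secring.skr | %s |C:\temp\secring.skr | %s |[ERROR]" % (MD5_B, MD5_C),
    r"C:\TMP\mount_y.bat | %s |C:\temp\mount_y.bat | %s |[OK]" % (MD5_C, MD5_D),
    r"C:\TMP\DMARES      | %s |C:\temp\DMARES      | %s |[OK]" % (MD5_A, MD5_A.lower()),
    "No apparent mismatches in the copied hashes",
])


def parse_hashlog(text):
    """Return one dict per 'source | hash | dest | hash | status' line."""
    records = []
    for line in text.splitlines():
        fields = [field.strip() for field in line.split("|")]
        if len(fields) != 5:
            continue  # summary or blank lines
        source, source_hash, dest, dest_hash, status = fields
        if not (MD5_RE.fullmatch(source_hash) and MD5_RE.fullmatch(dest_hash)):
            continue  # not an MD5 pair, so not a record this example understands
        records.append({
            "source": source, "source_hash": source_hash.upper(),
            "dest": dest, "dest_hash": dest_hash.upper(),
            "status": status,
        })
    return records


def classify(record):
    """Re-check the recorded hashes instead of trusting the status column."""
    hashes_match = record["source_hash"] == record["dest_hash"]
    flagged_ok = record["status"] == "[OK]"
    if hashes_match and flagged_ok:
        return "verified"
    if not hashes_match and not flagged_ok:
        return "mismatch"
    return "inconsistent"  # status column disagrees with the recorded hashes


def rerun_lines(records):
    """Lines in the 'source | source_hash' layout, filename first, for -S."""
    return ["%s | %s" % (r["source"], r["source_hash"])
            for r in records if classify(r) != "verified"]


if __name__ == "__main__":
    parsed = parse_hashlog(SAMPLE_LOG)
    for rec in parsed:
        print("%-12s %s" % (classify(rec), rec["source"]))
    print("\n".join(rerun_lines(parsed)))
```

A record classed as "inconsistent" means the log itself needs a second look, since its status and its hash columns do not agree.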

--RET=xx: (RETRY) If the hashes requested via the -H hashfile option fail to match, perform this many "copy" RETries of the original to the destination copy. If after any of the xx retries the hashes match, the program continues on; if after xx retries the hashes still don't match, the program continues on in normal fashion. This option is most useful when copying over a network with data transfer errors.

--ADSEXTRACT:  This option when used has a very special operation. Some files may contain or include Alternate Data Streams (ADS) files as part of their "parent" file. When performing examination using traditional Windows practices (ie: explorer, or other directory listing programs) these ADS files are not shown. In some instances, even "copy" programs do not always copy the ADS file with its parent. And most compression (zipping) software will not capture the ADS file. So you may never know what was not examined or copied. What this option does is, when copying a file to a destination, it examines the "parent" file for ADS (Alternate Data Streams). If it finds ADS files, it "extracts" them from the parent and places these ADS files as completely separate files in the destination directory, along with the existing "parent". The copied parent will still contain its ADS hitch hikers, but there will now be additional files in the directory which will be seen by explorer or other directory listing/processing software. Assume the parent file is named: file1.docx, and contains three ADS files called ADS1.txt, ADS2.txt, ADS3.pgp. You will now see the original file, and three additional files in the destination folder. The format of the new filenames will be: originalfile.ext[adsfilename.ext]
Notice the placement of the square brackets to denote the Alternate Data Stream file. Depending on the version of upcopy, an underscore (_) may be substituted for the square brackets. Here is the example new directory listing of the above items.

normal_file_without_ads.txt
normal_file2_without_ads.txt
file1.docx            (live parent)
file1.docx:ADS1.txt   (1st ADS file)
file1.docx:ADS2.txt   (2nd ADS file)
file1.docx:ADS3.pgp   (3rd ADS file)
file1.docx[ADS1.txt]  (extracted ADS file(s))
file1.docx[ADS2.txt]
file1.docx[ADS3.pgp]
Notice the original filename is followed by the ADS filename in square brackets (or, depending on the version, appended with an underscore (_) followed by the ADS filename). These three new files are now completely manageable via normal file system processes. And maybe, just maybe, the .pgp file contains sensitive hidden information or passwords.

--ADSPARENT:  Like --ADSEXTRACT, this option Extracts and Copies Alternate Data Stream files to normal files in the destination directory. It has all the same capabilities as --ADSEXTRACT, with the exception that it ONLY copies files with ADS's. So in the destination folder you have the original "parent" file, its normally "hidden/child" ADS, and a new file which is the ADS (child) showing as a normal file which can now be seen and processed as a normal file. Any file(s) which DO NOT contain ADS's will NOT be copied to the destination. This option by default includes the --ADSEXTRACT option. Use of this option corrupts most if not all the logging options, and fails to perform any hashing, which should now be done independently of the copy operation.
Example of the PARENT and Child exports. Notice the regular files without ADS are not copied, and the original PARENT is copied. Which may be a rather large filesize.

file1.docx            (live parent)
file1.docx:ADS1.txt   (1st ADS file)
file1.docx:ADS2.txt   (2nd ADS file)
file1.docx:ADS3.pgp   (3rd ADS file)
file1.docx[ADS1.txt]
file1.docx[ADS2.txt]
file1.docx[ADS3.pgp]

--ADSCHILD:   This option ONLY copies the (CHILD) ADS file to the destination. It EXTRACTS any Alternate Data Stream items to "real" files in the same directory as their parent. So for every ADS file, you will get a live or real file which you can touchy/feely. It does not copy the PARENT file. Which in some cases may save a lot of space. Considering that some parents are very large, and all you may want to see is the ADS file hiding behind its parent. Notice ONLY the ADS files are copied, and not the PARENT which can save time and space.

file1.docx[ADS1.txt]
file1.docx[ADS2.txt]
file1.docx[ADS3.pgp]

When dealing with the need to extract the Alternate Data Stream so it can be seen as a "real" file, you may also consider using the COPY_ADS  program which is specifically designed to extract ADS's.

--UNICODE=unicode_logfile:     If any of the -hs, -hd, -H, options are used, the --UNICODE=filename option allows for an additional output log file of UNICODE format.

For this option to work, one of the -h options must be present. The "unicode_logfile_name" file will contain a format identical to the -H=hashfilelog with the exception that it will contain the unicode representation of the filenames, AND the MD5 values. (NOT AVAILABLE with the SHA options). THIS IS A VERY SPECIAL OPTION along with the logfile:64 option for UNICODE users. Be prepared to open the file with a UNICODE capable file editor.

All the --UNICODE= operations also include the filesize and date/times of the files. Making it an excellent output for additional analysis.

This command:
C:>upcopy -p . -d \temp -1 ..\temp\logfile -H ..\temp\hashlog
would generate this hashlog (hashes truncated for readability)
C:>upcopy -p . -d \temp -1 ..\temp\logfile -H ..\temp\hashlog --UNICODE=UNI_LOG
would add a unicode formatted output file similar to the hashlog format. MD5 hash values truncated here for space.

C:\TMP\disconnected.mp3  | 1FFB |C:\temp\disconnected.mp3  | 1FFB |[OK]
C:\TMP\disconnected.wav  | 3327 |C:\temp\disconnected.wav  | 3327 |[OK]
C:\TMP\DMARES            | E5C2 |C:\temp\DMARES            | E5C2 |[OK]
C:\TMP\mount_y.bat       | 9ED1 |C:\temp\mount_y.bat       | 9ED1 |[OK]
C:\TMP\profile_add       | 6C0C |C:\temp\profile_add       | 6C0C |[OK]
C:\TMP\pubring-bak.pkr   | 9745 |C:\temp\pubring-bak.pkr   | 9745 |[OK]
C:\TMP\pubring.pkr       | 07E6 |C:\temp\pubring.pkr       | 07E6 |[OK]
C:\TMP\secring-bak.skr   | 3185 |C:\temp\secring-bak.skr   | 3185 |[OK]
C:\TMP\secring.skr       | B0D3 |C:\temp\secring.skr       | B0D3 |[OK]
No apparent mismatches in the copied hashes

--SHA[1|2|3|5]:  In addition to the hashing, calculate the SHA160, SHA256, SHA384, SHA512 of the files. (--SHA1, --SHA2, --SHA3, --SHA5), OR:
--160, --256, --384, --512
This option can only be used if the -H logfilename is used, as the SHAx values are put in the logfile along with the MD5 hashes. Although the design of the program will allow for any or all of the SHA values, it is suggested that tests be conducted to determine if multiple SHA values actually perform as the user expects. Also, the matching of the source and destination value(s) is ONLY performed on the MD5 hash value. This is a very very time consuming operation. Included in versions only after (2/1/2020)

-i:  Proceed Immediately with the copy. Without this option the source tree is first scanned and files are counted so the user knows how many files are involved. Use this option if you are attempting to copy over a slow network, as the initial count could take an inordinate amount of time.
-i is REQUIRED when using \\UNC\destination_tree\xxx in order to skip the destination free space check, which fails for UNC paths.

-m:  Automatically make the first destination if it does not exist. Without this option, if the first (top level) destination directory doesn’t exist, the user is prompted for an OK to create it. All subsequent subdirectories are automatically created without user intervention. Use this in batch file operation so no user input is needed. In the ini file use: [MAINTAIN=1]

-M:  Same as -m, except the final destination directory will attempt to maintain the date and time of the source directory. (suggested using -m also with this option.) This date retention is not always guaranteed. In most instances this option will also re-create empty directories. So in a forensic copy environment, you will at least see that one existed on the source.

--MILLI  This --MILLI option adds the milliseconds (12:34:56:789) to appropriate time fields in the output logs created using the --logfile=logname![2,4] option.

-nN:  The lower case -n prints only the source filename to the screen. DO NOT perform the copy operation. Use this to first confirm the items which will be copied.
The (-N) upper case version also prints the file size and the destination filename to the screen. And if the --delimiter=xx option is used, it will format with delimiters the "source | filesize | destination name" to the screen in a single line. This output can then be redirected >> to an output file for later examination or input into a spreadsheet, or passed to rm or rmd to remove the files once the copy process has taken place.

-r:  DO NOT recurse through the source directory for files. The default is that the source directory is recursed and ALL subsequent files and directories are copied. The default operation emulates the XCOPY command.

-O:  Force an overwrite of any file that is protected, such as read only files. This has no effect on OS locked files. It has only been shown to be effective with files with the read only or hidden attribute set. This option is not documented on the program help screen.

-g + #:
-l + #:
  Copy only those files (g)reater than or (l)ess than # days old. Replace the # with a valid number of days.

-g + mm-dd-yyyy[acw]
-l + mm-dd-yyyy[acw]  (that's an ell, not a one).
--older=mm-dd-yyyy
--newer=mm-dd-yyyy
Process only those files (g)reater than (older) or (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 IS required), and it MUST have a 4 digit year. The date given mm-dd-yyyy is NOT included in the calculation. Ie. if today was 01-10-2003 and you entered -l 01-09-2003 you would only process today's files. If you wanted to include those on 01-09, you should have entered -l 01-08-2003.
If any of the acw items are included, restrict the date to that type. (access, create, write)

-t[acw]:  In the 32 bit version, this is used to modify the -g or -l option to specify which time type to use in the calculations. The a==access, c==create, w==last write time. Don’t forget, in WIN9X, there is no access time.

--ZERO:   In some instances of file extracts from X-Ways and other forensic software, the file dates of "child" and other files are set to 00-00-0000. This file date of zero causes programs which display and / or depend on file dates to falter when filtering by file date. It also causes UPCOPY to NOT copy these files because of the erroneous date. This option, --ZERO, was initiated in order to force the copying of files with no file date. When it copies those files, it sets the destination file date to 12-01-1970 00:00:00. At least, then you can filter or search for a specific file date. HOWEVER: Explorer still can't display the date. Go figure?

-G + #:
-L + #:  Copy only those files (G)reater than or (L)ess than # bytes in size. Replace the # with a valid file size.

-R:  Depending on the OS settings, the last access date may be updated automatically when a file is accessed. This is usually turned off. But it may be on. In any case, the last access date of the destination is defaulted by a copy to be set to the current date/time. For forensic and other security purposes, the user may wish to have all the destination dates, and the source access date, maintained at their original values. To do this, there are a number of options available. In order of priority:

-R:   maintain original access date in both the source and destination (this overrides any environment or ini setting)
+R:   allow access date to be updated appropriately. (source and destination are set according to OS settings)
environment:  set RESET=ON   turns on program option -R to maintain original access date. (overridden by -R or +R)
ini file:     RESET=[ON|1|OFF]  turns on or off last access update. (overridden by -R or +R)

During the copy process the file dates and times of the original file are maintained in the destination file attributes. However, without the -R (Reset) option, the original access time is adjusted accordingly.

--logfile=logfilename[appropriate masks:see below]   Create an output logfile with statistical information relating to the program's operation. The --logfile=logfilename!xx is probably the most efficient to use.

-1 logfile:   Create an output logfile with statistical information relating to the program's operation.

-2 and -3 options provide identical results to -1 logfile

As of Feb 2008 there are 3 new ways to get logfile creations.


All usually build on each other, and are not mutually exclusive.
However, logfile names incorrectly used, will result in errors.
A logfile name should only be used in one location.
Preferably on the command line and not in the ini file.

For ALL the logs, use -1 + logfilename!all NOTE: The -1 + logfilename conflicts with the --logfile=xxxx options.
The preferred format is to use the --logfile=xxx format.

-1 +  logfilename[[ !;|: ] xx]: filename to create logging file(s). 
      this '!' '|' ';' or ':' separator can be any one of the four but only 1 is allowed.
      the preferred one is either a "!" (exclamation) or ":" (colon)
      the [xx] syntax == any value below added together to get matrix of files
      logging files that may be created are:
      1:  default logfile: contains command line, and statistics      
      2:  list logfile: contains list of ALL files scanned for copy               0000 0010    
      4:  copied logfile: contains list of ALL files successfully copied          0000 0100
      8:  not_copied logfile: contains list of files scanned but not copied       0000 1000
          this file contains files not meeting criteria PLUS copy errors
      16: error logfile: contains files meeting criteria, but had COPY error      0001 0000
      32: renamed dupes log: destination file renamed due to duplicate            0010 0000
      64: a logfile containing a list of the directories and file counts within each (available 4/2022) 0100 0000
     128: add a logfile in UNICODE format containing SOURCE|DESTINATION filenames 1000 0000
      For ALL logfiles use: "logfilename!255".                                    1111 1111
      Simple Shortcut for ALL logfiles:  logfilename!all use the word all.

However, if you wish to use a logfile format like: --logfile=logname:nnn
and the logname is a path like:  --logfile=H:\upcopy_logs\casename:4   this won't work because
the option contains two colons (:) which confuse the program. Hey, it's not perfect. BUT, if
you format the option using the exclamation point:   --logfile=H:\upcopy_logs\casename!4 it works fine.
So try it before real life. A relative path like:  --logfile=..\..\upcopy_logs\casename!4  also works ok.


I have not tried all the permutations. (I'm leaving it to you to confirm they all work seamlessly)
Notice the options are binary AND permutations.

PREFERRED FORMAT
The --logfile=logfilename!xx is probably the most efficient (and preferred) to use and should be considered the best to use. Use binary OR (|) of the numbers to obtain the correct logfiles.
A sample for the logfile option would be:
--logfile=thenameofthelogfile:127
which would generate ALL the appropriate logs. Be warned, that some of the statistics published in the logs are mutually exclusive, so don't try and reconcile counts.

Alternate (preferred) -- option to the -1 logfile
--logfile=logfilename[!|;:]xx

Replace !xx with similar value as -1 option OR
--logfile=logfilename[!|;][list,copy,not,dupe, error, unicode] comma separated file types
list==listfile==2,
copy==copied file==4
not==notcopied==8
error==errorfile==16,
dupes==duperenamefile==32
dir==directory count file==64 (not completely tested as of 3/2022)

To obtain the log containing the full unicode names of the source and destination use the syntax:
--logfile=logname:128
include other binary numbers for additional logs as necessary. ie: 128 (add the binary values)


--error=xx
Replace xx with a value above. No filename allowed.
THE '! ; |' or ':' separator is required between filename and matrix value. Any items or option values are always OR'd together.
example: --logfile=logname.ext:255
results in ALL logs being generated. Some may be quite large. It's probably better just to figure out which log best suits your purpose.
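
A --logfile= value can be decoded before it goes into a batch file, including the two-colon case described above. This is an added example, not upcopy's own option parser; it handles numeric masks and the word all only, and the function name and the choice to split at the last separator are assumptions.

```python
# Added example: decode a --logfile=name<sep>mask value from this page.
import re

# Bit values and meanings as listed in the table above.
LOG_BITS = [
    (1, "default logfile (command line and statistics)"),
    (2, "list of ALL files scanned for copy"),
    (4, "files successfully copied"),
    (8, "files scanned but not copied"),
    (16, "files meeting criteria that had a COPY error"),
    (32, "destination files renamed due to duplicate"),
    (64, "directories and file counts"),
    (128, "UNICODE SOURCE|DESTINATION filenames"),
]

# Assumption: the mask is whatever follows the LAST separator, and it must be
# digits or the word "all"; anything else is treated as part of the name.
SPEC_RE = re.compile(r"^(?P<name>.+)(?P<sep>[!|;:])(?P<mask>\d+|all)$", re.IGNORECASE)


def decode_logfile_spec(spec):
    """Return (name, mask, selected_logs, warnings) for a --logfile= value."""
    warnings = []
    match = SPEC_RE.match(spec)
    if match is None:
        warnings.append("no mask found after a ! | ; or : separator")
        return spec, None, [], warnings
    name, sep, raw = match.group("name", "sep", "mask")
    mask = 255 if raw.lower() == "all" else int(raw)
    if not 0 < mask <= 255:
        raise ValueError("mask %d is outside 1..255" % mask)
    if sep == ":" and ":" in name:
        # The case this page warns about: H:\upcopy_logs\casename:4
        warnings.append("two colons in the option; use '!' as the separator")
    selected = [label for bit, label in LOG_BITS if mask & bit]
    return name, mask, selected, warnings


if __name__ == "__main__":
    for value in (r"H:\upcopy_logs\casename:4",
                  r"H:\upcopy_logs\casename!4",
                  "thenameofthelogfile:127",
                  "logname!all"):
        name, mask, logs, warns = decode_logfile_spec(value)
        print(value, "->", name, mask, len(logs), "log(s)", warns)
```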

--dirs=dirnames_list:   (see also -p source_path option) "dirnames_list" is a text file containing the full top level path of the folder(s) you wish to copy. This pathname MUST include a source drive letter: (ie: D:\.) No error checking is performed to see if the folders exist or not. If it exists, the files below are copied in the normal fashion. The file is a text file, with one path/folder per line, (or pipe delimited). This option is mutually exclusive with the -S option. So don't use them together. After the directories are listed, blank lines are inserted, and the user can insert comments after the blank lines.

If necessary, (after version: 20.11.29...) the -p source_path may also be included. If the -p is included, its path will be added to the list in the dirnames_list. Prior to version 20.11.29 a dummy -p was needed on the command line, and was suggested to be the first path in the list.

Sample contents of the dirname file
f:\documents and settings\johns folder
f:\documents and settings\other folder | other stuff on the line, similar to above
f:\program files\virus generators
g:\another_source_folder\level1
etc...
etc...
etc...
blank lines:
comments can be inserted after blank lines terminate the directories list.

two sample command lines, one with and one without an additional source dir.
notice, first instance contains a duplicate of one of the lines in the dirname_file
C:\upcopy -d d:\TOP\LEVEL1 --dirs dirname_file
or
C:\upcopy -d d:\TOP\LEVEL1 -p f:\completely_other_source_dir_to_include --dirs dirname_file

The -d option on the command line is used as a TOP level starting point to copy all the source files to. The paths identified in the dirnames file are APPENDED to the -d option path and thus will start copying below the -d option. So if we used the above source paths, and had a -d option of: -d d:\TOP\LEVEL1
the resulting destination folders would be:
d:\TOP\LEVEL1\documents and settings\johns folder
d:\TOP\LEVEL1\program files\virus generators
d:\TOP\LEVEL1\another_source_folder\level1

--SHADOW_COPY:  If the user is attempting to copy all or part of a shadow copy file (see: Microsoft Volume Shadow Copy) the upcopy program may not be able to properly locate the volume shadow file. If the program cannot locate the shadow file, it is suggested that the user add this --SHADOW_COPY option. It may assist in finding and opening the file.

The pathname provided on the command line to locate the VSS (Volume Shadow Copy) is that which was provided to the user when they ran the VSSADMIN program with the command: vssadmin List Shadows.
The program will include all the shadows it maintains, and the proper syntax for the -p option would be:
-p \\?\actual name of the shadow copy file which was provided by the command.

--bypass=filename:  Filename is a text file containing the full top level path of the folder(s) you wish to bypass. No error checking is performed to see if the folders exist or not. If it exists, it will be bypassed and no files below will be copied. The file is a text file, with one path/folder per line. If the "filename" is not a file containing paths, but the actual path, it is treated as such. This --bypass= option can be included multiple times on the command line, once for each folder. This option is mutually exclusive with the -S option. So don't use them together. Sample:
f:\documents and settings\johns folder bypass
f:\documents and settings\other folder bypass
f:\program files\virus checkers bypass

If you have an upcopy.ini file, the ini file contents are
bypass=f:\foldername
bypass=f:\anotherfoldername
bypass=etc.

Here are samples of the two types of output formats.

-2 Logfile_Option
512 |D:\DRa00632\DRa00632\AAA00632|
==>D:\NEWDIR\DRa00632\DRa00632\\AAA00632|
512 |D:\DRa00632\DRa00632\AAA00635|
==>D:\NEWDIR\DRa00632\DRa00632\AAA00635|

-3 Logfile_Option
512 |D:\DRa00632\AAA00632| ==>D:\NEWDIR\DRa00632\AAA00632|
512 |D:\DRa00632\AAB00632| ==>D:\NEWDIR\DRa00632\AAB00632|

BATCH FILES

One of the best uses of upcopy, both for forensic purposes and for general file retention/backup, is that it can be used in batch files to perform smart backups of files. One of the forensic uses is that each day when you perform your work you either generate new evidence files/reports, or update those which have already been created. This may be a single item, or numerous files. Now, let's imagine you have a general common location, say some sort of large storage array, or merely a safe other drive, on which you maintain a copy of your work. Wouldn't it be nice to be able to back up each day ONLY those files which are new and need to be backed up, without backing up the entire case directory, because not everything is updated?

Upcopy, with appropriate options can copy to the secondary location (another drive, raid array, server, etc) ONLY those files which are newly created or updated. Below is a simple command line which when placed in a batch file can be run whenever, and it will only "forensically" copy those files which it needs. Thus eliminating the time required to copy ALL the un-modified items. With proper options, this batch can be adjusted to perform many other generic routine backup operations.

update, or copy from the case folder, to the offline storage, ONLY those files modified within the last 5 days.
upcopy  -p  c:\cases\case_folder1   -d  x:\offline\cases\case_folder1  -f *.*  -l  5   -R

and if you were updating just any normal work location, you could include a back and forth process:
upcopy  -p  c:\folder1\work1   -d  x:\offline\folder1\work1  -f *.*    -R
upcopy  -p  x:\folder1\work1   -d  c:\offline\folder1\work1  -f *.*    -R

this above would sync both locations.  (simple sync: YES/NO?)
don't forget the -R to reset any dates correctly. other options as necessary.

RELATED PROGRAMS

DISKCAT  Perform catalog listing of files.
HASH  Perform Hashing of files on a drive.
PIPEFIX  Select out specified fixed fields from delimited records.
