Add Windows forensic artifact collection toolkit
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
TODO.md (Normal file, 67 lines)
@@ -0,0 +1,67 @@
# Forensic Artifacts TODO

## Windows Forensic Scripts

### Completed
- [x] USB Storage (USBSTOR)
- [x] Mounted Devices
- [x] USB Devices (VID/PID)
- [x] Portable Devices
- [x] Network Connection History
- [x] Hotspot Connections
- [x] Recent Documents (RecentDocs)

### User Activity Artifacts
- [ ] UserAssist - Programs run by user through Windows Explorer
- [ ] ShimCache (AppCompatCache) - Executable files that have been run
- [ ] AmCache - Program execution with file hashes and timestamps
- [ ] Jump Lists - Recently accessed files per application
- [ ] Prefetch files - Program execution history with run counts
- [ ] BAM/DAM - Background Activity Moderator (program execution timestamps)

### Browser & Search History
- [ ] Browser history - Edge, Chrome, Firefox artifacts
- [ ] Typed URLs - URLs manually typed in browsers
- [ ] Search terms - Windows Search history

### File Access
- [ ] LNK files - Shortcut files showing file access
- [ ] Recycle Bin - Deleted files
- [ ] Shell Bags - Folder access history

### System Information
- [ ] Computer name - System identification
- [ ] Timezone - System timezone settings
- [ ] Last shutdown time
- [ ] Installed programs - Software inventory
- [ ] System uptime history

### Persistence Mechanisms
- [ ] Run/RunOnce keys - Programs that auto-start
- [ ] Scheduled tasks
- [ ] Services
- [ ] Startup folder contents

### Network Artifacts
- [ ] DNS Cache
- [ ] Network shares accessed
- [ ] VPN connections
- [ ] Remote Desktop connections

## Other Operating Systems

### Linux
- [ ] User login history
- [ ] Command history (bash, zsh)
- [ ] Systemd journal logs
- [ ] Package installation history
- [ ] Cron jobs
- [ ] SSH keys and known hosts

### macOS
- [ ] Unified logs (log show)
- [ ] LaunchAgents/LaunchDaemons
- [ ] Spotlight metadata
- [ ] FSEvents (file system events)
- [ ] Login/logout history
- [ ] Keychain artifacts
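Review bot: the "### Completed" list in this file disagrees with the commit message, which says the commit ships system info and user enumeration scripts and OpenSavePidlMRU parsing, yet every item under "### System Information" (Computer name, Timezone, Last shutdown time, ...) is still unchecked and the only recent-documents entry is `- [x] Recent Documents (RecentDocs)`. Reconcile the two, for example by adding `- [x] System info and user enumeration` and `- [x] Recent Documents (OpenSavePidlMRU)` under Completed, or by noting in the commit message that those scripts cover only part of the listed items. Since this file is meant to drive collection scripts, each unchecked artifact would also be more actionable if it named where it is read from (registry hive, file path, or log source) and whether live collection needs an elevated session, so the next contributor knows what each script has to open before writing it.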