Add Windows forensic artifact collection toolkit

Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.

windows/Get-HotspotConnections.ps1

@@ -0,0 +1,113 @@
+# Get-HotspotConnections.ps1
+# Collects Windows Mobile Hotspot connection artifacts
+
+# Check for admin privileges
+$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if (-not $isAdmin) {
+    Write-Host "Error: This script requires Administrator privileges" -ForegroundColor Red
+    Write-Host "Please run PowerShell as Administrator and try again" -ForegroundColor Yellow
+    exit 1
+}
+
+Write-Host "=== Windows Mobile Hotspot Connection History ===" -ForegroundColor Cyan
+Write-Host "Note: Windows does not maintain persistent logs of past hotspot clients"
+Write-Host "Only event logs and currently connected devices can be retrieved`n"
+
+# Get current hotspot status
+Write-Host "--- Current Hotspot Status ---" -ForegroundColor Yellow
+try {
+    $hostedNetwork = netsh wlan show hostednetwork 2>$null
+    if ($hostedNetwork) {
+        $hostedNetwork | Write-Host
+    }
+} catch {
+    Write-Host "Error getting hosted network status" -ForegroundColor Red
+}
+
+# Get currently connected clients via ARP
+Write-Host "`n--- Currently Connected Devices (ARP Cache) ---" -ForegroundColor Yellow
+try {
+    $arp = Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue |
+           Where-Object { $_.State -ne "Unreachable" -and $_.IPAddress -notmatch "^(224\.|239\.)" }
+
+    if ($arp) {
+        $arp | Select-Object IPAddress, LinkLayerAddress, State | Format-Table -AutoSize
+    } else {
+        Write-Host "No connected devices found in ARP cache" -ForegroundColor Gray
+    }
+} catch {
+    Write-Host "Error accessing ARP cache: $_" -ForegroundColor Red
+}
+
+# Extract hotspot connection events from WLAN-AutoConfig log
+Write-Host "`n--- Recent Hotspot Connection Events ---" -ForegroundColor Yellow
+try {
+    # Event ID 20019 = Client connection to hotspot
+    # Event ID 20020 = Connection establishment confirmation
+    # Event ID 8005/8006 = Hotspot start/stop
+    $events = Get-WinEvent -FilterHashtable @{
+        LogName = "Microsoft-Windows-WLAN-AutoConfig/Operational"
+        ID = 8005, 8006, 20019, 20020
+    } -MaxEvents 50 -ErrorAction SilentlyContinue
+
+    if ($events) {
+        foreach ($event in $events) {
+            Write-Host "$($event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan -NoNewline
+            Write-Host " [ID:$($event.Id)]" -ForegroundColor Gray -NoNewline
+
+            # Extract relevant info from message
+            $msg = $event.Message
+            if ($msg -match "MAC Address: ([0-9A-Fa-f:-]+)") {
+                Write-Host " MAC: $($matches[1])" -ForegroundColor Yellow
+            } elseif ($msg -match "SSID: (.+)") {
+                Write-Host " SSID: $($matches[1])" -ForegroundColor Green
+            } else {
+                Write-Host ""
+            }
+        }
+    } else {
+        Write-Host "No hotspot events found in logs" -ForegroundColor Gray
+    }
+} catch {
+    Write-Host "Error accessing event logs: $_" -ForegroundColor Red
+}
+
+# Get wireless authentication events (Event ID 5632)
+Write-Host "`n--- Wireless Authentication Events (Last 20) ---" -ForegroundColor Yellow
+try {
+    $authEvents = Get-WinEvent -FilterHashtable @{
+        LogName = "Security"
+        ID = 5632
+    } -MaxEvents 20 -ErrorAction SilentlyContinue
+
+    if ($authEvents) {
+        foreach ($authEvent in $authEvents) {
+            Write-Host "$($authEvent.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan
+            if ($authEvent.Message -match "Peer MAC Address:\s+([0-9A-Fa-f:-]+)") {
+                Write-Host "  Peer MAC: $($matches[1])" -ForegroundColor Yellow
+            }
+        }
+    } else {
+        Write-Host "No wireless authentication events found" -ForegroundColor Gray
+    }
+} catch {
+    Write-Host "Security event log not accessible or no events found" -ForegroundColor Gray
+}
+
+# Get hosted network settings from registry
+Write-Host "`n--- Hosted Network Registry Settings ---" -ForegroundColor Yellow
+try {
+    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings"
+    if (Test-Path $regPath) {
+        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
+        if ($props) {
+            Write-Host "Registry path exists with configuration data" -ForegroundColor Green
+            Write-Host "(Binary data - use registry editor for details)"
+        }
+    } else {
+        Write-Host "No hosted network settings found in registry" -ForegroundColor Gray
+    }
+} catch {
+    Write-Host "Error accessing registry: $_" -ForegroundColor Red
+}