Add Windows forensic artifact collection toolkit
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes
Includes TODO.md for planned artifacts and updated README.
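--- /dev/null
+++ b/windows/Get-Info.ps1
@@ -0,0 +1,127 @@
+# Get-Info.ps1
+# Displays system and user information
+
+Write-Host "=== System Information ===" -ForegroundColor Cyan
+
+# Current User
+Write-Host "`n--- Current User ---" -ForegroundColor Yellow
+Write-Host "Username: $env:USERNAME" -ForegroundColor Green
+Write-Host "Domain: $env:USERDOMAIN" -ForegroundColor Green
+Write-Host "User Profile: $env:USERPROFILE" -ForegroundColor Green
+Write-Host "Home Drive: $env:HOMEDRIVE" -ForegroundColor Green
+
+# Computer Info
+Write-Host "`n--- Computer Information ---" -ForegroundColor Yellow
+Write-Host "Computer Name: $env:COMPUTERNAME" -ForegroundColor Green
+
+try {
+$cs = Get-CimInstance Win32_ComputerSystem
+Write-Host "Full Computer Name: $($cs.DNSHostName).$($cs.Domain)" -ForegroundColor Green
+Write-Host "Manufacturer: $($cs.Manufacturer)" -ForegroundColor Green
+Write-Host "Model: $($cs.Model)" -ForegroundColor Green
+Write-Host "Total RAM: $([math]::Round($cs.TotalPhysicalMemory / 1GB, 2)) GB" -ForegroundColor Green
+} catch {
+Write-Host "Error getting computer details: $_" -ForegroundColor Red
+}
+
+# OS Info
+Write-Host "`n--- Operating System ---" -ForegroundColor Yellow
+try {
+$os = Get-CimInstance Win32_OperatingSystem
+Write-Host "OS: $($os.Caption)" -ForegroundColor Green
+Write-Host "Version: $($os.Version)" -ForegroundColor Green
+Write-Host "Build: $($os.BuildNumber)" -ForegroundColor Green
+Write-Host "Architecture: $($os.OSArchitecture)" -ForegroundColor Green
+Write-Host "Install Date: $($os.InstallDate)" -ForegroundColor Green
+Write-Host "Last Boot: $($os.LastBootUpTime)" -ForegroundColor Green
+
+$uptime = (Get-Date) - $os.LastBootUpTime
+Write-Host "Uptime: $($uptime.Days) days, $($uptime.Hours) hours, $($uptime.Minutes) minutes" -ForegroundColor Green
+} catch {
+Write-Host "Error getting OS details: $_" -ForegroundColor Red
+}
+
+# Timezone
+Write-Host "`n--- Time & Location ---" -ForegroundColor Yellow
+try {
+$timezone = Get-TimeZone
+Write-Host "Timezone: $($timezone.DisplayName)" -ForegroundColor Green
+Write-Host "Current Time: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor Green
+} catch {
+Write-Host "Timezone: $env:TZ" -ForegroundColor Green
+}
+
+# Network Info
+Write-Host "`n--- Network Configuration ---" -ForegroundColor Yellow
+try {
+$adapters = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
+foreach ($adapter in $adapters) {
+Write-Host "Adapter: $($adapter.Name)" -ForegroundColor Green
+Write-Host " MAC Address: $($adapter.MacAddress)" -ForegroundColor Cyan
+Write-Host " Speed: $($adapter.LinkSpeed)" -ForegroundColor Cyan
+
+# Get IP addresses
+$ipConfig = Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -ErrorAction SilentlyContinue
+foreach ($ip in $ipConfig) {
+if ($ip.AddressFamily -eq "IPv4") {
+Write-Host " IPv4: $($ip.IPAddress)" -ForegroundColor Cyan
+} elseif ($ip.AddressFamily -eq "IPv6" -and $ip.PrefixOrigin -ne "WellKnown") {
+Write-Host " IPv6: $($ip.IPAddress)" -ForegroundColor Cyan
+}
+}
+}
+} catch {
+Write-Host "Error getting network info: $_" -ForegroundColor Red
+}
+
+# Disk Info
+Write-Host "`n--- Disk Drives ---" -ForegroundColor Yellow
+try {
+$disks = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -ne $null }
+foreach ($disk in $disks) {
+$usedGB = [math]::Round($disk.Used / 1GB, 2)
+$freeGB = [math]::Round($disk.Free / 1GB, 2)
+$totalGB = $usedGB + $freeGB
+$percentUsed = [math]::Round(($usedGB / $totalGB) * 100, 1)
+
+Write-Host "$($disk.Name):\ - Total: $totalGB GB, Used: $usedGB GB ($percentUsed%), Free: $freeGB GB" -ForegroundColor Green
+}
+} catch {
+Write-Host "Error getting disk info: $_" -ForegroundColor Red
+}
+
+# User Accounts on System
+Write-Host "`n--- Local User Accounts ---" -ForegroundColor Yellow
+try {
+$users = Get-LocalUser | Select-Object Name, Enabled, LastLogon
+foreach ($user in $users) {
+$status = if ($user.Enabled) { "Enabled" } else { "Disabled" }
+$lastLogon = if ($user.LastLogon) { $user.LastLogon.ToString("yyyy-MM-dd HH:mm:ss") } else { "Never" }
+Write-Host "$($user.Name) - $status - Last Logon: $lastLogon" -ForegroundColor Green
+}
+} catch {
+Write-Host "Error getting user accounts: $_" -ForegroundColor Red
+}
+
+# Environment Variables (useful ones)
+Write-Host "`n--- Key Environment Variables ---" -ForegroundColor Yellow
+Write-Host "Temp: $env:TEMP" -ForegroundColor Green
+Write-Host "Path (first 3): $((($env:PATH -split ';') | Select-Object -First 3) -join '; ')..." -ForegroundColor Green
+Write-Host "Processor: $env:PROCESSOR_IDENTIFIER" -ForegroundColor Green
+Write-Host "Number of Processors: $env:NUMBER_OF_PROCESSORS" -ForegroundColor Green
+
+# Windows Product Info
+Write-Host "`n--- Windows Product Information ---" -ForegroundColor Yellow
+try {
+$productName = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName -ErrorAction SilentlyContinue
+$displayVersion = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name DisplayVersion -ErrorAction SilentlyContinue
+$editionID = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name EditionID -ErrorAction SilentlyContinue
+
+if ($productName) { Write-Host "Product: $($productName.ProductName)" -ForegroundColor Green }
+if ($displayVersion) { Write-Host "Display Version: $($displayVersion.DisplayVersion)" -ForegroundColor Green }
+if ($editionID) { Write-Host "Edition: $($editionID.EditionID)" -ForegroundColor Green }
+} catch {
+Write-Host "Error getting product info: $_" -ForegroundColor Red
+}
+
+Write-Host "`n=== End of System Information ===" -ForegroundColor Cyan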
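Review bot: Every value in this file is emitted through Write-Host, so the collected system information cannot be redirected to a file or piped into the rest of the toolkit without `6>` information-stream redirection, which works against a forensic collector whose output should be preserved and hashed; emitting objects (or at least `Write-Output` lines) would make the script composable with the "multiple output modes" the commit message describes. The time fields are also printed in local time with no offset (`Current Time` via `Get-Date -Format 'yyyy-MM-dd HH:mm:ss'`, `Install Date` and `Last Boot` via the default ToString), so they cannot be correlated with other artifacts without separately knowing the host's timezone; a format such as `Get-Date -Format 'yyyy-MM-dd HH:mm:ss K'` records the offset, and the same applies to `$user.LastLogon.ToString("yyyy-MM-dd HH:mm:ss")` in the Local User Accounts section. Minor: the Disk Drives section computes `($usedGB / $totalGB) * 100` without guarding `$totalGB -eq 0`, which yields NaN for a drive reporting zero used and zero free space, and `$_.Used -ne $null` is conventionally written `$null -ne $_.Used` so a collection on the left cannot change the comparison semantics.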