mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Windows forensic artifact collection toolkit

Browse Source 
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
This commit is contained in:
mnerv
2026-02-03 21:31:39 +01:00
parent dc8a848373
commit 878d19f917
11 changed files with 895 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
windows/Get-NetworkHistory.ps1 Normal file
View File

@@ -0,0 +1,37 @@
# Get-NetworkHistory.ps1
# Lists network connection history
# Check for admin privileges
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
Write-Host "Error: This script requires Administrator privileges" -ForegroundColor Red
Write-Host "Please run PowerShell as Administrator and try again" -ForegroundColor Yellow
exit 1
}
Write-Host "=== Network Connection History ===" -ForegroundColor Cyan
Write-Host "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
try {
$networks = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" -ErrorAction SilentlyContinue
if ($networks) {
foreach ($network in $networks) {
$props = Get-ItemProperty -Path $network.PSPath -ErrorAction SilentlyContinue
Write-Host "$($props.ProfileName)" -ForegroundColor Yellow
Write-Host " Description: $($props.Description)"
Write-Host " Category: $($props.Category) (0=Public, 1=Private, 2=Domain)"
if ($props.DateCreated) {
Write-Host " First Connected: $($props.DateCreated)"
}
if ($props.DateLastConnected) {
Write-Host " Last Connected: $($props.DateLastConnected)"
}
Write-Host ""
}
} else {
Write-Host "No network history found." -ForegroundColor Gray
}
} catch {
Write-Host "Error: $_" -ForegroundColor Red
}