Add Windows forensic artifact collection toolkit

Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.

windows/Get-USBDevices.ps1

@@ -0,0 +1,36 @@
+# Get-USBDevices.ps1
+# Lists all USB devices with vendor/product IDs
+
+Write-Host "`n=== USB Devices ===" -ForegroundColor Cyan
+Write-Host "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB`n"
+
+try {
+    $usb = Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USB" -ErrorAction SilentlyContinue
+    if ($usb) {
+        foreach ($device in $usb) {
+            if ($device.PSChildName -match "VID_|vid_") {
+                $instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
+                $hasDevice = $false
+
+                foreach ($instance in $instances) {
+                    $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
+                    if ($props.DeviceDesc) {
+                        if (-not $hasDevice) {
+                            Write-Host "$($device.PSChildName)" -ForegroundColor Yellow
+                            $hasDevice = $true
+                        }
+                        # Clean up device description - extract text after semicolon if present
+                        $desc = $props.DeviceDesc
+                        if ($desc -match ';(.+)$') {
+                            $desc = $matches[1]
+                        }
+                        Write-Host "  $desc"
+                    }
+                }
+                if ($hasDevice) { Write-Host "" }
+            }
+        }
+    }
+} catch {
+    Write-Host "Error: $_" -ForegroundColor Red
+}