mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Windows forensic artifact collection toolkit

Browse Source 
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
This commit is contained in:
mnerv
2026-02-03 21:31:39 +01:00
parent dc8a848373
commit 878d19f917
11 changed files with 895 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
windows/Get-USBForensics.ps1 Normal file
View File

@@ -0,0 +1,135 @@
# Get-USBForensics.ps1
# PowerShell script to gather USB and storage forensic artifacts
Write-Host "`n=== USB Storage Devices (USBSTOR) ===" -ForegroundColor Cyan
Write-Host "Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`n"
try {
$usbstor = Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR" -ErrorAction SilentlyContinue
if ($usbstor) {
foreach ($device in $usbstor) {
Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
$instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
foreach ($instance in $instances) {
$props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
Write-Host " Serial: $($instance.PSChildName)"
Write-Host " Friendly Name: $($props.FriendlyName)"
Write-Host " Service: $($props.Service)"
Write-Host ""
}
}
} else {
Write-Host "No USB storage devices found." -ForegroundColor Gray
}
} catch {
Write-Host "Error accessing USBSTOR: $_" -ForegroundColor Red
}
Write-Host "`n=== USB Devices (USB) ===" -ForegroundColor Cyan
Write-Host "Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB`n"
try {
$usb = Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USB" -ErrorAction SilentlyContinue
if ($usb) {
foreach ($device in $usb) {
if ($device.PSChildName -match "VID_|vid_") {
Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
$instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
foreach ($instance in $instances) {
$props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
if ($props.DeviceDesc) {
Write-Host " Instance: $($instance.PSChildName)"
Write-Host " Description: $($props.DeviceDesc)"
Write-Host ""
}
}
}
}
}
} catch {
Write-Host "Error accessing USB: $_" -ForegroundColor Red
}
Write-Host "`n=== Mounted Devices ===" -ForegroundColor Cyan
Write-Host "Location: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`n"
try {
$mounted = Get-ItemProperty -Path "HKLM:\SYSTEM\MountedDevices" -ErrorAction SilentlyContinue
if ($mounted) {
$mounted.PSObject.Properties | Where-Object { $_.Name -notmatch "^PS" } | ForEach-Object {
Write-Host "Drive: $($_.Name)" -ForegroundColor Yellow
# Convert byte array to hex string for readability
if ($_.Value -is [byte[]]) {
$hexValue = ($_.Value | ForEach-Object { $_.ToString("X2") }) -join " "
Write-Host " Value: $hexValue"
} else {
Write-Host " Value: $($_.Value)"
}
Write-Host ""
}
}
} catch {
Write-Host "Error accessing MountedDevices: $_" -ForegroundColor Red
}
Write-Host "`n=== Portable Devices ===" -ForegroundColor Cyan
Write-Host "Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices`n"
try {
$portableDevices = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Portable Devices\Devices" -ErrorAction SilentlyContinue
if ($portableDevices) {
foreach ($device in $portableDevices) {
Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
$props = Get-ItemProperty -Path $device.PSPath -ErrorAction SilentlyContinue
Write-Host " Friendly Name: $($props.FriendlyName)"
Write-Host ""
}
} else {
Write-Host "No portable devices found." -ForegroundColor Gray
}
} catch {
Write-Host "Error accessing Portable Devices: $_" -ForegroundColor Red
}
Write-Host "`n=== Setup API Device Install Log (Last 20 USB entries) ===" -ForegroundColor Cyan
Write-Host "Location: C:\Windows\inf\setupapi.dev.log`n"
try {
$setupLog = "C:\Windows\inf\setupapi.dev.log"
if (Test-Path $setupLog) {
$usbEntries = Select-String -Path $setupLog -Pattern "USB" -Context 0,2 -ErrorAction SilentlyContinue | Select-Object -Last 20
foreach ($entry in $usbEntries) {
Write-Host $entry.Line -ForegroundColor Gray
}
} else {
Write-Host "Setup log not found." -ForegroundColor Gray
}
} catch {
Write-Host "Error accessing setup log: $_" -ForegroundColor Red
}
Write-Host "`n=== Current USB Devices (via WMI) ===" -ForegroundColor Cyan
try {
$wmiUSB = Get-WmiObject Win32_USBControllerDevice -ErrorAction SilentlyContinue | ForEach-Object {
[wmi]($_.Dependent)
} | Select-Object Description, DeviceID, Manufacturer | Where-Object { $_.Description -ne $null }
if ($wmiUSB) {
$wmiUSB | ForEach-Object {
Write-Host "Description: $($_.Description)" -ForegroundColor Yellow
Write-Host " Device ID: $($_.DeviceID)"
Write-Host " Manufacturer: $($_.Manufacturer)"
Write-Host ""
}
} else {
Write-Host "No USB devices currently connected." -ForegroundColor Gray
}
} catch {
Write-Host "Error accessing WMI: $_" -ForegroundColor Red
}
Write-Host "`n=== Script Complete ===" -ForegroundColor Green
Write-Host "Note: Run as Administrator for complete results.`n"