Add Windows forensic artifact collection toolkit

Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.

windows/Get-USBStorage.ps1

@@ -0,0 +1,26 @@
+# Get-USBStorage.ps1
+# Lists USB storage devices from USBSTOR registry key
+
+Write-Host "=== USB Storage Devices (USBSTOR) ===" -ForegroundColor Cyan
+Write-Host "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
+
+try {
+    $usbstor = Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR" -ErrorAction SilentlyContinue
+    if ($usbstor) {
+        foreach ($device in $usbstor) {
+            Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
+
+            $instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
+            foreach ($instance in $instances) {
+                $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
+                Write-Host "  Serial: $($instance.PSChildName)"
+                if ($props.FriendlyName) { Write-Host "  Name: $($props.FriendlyName)" }
+                Write-Host ""
+            }
+        }
+    } else {
+        Write-Host "No USB storage devices found." -ForegroundColor Gray
+    }
+} catch {
+    Write-Host "Error: $_" -ForegroundColor Red
+}