Add Windows forensic artifact collection toolkit

Add PowerShell scripts for collecting forensic artifacts: - USB/storage devices, mounted drives, portable devices - Network history and hotspot connections - Recent documents (OpenSavePidlMRU with PIDL parsing) - System info and user enumeration with multiple output modes Includes TODO.md for planned artifacts and updated README.
2026-02-03 21:31:39 +01:00
parent dc8a848373
commit 878d19f917
11 changed files with 895 additions and 0 deletions
--- a/windows/Get-Users.ps1
+++ b/windows/Get-Users.ps1
@@ -0,0 +1,174 @@
+# Get-Users.ps1
+# Lists all users on the system with detailed information
+
+param(
+    [Parameter(Position=0)]
+    [ValidateSet("simple", "detailed", "full")]
+    [string]$Mode = "simple"
+)
+
+Write-Host "=== System Users ===" -ForegroundColor Cyan
+
+if ($Mode -eq "simple") {
+    Write-Host "Mode: Simple (use -Mode detailed or -Mode full for more info)`n" -ForegroundColor Yellow
+} elseif ($Mode -eq "detailed") {
+    Write-Host "Mode: Detailed`n" -ForegroundColor Yellow
+} else {
+    Write-Host "Mode: Full`n" -ForegroundColor Yellow
+}
+
+# Local Users
+Write-Host "--- Local User Accounts ---" -ForegroundColor Yellow
+try {
+    $localUsers = Get-LocalUser
+
+    if ($Mode -eq "simple") {
+        # Simple mode: just list usernames
+        foreach ($user in $localUsers) {
+            $status = if ($user.Enabled) { "" } else { " (Disabled)" }
+            Write-Host "$($user.Name)$status" -ForegroundColor Green
+        }
+
+    } elseif ($Mode -eq "detailed") {
+        # Detailed mode: username, enabled status, last logon
+        foreach ($user in $localUsers) {
+            Write-Host "`n$($user.Name)" -ForegroundColor Green
+            Write-Host "  Enabled: $($user.Enabled)" -ForegroundColor Cyan
+            Write-Host "  Last Logon: $(if ($user.LastLogon) { $user.LastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
+            Write-Host "  Password Last Set: $(if ($user.PasswordLastSet) { $user.PasswordLastSet.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
+        }
+
+    } else {
+        # Full mode: all details
+        foreach ($user in $localUsers) {
+            Write-Host "`nUsername: $($user.Name)" -ForegroundColor Green
+            Write-Host "  Full Name: $($user.FullName)" -ForegroundColor Cyan
+            Write-Host "  Description: $($user.Description)" -ForegroundColor Cyan
+            Write-Host "  Enabled: $($user.Enabled)" -ForegroundColor Cyan
+            Write-Host "  Account Expires: $(if ($user.AccountExpires) { $user.AccountExpires } else { 'Never' })" -ForegroundColor Cyan
+            Write-Host "  Password Last Set: $(if ($user.PasswordLastSet) { $user.PasswordLastSet.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
+            Write-Host "  Password Expires: $(if ($user.PasswordExpires) { $user.PasswordExpires } else { 'Never' })" -ForegroundColor Cyan
+            Write-Host "  Last Logon: $(if ($user.LastLogon) { $user.LastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
+            Write-Host "  Password Required: $($user.PasswordRequired)" -ForegroundColor Cyan
+            Write-Host "  User May Change Password: $($user.UserMayChangePassword)" -ForegroundColor Cyan
+            Write-Host "  SID: $($user.SID)" -ForegroundColor Gray
+        }
+    }
+
+    Write-Host "`nTotal Local Users: $($localUsers.Count)" -ForegroundColor Green
+
+} catch {
+    Write-Host "Error getting local users: $_" -ForegroundColor Red
+}
+
+# Only show profile paths in detailed and full modes
+if ($Mode -ne "simple") {
+    Write-Host "`n--- User Profiles (from Registry) ---" -ForegroundColor Yellow
+    try {
+        $profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
+
+        if (Test-Path $profileListPath) {
+            $profiles = Get-ChildItem -Path $profileListPath -ErrorAction SilentlyContinue
+
+            foreach ($profile in $profiles) {
+                $props = Get-ItemProperty -Path $profile.PSPath -ErrorAction SilentlyContinue
+
+                if ($props.ProfileImagePath) {
+                    $sid = $profile.PSChildName
+
+                    # Try to resolve SID to username
+                    try {
+                        $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
+                        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
+                        $username = $objUser.Value
+                    } catch {
+                        $username = "Unknown"
+                    }
+
+                    Write-Host "`n$username" -ForegroundColor Green
+                    Write-Host "  Profile Path: $($props.ProfileImagePath)" -ForegroundColor Cyan
+
+                    if ($Mode -eq "full") {
+                        Write-Host "  SID: $sid" -ForegroundColor Gray
+
+                        if ($props.LocalProfileLoadTimeHigh -and $props.LocalProfileLoadTimeLow) {
+                            $loadTime = [DateTime]::FromFileTime(([Int64]$props.LocalProfileLoadTimeHigh -shl 32) -bor $props.LocalProfileLoadTimeLow)
+                            Write-Host "  Profile Load Time: $($loadTime.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan
+                        }
+                    }
+                }
+            }
+        }
+    } catch {
+        Write-Host "Error reading profile list: $_" -ForegroundColor Red
+    }
+}
+
+# Currently Logged In Users
+Write-Host "`n--- Currently Logged In Users ---" -ForegroundColor Yellow
+try {
+    $loggedInUsers = quser 2>$null
+
+    if ($loggedInUsers) {
+        $loggedInUsers | ForEach-Object {
+            Write-Host $_ -ForegroundColor Green
+        }
+    } else {
+        # Alternative method using WMI
+        $sessions = Get-CimInstance -ClassName Win32_ComputerSystem
+        if ($sessions.UserName) {
+            Write-Host "$($sessions.UserName)" -ForegroundColor Green
+        } else {
+            Write-Host "No users currently logged in" -ForegroundColor Gray
+        }
+    }
+} catch {
+    Write-Host "Error getting logged in users: $_" -ForegroundColor Red
+}
+
+# Only show groups in full mode
+if ($Mode -eq "full") {
+    Write-Host "`n--- Local Groups ---" -ForegroundColor Yellow
+    try {
+        $groups = Get-LocalGroup
+
+        foreach ($group in $groups) {
+            Write-Host "`n$($group.Name)" -ForegroundColor Green
+            Write-Host "  Description: $($group.Description)" -ForegroundColor Cyan
+            Write-Host "  SID: $($group.SID)" -ForegroundColor Gray
+
+            # Get group members
+            try {
+                $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
+                if ($members) {
+                    Write-Host "  Members:" -ForegroundColor Cyan
+                    foreach ($member in $members) {
+                        Write-Host "    - $($member.Name) ($($member.ObjectClass))" -ForegroundColor Yellow
+                    }
+                } else {
+                    Write-Host "  Members: None" -ForegroundColor Gray
+                }
+            } catch {
+                Write-Host "  Members: Unable to retrieve" -ForegroundColor Gray
+            }
+        }
+    } catch {
+        Write-Host "Error getting local groups: $_" -ForegroundColor Red
+    }
+}
+
+# Summary
+if ($Mode -ne "simple") {
+    Write-Host "`n=== Summary ===" -ForegroundColor Cyan
+    try {
+        $enabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq $true }).Count
+        $disabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq $false }).Count
+        $totalGroups = (Get-LocalGroup).Count
+
+        Write-Host "Enabled Users: $enabledUsers" -ForegroundColor Green
+        Write-Host "Disabled Users: $disabledUsers" -ForegroundColor Green
+        Write-Host "Total Groups: $totalGroups" -ForegroundColor Green
+    } catch {
+        Write-Host "Error generating summary" -ForegroundColor Red
+    }
+}