mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md change name to artif

Browse Source
This commit is contained in:
mnerv
2026-02-03 21:33:48 +01:00
parent 878d19f917
commit ca296447f3
1 changed files with 46 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
README.md
View File

@@ -1,6 +1,10 @@
# Forensic
# artif
Digital Forensics, hidden information logged in files and systems and operating systems.
Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.
## About
**artif** is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.
## Windows
@@ -19,14 +23,37 @@ Scripts located in `windows/` directory. Run as Administrator for full access.
- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)
#### User Activity Artifacts
- **Get-RecentDocs.ps1** - Recently opened documents per user
- **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU
- Supports `-ShowAll` or `-MaxPerType N` parameters
- Parses PIDL binary data to extract file paths
### Tools
#### System Information
- **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.)
- **Get-Users.ps1** - User account enumeration
- `-Mode simple` - Just usernames (default)
- `-Mode detailed` - Key info with last logon times
- `-Mode full` - Complete details including groups and SIDs
- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals.
- EnCase: Examines disk images for changes, mounted artifacts, and logs.
- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries.
- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts.
### Usage Examples
```powershell
# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1
# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed
```
### Third-Party Forensic Tools
- **Autopsy/The Sleuth Kit**: Analyzes file systems, MFT entries, timestamps, and journals
- **EnCase**: Examines disk images for changes, mounted artifacts, and logs
- **FTK (Forensic Toolkit)**: Scans for file modifications and USB-related registry entries
- **X-Ways Forensics**: Detailed hex-level analysis of drives and artifacts
- **Registry Explorer** (Eric Zimmerman): Advanced registry analysis with PIDL parsing
- **RegRipper**: Automated registry artifact extraction
### Registry Locations
@@ -39,9 +66,16 @@ Scripts located in `windows/` directory. Run as Administrator for full access.
#### Mounted Devices
`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`
#### Recent Documents
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
#### Recent Documents (OpenSavePidlMRU)
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
### Additional Resources
#### User Profiles
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`
See `TODO.md` for planned forensic artifacts and scripts.
## Roadmap
See `TODO.md` for planned forensic artifacts and scripts across Windows, Linux, and macOS.
## License
This project is for educational and authorized security research purposes only.