commit dc8a8483736c2f224943f5357bee712084da6a32 Author: mnerv <24420859+mnerv@users.noreply.github.com> Date: Tue Feb 3 21:31:05 2026 +0100 Initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e622d90 --- /dev/null +++ b/.gitignore @@ -0,0 +1,11 @@ +# editor configs +.claude +.zed +.vscode + +# macOS +.DS_Store +.Trash + +# Windows +Thumbs.db diff --git a/README.md b/README.md new file mode 100644 index 0000000..0940d66 --- /dev/null +++ b/README.md 
@@ -0,0 +1,47 @@ +# Forensic + +Digital Forensics, hidden information logged in files and systems and operating systems. + +## Windows + +### PowerShell Forensic Scripts + +Scripts located in `windows/` directory. Run as Administrator for full access. + +#### Device & Storage Artifacts +- **Get-USBStorage.ps1** - USB storage devices from USBSTOR registry key +- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices +- **Get-USBDevices.ps1** - All USB devices with VID/PID information +- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.) + +#### Network Artifacts +- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin) +- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin) + +#### User Activity Artifacts +- **Get-RecentDocs.ps1** - Recently opened documents per user + +### Tools + +- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals. +- EnCase: Examines disk images for changes, mounted artifacts, and logs. +- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries. +- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts. + +### Registry Locations + +#### USB Storage +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR` + +#### Network History +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles` + +#### Mounted Devices +`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices` + +#### Recent Documents +`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` + +### Additional Resources + +See `TODO.md` for planned forensic artifacts and scripts.
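Review bot: in the `.gitignore` hunk, `.Trash` under the macOS block will not match the stray folder macOS actually leaves on a checked-out volume, which is `.Trashes`, and the AppleDouble sidecar files (`._*`) are the other common macOS leftover that is not covered. Suggest replacing `.Trash` with `.Trashes` and adding `._*`, and adding `desktop.ini` next to `Thumbs.db` in the Windows block. Ignoring all of `.vscode` also drops any workspace settings the repo might want to share; if that is intended, fine, otherwise ignore `.vscode/*` and re-include the files you want tracked with a `!` rule.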
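Review bot: in the `README.md` hunk, the "PowerShell Forensic Scripts" section documents scripts in `windows/` (Get-USBStorage.ps1 through Get-RecentDocs.ps1) and "Additional Resources" points to `TODO.md`, but this commit adds only `.gitignore` and `README.md`, so every path the README refers to is dangling; either add the scripts and `TODO.md` in this commit or label the list as planned. Two smaller points: the "Recent Documents" location is given as `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, which only covers the account running the script, while Get-RecentDocs.ps1 is described as "Recently opened documents per user"; for other accounts the same subkey has to be read under `HKEY_USERS\<SID>\Software\...` for loaded profiles or from each profile's `NTUSER.DAT` hive, and the README should say which of these the script does. And the opening line "Digital Forensics, hidden information logged in files and systems and operating systems." is not a sentence; something like "Digital forensics: scripts and notes on the artifacts that files, applications and operating systems leave behind." reads better.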