Inital commit

.gitignore

@@ -0,0 +1,11 @@
+# editor configs
+.claude
+.zed
+.vscode
+
+# macOS
+.DS_Store
+.Trash
+
+# Windows
+Thumbs.db

README.md

@@ -0,0 +1,47 @@
+# Forensic
+
+Digital Forensics, hidden information logged in files and systems and operating systems.
+
+## Windows
+
+### PowerShell Forensic Scripts
+
+Scripts located in `windows/` directory. Run as Administrator for full access.
+
+#### Device & Storage Artifacts
+- **Get-USBStorage.ps1** - USB storage devices from USBSTOR registry key
+- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices
+- **Get-USBDevices.ps1** - All USB devices with VID/PID information
+- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.)
+
+#### Network Artifacts
+- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin)
+- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)
+
+#### User Activity Artifacts
+- **Get-RecentDocs.ps1** - Recently opened documents per user
+
+### Tools
+
+- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals.
+- EnCase: Examines disk images for changes, mounted artifacts, and logs.
+- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries.
+- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts.
+
+### Registry Locations
+
+#### USB Storage
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`
+
+#### Network History
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`
+
+#### Mounted Devices
+`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`
+
+#### Recent Documents
+`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
+
+### Additional Resources
+
+See `TODO.md` for planned forensic artifacts and scripts.