# Forensic Artifacts TODO

## Windows Forensic Scripts

### Completed

- [x] USB Storage (USBSTOR)
- [x] Mounted Devices
- [x] USB Devices (VID/PID)
- [x] Portable Devices
- [x] Network Connection History
- [x] Hotspot Connections
- [x] Recent Documents (RecentDocs)
- [x] System Information (Get-Info.ps1)
- [x] User Accounts (Get-Users.ps1)
- [x] SSH sessions and known hosts

### User Activity Artifacts

- [ ] UserAssist - Programs run by user through Windows Explorer
- [ ] ShimCache (AppCompatCache) - Executable files that have been run
- [ ] AmCache - Program execution with file hashes and timestamps
- [x] Jump Lists - Recently accessed files per application
- [ ] Prefetch files - Program execution history with run counts
- [ ] BAM/DAM - Background Activity Moderator (program execution timestamps)

### Browser & Search History

- [ ] Browser history - Edge, Chrome, Firefox artifacts
- [x] Typed URLs - URLs manually typed in browsers
- [x] Search terms - Windows Search history (Get-SearchHistory.ps1)

### File Access

- [ ] LNK files - Shortcut files showing file access
- [ ] Recycle Bin - Deleted files
- [ ] Shell Bags - Folder access history

### System Information

- [x] Computer name - System identification (Get-Info.ps1, winfetch.ps1)
- [x] Timezone - System timezone settings (Get-Info.ps1)
- [x] Last shutdown time (Get-Info.ps1 - shows Last Boot)
- [ ] Installed programs - Software inventory
- [x] System uptime history (Get-Info.ps1, winfetch.ps1)

### Persistence Mechanisms

- [x] Run/RunOnce keys - Programs that auto-start (Get-AutoRun.ps1)
- [x] Scheduled tasks (Get-ScheduledTasks.ps1)
- [x] Services (Get-Services.ps1)
- [x] Startup folder contents (Get-AutoRun.ps1)

### Network Artifacts

- [ ] DNS Cache
- [ ] Network shares accessed
- [ ] VPN connections
- [ ] Remote Desktop connections

### Developer & Security Artifacts

- [x] SSH sessions and known hosts
- [ ] Git repositories and commit history
- [ ] WSL (Windows Subsystem for Linux) artifacts
- [ ] PowerShell history (ConsoleHost_history.txt)
- [ ] Terminal/Command Prompt history
- [ ] Docker containers and images
- [ ] Virtual machines (VirtualBox, VMware, Hyper-V)
- [ ] IDE recent projects (VS Code, Visual Studio, JetBrains)
- [ ] Package manager caches (npm, pip, cargo, nuget)
- [ ] Environment variables and PATH modifications
- [ ] Installed development tools and SDKs
- [ ] Code signing certificates
- [ ] API keys and tokens in config files

## Other Operating Systems

### Linux

- [ ] User login history
- [ ] Command history (bash, zsh)
- [ ] Systemd journal logs
- [ ] Package installation history
- [ ] Cron jobs
- [ ] SSH keys and known hosts

### macOS

- [ ] Unified logs (log show)
- [ ] LaunchAgents/LaunchDaemons
- [ ] Spotlight metadata
- [ ] FSEvents (file system events)
- [ ] Login/logout history
- [ ] Keychain artifacts