# Forensic

Digital forensics: hidden information logged in files, systems, and operating systems.

## Windows

### PowerShell Forensic Scripts

Scripts are located in the `windows/` directory. Run as Administrator for full access.

#### Device & Storage Artifacts

- **Get-USBStorage.ps1** - USB storage devices from the USBSTOR registry key
- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices
- **Get-USBDevices.ps1** - All USB devices with VID/PID information
- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.)

#### Network Artifacts

- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin)
- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)

#### User Activity Artifacts

- **Get-RecentDocs.ps1** - Recently opened documents per user

### Tools

- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals.
- EnCase: Examines disk images for changes, mounted artifacts, and logs.
- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries.
- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts.

### Registry Locations

#### USB Storage

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`

#### Network History

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`

#### Mounted Devices

`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`

#### Recent Documents

`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`

### Additional Resources

See `TODO.md` for planned forensic artifacts and scripts.
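
The USB Storage key listed under Registry Locations encodes vendor, product, and revision in each device-class subkey name, with one instance subkey per physical device. The function below is an added example, not the repository's `Get-USBStorage.ps1`; the name `Get-UsbStorEntry` and the output field names are hypothetical.

```powershell
# Added example: not the repository's Get-USBStorage.ps1.
# Reads the USBSTOR key and emits one object per device instance.
function Get-UsbStorEntry {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "No USBSTOR key at $Root (no USB storage recorded)."
        return
    }

    foreach ($class in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # Device-class key name: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        # Split each part on the first '_' only, since product names may contain '_'.
        $fields = @{}
        foreach ($part in $class.PSChildName -split '&') {
            $name, $value = $part -split '_', 2
            if ($value) { $fields[$name] = $value }
        }

        foreach ($instance in Get-ChildItem -LiteralPath $class.PSPath -ErrorAction SilentlyContinue) {
            $id    = $instance.PSChildName
            $props = Get-ItemProperty -LiteralPath $instance.PSPath -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Vendor       = $fields['Ven']
                Product      = $fields['Prod']
                Revision     = $fields['Rev']
                InstanceId   = $id
                # '&' as the second character means Windows generated the ID
                # because the device reported no unique serial number.
                UniqueSerial = -not ($id.Length -gt 1 -and $id[1] -eq '&')
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Get-UsbStorEntry | Sort-Object Vendor, Product | Format-Table -AutoSize
```

Rows with `UniqueSerial` set to `False` cannot be tied to one physical device across hosts, so correlate those on other artifacts such as the `MountedDevices` key.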