# artif

Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.

## About

**artif** is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.

## Windows

### PowerShell Forensic Scripts

Scripts are located in the `windows/` directory. Run as Administrator for full access.

#### Device & Storage Artifacts

- **Get-USBStorage.ps1** - USB storage devices from the USBSTOR registry key
- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices
- **Get-USBDevices.ps1** - All USB devices with VID/PID information
- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.)

#### Network Artifacts

- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin)
- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)

#### User Activity Artifacts

- **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU
  - Supports `-ShowAll` or `-MaxPerType N` parameters
  - Parses PIDL binary data to extract file paths

#### System Information

- **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.)
- **Get-Users.ps1** - User account enumeration
  - `-Mode simple` - Just usernames (default)
  - `-Mode detailed` - Key info with last logon times
  - `-Mode full` - Complete details including groups and SIDs

### Usage Examples

```powershell
# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1

# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed
```

### Third-Party Forensic Tools

- **Autopsy/The Sleuth Kit**: Analyzes file systems, MFT entries, timestamps, and journals
- **EnCase**: Examines disk images for changes, mounted artifacts, and logs
- **FTK (Forensic Toolkit)**: Scans for file modifications and USB-related registry entries
- **X-Ways Forensics**: Detailed hex-level analysis of drives and artifacts
- **Registry Explorer** (Eric Zimmerman): Advanced registry analysis with PIDL parsing
- **RegRipper**: Automated registry artifact extraction

### Registry Locations

#### USB Storage

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`

#### Network History

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`

#### Mounted Devices

`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`

#### Recent Documents (OpenSavePidlMRU)

`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`

#### User Profiles

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`

## Roadmap

See `TODO.md` for planned forensic artifacts and scripts across Windows, Linux, and macOS.

## License

This project is for educational and authorized security research purposes only.
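## Worked example: correlating USBSTOR with MountedDevices

The following is an added illustration of the kind of collection the USB Storage and Mounted Devices registry locations above support; it is not `Get-USBStorage.ps1` or any other script from this toolkit. It assumes an elevated PowerShell session on a live Windows host, and the function name `Get-UsbStorageArtifact` and its parameters are the example's own.

```powershell
# Added example (not part of artif): list USB storage devices from the USBSTOR
# key and correlate each device serial with MountedDevices entries, so an
# investigator can see which drive letters / volume GUIDs a device was mounted as.
function Get-UsbStorageArtifact {
    [CmdletBinding()]
    param(
        [string]$UsbStorPath        = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',
        [string]$MountedDevicesPath = 'HKLM:\SYSTEM\MountedDevices'
    )

    if (-not (Test-Path $UsbStorPath)) {
        Write-Warning "USBSTOR key not found: $UsbStorPath (run as Administrator?)"
        return
    }

    # MountedDevices values are REG_BINARY; for USB volumes the data is a
    # UTF-16LE device path that embeds the USBSTOR instance serial number.
    $mounted = @{}
    if (Test-Path $MountedDevicesPath) {
        $md = Get-Item $MountedDevicesPath
        foreach ($name in $md.GetValueNames()) {
            $bytes = $md.GetValue($name)
            if ($bytes -is [byte[]]) {
                $mounted[$name] = [System.Text.Encoding]::Unicode.GetString($bytes)
            }
        }
    }

    # Key layout: USBSTOR\<Disk&Ven_X&Prod_Y&Rev_Z>\<Serial&InstanceSuffix>
    foreach ($deviceClass in Get-ChildItem $UsbStorPath) {
        foreach ($instance in Get-ChildItem $deviceClass.PSPath) {
            $props  = Get-ItemProperty $instance.PSPath
            $serial = ($instance.PSChildName -split '&')[0]

            # MountedDevices entries whose decoded device path contains this serial
            $mounts = $mounted.GetEnumerator() |
                Where-Object { $_.Value -like "*$serial*" } |
                ForEach-Object { $_.Key }

            [PSCustomObject]@{
                DeviceId     = $deviceClass.PSChildName
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                ContainerId  = $props.ContainerID
                MountPoints  = ($mounts -join '; ')
            }
        }
    }
}

Get-UsbStorageArtifact | Format-Table -AutoSize
```

Devices that were connected but never assigned a volume (or whose MountedDevices entry was cleaned up) show an empty MountPoints column, which is itself a useful signal during triage.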