Add PowerShell scripts for collecting forensic artifacts: - USB/storage devices, mounted drives, portable devices - Network history and hotspot connections - Recent documents (OpenSavePidlMRU with PIDL parsing) - System info and user enumeration with multiple output modes Includes TODO.md for planned artifacts and updated README.
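# Get-USBDevices.ps1
# Lists all USB devices with vendor/product IDs, plus the per-instance ID of each
# physical device seen under that model.
#
# Source: the live HKLM\SYSTEM\CurrentControlSet\Enum\USB key. Each VID_xxxx&PID_xxxx
# subkey is a device model; each subkey beneath it is one enumerated instance, named
# by its instance ID. When the device reports a USB serial number that serial is the
# instance ID; an instance ID whose second character is '&' was generated by Windows
# because the device reported none (NOTE(review): standard USB enumeration behaviour,
# but confirm on the target build before relying on it as evidence).
#
# Caveats for forensic use:
#   - CurrentControlSet is a link to the active ControlSet00N; other control sets are
#     not examined, and an offline hive is not supported by this path.
#   - Unreadable keys are skipped silently (-ErrorAction SilentlyContinue), so a
#     device missing from the output is not proof of absence. Rerun elevated to rule
#     out ACL effects before drawing that conclusion.
#   - Output goes to the host console via Write-Host and cannot be piped or
#     redirected; capture it with Start-Transcript if a record is needed.

Write-Host "`n=== USB Devices ===" -ForegroundColor Cyan
Write-Host "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB`n"

try {
    $usbRoot = "HKLM:\SYSTEM\CurrentControlSet\Enum\USB"
    $usb = Get-ChildItem -Path $usbRoot -ErrorAction SilentlyContinue

    if (-not $usb) {
        # Say so explicitly: an empty section is otherwise indistinguishable from a
        # collection failure (key absent, unreadable, or never populated).
        Write-Host "No USB device keys found (or key not readable)." -ForegroundColor DarkGray
    }

    foreach ($device in $usb) {
        # -match is case-insensitive in PowerShell, so one VID_ pattern covers both cases.
        if ($device.PSChildName -notmatch 'VID_') { continue }

        $instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
        $hasDevice = $false

        foreach ($instance in $instances) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            # Skip instances whose key could not be read or that carry no DeviceDesc.
            if (-not $props -or -not $props.DeviceDesc) { continue }

            # Print the VID/PID header once, only if at least one instance is shown.
            if (-not $hasDevice) {
                Write-Host "$($device.PSChildName)" -ForegroundColor Yellow
                $hasDevice = $true
            }

            # DeviceDesc is commonly "@driver.inf,%resource%;Display text"; keep the
            # text after the first ';' when present, otherwise use the raw value.
            $desc = $props.DeviceDesc
            if ($desc -match ';(.+)$') {
                $desc = $matches[1]
            }

            Write-Host "  $desc"
            # The instance ID is what distinguishes two devices of the same model and
            # is the value to correlate with USBSTOR, MountedDevices and setupapi.dev.log.
            Write-Host "    Instance: $($instance.PSChildName)"
        }

        if ($hasDevice) { Write-Host "" }
    }
} catch {
    Write-Host "Error: $_" -ForegroundColor Red
}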