artif/TODO.md
mnerv ed0c1983b3 Add startup and persistence analysis tools
Add Get-AutoRun.ps1, Get-ScheduledTasks.ps1, and Get-Services.ps1
for analyzing auto-start programs and persistence mechanisms.

Get-AutoRun: Run/RunOnce keys, Startup folders, startup tasks
Get-ScheduledTasks: Detailed task analysis with filters
Get-Services: Service enumeration using WMI/CIM

Uses Get-CimInstance for reliable service enumeration, avoiding
Get-Service permission issues. Multiple filters and output modes.

Update TODO.md.
2026-02-03 22:39:35 +01:00

Forensic Artifacts TODO

Windows Forensic Scripts

Completed

  • USB Storage (USBSTOR)
  • Mounted Devices
  • USB Devices (VID/PID)
  • Portable Devices
  • Network Connection History
  • Hotspot Connections
  • Recent Documents (RecentDocs)
  • System Information (Get-Info.ps1)
  • User Accounts (Get-Users.ps1)
  • SSH sessions and known hosts

User Activity Artifacts

  • UserAssist - Programs run by user through Windows Explorer
  • ShimCache (AppCompatCache) - Executable files that have been run
  • AmCache - Program execution with file hashes and timestamps
  • Jump Lists - Recently accessed files per application
  • Prefetch files - Program execution history with run counts
  • BAM/DAM - Background Activity Moderator (program execution timestamps)

Browser & Search History

  • Browser history - Edge, Chrome, Firefox artifacts
  • Typed URLs - URLs manually typed in browsers
  • Search terms - Windows Search history (Get-SearchHistory.ps1)

File Access

  • LNK files - Shortcut files showing file access
  • Recycle Bin - Deleted files
  • Shell Bags - Folder access history

System Information

  • Computer name - System identification (Get-Info.ps1, winfetch.ps1)
  • Timezone - System timezone settings (Get-Info.ps1)
  • Last shutdown time (Get-Info.ps1 - shows Last Boot)
  • Installed programs - Software inventory
  • System uptime history (Get-Info.ps1, winfetch.ps1)

Persistence Mechanisms

  • Run/RunOnce keys - Programs that auto-start (Get-AutoRun.ps1)
  • Scheduled tasks (Get-ScheduledTasks.ps1)
  • Services (Get-Services.ps1)
  • Startup folder contents (Get-AutoRun.ps1)
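The four persistence locations above, collected in one pass as an added example (not one of the repository's own Get-AutoRun.ps1 / Get-Services.ps1 scripts), using Get-CimInstance for services as the commit message describes. It assumes a live host (so only the current user's HKCU is visible) and uses a "binary outside Windows or Program Files" heuristic of my own as a triage flag, not a verdict.

```powershell
# Added example, not one of the repository's own scripts. Walks the Run/RunOnce
# keys, Startup folders and services listed above and flags entries whose
# binary lives outside the Windows and Program Files trees for analyst review.
# Assumption: runs on the live host, so only the current user's HKCU is visible.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-UnusualPath {
    # True when the executable is outside a trusted root: a triage hint, not a verdict.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $cmd = $CommandLine.Trim()
    $exe = if ($cmd.StartsWith('"')) { ($cmd -split '"')[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}
$Entries = @(
    foreach ($key in $RunKeys) {                                  # Run/RunOnce values
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $MetaProps) { continue }              # provider metadata, not a value
            [PSCustomObject]@{ Source = 'RunKey'; Name = $p.Name; Command = $p.Value
                               Unusual = (Test-UnusualPath $p.Value); Where = $key }
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),   # per-user and all-users folders
                       [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName
                               Unusual = $true; Where = $dir }    # user-writable, always review
        }
    }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {   # CIM rather than Get-Service
        [PSCustomObject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName
                           Unusual = (Test-UnusualPath $_.PathName)
                           Where = "$($_.StartMode)/$($_.State)" }
    }
)
$Entries | Where-Object Unusual | Sort-Object Source, Name | Format-Table -AutoSize
```

Drop the `Where-Object Unusual` filter to see the full inventory; the flag only orders the review, since legitimate software does install to user-profile paths.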

Network Artifacts

  • DNS Cache
  • Network shares accessed
  • VPN connections
  • Remote Desktop connections

Developer & Security Artifacts

  • SSH sessions and known hosts
  • Git repositories and commit history
  • WSL (Windows Subsystem for Linux) artifacts
  • PowerShell history (ConsoleHost_history.txt)
  • Terminal/Command Prompt history
  • Docker containers and images
  • Virtual machines (VirtualBox, VMware, Hyper-V)
  • IDE recent projects (VS Code, Visual Studio, JetBrains)
  • Package manager caches (npm, pip, cargo, nuget)
  • Environment variables and PATH modifications
  • Installed development tools and SDKs
  • Code signing certificates
  • API keys and tokens in config files

Other Operating Systems

Linux

  • User login history
  • Command history (bash, zsh)
  • Systemd journal logs
  • Package installation history
  • Cron jobs
  • SSH keys and known hosts

macOS

  • Unified logs (log show)
  • LaunchAgents/LaunchDaemons
  • Spotlight metadata
  • FSEvents (file system events)
  • Login/logout history
  • Keychain artifacts