artif

Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.

Built with my good friend Claude - digging through the digital past, one artifact at a time. 🔍

About

artif is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.

Windows

PowerShell Forensic Scripts

Scripts are located in the windows/ directory. Run them as Administrator for full access to the registry hives listed below.

Device & Storage Artifacts

  • Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
  • Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
  • Get-USBDevices.ps1 - All USB devices with VID/PID information
  • Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)

Network Artifacts

  • Get-NetworkHistory.ps1 - Network connection history and profiles (requires admin)
  • Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)

User Activity Artifacts

  • Get-RecentDocs.ps1 - Recently opened documents from OpenSavePidlMRU
    • Supports -ShowAll or -MaxPerType N parameters
    • Parses PIDL binary data to extract file paths
  • Get-JumpLists.ps1 - Jump List artifacts per application
    • Shows automatic/custom destinations and recent LNK files
    • Smart app detection via content analysis
    • Supports -ShowAll or -MaxPerApp N parameters
  • Get-TypedURLs.ps1 - Manually typed URLs from browsers
    • IE (registry), Edge, Chrome, Chromium, Firefox
    • Shows typed counts and visit frequencies
    • Supports all browser profiles automatically
    • Requires sqlite3.exe for Chromium-based browsers

System Information

  • Get-Info.ps1 - Comprehensive system information (user, OS, network, disk, etc.)
  • Get-Users.ps1 - User account enumeration
    • -Mode simple - Just usernames (default)
    • -Mode detailed - Key info with last logon times
    • -Mode full - Complete details including groups and SIDs
  • winfetch.ps1 - System info display with ASCII art (fastfetch-inspired)
    • Windows 11 logo with ANSI colors
    • -Logo small for compact output

Developer & Security Artifacts

  • Get-SSHArtifacts.ps1 - SSH forensic artifacts
    • Known hosts with connection counts
    • SSH config, keys, authorized_keys
    • PuTTY sessions and OpenSSH server logs
    • Supports -ShowKeys to display public key contents

Usage Examples

# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1

# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed

Third-Party Forensic Tools

  • Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals
  • EnCase: Examines disk images for changes, mounted artifacts, and logs
  • FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries
  • X-Ways Forensics: Detailed hex-level analysis of drives and artifacts
  • Registry Explorer (Eric Zimmerman): Advanced registry analysis with PIDL parsing
  • RegRipper: Automated registry artifact extraction

Registry Locations

USB Storage

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Network History

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
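The Profiles key above stores one subkey per network the host has joined. As an added example (not code from the artif project), the snippet below lists those profiles and decodes the DateCreated and DateLastConnected values, which Windows stores as 16-byte SYSTEMTIME structures rather than FILETIMEs. The NameType mapping (6 wired, 23 VPN, 71 wireless) and the field layout of SYSTEMTIME are standard Windows definitions; the function name ConvertFrom-SystemTime is chosen here. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the artif project: list NetworkList profiles with
# their creation and last-connected timestamps decoded from REG_BINARY SYSTEMTIME.
$profilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'

# SYSTEMTIME is eight little-endian UInt16 fields: year, month, day-of-week, day,
# hour, minute, second, millisecond. Day-of-week (offset 4) is derived, so it is skipped.
# The value is returned as stored; no time-zone conversion is applied.
function ConvertFrom-SystemTime {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $year  = [BitConverter]::ToUInt16($Bytes, 0)
    $month = [BitConverter]::ToUInt16($Bytes, 2)
    $day   = [BitConverter]::ToUInt16($Bytes, 6)
    $hour  = [BitConverter]::ToUInt16($Bytes, 8)
    $min   = [BitConverter]::ToUInt16($Bytes, 10)
    $sec   = [BitConverter]::ToUInt16($Bytes, 12)
    $ms    = [BitConverter]::ToUInt16($Bytes, 14)
    # An all-zero or malformed value (never connected) yields $null instead of an exception
    try { [datetime]::new($year, $month, $day, $hour, $min, $sec, $ms) } catch { $null }
}

# NameType values Windows assigns to a profile
$nameTypes = @{ 6 = 'Wired'; 23 = 'VPN'; 71 = 'Wireless' }

Get-ChildItem -Path $profilesKey -ErrorAction Stop | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    $typeId = [int]$p.NameType
    [PSCustomObject]@{
        ProfileName   = $p.ProfileName
        Description   = $p.Description
        Type          = if ($nameTypes.ContainsKey($typeId)) { $nameTypes[$typeId] } else { "Unknown($typeId)" }
        Created       = ConvertFrom-SystemTime $p.DateCreated
        LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
        ProfileGuid   = $_.PSChildName
    }
} | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

Sorting on LastConnected puts the most recently used networks first, which is usually the question an investigator is asking; the matching SSID-to-interface details live under the neighbouring NetworkList\Signatures keys and are not read here.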

Mounted Devices

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
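USBSTOR records which removable disks were ever attached, while MountedDevices records which drive letter a volume received. The added example below (not code from the artif project) joins the two: it decodes the REG_BINARY values under MountedDevices, which for USB volumes hold the device instance path as a UTF-16LE string, and matches the serial number embedded in that path against the USBSTOR instance keys. Fixed-disk entries hold a short MBR/GPT signature instead of text and are skipped by the length check. Vendor, product and revision are parsed from the USBSTOR key name, whose Disk&Ven_X&Prod_Y&Rev_Z form is Windows' own naming; everything else is a local variable chosen here. Run it elevated.

```powershell
# Added example, not part of the artif project: correlate USBSTOR devices with the
# drive letters recorded in HKLM\SYSTEM\MountedDevices.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$mountedKey = 'HKLM:\SYSTEM\MountedDevices'

# Decode MountedDevices once. Only \DosDevices\X: names carry a drive letter; the
# \??\Volume{guid} names are volume aliases and are not needed for the join.
$driveLetters = @{}
$mountedItem = Get-Item -Path $mountedKey
foreach ($name in $mountedItem.GetValueNames()) {
    if ($name -notlike '\DosDevices\*') { continue }
    $bytes = [byte[]]$mountedItem.GetValue($name)
    # 12-byte MBR and 24-byte GPT signatures are not text; USB device paths are far longer
    if ($bytes.Length -lt 32) { continue }
    $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    if ($text -match 'USBSTOR#') {
        $driveLetters[$name.Substring('\DosDevices\'.Length)] = $text
    }
}

$results = foreach ($device in Get-ChildItem -Path $usbstorKey -ErrorAction SilentlyContinue) {
    # Key name has the form Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
    $parts = @{}
    foreach ($segment in ($device.PSChildName -split '&')) {
        if ($segment -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
    }
    # Each child key is one physical unit, named by its serial number plus an "&0" suffix
    foreach ($instance in Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue) {
        $serial = $instance.PSChildName
        $props  = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
        # The same serial appears between '#' delimiters in the MountedDevices path
        $letters = $driveLetters.GetEnumerator() |
            Where-Object { $_.Value -like "*#$serial#*" } |
            ForEach-Object { $_.Key }
        [PSCustomObject]@{
            Vendor       = $parts['Ven']
            Product      = $parts['Prod']
            Revision     = $parts['Rev']
            Serial       = $serial
            FriendlyName = $props.FriendlyName
            DriveLetters = ($letters -join ', ')
        }
    }
}

$results | Sort-Object Vendor, Product | Format-Table -AutoSize
```

A device with an empty DriveLetters column was enumerated by the USB stack but its volume was never assigned a letter, or the letter was later reused by another volume; in that case the \??\Volume{guid} entries and the user's MountPoints2 key are the next places to look.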

Recent Documents (OpenSavePidlMRU)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

User Profiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Roadmap

See TODO.md for planned forensic artifacts and scripts across Windows, Linux, and macOS.

License

This project is for educational and authorized security research purposes only.
