artif

Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.

Built with my good friend Claude - digging through the digital past, one artifact at a time. 🔍

About

artif is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.

Windows

PowerShell Forensic Scripts

Scripts are located in the windows/ directory. Run them as Administrator for full access.

Device & Storage Artifacts

  • Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
  • Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
  • Get-USBDevices.ps1 - All USB devices with VID/PID information
  • Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)

Network Artifacts

  • Get-NetworkHistory.ps1 - Network connection history and profiles (requires admin)
  • Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)

User Activity Artifacts

  • Get-RecentDocs.ps1 - Recently opened documents from OpenSavePidlMRU
    • Supports -ShowAll or -MaxPerType N parameters
    • Parses PIDL binary data to extract file paths

System Information

  • Get-Info.ps1 - Comprehensive system information (user, OS, network, disk, etc.)
  • Get-Users.ps1 - User account enumeration
    • -Mode simple - Just usernames (default)
    • -Mode detailed - Key info with last logon times
    • -Mode full - Complete details including groups and SIDs

Usage Examples

# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1

# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed

Third-Party Forensic Tools

  • Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals
  • EnCase: Examines disk images for changes, mounted artifacts, and logs
  • FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries
  • X-Ways Forensics: Detailed hex-level analysis of drives and artifacts
  • Registry Explorer (Eric Zimmerman): Advanced registry analysis with PIDL parsing
  • RegRipper: Automated registry artifact extraction

Registry Locations

USB Storage

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Network History

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Mounted Devices

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Recent Documents (OpenSavePidlMRU)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

User Profiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
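As an added example (not one of the artif scripts), the following PowerShell decodes the profile entries under the Network History key listed above. The DateCreated and DateLastConnected values are stored as REG_BINARY 16-byte SYSTEMTIME structures, which is why a raw registry view shows them only as bytes; the function and property names below are this example's own.

```powershell
# Added example, not part of artif: decode NetworkList profile timestamps.
# DateCreated / DateLastConnected are REG_BINARY Windows SYSTEMTIME structures:
# eight little-endian UInt16 fields, 16 bytes in total.
function ConvertFrom-SystemTimeBytes {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    # Field order: Year, Month, DayOfWeek, Day, Hour, Minute, Second, Milliseconds
    $f = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    try {
        # DayOfWeek ($f[2]) is redundant with the date, so it is skipped.
        [datetime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6], $f[7])
    } catch {
        # Zeroed or malformed structure (e.g. year 0): report as unknown.
        $null
    }
}

function Get-NetworkProfileHistory {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ProfileGuid       = $_.PSChildName
            ProfileName       = $p.ProfileName
            Description       = $p.Description
            # NameType: 6 = wired, 71 (0x47) = wireless; other values mark other media
            NameType          = $p.NameType
            DateCreated       = ConvertFrom-SystemTimeBytes $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTimeBytes $p.DateLastConnected
        }
    } | Sort-Object DateLastConnected -Descending
}

# Most recently connected networks first
Get-NetworkProfileHistory | Format-Table -AutoSize
```

The decoded timestamps are local time as recorded by the system at connection time, so compare them against the machine's time zone settings rather than treating them as UTC.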

Roadmap

See TODO.md for planned forensic artifacts and scripts across Windows, Linux, and macOS.

License

This project is for educational and authorized security research purposes only.
