mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
878d19f9173282d0075db3803e8f8be64a5ac84c
artif/TODO.md
mnerv 878d19f917 Add Windows forensic artifact collection toolkit 
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
2026-02-03 21:31:39 +01:00

68 lines
1.9 KiB
Markdown
Raw Blame History

# Forensic Artifacts TODO
## Windows Forensic Scripts
### Completed
- [x] USB Storage (USBSTOR)
- [x] Mounted Devices
- [x] USB Devices (VID/PID)
- [x] Portable Devices
- [x] Network Connection History
- [x] Hotspot Connections
- [x] Recent Documents (RecentDocs)
### User Activity Artifacts
- [ ] UserAssist - Programs run by user through Windows Explorer
- [ ] ShimCache (AppCompatCache) - Executable files that have been run
- [ ] AmCache - Program execution with file hashes and timestamps
- [ ] Jump Lists - Recently accessed files per application
- [ ] Prefetch files - Program execution history with run counts
- [ ] BAM/DAM - Background Activity Moderator (program execution timestamps)
### Browser & Search History
- [ ] Browser history - Edge, Chrome, Firefox artifacts
- [ ] Typed URLs - URLs manually typed in browsers
- [ ] Search terms - Windows Search history
### File Access
- [ ] LNK files - Shortcut files showing file access
- [ ] Recycle Bin - Deleted files
- [ ] Shell Bags - Folder access history
### System Information
- [ ] Computer name - System identification
- [ ] Timezone - System timezone settings
- [ ] Last shutdown time
- [ ] Installed programs - Software inventory
- [ ] System uptime history
### Persistence Mechanisms
- [ ] Run/RunOnce keys - Programs that auto-start
- [ ] Scheduled tasks
- [ ] Services
- [ ] Startup folder contents
### Network Artifacts
- [ ] DNS Cache
- [ ] Network shares accessed
- [ ] VPN connections
- [ ] Remote Desktop connections
## Other Operating Systems
### Linux
- [ ] User login history
- [ ] Command history (bash, zsh)
- [ ] Systemd journal logs
- [ ] Package installation history
- [ ] Cron jobs
- [ ] SSH keys and known hosts
### macOS
- [ ] Unified logs (log show)
- [ ] LaunchAgents/LaunchDaemons
- [ ] Spotlight metadata
- [ ] FSEvents (file system events)
- [ ] Login/logout history
- [ ] Keychain artifacts
Reference in New Issue View Git Blame Copy Permalink