878d19f9173282d0075db3803e8f8be64a5ac84c
Add PowerShell scripts for collecting forensic artifacts:
- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
Forensic
Digital forensics: recovering hidden information logged in files, systems and operating systems.
Windows
PowerShell Forensic Scripts
Scripts located in windows/ directory. Run as Administrator for full access.
Device & Storage Artifacts
- Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
- Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
- Get-USBDevices.ps1 - All USB devices with VID/PID information
- Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)
Network Artifacts
- Get-NetworkHistory.ps1 - Network connection history and profiles (requires admin)
- Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)
User Activity Artifacts
- Get-RecentDocs.ps1 - Recently opened documents per user
Tools
- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals.
- EnCase: Examines disk images for changes, mounted artifacts, and logs.
- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries.
- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts.
Registry Locations
USB Storage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Network History
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Mounted Devices
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Recent Documents
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
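As an added example that is not one of this repository's scripts: one PowerShell snippet that reads the four registry locations above and normalises what it finds into a single object shape (Artifact, Name, Detail, When) for triage. The function names and output fields are my own choices; the binary layouts it decodes (the 16-byte SYSTEMTIME in NetworkList profiles, the MBR, GPT and device-path forms in MountedDevices, the UInt32 index list in RecentDocs\MRUListEx) are the well-known on-disk formats. Run it elevated, and note that HKCU reflects only the account running the script.

```powershell
# Added example, not part of the repository: read the four registry
# artifact locations listed above and return uniform objects for triage.
# Run elevated; USBSTOR and MountedDevices are only fully readable as admin.

function ConvertFrom-SystemTime {
    # NetworkList profiles store DateCreated/DateLastConnected as a 16-byte
    # SYSTEMTIME: little-endian UInt16 year, month, dayofweek, day, hour, min, sec, ms.
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    try {
        [datetime]::new(
            [BitConverter]::ToUInt16($Bytes, 0),  [BitConverter]::ToUInt16($Bytes, 2),
            [BitConverter]::ToUInt16($Bytes, 6),  [BitConverter]::ToUInt16($Bytes, 8),
            [BitConverter]::ToUInt16($Bytes, 10), [BitConverter]::ToUInt16($Bytes, 12))
    } catch { $null }
}

function Get-UsbStorArtifacts {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return }
    foreach ($class in Get-ChildItem $base) {              # Disk&Ven_X&Prod_Y&Rev_Z
        foreach ($inst in Get-ChildItem $class.PSPath) {    # instance id, usually the serial
            $p = Get-ItemProperty $inst.PSPath
            [pscustomobject]@{
                Artifact = 'USBSTOR'; Name = $p.FriendlyName
                Detail   = "$($class.PSChildName) serial=$($inst.PSChildName)"; When = $null
            }
        }
    }
}

function Get-MountedDeviceArtifacts {
    $key = Get-Item 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {               # \DosDevices\E: or \??\Volume{GUID}
        $b = $key.GetValue($name)
        if ($b -isnot [byte[]]) { continue }
        $detail = if ($b.Length -eq 12) {
            # MBR volume: 4-byte disk signature followed by an 8-byte partition byte offset
            'MBR sig=0x{0:X8} offset={1}' -f [BitConverter]::ToUInt32($b, 0), [BitConverter]::ToUInt64($b, 4)
        } elseif ($b.Length -eq 24 -and [Text.Encoding]::ASCII.GetString($b, 0, 8) -eq 'DMIO:ID:') {
            # GPT volume: 'DMIO:ID:' followed by the 16-byte partition GUID
            'GPT partition {0}' -f [guid]::new([byte[]]$b[8..23])
        } else {
            # Removable volumes: a UTF-16 device path that embeds the USBSTOR instance id
            [Text.Encoding]::Unicode.GetString($b).TrimEnd([char]0)
        }
        [pscustomobject]@{ Artifact = 'MountedDevices'; Name = $name; Detail = $detail; When = $null }
    }
}

function Get-NetworkProfileArtifacts {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    if (-not (Test-Path $base)) { return }
    foreach ($prof in Get-ChildItem $base) {
        $p = Get-ItemProperty $prof.PSPath
        $type = switch ($p.NameType) { 6 { 'wired' } 71 { 'wireless' } default { "type $($p.NameType)" } }
        [pscustomobject]@{
            Artifact = 'NetworkProfile'; Name = $p.ProfileName
            Detail   = "$type, created $(ConvertFrom-SystemTime $p.DateCreated)"
            When     = ConvertFrom-SystemTime $p.DateLastConnected   # last connection time
        }
    }
}

function Get-RecentDocArtifacts {
    # Only the root RecentDocs key of the current user; per-extension subkeys are not walked.
    $key = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    # MRUListEx: little-endian UInt32 value indices, most recent first, 0xFFFFFFFF terminator
    $rank = @{}
    $mru = $key.GetValue('MRUListEx')
    if ($mru -is [byte[]]) {
        for ($i = 0; $i + 4 -le $mru.Length; $i += 4) {
            $idx = [BitConverter]::ToUInt32($mru, $i)
            if ($idx -eq 0xFFFFFFFF) { break }
            $rank["$idx"] = $i / 4
        }
    }
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUListEx' -or $name -eq '') { continue }
        $b = $key.GetValue($name)
        if ($b -isnot [byte[]]) { continue }
        # Each entry starts with the document name as a null-terminated UTF-16 string,
        # followed by a shortcut PIDL that this example does not parse.
        $doc = [Text.Encoding]::Unicode.GetString($b).Split([char]0)[0]
        [pscustomobject]@{ Artifact = 'RecentDocs'; Name = $doc; Detail = "MRU rank $($rank[$name])"; When = $null }
    }
}

function Get-RegistryArtifactSummary {
    @(Get-UsbStorArtifacts; Get-MountedDeviceArtifacts; Get-NetworkProfileArtifacts; Get-RecentDocArtifacts)
}

# Usage: Get-RegistryArtifactSummary | Sort-Object Artifact, When | Export-Csv artifacts.csv -NoTypeInformation
```

Correlating the USBSTOR instance id with the device path decoded from MountedDevices ties a serial number to the drive letter it was mounted under, which is the usual first step when reconstructing removable-media use on a host.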
Additional Resources
See TODO.md for planned forensic artifacts and scripts.