mnerv
aa4e6fa88f
Add Get-TypedURLs.ps1 for browser typed URL forensics: - IE (registry), Edge, Chrome, Chromium (all profiles), Firefox - Auto-detects all browser profiles (Default, Profile 1, 2, etc.) - Shows typed counts and visit frequencies - Proper DB locking/cleanup with finally blocks - Requires sqlite3.exe for Chromium-based browsers Update README.md and TODO.md with recent scripts.
86 lines
2.7 KiB
Markdown
86 lines
2.7 KiB
Markdown
# Forensic Artifacts TODO
|
|
|
|
## Windows Forensic Scripts
|
|
|
|
### Completed
|
|
- [x] USB Storage (USBSTOR)
|
|
- [x] Mounted Devices
|
|
- [x] USB Devices (VID/PID)
|
|
- [x] Portable Devices
|
|
- [x] Network Connection History
|
|
- [x] Hotspot Connections
|
|
- [x] Recent Documents (RecentDocs)
|
|
- [x] System Information (Get-Info.ps1)
|
|
- [x] User Accounts (Get-Users.ps1)
|
|
- [x] SSH sessions and known hosts
|
|
|
|
### User Activity Artifacts
|
|
- [ ] UserAssist - Programs run by user through Windows Explorer
|
|
- [ ] ShimCache (AppCompatCache) - Executable files that have been run
|
|
- [ ] AmCache - Program execution with file hashes and timestamps
|
|
- [x] Jump Lists - Recently accessed files per application
|
|
- [ ] Prefetch files - Program execution history with run counts
|
|
- [ ] BAM/DAM - Background Activity Moderator (program execution timestamps)
|
|
|
|
### Browser & Search History
|
|
- [ ] Browser history - Edge, Chrome, Firefox artifacts
|
|
- [x] Typed URLs - URLs manually typed in browsers
|
|
- [ ] Search terms - Windows Search history
|
|
|
|
### File Access
|
|
- [ ] LNK files - Shortcut files showing file access
|
|
- [ ] Recycle Bin - Deleted files
|
|
- [ ] Shell Bags - Folder access history
|
|
|
|
### System Information
|
|
- [ ] Computer name - System identification
|
|
- [ ] Timezone - System timezone settings
|
|
- [ ] Last shutdown time
|
|
- [ ] Installed programs - Software inventory
|
|
- [ ] System uptime history
|
|
|
|
### Persistence Mechanisms
|
|
- [ ] Run/RunOnce keys - Programs that auto-start
|
|
- [ ] Scheduled tasks
|
|
- [ ] Services
|
|
- [ ] Startup folder contents
|
|
|
|
### Network Artifacts
|
|
- [ ] DNS Cache
|
|
- [ ] Network shares accessed
|
|
- [ ] VPN connections
|
|
- [ ] Remote Desktop connections
|
|
|
|
### Developer & Security Artifacts
|
|
- [x] SSH sessions and known hosts
|
|
- [ ] Git repositories and commit history
|
|
- [ ] WSL (Windows Subsystem for Linux) artifacts
|
|
- [ ] PowerShell history (ConsoleHost_history.txt)
|
|
- [ ] Terminal/Command Prompt history
|
|
- [ ] Docker containers and images
|
|
- [ ] Virtual machines (VirtualBox, VMware, Hyper-V)
|
|
- [ ] IDE recent projects (VS Code, Visual Studio, JetBrains)
|
|
- [ ] Package manager caches (npm, pip, cargo, nuget)
|
|
- [ ] Environment variables and PATH modifications
|
|
- [ ] Installed development tools and SDKs
|
|
- [ ] Code signing certificates
|
|
- [ ] API keys and tokens in config files
|
|
|
|
## Other Operating Systems
|
|
|
|
### Linux
|
|
- [ ] User login history
|
|
- [ ] Command history (bash, zsh)
|
|
- [ ] Systemd journal logs
|
|
- [ ] Package installation history
|
|
- [ ] Cron jobs
|
|
- [ ] SSH keys and known hosts
|
|
|
|
### macOS
|
|
- [ ] Unified logs (log show)
|
|
- [ ] LaunchAgents/LaunchDaemons
|
|
- [ ] Spotlight metadata
|
|
- [ ] FSEvents (file system events)
|
|
- [ ] Login/logout history
|
|
- [ ] Keychain artifacts
|