Add PowerShell scripts for collecting forensic artifacts: - USB/storage devices, mounted drives, portable devices - Network history and hotspot connections - Recent documents (OpenSavePidlMRU with PIDL parsing) - System info and user enumeration with multiple output modes Includes TODO.md for planned artifacts and updated README.
# Get-HotspotConnections.ps1
|
|
# Collects Windows Mobile Hotspot connection artifacts
|
|
|
|
# Check for admin privileges
|
|
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
|
|
|
|
if (-not $isAdmin) {
|
|
Write-Host "Error: This script requires Administrator privileges" -ForegroundColor Red
|
|
Write-Host "Please run PowerShell as Administrator and try again" -ForegroundColor Yellow
|
|
exit 1
|
|
}
|
|
|
|
Write-Host "=== Windows Mobile Hotspot Connection History ===" -ForegroundColor Cyan
|
|
Write-Host "Note: Windows does not maintain persistent logs of past hotspot clients"
|
|
Write-Host "Only event logs and currently connected devices can be retrieved`n"
|
|
|
|
# Get current hotspot status
|
|
Write-Host "--- Current Hotspot Status ---" -ForegroundColor Yellow
|
|
try {
|
|
$hostedNetwork = netsh wlan show hostednetwork 2>$null
|
|
if ($hostedNetwork) {
|
|
$hostedNetwork | Write-Host
|
|
}
|
|
} catch {
|
|
Write-Host "Error getting hosted network status" -ForegroundColor Red
|
|
}
|
|
|
|
# Get currently connected clients via ARP
|
|
Write-Host "`n--- Currently Connected Devices (ARP Cache) ---" -ForegroundColor Yellow
|
|
try {
|
|
$arp = Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue |
|
|
Where-Object { $_.State -ne "Unreachable" -and $_.IPAddress -notmatch "^(224\.|239\.)" }
|
|
|
|
if ($arp) {
|
|
$arp | Select-Object IPAddress, LinkLayerAddress, State | Format-Table -AutoSize
|
|
} else {
|
|
Write-Host "No connected devices found in ARP cache" -ForegroundColor Gray
|
|
}
|
|
} catch {
|
|
Write-Host "Error accessing ARP cache: $_" -ForegroundColor Red
|
|
}
|
|
|
|
# Extract hotspot connection events from WLAN-AutoConfig log
|
|
Write-Host "`n--- Recent Hotspot Connection Events ---" -ForegroundColor Yellow
|
|
try {
|
|
# Event ID 20019 = Client connection to hotspot
|
|
# Event ID 20020 = Connection establishment confirmation
|
|
# Event ID 8005/8006 = Hotspot start/stop
|
|
$events = Get-WinEvent -FilterHashtable @{
|
|
LogName = "Microsoft-Windows-WLAN-AutoConfig/Operational"
|
|
ID = 8005, 8006, 20019, 20020
|
|
} -MaxEvents 50 -ErrorAction SilentlyContinue
|
|
|
|
if ($events) {
|
|
foreach ($event in $events) {
|
|
Write-Host "$($event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan -NoNewline
|
|
Write-Host " [ID:$($event.Id)]" -ForegroundColor Gray -NoNewline
|
|
|
|
# Extract relevant info from message
|
|
$msg = $event.Message
|
|
if ($msg -match "MAC Address: ([0-9A-Fa-f:-]+)") {
|
|
Write-Host " MAC: $($matches[1])" -ForegroundColor Yellow
|
|
} elseif ($msg -match "SSID: (.+)") {
|
|
Write-Host " SSID: $($matches[1])" -ForegroundColor Green
|
|
} else {
|
|
Write-Host ""
|
|
}
|
|
}
|
|
} else {
|
|
Write-Host "No hotspot events found in logs" -ForegroundColor Gray
|
|
}
|
|
} catch {
|
|
Write-Host "Error accessing event logs: $_" -ForegroundColor Red
|
|
}
|
|
|
|
# Get wireless authentication events (Event ID 5632)
|
|
Write-Host "`n--- Wireless Authentication Events (Last 20) ---" -ForegroundColor Yellow
|
|
try {
|
|
$authEvents = Get-WinEvent -FilterHashtable @{
|
|
LogName = "Security"
|
|
ID = 5632
|
|
} -MaxEvents 20 -ErrorAction SilentlyContinue
|
|
|
|
if ($authEvents) {
|
|
foreach ($authEvent in $authEvents) {
|
|
Write-Host "$($authEvent.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan
|
|
if ($authEvent.Message -match "Peer MAC Address:\s+([0-9A-Fa-f:-]+)") {
|
|
Write-Host " Peer MAC: $($matches[1])" -ForegroundColor Yellow
|
|
}
|
|
}
|
|
} else {
|
|
Write-Host "No wireless authentication events found" -ForegroundColor Gray
|
|
}
|
|
} catch {
|
|
Write-Host "Security event log not accessible or no events found" -ForegroundColor Gray
|
|
}
|
|
|
|
# Get hosted network settings from registry
|
|
Write-Host "`n--- Hosted Network Registry Settings ---" -ForegroundColor Yellow
|
|
try {
|
|
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters\HostedNetworkSettings"
|
|
if (Test-Path $regPath) {
|
|
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
|
|
if ($props) {
|
|
Write-Host "Registry path exists with configuration data" -ForegroundColor Green
|
|
Write-Host "(Binary data - use registry editor for details)"
|
|
}
|
|
} else {
|
|
Write-Host "No hosted network settings found in registry" -ForegroundColor Gray
|
|
}
|
|
} catch {
|
|
Write-Host "Error accessing registry: $_" -ForegroundColor Red
|
|
}
|
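Review bot: The ARP listing built at `Get-NetNeighbor -AddressFamily IPv4 ... | Where-Object { ... }` is system-wide, so the "Currently Connected Devices" heading overstates it — neighbors from every adapter (Ethernet, VPN, a second Wi-Fi NIC) are printed as if they were hotspot clients, and the multicast filter `^(224\.|239\.)` drops only two of the sixteen multicast /8s. Carry the adapter into the output so the analyst can attribute each row, `$arp | Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias | Format-Table -AutoSize`, and widen the exclusion to `$_.IPAddress -notmatch "^(22[4-9]|23[0-9])\."` (adding `255.255.255.255` if broadcast entries appear). Separately, every finding in this file goes through Write-Host, so none of it can be redirected to a file or piped to Export-Csv for preservation; emitting the collected objects on the pipeline (or at least mirroring them via Write-Output) would let a collector save the evidence without relying on Start-Transcript.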