mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b910a65f36b8207d74a2e92cdfc3ca42c9d66f3
artif/TODO.md
mnerv 9b910a65f3 feat: Add search history extraction (Get-SearchHistory.ps1) 
Extract Windows Search queries, typed paths, and Run dialog history
from registry (WordWheelQuery, TypedPaths, RunMRU).

Includes warnings about Windows 11 limitations - modern search without
Microsoft account doesn't persist history due to cloud-first design.

Update TODO.md.
2026-02-03 22:31:39 +01:00

86 lines
2.7 KiB
Markdown
Raw Blame History

# Forensic Artifacts TODO
## Windows Forensic Scripts
### Completed
- [x] USB Storage (USBSTOR)
- [x] Mounted Devices
- [x] USB Devices (VID/PID)
- [x] Portable Devices
- [x] Network Connection History
- [x] Hotspot Connections
- [x] Recent Documents (RecentDocs)
- [x] System Information (Get-Info.ps1)
- [x] User Accounts (Get-Users.ps1)
- [x] SSH sessions and known hosts
### User Activity Artifacts
- [ ] UserAssist - Programs run by user through Windows Explorer
- [ ] ShimCache (AppCompatCache) - Executable files that have been run
- [ ] AmCache - Program execution with file hashes and timestamps
- [x] Jump Lists - Recently accessed files per application
- [ ] Prefetch files - Program execution history with run counts
- [ ] BAM/DAM - Background Activity Moderator (program execution timestamps)
### Browser & Search History
- [ ] Browser history - Edge, Chrome, Firefox artifacts
- [x] Typed URLs - URLs manually typed in browsers
- [x] Search terms - Windows Search history
### File Access
- [ ] LNK files - Shortcut files showing file access
- [ ] Recycle Bin - Deleted files
- [ ] Shell Bags - Folder access history
### System Information
- [ ] Computer name - System identification
- [ ] Timezone - System timezone settings
- [ ] Last shutdown time
- [ ] Installed programs - Software inventory
- [ ] System uptime history
### Persistence Mechanisms
- [ ] Run/RunOnce keys - Programs that auto-start
- [ ] Scheduled tasks
- [ ] Services
- [ ] Startup folder contents
### Network Artifacts
- [ ] DNS Cache
- [ ] Network shares accessed
- [ ] VPN connections
- [ ] Remote Desktop connections
### Developer & Security Artifacts
- [x] SSH sessions and known hosts
- [ ] Git repositories and commit history
- [ ] WSL (Windows Subsystem for Linux) artifacts
- [ ] PowerShell history (ConsoleHost_history.txt)
- [ ] Terminal/Command Prompt history
- [ ] Docker containers and images
- [ ] Virtual machines (VirtualBox, VMware, Hyper-V)
- [ ] IDE recent projects (VS Code, Visual Studio, JetBrains)
- [ ] Package manager caches (npm, pip, cargo, nuget)
- [ ] Environment variables and PATH modifications
- [ ] Installed development tools and SDKs
- [ ] Code signing certificates
- [ ] API keys and tokens in config files
## Other Operating Systems
### Linux
- [ ] User login history
- [ ] Command history (bash, zsh)
- [ ] Systemd journal logs
- [ ] Package installation history
- [ ] Cron jobs
- [ ] SSH keys and known hosts
### macOS
- [ ] Unified logs (log show)
- [ ] LaunchAgents/LaunchDaemons
- [ ] Spotlight metadata
- [ ] FSEvents (file system events)
- [ ] Login/logout history
- [ ] Keychain artifacts
Reference in New Issue View Git Blame Copy Permalink