mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca296447f3e5ef60871852bbb9faa9bf92b7ac56
artif/README.md

3.0 KiB
Raw Blame History

artif

Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.

About

artif is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.

Windows

PowerShell Forensic Scripts

Scripts located in windows/ directory. Run as Administrator for full access.

Device & Storage Artifacts

  • Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
  • Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
  • Get-USBDevices.ps1 - All USB devices with VID/PID information
  • Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)

Network Artifacts

  • Get-NetworkHistory.ps1 - Network connection history and profiles (requires admin)
  • Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)

User Activity Artifacts

  • Get-RecentDocs.ps1 - Recently opened documents from OpenSavePidlMRU
    • Supports -ShowAll or -MaxPerType N parameters
    • Parses PIDL binary data to extract file paths

System Information

  • Get-Info.ps1 - Comprehensive system information (user, OS, network, disk, etc.)
  • Get-Users.ps1 - User account enumeration
    • -Mode simple - Just usernames (default)
    • -Mode detailed - Key info with last logon times
    • -Mode full - Complete details including groups and SIDs

Usage Examples

# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1

# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed

Third-Party Forensic Tools

  • Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals
  • EnCase: Examines disk images for changes, mounted artifacts, and logs
  • FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries
  • X-Ways Forensics: Detailed hex-level analysis of drives and artifacts
  • Registry Explorer (Eric Zimmerman): Advanced registry analysis with PIDL parsing
  • RegRipper: Automated registry artifact extraction

Registry Locations

USB Storage

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Network History

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Mounted Devices

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Recent Documents (OpenSavePidlMRU)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

User Profiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Roadmap

See TODO.md for planned forensic artifacts and scripts across Windows, Linux, and macOS.

License

This project is for educational and authorized security research purposes only.

Reference in New Issue View Git Blame Copy Permalink