Add PowerShell scripts for collecting forensic artifacts:

- USB/storage devices, mounted drives, portable devices
- Network history and hotspot connections
- Recent documents (OpenSavePidlMRU with PIDL parsing)
- System info and user enumeration with multiple output modes

Includes TODO.md for planned artifacts and updated README.
# Forensic Artifacts TODO
## Windows Forensic Scripts
### Completed
- USB Storage (USBSTOR)
- Mounted Devices
- USB Devices (VID/PID)
- Portable Devices
- Network Connection History
- Hotspot Connections
- Recent Documents (RecentDocs)
### User Activity Artifacts
- UserAssist - Programs run by user through Windows Explorer
- ShimCache (AppCompatCache) - Executable files that have been run
- AmCache - Program execution with file hashes and timestamps
- Jump Lists - Recently accessed files per application
- Prefetch files - Program execution history with run counts
- BAM/DAM - Background Activity Moderator (program execution timestamps)
### Browser & Search History
- Browser history - Edge, Chrome, Firefox artifacts
- Typed URLs - URLs manually typed in browsers
- Search terms - Windows Search history
### File Access
- LNK files - Shortcut files showing file access
- Recycle Bin - Deleted files
- Shell Bags - Folder access history
### System Information
- Computer name - System identification
- Timezone - System timezone settings
- Last shutdown time
- Installed programs - Software inventory
- System uptime history
### Persistence Mechanisms
- Run/RunOnce keys - Programs that auto-start
- Scheduled tasks
- Services
- Startup folder contents
### Network Artifacts
- DNS Cache
- Network shares accessed
- VPN connections
- Remote Desktop connections
## Other Operating Systems
### Linux
- User login history
- Command history (bash, zsh)
- Systemd journal logs
- Package installation history
- Cron jobs
- SSH keys and known hosts
### macOS
- Unified logs (log show)
- LaunchAgents/LaunchDaemons
- Spotlight metadata
- FSEvents (file system events)
- Login/logout history
- Keychain artifacts