artif/TODO.md
mnerv ce250b9725 feat: Add search history extraction (Get-SearchHistory.ps1)
Extract Windows Search queries, typed paths, and Run dialog history
from registry (WordWheelQuery, TypedPaths, RunMRU).

Includes warnings about Windows 11 limitations - modern search without a
Microsoft account doesn't persist history due to cloud-first design.

Update TODO.md.
2026-02-03 22:32:43 +01:00

Forensic Artifacts TODO

Windows Forensic Scripts

Completed

  • USB Storage (USBSTOR)
  • Mounted Devices
  • USB Devices (VID/PID)
  • Portable Devices
  • Network Connection History
  • Hotspot Connections
  • Recent Documents (RecentDocs)
  • System Information (Get-Info.ps1)
  • User Accounts (Get-Users.ps1)
  • SSH sessions and known hosts

User Activity Artifacts

  • UserAssist - Programs run by user through Windows Explorer
  • ShimCache (AppCompatCache) - Executable files that have been run
  • AmCache - Program execution with file hashes and timestamps
  • Jump Lists - Recently accessed files per application
  • Prefetch files - Program execution history with run counts
  • BAM/DAM - Background Activity Moderator (program execution timestamps)

Browser & Search History

  • Browser history - Edge, Chrome, Firefox artifacts
  • Typed URLs - URLs manually typed in browsers
  • Search terms - Windows Search history (Get-SearchHistory.ps1)

File Access

  • LNK files - Shortcut files showing file access
  • Recycle Bin - Deleted files
  • Shell Bags - Folder access history

System Information

  • Computer name - System identification (Get-Info.ps1, winfetch.ps1)
  • Timezone - System timezone settings (Get-Info.ps1)
  • Last shutdown time (Get-Info.ps1 - shows Last Boot)
  • Installed programs - Software inventory
  • System uptime history (Get-Info.ps1, winfetch.ps1)

Persistence Mechanisms

  • Run/RunOnce keys - Programs that auto-start
  • Scheduled tasks
  • Services
  • Startup folder contents

Network Artifacts

  • DNS Cache
  • Network shares accessed
  • VPN connections
  • Remote Desktop connections

Developer & Security Artifacts

  • SSH sessions and known hosts
  • Git repositories and commit history
  • WSL (Windows Subsystem for Linux) artifacts
  • PowerShell history (ConsoleHost_history.txt)
  • Terminal/Command Prompt history
  • Docker containers and images
  • Virtual machines (VirtualBox, VMware, Hyper-V)
  • IDE recent projects (VS Code, Visual Studio, JetBrains)
  • Package manager caches (npm, pip, cargo, nuget)
  • Environment variables and PATH modifications
  • Installed development tools and SDKs
  • Code signing certificates
  • API keys and tokens in config files

Other Operating Systems

Linux

  • User login history
  • Command history (bash, zsh)
  • Systemd journal logs
  • Package installation history
  • Cron jobs
  • SSH keys and known hosts

macOS

  • Unified logs (log show)
  • LaunchAgents/LaunchDaemons
  • Spotlight metadata
  • FSEvents (file system events)
  • Login/logout history
  • Keychain artifacts