Extract Windows Search queries, typed paths, and Run dialog history from registry (WordWheelQuery, TypedPaths, RunMRU). Includes warnings about Windows 11 limitations - modern search without Microsoft account doesn't persist history due to cloud-first design. Update TODO.md.
artif
Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.
Built with my good friend Claude - digging through the digital past, one artifact at a time. 🔍
About
artif is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.
Windows
PowerShell Forensic Scripts
Scripts are located in the windows/ directory. Run them from an elevated (Administrator) PowerShell session for full access. Note that HKCU is the hive of the account running the script; to examine another account, load its NTUSER.DAT under HKU and point the script at that path.
Device & Storage Artifacts
- Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
- Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
- Get-USBDevices.ps1 - All USB devices with VID/PID information
- Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)
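The following script is an added example and is not artif's own code (Get-USBStorage.ps1 and Get-MountedDevices.ps1 are not reproduced here). It shows the correlation those two scripts are about: each USBSTOR device instance is read together with the per-instance timestamps Windows stores under Properties\{83da6326-97a6-4088-9453-a1923f573b29} (property ids 0064 InstallDate, 0065 FirstInstallDate, 0066 LastArrivalDate, 0067 LastRemovalDate, stored as raw FILETIMEs), and is then matched against HKLM\SYSTEM\MountedDevices to recover the drive letter or volume GUID it was mounted as. Function and variable names are this example's own; it needs an elevated session because the Properties subkeys are not readable by standard users.

```powershell
# Added example, not part of artif: enumerate USBSTOR device instances, decode the
# device-property timestamps Windows keeps per instance, and correlate each instance
# with the drive letters / volume GUIDs recorded in HKLM\SYSTEM\MountedDevices.
# Run from an elevated PowerShell session; Properties subkeys are not readable otherwise.

$UsbStorRoot       = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$DevicePropertySet = '{83da6326-97a6-4088-9453-a1923f573b29}'   # DEVPKEY_Device_* property set
$TimestampProps    = @{                                         # property id -> meaning
    '0064' = 'InstallDate'
    '0065' = 'FirstInstallDate'
    '0066' = 'LastArrivalDate'
    '0067' = 'LastRemovalDate'
}

function ConvertFrom-FileTimeBytes {
    # The property values are raw 8-byte FILETIMEs (100 ns ticks since 1601-01-01, UTC).
    param([byte[]]$Bytes)
    if ($Bytes -isnot [byte[]] -or $Bytes.Length -lt 8) { return $null }
    return [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

function Get-MountedDeviceMap {
    # Returns @{ 'DISK&VEN_...\SERIAL&0' = @('\DosDevices\E:', '\??\Volume{...}') }.
    $map  = @{}
    $item = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\MountedDevices'
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -notmatch '^\\(DosDevices|\?\?)\\' -or $prop.Value -isnot [byte[]]) { continue }
        # USB mass-storage volumes store a UTF-16 device interface path such as
        # _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&0#{53f56307-...}. Other value data
        # (MBR disk signature + partition offset, DMIO ids) simply does not match the pattern.
        $text = [Text.Encoding]::Unicode.GetString($prop.Value)
        if ($text -match 'USBSTOR#([^#]+)#([^#]+)#') {
            $id = ($Matches[1] + '\' + $Matches[2]).ToUpperInvariant()
            if (-not $map.ContainsKey($id)) { $map[$id] = @() }
            $map[$id] += $prop.Name
        }
    }
    return $map
}

function Get-UsbStorageHistory {
    $mounted = Get-MountedDeviceMap
    foreach ($device in Get-ChildItem -LiteralPath $UsbStorRoot -ErrorAction Stop) {
        foreach ($instance in Get-ChildItem -LiteralPath $device.PSPath) {
            $props  = Get-ItemProperty -LiteralPath $instance.PSPath
            $record = [ordered]@{
                Device       = $device.PSChildName    # Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
                # Device serial number plus "&0". If the device reported no serial, Windows
                # generates an id whose second character is '&' (e.g. 7&1a2b3c4d&0).
                Serial       = $instance.PSChildName
                FriendlyName = $props.FriendlyName
                ContainerId  = $props.ContainerID
            }
            foreach ($propId in $TimestampProps.Keys) {
                # Each property lives in its own subkey; the data is that subkey's default value.
                $valueKey = "$($instance.PSPath)\Properties\$DevicePropertySet\$propId"
                $value    = Get-ItemProperty -LiteralPath $valueKey -Name '(default)' -ErrorAction SilentlyContinue
                $record[$TimestampProps[$propId]] = ConvertFrom-FileTimeBytes $value.'(default)'
            }
            $id = ($device.PSChildName + '\' + $instance.PSChildName).ToUpperInvariant()
            $record['MountPoints'] = if ($mounted.ContainsKey($id)) { $mounted[$id] -join ', ' } else { '' }
            [pscustomobject]$record
        }
    }
}

Get-UsbStorageHistory | Sort-Object LastArrivalDate -Descending |
    Format-Table Device, Serial, FriendlyName, FirstInstallDate, LastArrivalDate, LastRemovalDate, MountPoints -AutoSize
```

The timestamps come back in UTC, unlike the key LastWrite times most GUI tools display in local time, so convert one or the other before building a timeline. A device that shows up in USBSTOR with no MountPoints entry was enumerated but never assigned a volume under the current MountedDevices state (the value may have been removed by a later cleanup or reassignment), which is worth recording rather than treating as an error.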
Network Artifacts
- Get-NetworkHistory.ps1 - Network connection history and profiles from the NetworkList key (requires admin)
- Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)
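As an added example (this is not Get-NetworkHistory.ps1 or any other artif code), the script below decodes the NetworkList\Profiles records and joins each profile to its Signatures\Unmanaged or Signatures\Managed entry by ProfileGuid, which is where the DNS suffix and default gateway MAC for that network are kept. The DateCreated and DateLastConnected values are 16-byte SYSTEMTIME structures in the recording machine's local time, and the NameType / Category codes decoded here (6 wired, 23 VPN, 71 wireless, 243 mobile broadband; 0 public, 1 private, 2 domain) are Windows' own values. Function and variable names are the example's own.

```powershell
# Added example, not part of artif: decode NetworkList profile records and join each
# profile to its Signatures entry (DNS suffix, default gateway MAC) by ProfileGuid.
# Run from an elevated PowerShell session.

$NetworkListRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$NameTypes  = @{ 6 = 'Wired'; 23 = 'VPN'; 71 = 'Wireless'; 243 = 'Mobile broadband' }
$Categories = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function ConvertFrom-SystemTimeBytes {
    # DateCreated / DateLastConnected are 16-byte SYSTEMTIME structures (eight little-endian
    # UInt16 fields) written in the local time of the machine that recorded them.
    param([byte[]]$Bytes)
    if ($Bytes -isnot [byte[]] -or $Bytes.Length -lt 16) { return $null }
    $f = foreach ($i in 0..7) { [BitConverter]::ToUInt16($Bytes, $i * 2) }
    # fields: wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
    if ($f[0] -eq 0) { return $null }                              # never written
    try {
        return [DateTime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6], $f[7], [DateTimeKind]::Local)
    } catch { return $null }                                       # malformed record
}

function Get-NetworkSignatureMap {
    # Returns @{ '{profile-guid}' = [pscustomobject]@{ Kind; DnsSuffix; FirstNetwork; GatewayMac } }.
    $map = @{}
    foreach ($kind in 'Unmanaged', 'Managed') {
        $keys = Get-ChildItem -LiteralPath "$NetworkListRoot\Signatures\$kind" -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $p.ProfileGuid) { continue }
            # DefaultGatewayMac is REG_BINARY; render it as a colon-separated MAC address.
            $mac = if ($p.DefaultGatewayMac -is [byte[]]) {
                ($p.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':'
            } else { $null }
            $map[$p.ProfileGuid] = [pscustomobject]@{
                Kind = $kind; DnsSuffix = $p.DnsSuffix; FirstNetwork = $p.FirstNetwork; GatewayMac = $mac
            }
        }
    }
    return $map
}

function Get-NetworkProfileHistory {
    $signatures = Get-NetworkSignatureMap
    foreach ($key in Get-ChildItem -LiteralPath "$NetworkListRoot\Profiles" -ErrorAction Stop) {
        $p   = Get-ItemProperty -LiteralPath $key.PSPath
        $sig = $signatures[$key.PSChildName]          # $null when the profile has no signature entry
        [pscustomobject]@{
            ProfileGuid   = $key.PSChildName
            ProfileName   = $p.ProfileName
            Type          = if ($NameTypes.ContainsKey([int]$p.NameType)) { $NameTypes[[int]$p.NameType] } else { "Unknown($($p.NameType))" }
            Category      = if ($Categories.ContainsKey([int]$p.Category)) { $Categories[[int]$p.Category] } else { "Unknown($($p.Category))" }
            Created       = ConvertFrom-SystemTimeBytes $p.DateCreated
            LastConnected = ConvertFrom-SystemTimeBytes $p.DateLastConnected
            DnsSuffix     = $sig.DnsSuffix
            GatewayMac    = $sig.GatewayMac
            Source        = $sig.Kind
        }
    }
}

Get-NetworkProfileHistory | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

The gateway MAC is the most useful pivot in this data: two profiles with different names but the same GatewayMac were almost certainly the same physical network, and the OUI of that MAC identifies the router vendor. The DNS suffix and FirstNetwork fields are only populated for networks that offered them, so an empty value there is normal for many home and hotspot networks.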
User Activity Artifacts
- Get-RecentDocs.ps1 - Recently opened documents from OpenSavePidlMRU
  - Parses PIDL binary data to extract file paths
  - Supports -ShowAll or -MaxPerType N parameters
- Get-JumpLists.ps1 - Jump List artifacts per application
  - Shows automatic/custom destinations and recent LNK files
  - Smart app detection via content analysis
  - Supports -ShowAll or -MaxPerApp N parameters
- Get-TypedURLs.ps1 - Manually typed URLs from browsers
  - IE (registry), Edge, Chrome, Chromium, Firefox
  - Shows typed counts and visit frequencies
  - Supports all browser profiles automatically
  - Requires sqlite3.exe for Chromium-based browsers
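The script below is an added example rather than artif's Get-RecentDocs.ps1. It demonstrates the two things that script's description depends on: reading MRUListEx (an array of little-endian UInt32 indices terminated by 0xFFFFFFFF) to recover most-recent-first order within each extension subkey, and turning the stored PIDL bytes back into a path. It resolves each PIDL through the shell's SHGetPathFromIDListW and, where the shell cannot resolve it, falls back to walking the ITEMIDLIST and joining the embedded item names (offset 3 for the volume item type 0x2F, offset 14 for file entries 0x30-0x3F, which often hold the 8.3 short name rather than the long name). Function names are the example's own, and the manual walk is a deliberately minimal parser, not a full shell-item parser.

```powershell
# Added example, not part of artif: list OpenSavePidlMRU entries in most-recent-first order
# using MRUListEx, resolving each stored PIDL through the shell (SHGetPathFromIDListW) and
# falling back to the item names embedded in the PIDL when the shell cannot resolve it.
# HKCU: is the hive of the account running the script; load another user's NTUSER.DAT
# under HKU and change $MruRoot to examine that account.

$MruRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'

if (-not ('Forensics.Shell' -as [type])) {
    Add-Type -Namespace Forensics -Name Shell -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern bool SHGetPathFromIDListW(IntPtr pidl, System.Text.StringBuilder pszPath);
'@
}

function Resolve-PidlWithShell {
    # Copy the PIDL bytes to unmanaged memory and ask the shell for the parsing path.
    param([byte[]]$Pidl)
    $ptr = [Runtime.InteropServices.Marshal]::AllocHGlobal($Pidl.Length)
    try {
        [Runtime.InteropServices.Marshal]::Copy($Pidl, 0, $ptr, $Pidl.Length)
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Forensics.Shell]::SHGetPathFromIDListW($ptr, $sb)) { return $sb.ToString() }
        return $null
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
    }
}

function Resolve-PidlItemNames {
    # Manual walk of the ITEMIDLIST: each SHITEMID is [size:2][type:1][data...]; size 0 ends it.
    # Type 0x2F is a volume item ("C:\" at offset 3); types 0x30-0x3F are file entries whose
    # NUL-terminated primary name (frequently the 8.3 short name) starts at offset 14.
    param([byte[]]$Pidl)
    $parts = @(); $pos = 0
    while ($pos + 2 -le $Pidl.Length) {
        $size = [BitConverter]::ToUInt16($Pidl, $pos)
        if ($size -lt 3 -or $pos + $size -gt $Pidl.Length) { break }
        $type = $Pidl[$pos + 2]
        $nameOffset = if ($type -eq 0x2F) { $pos + 3 } elseif (($type -band 0x70) -eq 0x30) { $pos + 14 } else { -1 }
        if ($nameOffset -ge 0 -and $nameOffset -lt $pos + $size) {
            $end = [Array]::IndexOf($Pidl, [byte]0, $nameOffset)
            if ($end -lt 0 -or $end -gt $pos + $size) { $end = $pos + $size }
            $name = [Text.Encoding]::Default.GetString($Pidl, $nameOffset, $end - $nameOffset).TrimEnd('\')
            if ($name) { $parts += $name }
        }
        $pos += $size
    }
    if ($parts.Count -eq 0) { return $null }
    return ($parts -join '\')
}

function Get-OpenSavePidlMru {
    # One subkey per extension; one of them is literally named "*", so -LiteralPath is used
    # throughout (with -Path the registry provider would expand "*" as a wildcard).
    foreach ($key in Get-ChildItem -LiteralPath $MruRoot -ErrorAction Stop) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        $list  = $props.MRUListEx
        if ($list -isnot [byte[]]) { continue }
        $rank = 0
        for ($i = 0; $i + 4 -le $list.Length; $i += 4) {
            $index = [BitConverter]::ToUInt32($list, $i)
            if ($index -eq 0xFFFFFFFF) { break }                   # MRUListEx terminator
            $entry = $props.PSObject.Properties["$index"]          # value named "0", "1", ...
            if ($entry -and $entry.Value -is [byte[]]) {
                $shellPath = Resolve-PidlWithShell $entry.Value
                [pscustomobject]@{
                    Extension = $key.PSChildName
                    Rank      = $rank                              # 0 = most recently used
                    Path      = if ($shellPath) { $shellPath } else { Resolve-PidlItemNames $entry.Value }
                    Resolved  = [bool]$shellPath
                }
            }
            $rank++
        }
    }
}

Get-OpenSavePidlMru | Sort-Object Extension, Rank | Format-Table -AutoSize
```

Rows with Resolved = False are the ones to treat with care: the fallback path is assembled from whatever names the PIDL items carry, so it may show short names such as REPORT~1.DOC or omit non-filesystem segments. When those matter, hand the raw value bytes to a dedicated shell-item parser such as Registry Explorer rather than extending the fallback.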
System Information
- Get-Info.ps1 - Comprehensive system information (user, OS, network, disk, etc.)
- Get-Users.ps1 - User account enumeration
  - -Mode simple - Just usernames (default)
  - -Mode detailed - Key info with last logon times
  - -Mode full - Complete details including groups and SIDs
- winfetch.ps1 - System info display with ASCII art (fastfetch-inspired)
  - Windows 11 logo with ANSI colors
  - -Logo small for compact output
Developer & Security Artifacts
- Get-SSHArtifacts.ps1 - SSH forensic artifacts
  - Known hosts with connection counts
  - SSH config, keys, authorized_keys
  - PuTTY sessions and OpenSSH server logs
  - Supports -ShowKeys to display public key contents
Usage Examples
# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1
# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed
Third-Party Forensic Tools
- Autopsy/The Sleuth Kit: Open-source file system analysis (MFT entries, timestamps, $LogFile and $UsnJrnl journals)
- EnCase: Commercial disk imaging and analysis suite, including registry and log artifacts from mounted images
- FTK (Forensic Toolkit): Commercial suite for imaging, indexing and registry analysis, including USB-related registry entries
- X-Ways Forensics: Hex-level analysis of drives and artifacts
- Registry Explorer (Eric Zimmerman): Registry viewer with plugins that parse artifacts such as OpenSavePidlMRU shell items (PIDLs)
- RegRipper: Plugin-based automated registry artifact extraction
Registry Locations
USB Storage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
CurrentControlSet is a link to the ControlSet00N named in HKEY_LOCAL_MACHINE\SYSTEM\Select\Current; when working from an offline SYSTEM hive, read that ControlSet00N key directly.
Network History
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
The related Signatures\Unmanaged and Signatures\Managed subkeys under NetworkList hold the DNS suffix and default gateway MAC for each profile, keyed back to Profiles by ProfileGuid.
Mounted Devices
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Recent Documents (OpenSavePidlMRU)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
This is a per-user key: HKEY_CURRENT_USER resolves to the hive of the account running the script, so other accounts are examined by loading their NTUSER.DAT under HKEY_USERS. One of its subkeys is literally named *, so use literal paths rather than wildcards when enumerating it.
User Profiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Roadmap
See TODO.md for planned forensic artifacts and scripts across Windows, Linux, and macOS.
License
This project is for educational and authorized security research purposes only.