# Forensic

Digital forensics: hidden information logged in files, systems, and operating systems.
## Windows

### PowerShell Forensic Scripts

Scripts are located in the `windows/` directory. Run as Administrator for full access.
#### Device & Storage Artifacts
- Get-USBStorage.ps1 - USB storage devices from USBSTOR registry key
- Get-MountedDevices.ps1 - Drive letter mappings and mounted devices
- Get-USBDevices.ps1 - All USB devices with VID/PID information
- Get-PortableDevices.ps1 - Portable devices (phones, cameras, etc.)
#### Network Artifacts
- Get-NetworkHistory.ps1 - Network connection history and profiles (requires admin)
- Get-HotspotConnections.ps1 - Windows Mobile Hotspot connection artifacts (requires admin)
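An added example, not one of the repository's scripts, showing the kind of work a network-history collector does: it walks the `NetworkList\Profiles` key, decodes the `DateCreated` and `DateLastConnected` values (REG_BINARY SYSTEMTIME structures, eight little-endian 16-bit fields) into `[datetime]`, and joins each profile to the gateway MAC and DNS suffix recorded under `NetworkList\Signatures\Unmanaged`. The `NameType` codes (6 wired, 23 VPN, 71 wireless) and the `Signatures\Unmanaged` layout are assumptions based on documented Windows behaviour, not something the page states. Requires an elevated prompt.

```powershell
# Added example (not part of the repository): decode Windows network profile artifacts.
# Assumes the NetworkList\Signatures\Unmanaged key holds ProfileGuid, DnsSuffix and
# DefaultGatewayMac values, and that NameType 6/23/71 mean wired/VPN/wireless.

function ConvertFrom-SystemTime {
    # SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, millisecond
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $f = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    # $f[2] (day-of-week) is not needed to build the timestamp
    try { [datetime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6], $f[7], 'Local') }
    catch { $null }   # all-zero or otherwise malformed value
}

function Get-NetworkProfileHistory {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'

    # Map profile GUID -> signature record (gateway MAC, DNS suffix seen on that network)
    $sigByGuid = @{}
    foreach ($sig in Get-ChildItem "$base\Signatures\Unmanaged" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $sig.PSPath
        if ($p.ProfileGuid) { $sigByGuid[$p.ProfileGuid] = $p }
    }

    $nameType = @{ 6 = 'Wired'; 23 = 'VPN'; 71 = 'Wireless' }

    foreach ($profile in Get-ChildItem "$base\Profiles") {
        $p   = Get-ItemProperty $profile.PSPath
        $sig = $sigByGuid[$profile.PSChildName]
        $type = [int]$p.NameType
        [PSCustomObject]@{
            ProfileName       = $p.ProfileName
            Type              = if ($nameType.ContainsKey($type)) { $nameType[$type] } else { $type }
            DateCreated       = ConvertFrom-SystemTime $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac        = if ($sig -and $sig.DefaultGatewayMac) {
                                    ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':'
                                } else { $null }
            DnsSuffix         = if ($sig) { $sig.DnsSuffix } else { $null }
        }
    }
}

# Most recently used networks first
Get-NetworkProfileHistory | Sort-Object DateLastConnected -Descending | Format-Table -AutoSize
```

`DateLastConnected` is written by the local machine from its own clock, so when correlating with other evidence keep in mind that it is local time, not UTC, and that a tampered or drifting clock affects it like any other registry timestamp.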
#### User Activity Artifacts
- Get-RecentDocs.ps1 - Recently opened documents per user
### Tools
- Autopsy/The Sleuth Kit: Analyzes file systems, MFT entries, timestamps, and journals.
- EnCase: Examines disk images for changes, mounted artifacts, and logs.
- FTK (Forensic Toolkit): Scans for file modifications and USB-related registry entries.
- X-Ways Forensics: Detailed hex-level analysis of drives and artifacts.
### Registry Locations

#### USB Storage

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`

#### Network History

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`

#### Mounted Devices

`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`

#### Recent Documents

`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
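The USB Storage and Mounted Devices keys above are most useful together. As an added example (not one of the repository's scripts), the function below enumerates every `USBSTOR` instance, pulls the device serial from the instance key name, and looks up which drive letter(s) that serial was mounted under by decoding `MountedDevices`: for USB volumes the REG_BINARY value is a UTF-16 string containing the USBSTOR instance path, while fixed-disk volumes use a 12-byte signature+offset record and are skipped. First-install, last-arrival and last-removal times are read with `Get-PnpDeviceProperty` (PnpDevice module, Windows 8 and later); that cmdlet and the `DEVPKEY_Device_*` key names are assumptions about the platform, not something the page lists. Run elevated.

```powershell
# Added example (not part of the repository): correlate USBSTOR device history with
# MountedDevices drive-letter mappings and PnP timestamps. Run as Administrator.

function Get-UsbStorageHistory {
    [CmdletBinding()]
    param()

    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return }

    # Decode MountedDevices once and build serial -> drive letters.
    # USB volume values look like: _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL&0#{GUID}
    $mounted = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    $letterBySerial = @{}
    foreach ($name in $mounted.GetValueNames()) {
        if ($name -notlike '\DosDevices\*') { continue }      # only drive-letter entries
        $bytes = $mounted.GetValue($name)
        if ($bytes -isnot [byte[]] -or $bytes.Length -le 12) { continue }  # 12 bytes = MBR signature + offset
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($text -match 'USBSTOR#[^#]+#([^#&]+)') {
            $serial = $Matches[1]
            if (-not $letterBySerial.ContainsKey($serial)) { $letterBySerial[$serial] = @() }
            $letterBySerial[$serial] += $name.Replace('\DosDevices\', '')
        }
    }

    $dateKeys = 'DEVPKEY_Device_FirstInstallDate',
                'DEVPKEY_Device_LastArrivalDate',
                'DEVPKEY_Device_LastRemovalDate'

    foreach ($class in Get-ChildItem $usbstor) {                 # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        foreach ($instance in Get-ChildItem $class.PSPath) {     # e.g. 4C530001230911113253&0
            $serial     = $instance.PSChildName -replace '&\d+$', ''   # strip trailing "&0"
            $instanceId = "USBSTOR\$($class.PSChildName)\$($instance.PSChildName)"
            $props      = Get-ItemProperty $instance.PSPath

            # Timestamps live in the PnP property store; a device may have no value
            # for a key (never removed, or record purged), so tolerate errors.
            $dates = @{}
            foreach ($key in $dateKeys) {
                $p = Get-PnpDeviceProperty -InstanceId $instanceId -KeyName $key -ErrorAction SilentlyContinue
                $dates[$key] = if ($p) { $p.Data } else { $null }
            }

            [PSCustomObject]@{
                DeviceClass  = $class.PSChildName
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                DriveLetters = ($letterBySerial[$serial] -join ', ')
                FirstInstall = $dates['DEVPKEY_Device_FirstInstallDate']
                LastArrival  = $dates['DEVPKEY_Device_LastArrivalDate']
                LastRemoval  = $dates['DEVPKEY_Device_LastRemovalDate']
            }
        }
    }
}

Get-UsbStorageHistory | Sort-Object LastArrival -Descending | Format-Table -AutoSize
```

A serial that appears in `USBSTOR` but has no drive letter is still evidence the device was connected; the letter mapping only survives in `MountedDevices` until the letter is reused by another volume, so treat an empty `DriveLetters` column as "unknown", not "never mounted".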
### Additional Resources

See `TODO.md` for planned forensic artifacts and scripts.