84 lines
3.1 KiB
Markdown
84 lines
3.1 KiB
Markdown
# artif
|
|
|
|
Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.
|
|
|
|
*Built with my good friend Claude - digging through the digital past, one artifact at a time.* 🔍
|
|
|
|
## About
|
|
|
|
**artif** is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.
|
|
|
|
## Windows
|
|
|
|
### PowerShell Forensic Scripts
|
|
|
|
Scripts located in `windows/` directory. Run as Administrator for full access.
|
|
|
|
#### Device & Storage Artifacts
|
|
- **Get-USBStorage.ps1** - USB storage devices from USBSTOR registry key
|
|
- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices
|
|
- **Get-USBDevices.ps1** - All USB devices with VID/PID information
|
|
- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.)
|
|
|
|
#### Network Artifacts
|
|
- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin)
|
|
- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)
|
|
|
|
#### User Activity Artifacts
|
|
- **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU
|
|
- Supports `-ShowAll` or `-MaxPerType N` parameters
|
|
- Parses PIDL binary data to extract file paths
|
|
|
|
#### System Information
|
|
- **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.)
|
|
- **Get-Users.ps1** - User account enumeration
|
|
- `-Mode simple` - Just usernames (default)
|
|
- `-Mode detailed` - Key info with last logon times
|
|
- `-Mode full` - Complete details including groups and SIDs
|
|
|
|
### Usage Examples
|
|
|
|
```powershell
|
|
# Simple usage
|
|
.\windows\Get-USBStorage.ps1
|
|
.\windows\Get-Users.ps1
|
|
|
|
# With parameters
|
|
.\windows\Get-RecentDocs.ps1 -ShowAll
|
|
.\windows\Get-Users.ps1 -Mode detailed
|
|
```
|
|
|
|
### Third-Party Forensic Tools
|
|
|
|
- **Autopsy/The Sleuth Kit**: Analyzes file systems, MFT entries, timestamps, and journals
|
|
- **EnCase**: Examines disk images for changes, mounted artifacts, and logs
|
|
- **FTK (Forensic Toolkit)**: Scans for file modifications and USB-related registry entries
|
|
- **X-Ways Forensics**: Detailed hex-level analysis of drives and artifacts
|
|
- **Registry Explorer** (Eric Zimmerman): Advanced registry analysis with PIDL parsing
|
|
- **RegRipper**: Automated registry artifact extraction
|
|
|
|
### Registry Locations
|
|
|
|
#### USB Storage
|
|
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`
|
|
|
|
#### Network History
|
|
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`
|
|
|
|
#### Mounted Devices
|
|
`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`
|
|
|
|
#### Recent Documents (OpenSavePidlMRU)
|
|
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
|
|
|
|
#### User Profiles
|
|
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`
|
|
|
|
## Roadmap
|
|
|
|
See `TODO.md` for planned forensic artifacts and scripts across Windows, Linux, and macOS.
|
|
|
|
## License
|
|
|
|
This project is for educational and authorized security research purposes only.
|