mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dcebc0f4fa8c39802956bb63f4833b4d6175b390
artif/TODO.md
mnerv dcebc0f4fa Add SSH artifacts collection (Get-SSHArtifacts.ps1) 
Collect SSH forensic data: known hosts with counts, SSH config,
keys, authorized_keys, PuTTY sessions, and server logs.

Update TODO.md with completed scripts.
2026-02-03 21:48:51 +01:00

2.7 KiB
Raw Blame History

Forensic Artifacts TODO

Windows Forensic Scripts

Completed

  • USB Storage (USBSTOR)
  • Mounted Devices
  • USB Devices (VID/PID)
  • Portable Devices
  • Network Connection History
  • Hotspot Connections
  • Recent Documents (RecentDocs)
  • System Information (Get-Info.ps1)
  • User Accounts (Get-Users.ps1)
  • SSH sessions and known hosts

User Activity Artifacts

  • UserAssist - Programs run by user through Windows Explorer
  • ShimCache (AppCompatCache) - Executable files that have been run
  • AmCache - Program execution with file hashes and timestamps
  • Jump Lists - Recently accessed files per application
  • Prefetch files - Program execution history with run counts
  • BAM/DAM - Background Activity Moderator (program execution timestamps)

Browser & Search History

  • Browser history - Edge, Chrome, Firefox artifacts
  • Typed URLs - URLs manually typed in browsers
  • Search terms - Windows Search history

File Access

  • LNK files - Shortcut files showing file access
  • Recycle Bin - Deleted files
  • Shell Bags - Folder access history

System Information

  • Computer name - System identification
  • Timezone - System timezone settings
  • Last shutdown time
  • Installed programs - Software inventory
  • System uptime history

Persistence Mechanisms

  • Run/RunOnce keys - Programs that auto-start
  • Scheduled tasks
  • Services
  • Startup folder contents

Network Artifacts

  • DNS Cache
  • Network shares accessed
  • VPN connections
  • Remote Desktop connections

Developer & Security Artifacts

  • SSH sessions and known hosts
  • Git repositories and commit history
  • WSL (Windows Subsystem for Linux) artifacts
  • PowerShell history (ConsoleHost_history.txt)
  • Terminal/Command Prompt history
  • Docker containers and images
  • Virtual machines (VirtualBox, VMware, Hyper-V)
  • IDE recent projects (VS Code, Visual Studio, JetBrains)
  • Package manager caches (npm, pip, cargo, nuget)
  • Environment variables and PATH modifications
  • Installed development tools and SDKs
  • Code signing certificates
  • API keys and tokens in config files

Other Operating Systems

Linux

  • User login history
  • Command history (bash, zsh)
  • Systemd journal logs
  • Package installation history
  • Cron jobs
  • SSH keys and known hosts

macOS

  • Unified logs (log show)
  • LaunchAgents/LaunchDaemons
  • Spotlight metadata
  • FSEvents (file system events)
  • Login/logout history
  • Keychain artifacts
Reference in New Issue View Git Blame Copy Permalink