artif/README.md

# artif

Digital forensics artifact collection toolkit - uncover hidden information logged in files, systems, and operating systems.

*Built with my good friend Claude - digging through the digital past, one artifact at a time.* 🔍

## About

**artif** is a collection of forensic artifact extraction scripts designed to help investigators, security researchers, and system administrators uncover digital traces left behind by user activity and system operations.

## Windows

### PowerShell Forensic Scripts

Scripts located in `windows/` directory. Run as Administrator for full access.

#### Device & Storage Artifacts
- **Get-USBStorage.ps1** - USB storage devices from USBSTOR registry key
- **Get-MountedDevices.ps1** - Drive letter mappings and mounted devices
- **Get-USBDevices.ps1** - All USB devices with VID/PID information
- **Get-PortableDevices.ps1** - Portable devices (phones, cameras, etc.)

#### Network Artifacts
- **Get-NetworkHistory.ps1** - Network connection history and profiles (requires admin)
- **Get-HotspotConnections.ps1** - Windows Mobile Hotspot connection artifacts (requires admin)

#### User Activity Artifacts
- **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU
  - Supports `-ShowAll` or `-MaxPerType N` parameters
  - Parses PIDL binary data to extract file paths
- **Get-JumpLists.ps1** - Jump List artifacts per application
  - Shows automatic/custom destinations and recent LNK files
  - Smart app detection via content analysis
  - Supports `-ShowAll` or `-MaxPerApp N` parameters
- **Get-TypedURLs.ps1** - Manually typed URLs from browsers
  - IE (registry), Edge, Chrome, Chromium, Firefox
  - Shows typed counts and visit frequencies
  - Supports all browser profiles automatically
  - Requires sqlite3.exe for Chromium-based browsers

#### System Information
- **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.)
- **Get-Users.ps1** - User account enumeration
  - `-Mode simple` - Just usernames (default)
  - `-Mode detailed` - Key info with last logon times
  - `-Mode full` - Complete details including groups and SIDs
- **winfetch.ps1** - System info display with ASCII art (fastfetch-inspired)
  - Windows 11 logo with ANSI colors
  - `-Logo small` for compact output
  
#### Developer & Security Artifacts
- **Get-SSHArtifacts.ps1** - SSH forensic artifacts
  - Known hosts with connection counts
  - SSH config, keys, authorized_keys
  - PuTTY sessions and OpenSSH server logs
  - Supports `-ShowKeys` to display public key contents

### Usage Examples

```powershell
# Simple usage
.\windows\Get-USBStorage.ps1
.\windows\Get-Users.ps1

# With parameters
.\windows\Get-RecentDocs.ps1 -ShowAll
.\windows\Get-Users.ps1 -Mode detailed
```

### Third-Party Forensic Tools

- **Autopsy/The Sleuth Kit**: Analyzes file systems, MFT entries, timestamps, and journals
- **EnCase**: Examines disk images for changes, mounted artifacts, and logs
- **FTK (Forensic Toolkit)**: Scans for file modifications and USB-related registry entries
- **X-Ways Forensics**: Detailed hex-level analysis of drives and artifacts
- **Registry Explorer** (Eric Zimmerman): Advanced registry analysis with PIDL parsing
- **RegRipper**: Automated registry artifact extraction

### Registry Locations

#### USB Storage
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`

#### Network History
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`

#### Mounted Devices
`HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`

#### Recent Documents (OpenSavePidlMRU)
`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`

#### User Profiles
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`

## Roadmap

See `TODO.md` for planned forensic artifacts and scripts across Windows, Linux, and macOS.

## License

This project is for educational and authorized security research purposes only.