PS-WindowsForensics is a set of PowerShell scripts for parsing forensic artifacts in the Windows operating system.

Scripts:
Full Version                       Lite Version (for Kansa or Invoke-LiveResponse)
Invoke-AppCompatCacheParser.ps1    Get-AppCompatCache.ps1
Invoke-JavaCacheParser.ps1         Get-JavaCache.ps1
Invoke-PrefetchParser.ps1          Get-Prefetch.ps1

Get-PartitionTable

Goals:
1. Provide scripts that can be run on Windows systems without requiring any additional software download/installation
2. Provide scripts that can be run against live Windows systems
3. Provide scripts that can be run against most Windows systems
— PowerShell Version 3 if possible
— Lowest version of .NET possible, but most everything I find has at least 4
4. Provide scripts that can easily be run, or modified to run, in a PowerShell session.

Usage:
Download the *.zip file.
Extract it into the Windows PowerShell folder.
Then open it with Windows PowerShell as an administrator user.

Download : PS-WindowsForensics
Source : https://github.com/davidhowell-tx