This tool is designed to gather USB-related artifacts from Windows machines and to correlate the collected information. So far it is only a collector for Windows evtx-based information.
The script will check and collect the following sources (only the Windows event logs are implemented so far):
- Windows events (evtx files)
- Registry files
- Other artifacts (LNK files, Recent files, etc)
- setupAPI.dev.log file
Content of the event_collector folder:
- a separate PowerShell script for each event source I investigated -> use these if you only want to collect some, but not all, of the mentioned events
- a common PowerShell script named usbLogCollector.ps1 that collects every investigated event -> use this if you want to collect every event from the related blog post
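The following is an added example of what a minimal evtx-based USB collector looks like; it is not the repository's usbLogCollector.ps1 or any of the per-source scripts. The channel and event-ID pairs in `$UsbSources` are assumptions drawn from general Windows DFIR knowledge (UMDF arrival/removal events, Kernel-PnP device configuration, Partition/Diagnostic disk records, and the Security 6416 "new external device" audit), not from this README, so adjust them to whatever the related blog post covers. The script reads either the live channels or exported .evtx files, flattens each event's EventData/UserData into name=value pairs, pulls the VID/PID out of any USB device instance path it finds, and writes everything to one CSV.

```powershell
# Added example collector (not the project's own code). Channel/ID pairs are assumptions.
[CmdletBinding()]
param(
    # Optional: exported .evtx file(s). When omitted, the live channels are queried.
    [string[]]$EvtxPath,
    [string]$OutCsv = ".\usb_events.csv",
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# Channel -> event IDs that typically record USB plug/unplug and device setup activity (assumed set).
$UsbSources = @{
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational' = @(2003, 2100, 2101, 2102, 2105, 2106)
    'Microsoft-Windows-Kernel-PnP/Configuration'               = @(400, 410, 420)
    'Microsoft-Windows-Partition/Diagnostic'                   = @(1006)
    'Security'                                                 = @(6416)   # needs PnP activity auditing and an elevated shell
}

function Get-UsbEventFields {
    # Flattens the non-System part of one event's XML into a hashtable. Handles both the
    # <Data Name="..."> style (Kernel-PnP) and nested-element UserData (UMDF events).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    # Leaf elements outside <System>; local-name() sidesteps the default event XML namespace.
    $leaves = $xml.SelectNodes("/*[local-name()='Event']/*[local-name()!='System']//*[not(*)]")
    foreach ($n in $leaves) {
        $name = if ($n.Attributes['Name']) { $n.Attributes['Name'].Value } else { $n.LocalName }
        if ($n.InnerText) { $fields[$name] = $n.InnerText }
    }
    return $fields
}

function Get-UsbEvents {
    param([hashtable]$Sources, [string[]]$Paths, [datetime]$StartTime)
    $allIds = $Sources.Values | ForEach-Object { $_ } | Sort-Object -Unique
    if ($Paths) {
        # Exported files: one pass over all files, then keep only the channel/ID pairs we care about.
        $raw = Get-WinEvent -FilterHashtable @{ Path = $Paths; Id = $allIds; StartTime = $StartTime } -ErrorAction SilentlyContinue |
               Where-Object { $Sources.ContainsKey($_.LogName) -and $Sources[$_.LogName] -contains $_.Id }
    } else {
        # Live channels: one query per channel. SilentlyContinue swallows "no events found" and disabled channels.
        $raw = foreach ($log in $Sources.Keys) {
            Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Sources[$log]; StartTime = $StartTime } -ErrorAction SilentlyContinue
        }
    }
    foreach ($e in $raw) {
        $f = Get-UsbEventFields -Event $e
        # First USB\ or USBSTOR\ device instance path found in any field (e.g. USB\VID_0781&PID_5571\<serial>).
        $instance = $f.Values | Where-Object { $_ -match '^USB(STOR)?\\' } | Select-Object -First 1
        $vidpid = if ($instance -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') { "$($Matches[1]):$($Matches[2])" } else { $null }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            LogName        = $e.LogName
            Id             = $e.Id
            Computer       = $e.MachineName
            DeviceInstance = $instance
            VidPid         = $vidpid
            Fields         = ($f.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}

$results = Get-UsbEvents -Sources $UsbSources -Paths $EvtxPath -StartTime $Since | Sort-Object TimeCreated
$results | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Host ("Collected {0} USB-related events into {1}" -f @($results).Count, $OutCsv)
```

Usage: `.\collect.ps1` on the live host (run elevated so the Security channel is readable), or `.\collect.ps1 -EvtxPath C:\case\*.evtx -Since '2024-01-01'` against exported logs. Two caveats worth keeping in mind when correlating the output: the UMDF channel is small and rolls over quickly, so older plug/unplug events are often gone by the time of collection, and Security 6416 only exists if PnP activity auditing was enabled beforehand, so its absence does not mean no device was connected.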