WindowsLiveForensicCollect

WindowsLiveForensicCollect is a PowerShell script designed for live forensic data collection on Windows systems. It allows incident responders and forensic analysts to gather crucial volatile and non-volatile data without altering the system state.

🔐 Features

• Live forensic data collection from running Windows machines
• Volatile data: running processes, network connections, open files
• Non-volatile data: installed software, user accounts, system configurations
• PowerShell script for seamless Windows integration
• Customizable output paths for collected data

🖥️ Requirements

• Operating System: Windows 7 or higher
• PowerShell version 5.0 or higher

📦 Installation

• Clone the repository:

  git clone https://github.com/MarcoAbreu2002/WindowsLiveForensicCollect.git
  cd WindowsLiveForensicCollect

⚡ Usage

Run the main script and specify the destination folder:

./main.ps1

Choose the type of collection or select "Run All" to capture all available data.

🗂️ Example Menu Options

Select an option:
1  - Collect Volatile Fragment Windows
2  - Collect Routing Table, ARP Cache, and Kernel Statistics
3  - Collect DNS Cache
4  - Collect Running Processes
5  - Collect Active Network Connections
6  - Collect Programs Using Network
7  - Collect Open Files
8  - Collect Network Shares
9  - Collect Open Ports
...
30 - Run All
31 - Exit
        

💾 Sample Collected Data

Files generated in the destination folder might include:

• VolatileFragmentWindows.txt
• RoutingTable.txt
• ARPCache.txt
• KernelStatistics.txt
• DNSCache.txt
• RunningProcesses.txt
• ActiveNetworkConnections.txt
• ProgramsAndServicesUsingNetwork.txt
• OpenFiles.txt
• NetworkShares.txt
• OpenPorts.txt
• EncryptedArchives.txt
• SystemConfiguration.txt
• NetworkConfiguration.txt
• StorageDevices.txt
• DateAndTime.txt
• EnvironmentVariables.txt
• NetworkCardInfo.txt
• StartedServices.txt
• ScheduledTasks.txt
• WiFiEvents.txt
• ProcessInfo.txt
• CurrentConnections.txt
• WiFiProfiles.txt