Artifact Collection is a comprehensive PowerShell tool designed for security analysts, incident responders, and forensic investigators. It systematically collects critical logs, system information, and forensic artifacts from Windows systems to support security analysis and incident response activities.
- Comprehensive Collection: Gathers event logs, system information, network data, process details, user artifacts, execution evidence, persistence mechanisms, browser artifacts, and security configuration
- Per-User Artifact Enumeration: Iterates all user profiles for registry artifacts, browser data, PowerShell history, and more
- Prioritized Event Logs: Separates high-priority security logs from standard logs for efficient analysis
- Execution Evidence: Collects Amcache, SRUM, Prefetch, BAM/DAM, Shimcache, and WER reports
- Persistence Detection: Captures all autorun registry keys, WMI subscriptions, scheduled task XMLs, COM hijacks, and startup folders
- Browser Forensics: Collects Chrome, Edge, Firefox, and IE artifacts per user profile
- Locked File Handling: Uses esentutl fallback to copy locked system databases (Amcache, SRUM)
- Organized Output Structure: Creates structured ZIP archives with logical folder organization
- Integrity Verification: SHA-256 hash manifest for chain-of-custody validation
- Flexible Collection Types: Allows selective collection of specific artifact categories
- Progress Tracking: Provides real-time progress indicators during collection
- Error Resilience: Continues collection even if individual files are locked or inaccessible
- Timestamped Archives: Prevents overwrites with automatic timestamp inclusion
- Analysis Guidance: Includes collection summary with analysis recommendations
- Operating System: Windows 10/11, Windows Server 2016/2019/2022
- PowerShell: Version 5.1 or higher
- Privileges: Administrator privileges required
- Disk Space: Minimum 500MB free space (more recommended for large environments)
- .NET Framework: 4.5 or higher (for ZIP compression)
- Download the Artifact Collection script (Collect-SecurityLogs.ps1)
- Place the script in a directory accessible to administrators
- Ensure the PowerShell execution policy allows script execution:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
- A script downloaded from the internet carries a Zone.Identifier mark and is still blocked under RemoteSigned until it is unblocked (Unblock-File .\Collect-SecurityLogs.ps1) or signed. If you prefer not to change the policy on an evidence host at all, launch it as powershell.exe -ExecutionPolicy Bypass -File .\Collect-SecurityLogs.ps1 from an elevated prompt instead
Run Artifact Collection from an elevated PowerShell session to collect all available artifacts:
.\Collect-SecurityLogs.ps1

# Collect only event logs
.\Collect-SecurityLogs.ps1 -CollectionType EventLogs
# Collect only execution evidence (Amcache, SRUM, Prefetch, etc.)
.\Collect-SecurityLogs.ps1 -CollectionType ExecutionEvidence
# Collect only persistence mechanisms
.\Collect-SecurityLogs.ps1 -CollectionType PersistenceInfo
# Collect only browser artifacts
.\Collect-SecurityLogs.ps1 -CollectionType BrowserArtifacts
# Collect only security configuration and artifacts
.\Collect-SecurityLogs.ps1 -CollectionType SecurityInfo

# Specify a custom output directory (prefer removable or network storage:
# writing several hundred MB to the evidence host's own disk overwrites
# unallocated space that may still hold deleted artifacts)
.\Collect-SecurityLogs.ps1 -OutputPath "C:\Investigation\Case-2024-001"

# Collect artifacts from the last 7 days
.\Collect-SecurityLogs.ps1 -MaxDays 7
# Collect all available artifacts (no time limit)
.\Collect-SecurityLogs.ps1 -MaxDays 0

# Include MEMORY.DMP and minidumps (can be very large)
.\Collect-SecurityLogs.ps1 -IncludeMemoryDump

| Parameter | Type | Default | Description |
|---|---|---|---|
| OutputPath | String | Desktop | Custom output directory for the ZIP archive |
| CollectionType | String | All | Category to collect (see table below) |
| MaxDays | Integer | 30 | Number of days of logs to collect (0 = no limit) |
| IncludeMemoryDump | Switch | False | Include memory dump files if available |
| Type | Description |
|---|---|
| All | Everything below (default) |
| EventLogs | Windows event logs (priority + standard) |
| SystemInfo | OS details, software, hotfixes, drivers, USB, BitLocker, TPM |
| NetworkInfo | Adapters, connections, firewall, DNS, proxy, hosts file, WLAN |
| ProcessInfo | Processes, services, scheduled tasks, named pipes, loaded modules |
| UserArtifacts | Per-user registry, LNK files, Jump Lists, PowerShell history, thumbcache |
| ExecutionEvidence | Prefetch, Amcache, SRUM, BAM/DAM, Shimcache, WER reports |
| PersistenceInfo | Autorun keys, scheduled task XMLs, WMI subscriptions, COM hijacks, IFEO, BHOs |
| BrowserArtifacts | Chrome, Edge, Firefox, IE history/bookmarks/downloads per user |
| SecurityInfo | Defender status/quarantine, certificates, GPO, credentials, ADS, Recycle Bin |
The script creates a timestamped ZIP archive with the following structure:
SecurityArtifacts_COMPUTERNAME_YYYYMMDD_HHMMSS.zip
├── CollectionSummary.txt
├── HashManifest_SHA256.txt
├── EventLogs/
│ ├── Priority/
│ │ ├── Security.evtx
│ │ ├── System.evtx
│ │ ├── Application.evtx
│ │ ├── Windows PowerShell.evtx
│ │ └── [Other priority logs]
│ └── Standard/
├── SystemInfo/
│ ├── SystemInfo.txt
│ ├── InstalledSoftware.txt
│ ├── InstalledSoftware_x86.txt
│ ├── InstalledHotfixes.txt
│ ├── LocalUsers.txt
│ ├── LocalGroupMembers.txt
│ ├── Drivers.txt
│ ├── USBDeviceHistory.txt
│ ├── VolumeShadowCopies.txt
│ ├── BITSTransfers.txt
│ ├── BitLockerStatus.txt
│ ├── TPMInfo.txt
│ └── [Other system data]
├── NetworkInfo/
│ ├── NetworkConfig.txt
│ ├── NetstatConnections.txt
│ ├── FirewallRules.txt
│ ├── FirewallProfiles.txt
│ ├── ListeningPorts.txt
│ ├── UDPEndpoints.txt
│ ├── HostsFile.txt
│ ├── ProxySettings.txt
│ ├── DNSClientConfig.txt
│ ├── WLANEventHistory.txt
│ └── [Other network data]
├── ProcessInfo/
│ ├── RunningProcesses.txt
│ ├── ProcessTree.txt
│ ├── Services.txt
│ ├── ScheduledTasks.txt
│ ├── NamedPipes.txt
│ ├── HandleCounts.txt
│ └── [Other process data]
├── UserArtifacts/
│ └── <username>/
│ ├── Registry/
│ │ ├── RunMRU.reg
│ │ ├── RecentDocs.reg
│ │ ├── TypedPaths.reg
│ │ ├── TypedURLs.reg
│ │ ├── UserAssist.reg
│ │ ├── WordWheelQuery.reg
│ │ ├── ComDlg32.reg
│ │ ├── Shellbags_BagMRU.reg
│ │ ├── Shellbags_Bags.reg
│ │ ├── RDP_Servers.reg
│ │ ├── MountPoints2.reg
│ │ ├── MapNetworkDriveMRU.reg
│ │ └── [Other user registry]
│ ├── RecentFiles/ (LNK files)
│ ├── JumpLists/
│ │ ├── AutomaticDestinations/
│ │ └── CustomDestinations/
│ ├── PowerShellHistory/
│ ├── Thumbcache/
│ └── StartupFolder/
├── ExecutionEvidence/
│ ├── Prefetch/ (*.pf files)
│ ├── Amcache/ (Amcache.hve + logs)
│ ├── SRUM/ (SRUDB.dat)
│ ├── BAM/ (Background Activity Moderator)
│ ├── Shimcache/ (AppCompatCache.reg)
│ └── WER/ (Windows Error Reporting)
│ ├── ReportArchive/
│ └── ReportQueue/
├── PersistenceInfo/
│ ├── AutorunRegistry/
│ │ ├── HKLM_Run.reg
│ │ ├── HKLM_RunOnce.reg
│ │ ├── HKLM_Run_Wow64.reg
│ │ ├── HKLM_Winlogon.reg
│ │ ├── HKLM_IFEO.reg
│ │ ├── HKLM_AppInit.reg
│ │ ├── HKLM_LSA.reg
│ │ ├── HKLM_PrintMonitors.reg
│ │ ├── HKLM_BHO.reg
│ │ ├── HKLM_ActiveSetup.reg
│ │ └── [Other autorun keys]
│ ├── ScheduledTasksXML/ (Raw XML task definitions)
│ ├── GlobalStartupFolder/
│ ├── WMISubscriptions/
│ │ ├── EventFilters.txt
│ │ ├── EventConsumers.txt
│ │ └── FilterToConsumer.txt
│ ├── COMObjects/
│ │ ├── InprocServer32_HKCU.txt
│ │ └── LocalServer32_HKCU.txt
│ └── Services/
│ ├── NonStandardServices.txt
│ └── DriverServices.txt
├── BrowserArtifacts/
│ └── <username>/
│ ├── Chrome/ (History, Bookmarks, Login Data, etc.)
│ ├── Chrome_Profile 1/ (Additional Chrome profiles)
│ ├── Edge/ (History, Bookmarks, Login Data, etc.)
│ ├── Firefox_<profile>/ (places.sqlite, logins.json, etc.)
│ └── IE_WebCache/ (WebCacheV*.dat)
├── SecurityInfo/
│ ├── WindowsDefender/
│ │ ├── DefenderStatus.txt
│ │ ├── ThreatHistory.txt
│ │ ├── ExclusionPaths.txt
│ │ ├── Quarantine/
│ │ └── ScanHistory/
│ ├── Certificates/
│ │ ├── RootCerts.txt
│ │ ├── UntrustedCerts.txt
│ │ └── TrustedPublishers.txt
│ ├── GroupPolicy/
│ │ ├── GPResult_Verbose.txt
│ │ ├── GPResult.html
│ │ └── LocalGPO/
│ ├── Credentials/
│ │ ├── CredentialManager.txt
│ │ ├── LSAProtection.txt
│ │ └── CachedLogons.txt
│ ├── AppLocker/
│ │ ├── EffectivePolicy.xml
│ │ └── LocalPolicy.xml
│ ├── RecycleBin/
│ ├── AlternateDataStreams.txt
│ ├── hosts.txt
│ ├── pfirewall.log
│ └── pfirewall.log.old
├── RegistryExports/
│ ├── HKLM_Run.reg
│ ├── HKLM_Services.reg
│ ├── HKLM_USBSTOR.reg
│ ├── HKLM_ProfileList.reg
│ └── [Other registry exports]
├── SecurityPolicy/
│ ├── SecurityPolicy.inf
│ └── AuditPolicy.txt
└── MemoryDumps/ (if -IncludeMemoryDump)
├── MEMORY.DMP
└── *.dmp
The script prioritizes collection of these critical security logs:
Authentication and Access
- Security.evtx (Windows Security log)
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational (session logon/disconnect/reconnect, IDs 21/24/25)
- Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational (inbound RDP connection attempts, ID 1149)
- Microsoft-Windows-NTLM/Operational
System Activity
- System.evtx (Windows System log)
- Application.evtx (Windows Application log)
PowerShell Activity
- Windows PowerShell.evtx
- Microsoft-Windows-PowerShell/Operational (script block events, ID 4104, are complete only where Script Block Logging is enabled by policy; without it only blocks PowerShell itself flags as suspicious are written)
Security Tools
- Microsoft-Windows-Sysmon/Operational (only present where Sysmon is installed)
- Microsoft-Windows-Windows Defender/Operational
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- Microsoft-Windows-AppLocker/EXE and DLL, Microsoft-Windows-AppLocker/MSI and Script
Network and File Activity
- Microsoft-Windows-DNS-Client/Operational
- Microsoft-Windows-SMBClient/Security
- Microsoft-Windows-SMBServer/Security
- Microsoft-Windows-Bits-Client/Operational
Other
- Microsoft-Windows-CAPI2/Operational (certificate operations)
- Microsoft-Windows-PrintService/Operational
- Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
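The following is an added example of a first pass over the collected priority logs on the analysis workstation; it is not part of Collect-SecurityLogs.ps1. It assumes the exported files keep the Windows naming convention in which "/" in a channel name becomes "%4" (for example Microsoft-Windows-PowerShell%4Operational.evtx); the wildcards tolerate other separators. The event IDs and log names are standard Windows ones; the folder path C:\Cases\HOST is a placeholder.

```powershell
# Added example (analysis side, not the collection script's code): summarise
# high-value event IDs across the extracted EventLogs\Priority\*.evtx files.
# Get-WinEvent reports "No events were found" as an error when a filter matches
# nothing, so -ErrorAction SilentlyContinue is deliberate.
$TriageQueries = @(
    @{ File = 'Security.evtx';                 Ids = 4624,4625,4648,4672; What = 'Logons (check LogonType 3/10 and source IPs)' }
    @{ File = 'Security.evtx';                 Ids = 4688;                What = 'Process creation (only if Audit Process Creation is on)' }
    @{ File = 'Security.evtx';                 Ids = 4720,4722,4728,4732; What = 'Account created/enabled, group membership changes' }
    @{ File = 'Security.evtx';                 Ids = 1102;                What = 'Security log cleared' }
    @{ File = 'System.evtx';                   Ids = 7045,7034;           What = 'Service installed / service crashed' }
    @{ File = 'System.evtx';                   Ids = 104;                 What = 'System log cleared' }
    @{ File = '*PowerShell*Operational*.evtx'; Ids = 4104;                What = 'Script block logging' }
    @{ File = '*Sysmon*Operational*.evtx';     Ids = 1,3,11,13;           What = 'Sysmon process / network / file create / registry set' }
    @{ File = '*LocalSessionManager*.evtx';    Ids = 21,24,25;            What = 'RDP session logon / disconnect / reconnect' }
)

function Get-PriorityLogTriage {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $PriorityDir)   # ...\EventLogs\Priority

    foreach ($q in $TriageQueries) {
        $files = Get-ChildItem -Path $PriorityDir -Filter $q.File -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $events = Get-WinEvent -FilterHashtable @{ Path = $f.FullName; Id = $q.Ids } -ErrorAction SilentlyContinue
            $sorted = $events | Sort-Object TimeCreated
            $perId  = $events | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }
            [pscustomobject]@{
                Log     = $f.Name
                Purpose = $q.What
                Total   = @($events).Count
                PerId   = $perId -join ' '
                First   = ($sorted | Select-Object -First 1).TimeCreated
                Last    = ($sorted | Select-Object -Last 1).TimeCreated
            }
        }
    }
}

# Usage after Expand-Archive (placeholder case folder):
# Get-PriorityLogTriage -PriorityDir C:\Cases\HOST\EventLogs\Priority | Format-Table -AutoSize
#
# Then drill into one log, e.g. script blocks that look like download cradles:
# Get-WinEvent -FilterHashtable @{ Path = 'C:\Cases\HOST\EventLogs\Priority\Microsoft-Windows-PowerShell%4Operational.evtx'; Id = 4104 } |
#     Where-Object { $_.Message -match 'DownloadString|IEX|FromBase64String' } |
#     Select-Object TimeCreated, Message
```

Each entry in $TriageQueries re-opens its .evtx, so Security.evtx is read several times; that is fine for a single host but merge the ID lists per file if you run this across a fleet of archives.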
The script enumerates all user profiles on the system and collects these artifacts for each user:
| Artifact | Registry Key / Path | Forensic Value |
|---|---|---|
| RunMRU | HKCU\...\Explorer\RunMRU | Win+R dialog history |
| RecentDocs | HKCU\...\Explorer\RecentDocs | Recently opened files by extension |
| TypedPaths | HKCU\...\Explorer\TypedPaths | Explorer address bar history |
| TypedURLs | HKCU\...\Internet Explorer\TypedURLs | Internet Explorer address bar history |
| UserAssist | HKCU\...\Explorer\UserAssist | Program execution counts and last-run times (value names are ROT13-encoded) |
| WordWheelQuery | HKCU\...\Explorer\WordWheelQuery | Explorer search history |
| ComDlg32 | HKCU\...\Explorer\ComDlg32 | Open/Save dialog history (OpenSavePidlMRU, LastVisitedPidlMRU) |
| Shellbags | HKCU\...\Shell\BagMRU + Bags | Folder access history (on current Windows most Shellbag data lives in UsrClass.dat, not NTUSER.DAT) |
| RDP History | HKCU\...\Terminal Server Client | Remote desktop connections (Servers subkey and Default MRU) |
| MountPoints2 | HKCU\...\Explorer\MountPoints2 | Mounted drive history |
| Map Network Drive MRU | HKCU\...\Explorer\Map Network Drive MRU | Mapped network drives |
| AppCompatFlags | HKCU\...\AppCompatFlags\Layers | Compatibility settings |
| User Run/RunOnce | HKCU\...\Run + RunOnce | Per-user autostart |
| LNK Files | Recent\*.lnk | File/folder shortcut evidence |
| Jump Lists | Recent\AutomaticDestinations + CustomDestinations | Application usage history |
| PowerShell History | PSReadLine\ConsoleHost_history.txt | Interactive console command history (PSReadLine only; commands run from scripts, the ISE or -Command do not appear here) |
| Thumbcache | Explorer\thumbcache_*.db | Thumbnail evidence of viewed files |
- Collected artifacts may contain sensitive information including:
- User credentials and authentication data
- Browser history, bookmarks, and saved passwords
- Network configuration details
- PowerShell command history
- System configuration information
- Process and service details
- Artifact Collection requires administrator privileges to access system logs and files
- Some files may be locked by active processes (an esentutl fallback is attempted)
- Certain logs may not be available depending on system configuration
- NTUSER.DAT hives of users who are not logged on are loaded temporarily for export and unloaded afterwards. Loading a hive is not a read-only operation: if the hive was not cleanly written, Windows replays its transaction logs (NTUSER.DAT.LOG1/LOG2) into it on load, so hash the hive file first if file-level integrity of NTUSER.DAT matters to the case
- Store collected archives in secure locations
- Follow organizational data handling policies
- Consider encryption for archives containing sensitive data
- Maintain chain of custody documentation for forensic investigations
- Use the SHA-256 hash manifest to verify data integrity
Artifact Collection Won't Run
- Verify administrator privileges
- Check PowerShell execution policy
- Ensure .NET Framework 4.5+ is installed
Some Files Not Collected
- Normal behavior for locked files (esentutl fallback attempted)
- Check Windows Event Viewer for access denied errors
- Verify source paths exist on target system
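The following is an added example of how a locked-file copy with an esentutl fallback can be done; it is not the script's own Copy-LockedFile helper and may differ from it. It assumes an elevated session and the esentutl.exe that ships under System32 on Windows 10/11 and Server 2016 and later.

```powershell
# Added example (not Collect-SecurityLogs.ps1's implementation): copy a file
# that a service keeps open, such as SRUDB.dat or Amcache.hve. Copy-Item is
# tried first; on failure esentutl's copy mode (/y) is used with /vss, which
# reads the source from a transient Volume Shadow Copy and therefore succeeds
# even while the file is exclusively locked. /d is the destination, /o hides the banner.
function Copy-LockedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $DestinationDir
    )

    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
        return [pscustomobject]@{ Source = $Source; Status = 'NotFound'; Method = $null; Sha256 = $null }
    }
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    $dest = Join-Path $DestinationDir (Split-Path $Source -Leaf)

    try {
        Copy-Item -LiteralPath $Source -Destination $dest -Force -ErrorAction Stop
        $method = 'Copy-Item'
    }
    catch {
        # Sharing violation (or similar): fall back to esentutl.
        $esentutl = Join-Path $env:SystemRoot 'System32\esentutl.exe'
        $out = & $esentutl /y $Source /vss /d $dest /o 2>&1
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $dest -PathType Leaf)) {
            return [pscustomobject]@{ Source = $Source; Status = "Failed: $($out -join ' ')"; Method = 'esentutl'; Sha256 = $null }
        }
        $method = 'esentutl /vss'
    }

    # Hash immediately so the copy's integrity is pinned at collection time.
    $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    [pscustomobject]@{ Source = $Source; Status = 'OK'; Method = $method; Sha256 = $hash }
}

# Usage (elevated):
# Copy-LockedFile -Source "$env:SystemRoot\System32\sru\SRUDB.dat"          -DestinationDir C:\Collect\SRUM
# Copy-LockedFile -Source "$env:SystemRoot\appcompat\Programs\Amcache.hve" -DestinationDir C:\Collect\Amcache
```

A copy taken from a live system is usually in a dirty state: an ESE database such as SRUDB.dat may need "esentutl /p" on the analysis workstation before a parser will open it, and a registry hive copied this way should be paired with its .LOG1/.LOG2 files so the parser can replay them.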
Large Archive Sizes
- Use the -MaxDays parameter to limit the collection timeframe
- Consider selective collection types for specific investigations
- Monitor available disk space during collection
Memory or Performance Issues
- Run during low-activity periods
- Consider collecting in phases using different CollectionType values
- Increase virtual memory if needed
Registry Hive Load Failures
- Normal for currently logged-in users (their hive is already loaded)
- Script falls back to SID-based access for active sessions
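The following is an added example of the per-user enumeration described in the artifact table above and in the hive-load note; it is not the script's own code. It assumes an elevated session, uses reg.exe load/export/unload, and the key list is a subset of the artifacts the table names.

```powershell
# Added example (not Collect-SecurityLogs.ps1's enumeration code): export
# per-user registry artifacts for every local profile. A logged-on user's
# hive is already mounted under HKU\<SID> and is read in place; any other
# profile's NTUSER.DAT is loaded to a temporary key and unloaded afterwards.
# Loading a hive can modify it (transaction-log replay), so hash NTUSER.DAT
# beforehand if the original file's integrity matters to the case.
$UserKeys = @{
    RunMRU           = 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    RecentDocs       = 'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    TypedPaths       = 'Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    WordWheelQuery   = 'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery'
    UserAssist       = 'Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    TypedURLs        = 'Software\Microsoft\Internet Explorer\TypedURLs'
    RDP_Servers      = 'Software\Microsoft\Terminal Server Client'
    Shellbags_BagMRU = 'Software\Microsoft\Windows\Shell\BagMRU'
}

function Export-UserRegistryArtifacts {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $OutputRoot)

    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($p in Get-ChildItem $profileList) {
        $sid = $p.PSChildName
        if ($sid -notlike 'S-1-5-21-*') { continue }            # skip SYSTEM/service SIDs
        $profilePath = (Get-ItemProperty $p.PSPath).ProfileImagePath
        $user   = Split-Path $profilePath -Leaf
        $outDir = Join-Path $OutputRoot "$user\Registry"
        New-Item -ItemType Directory -Path $outDir -Force | Out-Null

        $loadedHere = $false
        if (Test-Path "Registry::HKEY_USERS\$sid") {
            $hive = "HKU\$sid"                                  # active session: hive already mounted
        } else {
            $ntuser = Join-Path $profilePath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $ntuser)) { continue }
            $hive = "HKU\Collect_$sid"
            $null = & reg.exe load $hive $ntuser 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed for $user"; continue }
            $loadedHere = $true
        }

        try {
            foreach ($name in $UserKeys.Keys) {
                $key = "$hive\$($UserKeys[$name])"
                # reg export writes a UTF-16LE .reg file; a missing key returns non-zero
                $null = & reg.exe export $key (Join-Path $outDir "$name.reg") /y 2>&1
                if ($LASTEXITCODE -ne 0) { Write-Verbose "$user`: $name not present" }
            }
        }
        finally {
            if ($loadedHere) {
                [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop stray key handles before unload
                $null = & reg.exe unload $hive 2>&1
                if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $hive; retry or unload after reboot" }
            }
        }
    }
}

# Export-UserRegistryArtifacts -OutputRoot C:\Collect\UserArtifacts -Verbose
```

Shellbags on current Windows are mostly in each profile's AppData\Local\Microsoft\Windows\UsrClass.dat; load that hive the same way (key Local Settings\Software\Microsoft\Windows\Shell) if folder-access history is central to the case.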
Review the CollectionSummary.txt file first for:
- Collection statistics
- Failed collection attempts
- Recommended analysis starting points
- Extract the archive to an analysis workstation
- Verify file integrity using HashManifest_SHA256.txt
- Review CollectionSummary.txt for a collection overview
- Start with the priority event logs in EventLogs/Priority/
- Focus on Security.evtx, System.evtx, and the PowerShell logs
- Parse Amcache.hve with AmcacheParser for program execution history
- Analyze Prefetch files for execution timestamps and frequency
- Review SRUM database for resource usage patterns
- Check BAM/DAM data for recently executed programs
- Parse Shimcache for historical execution evidence
- Review all AutorunRegistry exports for unauthorized entries
- Examine ScheduledTasksXML for suspicious task definitions
- Check WMI subscriptions for event-based persistence
- Review COM object registrations in HKCU for hijacking
- Inspect user and global startup folders
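The following is an added example of enumerating WMI event subscriptions live and joining filters to consumers, the same data the WMISubscriptions/ output captures; it is not the script's own collection code and its "Suspicious" heuristic is an assumption of this example, not a rule from the page.

```powershell
# Added example (not Collect-SecurityLogs.ps1's code): list permanent WMI
# event subscriptions in root\subscription and resolve each binding to the
# filter query and the consumer action. CommandLineEventConsumer and
# ActiveScriptEventConsumer are the classes used for fileless persistence.
function Get-WmiPersistence {
    [CmdletBinding()]
    param()

    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Binding references come back as CimInstance objects from Get-CimInstance,
    # but as strings like '__EventFilter.Name="foo"' from older WMI cmdlets.
    function Resolve-RefName($ref) {
        if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
        return $ref.Name
    }

    foreach ($b in $bindings) {
        $fName = Resolve-RefName $b.Filter
        $cName = Resolve-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        $class = $c.CimClass.CimClassName

        $action = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            'LogFileEventConsumer'      { "log -> $($c.Filename)" }
            default                     { $class }
        }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $f.Query
            ConsumerClass = $class
            Consumer      = $cName
            Action        = $action
            # Heuristic (this example's assumption): the built-in "SCM Event Log"
            # filter/consumer pair is expected; anything that launches an interpreter is not.
            Suspicious    = [bool]($action -match 'powershell|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|-enc')
        }
    }
}

# Get-WmiPersistence | Format-List
```

When reviewing the collected EventFilters.txt, pay attention to the filter's WQL as much as the consumer: queries on Win32_PerfFormattedData_PerfOS_System uptime, __InstanceModificationEvent timers and Win32_ProcessStartTrace are the usual triggers for malicious subscriptions.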
- Parse RunMRU for manually executed commands
- Review TypedPaths and TypedURLs for navigation history
- Decode UserAssist entries (ROT13) for program execution counts
- Analyze Shellbags for folder access patterns
- Review PowerShell history for command execution
- Parse Jump Lists and LNK files for file access timeline
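The following is an added, analysis-side example of decoding a collected UserAssist.reg export: it ROT13-decodes the value names and reads the run count and last-run time from the binary data. It is not part of the collection script. The 72-byte value layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) is the Windows 7 and later format; the sample .reg text is constructed inside the example.

```powershell
# Added example (not Collect-SecurityLogs.ps1's code): parse a UserAssist.reg
# export. Value names are ROT13-encoded; the {CEBFF5CD-...} Count subkey holds
# executables and {F4E57C4B-...} holds shortcuts.
function ConvertFrom-Rot13 {
    param([string] $Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char](65 + (($c - 65 + 13) % 26)) }
        elseif ($c -ge 97 -and $c -le 122) { [char](97 + (($c - 97 + 13) % 26)) }
        else   { $_ }
    }
    -join $chars
}

function ConvertFrom-UserAssistReg {
    param([Parameter(Mandatory)] [string] $RegText)
    # reg export wraps long hex values with a trailing backslash; rejoin those lines first
    $joined = $RegText -replace '\\\r?\n\s*', ''
    foreach ($line in $joined -split '\r?\n') {
        if ($line -notmatch '^"(?<name>.+)"=hex:(?<hex>[0-9a-fA-F,]+)$') { continue }
        $name  = $Matches.name -replace '\\\\', '\'                 # .reg files escape backslashes
        $bytes = [byte[]]($Matches.hex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
        if ($bytes.Length -lt 68) { continue }                      # not the Win7+ layout
        $ft   = [BitConverter]::ToInt64($bytes, 60)
        $last = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
        [pscustomobject]@{
            Program    = ConvertFrom-Rot13 $name
            RunCount   = [BitConverter]::ToUInt32($bytes, 4)
            FocusCount = [BitConverter]::ToUInt32($bytes, 8)
            FocusMs    = [BitConverter]::ToUInt32($bytes, 12)
            LastRunUtc = $last
        }
    }
}

# --- constructed sample: cmd.exe run 5 times, last on 2024-01-15 12:00:00 UTC ---
$data = New-Object byte[] 72
[BitConverter]::GetBytes([uint32]5).CopyTo($data, 4)
[BitConverter]::GetBytes([uint32]2).CopyTo($data, 8)
[BitConverter]::GetBytes([uint32]1500).CopyTo($data, 12)
[BitConverter]::GetBytes([datetime]::new(2024, 1, 15, 12, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()).CopyTo($data, 60)
$hex     = ($data | ForEach-Object { $_.ToString('x2') }) -join ','
$encName = (ConvertFrom-Rot13 '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe') -replace '\\', '\\'
$sampleReg = @"
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"$encName"=hex:$hex
"@

ConvertFrom-UserAssistReg -RegText $sampleReg | Format-Table -AutoSize
# Real input is UTF-16LE:
# ConvertFrom-UserAssistReg (Get-Content .\UserArtifacts\alice\Registry\UserAssist.reg -Raw -Encoding Unicode)
```

The GUID prefix in the decoded program name is a known-folder ID (here System32), so resolve it before pivoting on the path; and treat a non-zero run count with a zero LastRunUtc as normal for entries migrated from older Windows builds.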
- Open Chrome/Edge History SQLite databases with DB Browser
- Parse Firefox places.sqlite for browsing and download history
- Review bookmarks for indicators of interest
- Check saved credentials databases
- Review active connections and listening ports
- Check hosts file for suspicious redirections
- Analyze DNS cache for resolved domains
- Review proxy settings for unauthorized configuration
- Cross-reference network processes with connection data
- Event Log Analysis: Event Log Explorer, Hayabusa, Chainsaw, EvtxECmd
- Timeline Analysis: Plaso, Volatility, TimeSketch
- Registry Analysis: Registry Explorer, RegRipper, RECmd
- Amcache/Shimcache: AmcacheParser, AppCompatCacheParser (Eric Zimmerman)
- Prefetch: PECmd (Eric Zimmerman), WinPrefetchView
- SRUM: SrumECmd (Eric Zimmerman), NetworkUsageView
- Browser: DB Browser for SQLite, Hindsight (Chrome), ESSE (Edge)
- Jump Lists/LNK: JLECmd, LECmd (Eric Zimmerman)
- Network Analysis: Wireshark, NetworkMiner
- General Analysis: AXIOM, EnCase, X-Ways Forensics
- Ensure proper authorization before running on any system
- Follow organizational incident response procedures
- Maintain documentation of collection activities
- Collection may include personally identifiable information (PII)
- Browser artifacts may contain browsing history and saved passwords
- Follow applicable privacy laws and regulations
- Implement appropriate data protection measures
- Document who collected the data and when
- Maintain integrity of collected artifacts
- Use the SHA-256 hash manifest (HashManifest_SHA256.txt) to verify data integrity
- Store archives with appropriate access controls
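The following is an added example of verifying an extracted archive against its manifest, serving both the analysis-workflow step and the chain-of-custody point above; it is not part of Collect-SecurityLogs.ps1. It assumes the manifest is one line per file in sha256sum style ("<hex digest>  <path relative to the archive root>"); if the script writes a different layout, adjust the regular expression.

```powershell
# Added example (not the collection script's code): check every file in an
# extracted archive against HashManifest_SHA256.txt, and report files present
# on disk that the manifest never hashed (they carry no integrity claim).
function Test-HashManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [string] $Root        # folder the ZIP was extracted to
    )

    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    # ASSUMPTION: "<64 hex chars>  <relative path>" per line, optional '*' before the path
    $pattern  = '^(?<hash>[0-9a-fA-F]{64})\s+\*?(?<path>.+?)\s*$'

    $results = foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        if ($line -notmatch $pattern) { continue }           # skip headers / blank lines
        $expected = $Matches.hash.ToLowerInvariant()
        $relative = $Matches.path -replace '/', '\'
        $full     = Join-Path $rootFull $relative

        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            [pscustomobject]@{ Path = $relative; Status = 'Missing'; Expected = $expected; Actual = $null }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path     = $relative
            Status   = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
            Expected = $expected
            Actual   = $actual
        }
    }

    $listed = @($results | ForEach-Object { $_.Path.ToLowerInvariant() })
    $manifestName = Split-Path $ManifestPath -Leaf
    Get-ChildItem -LiteralPath $rootFull -Recurse -File |
        Where-Object { $_.Name -ne $manifestName } |
        ForEach-Object {
            $rel = $_.FullName.Substring($rootFull.Length + 1)
            if ($listed -notcontains $rel.ToLowerInvariant()) {
                [pscustomobject]@{ Path = $rel; Status = 'Unlisted'; Expected = $null; Actual = $null }
            }
        }
    $results
}

# Usage: hash the ZIP itself first and record that value in the custody log,
# then extract and verify (archive name is a placeholder).
# (Get-FileHash .\SecurityArtifacts_HOST_20240101_120000.zip -Algorithm SHA256).Hash
# Expand-Archive .\SecurityArtifacts_HOST_20240101_120000.zip -DestinationPath C:\Cases\HOST
# Test-HashManifest -ManifestPath C:\Cases\HOST\HashManifest_SHA256.txt -Root C:\Cases\HOST |
#     Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

The manifest only proves that files were not altered after the script hashed them; it says nothing about tampering on the host before collection, which is why the archive's own hash, recorded at hand-off, is the value that anchors the custody chain.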
- Added comprehensive per-user artifact collection (RunMRU, RecentDocs, TypedPaths, TypedURLs, UserAssist, WordWheelQuery, ComDlg32, Shellbags, RDP history, MountPoints2, Jump Lists, PowerShell history, thumbcache)
- Added execution evidence collection (Amcache, SRUM, BAM/DAM, Shimcache, Prefetch, WER, RecentFileCache)
- Added persistence mechanism collection (all autorun registry keys, scheduled task XMLs, WMI subscriptions, COM hijacks, IFEO, Winlogon, LSA, BHOs, print monitors, ActiveSetup, KnownDLLs)
- Added browser artifact collection (Chrome, Edge, Firefox, IE per user profile)
- Added security artifact collection (Defender status/quarantine/exclusions/ASR, certificates, GPO results, credential vault, LSA protection, AppLocker, alternate data streams, Recycle Bin, firewall logs)
- Added locked file handling via esentutl fallback
- Added SHA-256 hash manifest for integrity verification
- Expanded SystemInfo with drivers, USB history, BITS, volume shadow copies, BitLocker, TPM, disk info, x86 software
- Expanded NetworkInfo with hosts file, proxy settings, listening ports, UDP endpoints, firewall profiles, DNS client config, IPSec, WLAN history
- Expanded ProcessInfo with named pipes and handle counts
- Added user profile enumeration with NTUSER.DAT loading for offline users
- Replaced Invoke-Expression with script blocks
- Replaced Get-WmiObject with Get-CimInstance (PowerShell 7 compatible)
- Replaced Win32_Product with registry-based software inventory
- Added helper function infrastructure (Invoke-CommandCollection, Copy-LockedFile, New-DirectorySafe)
- Implemented MaxDays date filtering across all collection functions
- Implemented IncludeMemoryDump parameter
- Added comprehensive security artifact collection
- Implemented priority event log categorization
- Added network and process information collection
- Improved error handling and progress reporting
- Added analysis guidance and documentation
- Basic event log collection functionality
- Simple ZIP archive creation
- Administrator privilege checking
Artifact Collection is provided as-is for security analysis purposes. Users are responsible for:
- Testing in their environment before production use
- Ensuring compliance with organizational policies
- Validating collected data for their specific use cases
For questions or improvements, consult with your security team or forensic analysts.
Artifact Collection is designed for legitimate security analysis and incident response activities. Users must ensure they have proper authorization before collecting data from any system. The authors are not responsible for misuse of this tool or any data collected using it.