=========================================
TRIAGEX v4.0 - Advanced Forensic
Triage | Run as Administrator
=========================================
TriageX is a single-file, zero-dependency PowerShell forensic triage tool for Windows. In one run it collects artifacts from across the entire system — USB history, RDP connections, browser intelligence, keyword search across all file types (including Bengali/Unicode PDFs), deleted files, user profiling, and more — and produces a rich interactive HTML report.
Legal Notice: Only use on systems you own or have explicit written authorization to investigate. Unauthorized use may violate applicable law.
- Features at a Glance
- Quick Start
- Full Usage
- Parameters
- Modules
- Keyword Search Deep Dive
- User Profiling
- HTML Report
- Output Structure
- Requirements
- How It Works — Technical Details
- FAQ
- Changelog
- License
| Feature | Details |
|---|---|
| Keyword Search | File names, folder names, content inside PDF, DOCX, XLSX, PPTX, text, images (OCR) across all drives |
| Multi-language | English, Bengali, Arabic, Hindi — fully Unicode-aware |
| USB History | All drives ever connected, FILETIME-decoded timestamps, SetupAPI log, plug/unplug events |
| RDP History | Outbound MRU + inbound event log (4624 LogonType 10), bitmap cache evidence |
| Browser Intelligence | Chrome, Edge, Firefox, IE — URLs, top domains, direct IP visits, extracted search queries |
| Network Forensics | TCP connections (with process name), ARP, DNS, Wi-Fi passwords + security type, shares, hosts |
| Deleted Files | Recycle Bin $I metadata parser: original path, delete timestamp, size, recovery status |
| Uninstalled Apps | Windows Installer event log + MUI Cache (every .exe ever launched) |
| User Profiling | Scores 10 profiles (Accountant, Developer, Hacker, Spy...) with bar chart and evidence list |
| Event Logs | Logon/logoff, account changes, process creation, PowerShell blocks, startup/shutdown/crash |
| Timing | Per-module start/end/duration, files/sec rate, total run time |
| HTML Report | Dark-themed, sticky nav, live per-table filter, sortable columns, CSV exports |
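The Deleted Files row above names a Recycle Bin `$I` metadata parser that recovers original path, delete timestamp, size and recovery status, and the USB row relies on the same FILETIME decoding. The block below is an added example, not TriageX's own code: a parser for the `$I` record format (version 2 on Windows 10/11, version 1 on Vista through 8.1) that decodes the FILETIME with `[DateTime]::FromFileTimeUtc` and checks whether the matching `$R` content file still exists. It runs offline on a constructed record; the live-host command in the trailing comment assumes Administrator rights to read other users' bins.

```powershell
# Added example (not TriageX's own code): parse Recycle Bin $I metadata records.
# Version 2 layout (Windows 10/11): 8-byte version, 8-byte original size, 8-byte deletion FILETIME,
# 4-byte path length in UTF-16 chars (incl. NUL), UTF-16LE path.
# Version 1 (Vista to 8.1) has no length field; the path is a fixed 520-byte UTF-16LE buffer.

function ConvertFrom-RecycleBinIndex {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$SourceFile = ''          # full path of the $I file when read from disk
    )
    if ($Bytes.Length -lt 24) { throw "`$I record too short ($($Bytes.Length) bytes)" }
    $version  = [BitConverter]::ToInt64($Bytes, 0)
    $size     = [BitConverter]::ToInt64($Bytes, 8)
    $fileTime = [BitConverter]::ToInt64($Bytes, 16)   # FILETIME: 100 ns ticks since 1601-01-01 UTC

    switch ($version) {
        2 {
            $chars = [BitConverter]::ToInt32($Bytes, 24)
            $count = [Math]::Min($chars * 2, $Bytes.Length - 28)
            $path  = [Text.Encoding]::Unicode.GetString($Bytes, 28, $count)
        }
        1 {
            $count = [Math]::Min(520, $Bytes.Length - 24)
            $path  = [Text.Encoding]::Unicode.GetString($Bytes, 24, $count)
        }
        default { throw "Unknown `$I record version $version" }
    }
    $path = $path.TrimEnd([char]0)

    # The deleted content lives in the sibling $R file; if that is gone the entry is metadata only.
    $recoverable = $null
    if ($SourceFile) {
        $rFile = Join-Path (Split-Path $SourceFile -Parent) ('$R' + (Split-Path $SourceFile -Leaf).Substring(2))
        $recoverable = Test-Path -LiteralPath $rFile
    }

    [pscustomobject]@{
        OriginalPath = $path
        SizeBytes    = $size
        DeletedUtc   = [DateTime]::FromFileTimeUtc($fileTime)
        Recoverable  = $recoverable
        Source       = $SourceFile
    }
}

function New-SampleRecycleBinIndex {
    # Constructed version-2 record for the offline demo (not captured from a real system).
    $path      = 'C:\Users\demo\Documents\Ledger Book.xlsx'
    $deletedAt = [DateTime]::new(2026, 1, 15, 9, 30, 0, [DateTimeKind]::Utc)
    $pathBytes = [Text.Encoding]::Unicode.GetBytes($path + [char]0)
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([long]2)                                  # version
    $w.Write([long]48231)                              # original size in bytes
    $w.Write([long]$deletedAt.ToFileTimeUtc())         # deletion FILETIME
    $w.Write([int]($pathBytes.Length / 2))             # path length in chars incl. NUL
    $w.Write($pathBytes)
    $w.Flush()
    ,$ms.ToArray()
}

# Offline demo on the constructed record:
ConvertFrom-RecycleBinIndex -Bytes (New-SampleRecycleBinIndex) | Format-List

# Live system (Administrator needed for other users' bins; $Recycle.Bin is hidden, hence -Force):
# Get-ChildItem 'C:\$Recycle.Bin' -Recurse -Force -File -Filter '$I*' | ForEach-Object {
#     ConvertFrom-RecycleBinIndex -Bytes ([IO.File]::ReadAllBytes($_.FullName)) -SourceFile $_.FullName
# }
```

Parsing the record length defensively matters in practice: a truncated or hand-edited `$I` file would otherwise throw inside `GetString` and abort the whole module, so the byte counts are clamped to what is actually present and an unknown version is reported rather than silently misread.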
Step 1 — Open PowerShell as Administrator
- Press Win+X → select Windows PowerShell (Admin) or Terminal (Admin)

Step 2 — Navigate to the script

```powershell
cd C:\Users\YourName\Downloads
```

Step 3 — Allow execution (one-time)

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
```

Step 4 — Run

```powershell
.\TriageX.ps1
```

The interactive setup will ask you:
- Output folder name (press Enter for the automatic TriageX_YYYYMMDD_HHMMSS)
- Keywords to search (comma-separated, or Enter to skip)
- Which drives to search (1, 2, 1,2, or A for all)
- Which modules to run (A for full triage)

When done, the HTML report opens automatically in your browser.
Interactive mode:

```powershell
.\TriageX.ps1
```

Skips all prompts, runs all modules, uses all drives:

```powershell
.\TriageX.ps1 -Silent -Keywords "invoice,password,Leger Book"
```

More examples:

```powershell
# Limit the search to specific drives
.\TriageX.ps1 -Keywords "Ophthalmology,Monthly Report" -SearchDrives "C:\","D:\"
# Custom output folder
.\TriageX.ps1 -OutputDir "E:\Cases\Case_2026_001"
# Skip OCR and cap content reads at 10 MB
.\TriageX.ps1 -Keywords "secret" -SkipOCR -MaxFileSizeMB 10
# Exclude additional path fragments
.\TriageX.ps1 -Keywords "report" -ExtraPaths '\Steam\','\.git\','\node_modules\'
# Unicode (Bengali) keywords
.\TriageX.ps1 -Keywords "ঈশ্বরদী,অপটিক"
```

| Parameter | Type | Default | Description |
|---|---|---|---|
| -Keywords | String | "" | Comma-separated search keywords. Prompted interactively if blank. |
| -OutputDir | String | Desktop\TriageX_YYYYMMDD_HHMMSS | Custom output folder path. |
| -Silent | Switch | $false | Non-interactive mode. Runs all modules with no prompts. |
| -SkipOCR | Switch | $false | Skip Windows OCR on images. Speeds up the scan significantly. |
| -SkipOffice | Switch | $false | Skip content extraction from DOCX/XLSX/PPTX files. |
| -MaxFileSizeMB | Int | 50 | Maximum file size (MB) to read content from. |
| -SearchDrives | String[] | Auto-detect | Drives to search, e.g. @('C:\','D:\'). Overrides interactive selection. |
| -ExtraPaths | String[] | @() | Path fragments to exclude from search (in addition to TriageX output folders). |
| Key | Module | Description |
|---|---|---|
| 1 | System Info & Users | OS, hardware, BIOS serial, RAM, CPU, local accounts, user profiles |
| 2 | Keyword Search | Full-drive search: file names, folder names, file content (PDF/DOCX/XLSX/PPTX/OCR) |
| 3 | USB / Pendrive | Registry USBSTOR (all ControlSets), FILETIME timestamps, SetupAPI log, event log |
| 4 | Remote Desktop (RDP) | Outbound MRU registry, inbound Security log events, TerminalServices log |
| 5 | Browser History | Chrome/Edge/Firefox/IE URLs, top domains, direct IPs, extracted search queries |
| 6 | Network Artifacts | TCP connections, ARP, DNS, Wi-Fi (SSID+password+security), SMB shares, hosts file |
| 7 | Recent Activity | LNK shortcuts, Prefetch, RunMRU, TypedPaths, Jump Lists |
| 8 | Processes & Software | Running processes (SHA256), scheduled tasks, startup items, software, uninstalled apps, Recycle Bin |
| 9 | Event Log Analysis | Logon/logoff, failed logins, process creation, PowerShell blocks, startup/shutdown, app errors |
| A | Full Triage | All modules above + User Profiling |
| R | Generate Report | Build HTML report from whatever has been collected so far |
| Q | Quit | Exit without generating report |
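The inbound RDP evidence that module 4 and module 9 describe comes from Security event 4624 with LogonType 10 (RemoteInteractive). The following is an added example, not TriageX's own code: a parser that flattens a 4624 event's XML into one record and a filter that keeps only the RemoteInteractive logons. It runs offline on two constructed events embedded below; the live-host command in the trailing comment assumes the Security log is readable (Administrator) and that logon auditing is enabled.

```powershell
# Added example (not TriageX's own code): inbound RDP logons from Security 4624 / LogonType 10.

function ConvertFrom-LogonEventXml {
    # Flattens the <EventData> of a 4624 event into one object. Each <Data> element carries a
    # Name attribute, so it is an XmlElement and .InnerText is safe (unlike the '#text' shortcut
    # on attribute-less text nodes, which PowerShell collapses to a plain string).
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }   # <EventID Qualifiers=...> form
    [pscustomobject]@{
        TimeCreated  = [DateTimeOffset]::Parse($EventXml.Event.System.TimeCreated.SystemTime).UtcDateTime
        EventId      = [int]$id
        LogonType    = [int]$data['LogonType']
        User         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp     = $data['IpAddress']
        Workstation  = $data['WorkstationName']
        LogonProcess = $data['LogonProcessName']
    }
}

function Select-RdpLogon {
    # Keeps only successful RemoteInteractive logons (LogonType 10); everything else is dropped.
    param([Parameter(ValueFromPipeline, Mandatory)][xml]$EventXml)
    process {
        $e = ConvertFrom-LogonEventXml -EventXml $EventXml
        if ($e.EventId -eq 4624 -and $e.LogonType -eq 10) { $e }
    }
}

# Constructed sample events (not captured from a real host): one RDP logon, one console logon.
$rdpEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2026-01-15T09:31:02.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WORKSTATION01</Data>
    <Data Name="LogonType">10</Data><Data Name="LogonProcessName">User32 </Data>
    <Data Name="WorkstationName">LAPTOP-REMOTE</Data><Data Name="IpAddress">192.0.2.44</Data>
  </EventData>
</Event>
'@
$consoleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2026-01-15T08:05:10.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WORKSTATION01</Data>
    <Data Name="LogonType">2</Data><Data Name="LogonProcessName">User32 </Data>
    <Data Name="WorkstationName">WORKSTATION01</Data><Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@

# Only the LogonType 10 event survives the filter.
@($rdpEvent, $consoleEvent) | ForEach-Object { [xml]$_ } | Select-RdpLogon |
    Format-Table TimeCreated, User, SourceIp, Workstation, LogonProcess

# Live host (Administrator; 4624 is only written when Logon auditing is enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { [xml]$_.ToXml() } | Select-RdpLogon
```

When reviewing the output, treat an IpAddress of `-`, `127.0.0.1` or `::1` with LogonType 10 as a local RDP loopback rather than an inbound session, and pair each hit with the TerminalServices log entries the module also collects before concluding a remote operator was present.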
| Extension | Extraction Method |
|---|---|
| .txt .log .csv .xml .json .ini .bat .ps1 .py .sql .md .rtf | Direct read with BOM detection (UTF-8, UTF-16LE/BE, Windows-1252) |
| .docx .odt | ZIP + `<w:t>` regex with paragraph/cell-break spacing |
| .xlsx .ods | ZIP + `<t>` regex on sharedStrings.xml (all cells, including plain text nodes) |
| .pptx .odp | ZIP + `<a:t>` regex on all slide XML files + notes |
| .pdf | FlateDecode decompression + ToUnicode CMap + camelCase split + de-kerning |
| .png .jpg .jpeg .bmp .tiff .gif | Windows built-in OCR API (no Tesseract needed) |
```text
PDF file
├─ Read ALL streams (compressed + uncompressed)
├─ Decompress FlateDecode (zlib) streams
├─ Parse ToUnicode CMap tables (from any stream type)
├─ Decode hex glyph IDs → Unicode characters
├─ Extract literal (parenthesis) strings from TJ/Tj operators
├─ Pre-normalize: collapse double spaces
├─ CamelCase split: "MonthlyReport" → "Monthly Report"
│                   "31Dec2023" → "31 Dec 2023"
│                   "1991pcs" → "1991 pcs"
├─ De-kern: "M i s w a k" → "Miswak"
└─ Return 3 variants (raw + camelSplit + dekerned)
   → All three are searched, so every possible form matches
```
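The normalization tail of that pipeline (pre-normalize, camelCase split, de-kern, three variants) is the part that decides whether a keyword matches once the text has been pulled out of the streams. The block below is an added example, not TriageX's own code: it implements those three steps on a constructed string and reports which variant a keyword hit, so the behaviour can be checked without a PDF at hand. The regex heuristics are assumptions of this example, not the tool's exact expressions.

```powershell
# Added example (not TriageX's own code): the camelCase-split / de-kern stage of PDF text search.

function Split-CamelCase {
    # "MonthlyReport" -> "Monthly Report", "31Dec2023" -> "31 Dec 2023", "1991pcs" -> "1991 pcs"
    param([string]$Text)
    $t = $Text -replace '(?<=\p{Ll})(?=\p{Lu})', ' '   # lower-case letter followed by upper-case
    $t = $t    -replace '(?<=\d)(?=\p{L})', ' '         # digit followed by letter
    $t = $t    -replace '(?<=\p{L})(?=\d)', ' '         # letter followed by digit
    return $t
}

function Remove-Kerning {
    # Joins runs of single letters separated by single spaces: "M i s w a k" -> "Miswak".
    # Only a space flanked on both sides by a one-letter word is removed, so ordinary words survive;
    # genuine one-letter words ("I a m") are the known false positive of this heuristic.
    param([string]$Text)
    return ($Text -replace '(?<=\b\p{L}) (?=\p{L}\b)', '')
}

function Get-PdfTextVariants {
    # Returns the three variants that are all searched; a hit in any one of them counts.
    param([string]$Raw)
    $normalized = ($Raw -replace '  +', ' ').Trim()     # pre-normalize: collapse double spaces
    $camel      = Split-CamelCase $normalized
    [pscustomobject]@{
        Raw        = $normalized
        CamelSplit = $camel
        Dekerned   = Remove-Kerning $camel
    }
}

function Test-PdfKeyword {
    # Ordinal, case-insensitive match against every variant; returns the variant name that hit, or $null.
    param([string]$Raw, [string]$Keyword)
    $v = Get-PdfTextVariants $Raw
    foreach ($name in 'Raw', 'CamelSplit', 'Dekerned') {
        if ($v.$name.IndexOf($Keyword, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $name }
    }
    return $null
}

# Constructed sample mimicking strings recovered from TJ/Tj operators (not from a real PDF):
$sample = 'MonthlyReport  31Dec2023 M i s w a k 1991pcs'
Get-PdfTextVariants $sample | Format-List
Test-PdfKeyword -Raw $sample -Keyword 'Monthly Report'
Test-PdfKeyword -Raw $sample -Keyword 'Miswak'
```

If you reimplement the decompression step in front of this, note that .NET's `System.IO.Compression.DeflateStream` expects raw deflate data, while a PDF FlateDecode stream is zlib-wrapped: skip the two-byte zlib header before inflating, or the stream will fail to decode and the page will appear to contain no text.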
The standard PowerShell XML DOM approach reads `<t>` elements via `$si.t.'#text'`. This works for `<t xml:space="preserve">` nodes but silently returns `$null` for plain `<t>text</t>` nodes (PowerShell collapses an attribute-less, text-only element to a plain string, which has no `#text` property), and those are the majority of cells. TriageX uses direct ZIP + regex extraction instead:

```text
<t xml:space="preserve">Department of Public Health Ophthalmology</t>
→ regex '<t(?:[^>]*)>([^<]+)</t>' → "Department of Public Health Ophthalmology" ✓
```

Microsoft Word stores table cell contents as separate XML elements. "Cognyte" in one cell and "provides advanced" in the next would produce:

```xml
<w:tc>...<w:t>Cognyte</w:t>...</w:tc>
<w:tc>...<w:t>provides</w:t><w:t> advanced</w:t>...</w:tc>
```

TriageX inserts a space at `</w:p>`, `</w:tc>`, `</w:tr>` before extraction, then normalizes all whitespace, so "Cognyteprovides" correctly becomes "Cognyte provides" and the phrase matches.

All matching uses `.IndexOf(keyword, OrdinalIgnoreCase)`, a Unicode-aware .NET method that handles Bengali, Arabic, Hindi, and all Unicode scripts correctly without requiring regex escaping.
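The XLSX `#text` pitfall, the DOCX cell-boundary spacing and the `IndexOf(OrdinalIgnoreCase)` matching described above fit together in one small extractor. The block below is an added example, not TriageX's own code: it reads `xl/sharedStrings.xml` or `word/document.xml` straight out of the OOXML ZIP, applies the regex extraction, and returns keyword hits with a context snippet. The `Get-*Text` wrappers take a real file path (hypothetical paths in the comments); the demo at the bottom runs the same regex functions on constructed XML fragments so it works offline.

```powershell
# Added example (not TriageX's own code): ZIP + regex OOXML text extraction and Unicode keyword matching.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipEntryText {
    # Returns one entry of a ZIP container (OOXML files are ZIPs) as a UTF-8 string, or $null if absent.
    param([string]$Path, [string]$EntryName)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry($EntryName)
        if ($null -eq $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open(), [System.Text.Encoding]::UTF8)
        try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function ConvertFrom-SharedStringsXml {
    # XLSX: every <t> in sharedStrings.xml, with or without xml:space="preserve".
    # A DOM walk via $si.t.'#text' returns $null for plain <t>text</t> nodes; the regex does not.
    param([string]$Xml)
    $parts = [regex]::Matches($Xml, '<t(?:[^>]*)>([^<]+)</t>') |
        ForEach-Object { [System.Net.WebUtility]::HtmlDecode($_.Groups[1].Value) }   # &amp; -> &
    return (($parts -join ' ') -replace '\s+', ' ').Trim()
}

function ConvertFrom-WordXml {
    # DOCX: concatenate <w:t> runs, emitting a space at paragraph/cell/row boundaries so text from
    # adjacent table cells does not fuse ("Cognyte" | "provides" -> "Cognyte provides").
    param([string]$Xml)
    $sb = New-Object System.Text.StringBuilder
    foreach ($m in [regex]::Matches($Xml, '<w:t(?:\s[^>]*)?>([^<]*)</w:t>|</w:(?:p|tc|tr)>')) {
        if ($m.Groups[1].Success) { [void]$sb.Append([System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value)) }
        else                      { [void]$sb.Append(' ') }
    }
    return ($sb.ToString() -replace '\s+', ' ').Trim()
}

function Get-XlsxText { param([string]$Path); ConvertFrom-SharedStringsXml (Get-ZipEntryText $Path 'xl/sharedStrings.xml') }
function Get-DocxText { param([string]$Path); ConvertFrom-WordXml (Get-ZipEntryText $Path 'word/document.xml') }

function Find-Keyword {
    # Ordinal, case-insensitive substring search: no regex escaping of the keyword, and the same
    # code path for Bengali, Arabic or Hindi as for Latin text. Emits one hit per keyword with context.
    param([string]$Text, [string[]]$Keywords, [string]$Source = '<constructed>')
    foreach ($kw in $Keywords) {
        $i = $Text.IndexOf($kw, [System.StringComparison]::OrdinalIgnoreCase)
        if ($i -lt 0) { continue }
        $start = [Math]::Max(0, $i - 40)
        $len   = [Math]::Min($Text.Length - $start, $kw.Length + 80)
        [pscustomobject]@{ Source = $Source; Keyword = $kw; Offset = $i; Context = $Text.Substring($start, $len) }
    }
}

# Constructed fragments reproducing the two cases from the text (not real document content):
$wordXml   = '<w:tbl><w:tr><w:tc><w:p><w:r><w:t>Cognyte</w:t></w:r></w:p></w:tc>' +
             '<w:tc><w:p><w:r><w:t>provides</w:t></w:r><w:r><w:t xml:space="preserve"> advanced</w:t></w:r></w:p></w:tc></w:tr></w:tbl>'
$sharedXml = '<sst><si><t>Department of Public Health Ophthalmology</t></si><si><t xml:space="preserve">ঈশ্বরদী</t></si></sst>'

Find-Keyword -Text (ConvertFrom-WordXml $wordXml)          -Keywords 'Cognyte provides'          -Source 'sample.docx'
Find-Keyword -Text (ConvertFrom-SharedStringsXml $sharedXml) -Keywords 'ophthalmology', 'ঈশ্বরদী' -Source 'sample.xlsx'

# Real files (hypothetical paths):
# Find-Keyword -Text (Get-DocxText 'C:\Cases\sample.docx') -Keywords 'Ledger' -Source 'sample.docx'
```

One caveat worth knowing when Bengali or Arabic hits are missing: `OrdinalIgnoreCase` compares code points, so a keyword typed in a different Unicode normalization form than the document (composed versus decomposed vowel signs, or a stray zero-width joiner) will not match even though it looks identical. Normalizing both the extracted text and the keyword with `.Normalize([System.Text.NormalizationForm]::FormC)` before calling `IndexOf` removes that class of miss.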
TriageX automatically scores the system across 10 categories:
| Profile | Key Indicators |
|---|---|
| Accountant | Tally, QuickBooks, Xero, accounting sites, .xlsx recent files |
| Developer | IDEs (VS Code, PyCharm), GitHub in history, dev file types |
| IT Professional | VMware, PuTTY, WinSCP, admin tools, internal network connections |
| Student | MATLAB, Jupyter, .edu domains, academic software |
| Gamer | Steam, Epic Games, Twitch, gaming launchers in prefetch |
| Designer | Photoshop, Figma, Behance/Dribbble in history |
| Business Executive | Teams, Zoom, Salesforce, LinkedIn |
| Cyber Criminal | Wireshark, Nmap, Metasploit, exploit-db in history |
| Spy / Covert | Tor Browser, ProtonVPN, Mullvad, unusual-hours logons |
| General User | Default baseline |
Scoring sources: installed software, prefetch (executed programs), browser history, running processes, recent file types, logon timestamps, network connections.
The HTML report shows a color-coded bar chart, evidence list (every scoring factor found), and top browser domains chart.
The output is a single self-contained HTML file with no external dependencies:
- Dark forensic theme (cyan/orange/green accent palette)
- Sticky navigation bar — instant jump to any section
- Live filter box on every table — type to filter instantly
- Sortable columns — click any header
- User Profile dashboard — bar chart + evidence + top domains
- Search summary — files scanned, drives, duration, hit count
- Timing table — every module's start/end/duration
- All data also saved as individual CSV files for import into other tools
| Section | Contents |
|---|---|
| Overview | Statistics cards (hits, USB count, RDP records, processes, etc.) |
| User Profile | AI profiling: bar chart of 10 categories + evidence + domain chart |
| Keyword Hits | Every match: keyword, hit type, file name, full path, context snippet |
| System Info | OS, hardware, BIOS serial, CPU, RAM, install date, last boot |
| Users | Local accounts, last logon, profiles |
| USB / Pendrive | Devices (decoded timestamps) + plug/unplug events + SetupAPI log + LNK shortcuts |
| RDP | Registry connections + event log logons |
| Browser History | Full URL table |
| Searches & IPs | Extracted search queries + top domains chart + direct IP visits |
| Network | TCP connections, ARP, DNS, Wi-Fi (with passwords), shares, hosts file |
| Recent Activity | LNK files, Prefetch, RunMRU, Explorer address bar |
| Processes & Tasks | Running processes (SHA256), scheduled tasks, startup registry items, software |
| Uninstalled Apps | Event log uninstalls + MUI Cache executables |
| Deleted Data | Recycle Bin contents + file deletion audit events |
| Event Logs | Logon/logoff, account events, process creation, PowerShell blocks, system events |
| Timing | Per-module collection times and durations |
```text
[OutputFolder]\
├── TriageX_Report.html        ← Open this in any browser
│
├── Artifacts\
│   ├── recent_files.csv
│   ├── prefetch.csv
│   └── run_mru.csv
│
├── BrowserHistory\
│   ├── all_browser_urls.csv
│   ├── top_domains.csv
│   ├── top_ips_visited.csv
│   └── search_queries.csv
│
├── KeywordHits\
│   └── keyword_hits.csv
│
├── Network\
│   ├── active_connections.csv
│   ├── arp_cache.csv
│   ├── dns_cache.csv
│   ├── wifi_profiles.csv
│   └── hosts_file.txt
│
├── RDP\
│   ├── rdp_connections.csv
│   └── rdp_logon_events.csv
│
├── System\
│   ├── running_processes.csv
│   ├── scheduled_tasks.csv
│   ├── startup_items.csv
│   ├── installed_software.csv
│   ├── services.csv
│   ├── uninstalled_apps.csv
│   ├── mui_cache_apps.csv
│   ├── recycle_bin.csv
│   ├── deleted_events.csv
│   ├── logon_events.csv
│   ├── process_creation.csv
│   └── system_events.csv
│
├── USB\
│   ├── usb_devices.csv
│   ├── usb_events.csv
│   ├── usb_setupapi.csv
│   └── usb_lnk_files.csv
│
└── Users\
    ├── local_users.csv
    └── user_profiles.csv
```
| Requirement | Notes |
|---|---|
| Windows 10 / 11 / Server 2016+ | Required |
| PowerShell 5.1+ | Pre-installed on all modern Windows. Check: $PSVersionTable.PSVersion |
| Administrator privileges | Required for Security event log, SYSTEM registry, Prefetch, device info |
| No external dependencies | Pure PowerShell — nothing to install |
| pdftotext (optional) | If Xpdf/Poppler is in PATH, it is used as the primary PDF extractor (faster for large PDFs) |
| Windows OCR API | Built into Windows — used automatically for image search |
TriageX is a single .ps1 file organized into:
```text
Initialize-TriageX   → Interactive setup (folder, keywords, drives)
Module Functions     → 9 independent collection modules
Get-UserProfile      → Profiling engine (runs after module data is collected)
New-HTMLReport       → Report generator (builds HTML from collected data)
Invoke-TriageX       → Main entry point (menu loop)
```
All data is stored in $script:Report (ordered hashtable) during collection, then rendered into HTML at the end. This allows running individual modules and generating a partial report at any time.
```text
Run TriageX
  ↓ Initialize: folder, keywords, drives
  ↓ Collect:    each module stores to $script:Report[]
  ↓ Profile:    score user based on collected data
  ↓ Report:     render HTML from $script:Report[]
  ↓ Output:     HTML + CSV files written to disk
```
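The collect-then-render design (modules write into one `$script:Report` table, the report is built from it later) is what makes partial runs and the per-module timing table possible. The following is an added example, not TriageX's own code: a minimal module runner that records start/end/duration and record count for each module into `$script:Report`, isolates a failing module so the rest of the run continues, and then renders the timing view. The sample module parses a constructed hosts-file string so the block runs offline; the module and key names are this example's own.

```powershell
# Added example (not TriageX's own code): module runner with timing, error isolation and a report table.

$script:Report = [ordered]@{}   # module name -> collected rows + timing, rendered at the end

function Invoke-TriageModule {
    # Runs one collector, stores its rows and timing under $script:Report[$Name].
    # An exception inside a module is recorded, not propagated, so one failure cannot abort the triage.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][scriptblock]$Collector)
    $start = Get-Date
    try {
        $rows    = @(& $Collector)
        $failure = $null
    } catch {
        $rows    = @()
        $failure = $_.Exception.Message
    }
    $end = Get-Date
    $script:Report[$Name] = [ordered]@{
        Rows     = $rows
        Records  = $rows.Count
        Start    = $start
        End      = $end
        Duration = $end - $start
        Error    = $failure
    }
    $status = if ($failure) { " (FAILED: $failure)" } else { '' }
    Write-Host ('[{0}] {1} records in {2:N2}s{3}' -f $Name, $rows.Count, ($end - $start).TotalSeconds, $status)
}

function ConvertFrom-HostsText {
    # Sample module body: hosts-file lines -> one record per IP/hostname pair, comments and blanks skipped.
    param([string]$Text)
    foreach ($line in $Text -split '\r?\n') {
        $clean = ($line -replace '#.*$', '').Trim()
        if (-not $clean) { continue }
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ IP = $fields[0]; Hostname = $name }
        }
    }
}

# Constructed sample hosts file (not from a real system)
$hostsSample = @'
# local overrides
127.0.0.1       localhost
192.0.2.10      fileserver.corp.example   files
'@

Invoke-TriageModule -Name 'Network:Hosts' -Collector { ConvertFrom-HostsText $hostsSample }
Invoke-TriageModule -Name 'Broken:Demo'   -Collector { throw 'access denied' }   # recorded, run continues

# Timing view, the same data a report's Timing section is built from:
$script:Report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Module     = $_.Key
        Records    = $_.Value.Records
        Start      = $_.Value.Start.ToString('HH:mm:ss.fff')
        DurationMs = [int]$_.Value.Duration.TotalMilliseconds
        Error      = $_.Value.Error
    }
} | Format-Table -AutoSize

# Per-module CSV export (writes to disk; hypothetical output folder):
# $script:Report['Network:Hosts'].Rows | Export-Csv 'C:\Cases\out\Network\hosts_file.csv' -NoTypeInformation
```

Recording the failure alongside the timing, rather than only echoing it to the console, means the report itself shows which modules produced no data and why, which matters when a triage is reviewed later without the console output.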
- No network calls — entirely offline
- No persistence — no registry changes, no scheduled tasks, no services installed
- No external executables — no PowerShell one-liners that download from the internet
- Read-only — only reads system data, writes only to the specified output folder
Q: Why do I get "Running scripts is disabled" error?
This is the PowerShell execution policy. Run this in the PowerShell window before launching TriageX:
```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
```

This only applies to the current session and resets when you close the window.
Q: Can I search Bengali (Bangla) or other non-English text?
Yes. TriageX uses .IndexOf() with OrdinalIgnoreCase, which is fully Unicode-aware. Bengali text in PDF, DOCX, XLSX, and plain text files is searchable. Enter the Bangla keyword at the prompt.
Q: Keyword search shows 0 files — what's wrong?
Check: (1) You selected the correct drive. (2) The keyword spelling is exact (case-insensitive but spelling matters). (3) The file isn't larger than MaxFileSizeMB. (4) If it's a PDF, the text may be image-based — try enabling OCR. (5) Ensure you selected module [2] or [A].
Q: PDF search is finding some words but not a phrase — why?
PDF documents often store kerned text where letters have spaces between them (e.g., "M i s w a k"), or phrases span across different font runs or compressed blocks. TriageX handles this with de-kerning and camelCase splitting, returning three text variants. If a multi-word phrase still doesn't match, try searching for a single distinctive word from the phrase first.
Q: The USB history shows only recent devices, not historical ones.
Run as Administrator. TriageX scans all ControlSets (not just CurrentControlSet) and reads FILETIME binary values from registry properties for accurate timestamps.
Q: Does TriageX modify the system in any way?
It enables Windows audit policy (auditpol) to ensure future event log collection works — this is a configuration change, not a program installation. Everything else is read-only.
Q: Can I run it on a remote machine?
Yes, via PowerShell remoting:
```powershell
Invoke-Command -ComputerName TARGET -FilePath .\TriageX.ps1 -Credential (Get-Credential)
```

Or copy the script to the remote machine and run it there.
Q: The HTML report is very large and slow to open.
The browser history table can have thousands of entries. Use the filter box at the top of each table to narrow down. The CSV files contain the full data for external processing.
- Fixed DOCX cross-cell phrase matching (double-space bug)
- Fixed XLSX `#text` DOM bug — all cells now extracted (was silently skipping most content)
- Fixed PDF extraction for all encodings: FlateDecode + CMap + CamelCase splitting + de-kerning
- Added Unicode/Bengali keyword matching via `IndexOf(OrdinalIgnoreCase)`
- Added multi-encoding plain text reading (UTF-8 BOM, UTF-16, Windows-1252)
- Added: Uninstalled Apps (event log + MUI cache)
- Added: Recently Deleted Files (Recycle Bin `$I` parser with FILETIME decoding)
- Added: Top Search Queries (Google, Bing, DuckDuckGo, YouTube, Yahoo)
- Added: Top Visited Domains and Direct IP Visits
- Added: User Profiling Dashboard with bar chart and evidence list
- Added: Per-module timing (start/end/duration in console and report)
- Added: Interactive drive selection menu with free space display
- Added: Custom output folder name prompt
- USB events now human-readable (Action field, VID/PID, driver)
- SetupAPI log now shows DeviceType, VID_PID, FriendlyName, Result
- Wi-Fi profiles now show Connected status, Security type, Auth/Cipher
- Previous TriageX output folders automatically excluded from search
- All-drives keyword search (auto-detect)
- File name and folder name search added
- Drive selection menu
- User profile engine (10 categories)
- USB: FILETIME binary decode, all ControlSets, SetupAPI log
- Event logs: audit policy auto-enable, System log fallback, PS history fallback
- HTML report: live filter boxes, sortable columns, timing section
- All ASCII-safe (no Unicode box-drawing characters causing parse errors)
- `$script:` scoping fixes (OS/Domain showing N/A resolved)
- Multi-keyword comma-separated input fixed
- Exclusion list for system/development paths
- Initial release with 9 collection modules
- HTML report with dark theme
- PDF extractor (Method 2: pure PowerShell)
- Browser history from Chrome/Edge/Firefox/IE
- USB USBSTOR registry reader
- RDP MRU and event log collection
MIT License. See LICENSE for full text.
Made for the forensics and incident response community.