Welcome to our Cyber Security News Aggregator.

Cyber Tzar provides a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

GhostTrace – a Windows forensic scanner that finds what "Uninstall" leaves behind (22 modules, read-only, offline)

published on 2026-06-10 07:14:59 UTC by /u/Green-Necessary-2325
Content:

I built a CLI tool for Windows that investigates software remnants across 22 forensic modules in a single pass.

The idea: when you uninstall software, it says goodbye — but registry keys, prefetch entries, scheduled tasks, WMI subscriptions, BAM/DAM timestamps and more often stay behind. GhostTrace finds all of it.

What it covers:

  • Persistence (MITRE ATT&CK TA0003): Run/RunOnce keys, services, IFEO debugger, AppInit_DLLs, scheduled tasks via Task Scheduler COM API, WMI EventFilter/Consumer bindings
  • Execution evidence (TA0002): Shimcache (AppCompatCache), Prefetch with XPRESS-Huffman decode (versions 26/30/31), BAM/DAM with per-SID last-run timestamps, UserAssist (ROT13), MUICache
  • User activity: PowerShell history with cradle/encoded payload detection, RDP outbound history, RecentDocs, USB device history via USBSTOR, network artifacts (hosts redirects + connected networks)
  • Installed software and disk residue: uninstall entries, startup approved state, filesystem trace in Program Files/ProgramData/AppData

Design decisions:

  • Read-only by default — scan never touches anything
  • Cleanup only after explicit typed confirmation (no implicit click)
  • Execution caches and history are excluded from cleanup — you don't destroy evidence
  • Zero network calls, zero telemetry
  • Suspicious signal is data for analysis, not an automatic verdict

Stack: C# · .NET 10 · Spectre.Console · Windows 10/11 x64

Download on GitHub: github.com/Devzinh/GhostTrace

Happy to answer questions about the forensic modules or implementation decisions.

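What a minimal read-only pass over several of the locations listed in the post looks like, as an added PowerShell example. This is not GhostTrace's code and not from the post's author; it only reads the standard Windows registry paths, the Task Scheduler and the root\subscription WMI namespace and prints matches. `$Needle` is an assumed placeholder substring (product or vendor name) and `Add-Hit`, `Get-RegValues` and `ConvertFrom-Rot13` are helper names invented for this example.

```powershell
# Added example, not GhostTrace code: a read-only sweep for what an uninstalled
# product left behind. $Needle is an assumed placeholder substring (product or
# vendor name). Every location is only read; nothing is deleted or modified.
param([string]$Needle = 'ExampleVendor')   # assumed placeholder, set to the product you removed

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Module, $Location, $Detail) {
    $hits.Add([pscustomobject]@{ Module = $Module; Location = $Location; Detail = $Detail })
}
function Get-RegValues($Path) {   # name/value pairs of a key, minus PowerShell's PS* metadata
    if (Test-Path $Path) { (Get-ItemProperty $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } }
}

# --- Persistence (TA0003): Run/RunOnce, IFEO debugger, AppInit_DLLs, services, tasks, WMI ---
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    foreach ($k in 'Run', 'RunOnce') {
        $path = "$hive\Microsoft\Windows\CurrentVersion\$k"
        Get-RegValues $path | Where-Object { "$($_.Name) $($_.Value)" -like "*$Needle*" } |
            ForEach-Object { Add-Hit 'Run keys' $path "$($_.Name) = $($_.Value)" }
    }
}
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger          # a Debugger value hijacks that image name
    if ($dbg -like "*$Needle*") { Add-Hit 'IFEO' $_.PSChildName "Debugger = $dbg" }
}
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty $winKey).AppInit_DLLs
if ($appinit -like "*$Needle*") { Add-Hit 'AppInit_DLLs' $winKey $appinit }
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Needle*" } |
    ForEach-Object { Add-Hit 'Services' $_.Name $_.PathName }
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like "*$Needle*" } |
        ForEach-Object { Add-Hit 'Scheduled tasks' "$($task.TaskPath)$($task.TaskName)" "$($_.Execute) $($_.Arguments)" }
}
# Filters, consumers and the bindings that join them live in root\subscription; a stale
# binding whose consumer still points at a removed binary is a classic leftover.
foreach ($cls in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Format-List * | Out-String) -like "*$Needle*" } |
        ForEach-Object {
            $detail = if ($_.Name) { $_.Name } else { "$($_.Filter) -> $($_.Consumer)" }
            Add-Hit 'WMI subscription' $cls $detail
        }
}

# --- Execution evidence (TA0002): BAM last-run per SID, UserAssist (ROT13-encoded names) ---
foreach ($bam in 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings') {   # 1809+ layout, then older
    Get-ChildItem $bam -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.PSChildName
        Get-RegValues $_.PSPath |
            Where-Object { $_.Value -is [byte[]] -and $_.Value.Length -ge 8 -and $_.Name -like "*$Needle*" } |
            ForEach-Object {   # first 8 bytes of the binary blob are a FILETIME: last execution of that path
                $last = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($_.Value, 0))
                Add-Hit 'BAM' $sid "$($_.Name) last run $($last.ToString('u'))"
            }
    }
}
function ConvertFrom-Rot13([string]$Text) {
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90) { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else { $_ }
    })
}
$ua = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
Get-ChildItem $ua -ErrorAction SilentlyContinue | ForEach-Object {
    Get-RegValues "$($_.PSPath)\Count" | ForEach-Object {
        $decoded = ConvertFrom-Rot13 $_.Name
        if ($decoded -like "*$Needle*") { Add-Hit 'UserAssist' $_.Name $decoded }
    }
}

# --- Installed software and disk residue ---
foreach ($u in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall') {
    Get-ChildItem $u -ErrorAction SilentlyContinue | ForEach-Object {
        $e = Get-ItemProperty $_.PSPath
        if ("$($e.DisplayName) $($e.Publisher)" -like "*$Needle*") {
            Add-Hit 'Uninstall entry' $_.PSChildName "$($e.DisplayName) $($e.DisplayVersion)"
        }
    }
}
foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) {
    if ($root) {
        Get-ChildItem $root -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*$Needle*" } |
            ForEach-Object { Add-Hit 'Filesystem' $_.FullName "last write $($_.LastWriteTimeUtc.ToString('u'))" }
    }
}

$hits | Sort-Object Module | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM and BAM keys are readable in full; unelevated, some of those reads silently return nothing. A match is a lead, not a verdict: a vendor name in a service path or a BAM entry tells you where to look next, and nothing here should be removed until the surrounding evidence (Prefetch, Shimcache, the timestamps above) has been captured.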

https://www.reddit.com/r/netsec/comments/1u1uz98/ghosttrace_a_windows_forensic_scanner_that_finds/   
Published: 2026 06 10 07:14:59
Received: 2026 06 10 07:24:42
Feed: /r/netsec - Information Security News and Discussion
Category: Cyber Security
Topic: Cyber Security
