
GhostTrace: A Windows Forensic Scanner for Detecting Leftover Software Artifacts
forensics, windows, cybersecurity, tools, software, command-line
GhostTrace is a command-line tool for Windows that scans for leftover software artifacts across 22 forensic modules, including registry keys, prefetch entries, scheduled tasks, WMI subscriptions, and user activity traces. It operates in read-only mode by default, avoids network calls and telemetry, and excludes execution caches from cleanup to preserve evidence. The tool covers persistence mechanisms, execution evidence, user activity, and disk residue without automatically flagging findings as malicious. It is built using C#, .NET 10, and Spectre.Console for Windows 10/11 x64 systems.