User accounts play a crucial role in cyber security. They are access points to sensitive systems and data, making them a focus of most cyber attacks. To help us with our investigations, we need to better understand user accounts and the forensic artefacts they leave behind.
This room delves into Windows forensics, focusing on user account activity and system interactions. We will be examining logs, network traffic, and policies. All of these create system artefacts unique to Windows that can give us a better understanding of how an attack happened.
Learning Objectives
- Identify and analyze forensic artefacts related to user and system accounts in Windows.
- Understand the forensic aspects of the user account lifecycle, including creation, modification, and deletion.
- Detect malicious activities through behavioural analysis and threat detection techniques.
- Investigate Group Policy Objects (GPOs) for security insights and potential exploitation.
- Apply forensic analysis techniques in practical scenarios to enhance investigative skills.
Room prerequisites
In order to benefit from the content in this room, it is recommended to already have knowledge covering:
Connecting to the Machine
Start the virtual machine in split-screen view by clicking on the green “Start Machine” button on the upper right section of this task. If the VM is not visible, use the blue “Show Split View” button at the top of the page. Alternatively, you can connect to the VM using the credentials below via “Remote Desktop”.
Note: The VM may take a few minutes to start up.
| Username | Administrator |
| Password | Passw0rd! |
| IP | MACHINE_IP |
The Windows User Account Forensics room is only available for premium users. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
