Windows User Activity Analysis

What happened in those 36 hours? A forensics case to solve.

medium

60 min

Windows artifacts are important pieces of digital evidence that provide an understanding of user activities on a computer. Regarding user activity, these artifacts provide extensive records of interactions involving file access, program execution, browsing history, and logging in or out.

Understanding them is critical for any cyber security and digital forensics investigator, as they can show trends, possible security breaches, or unlawful activities.

Let's go through an investigation scenario to understand these artifacts, where they are located, and why they can be helpful in tracking down user activities during a forensics investigation.

Incident Scenario: 36 hours of Rampage

James, who works in the HR department of Cybertees Pvt Ltd, has a bad habit of writing everything down on sticky notes, including passwords, and placing them around his computer. Last week, when he returned on Monday, he noticed changes on his workstation: some files were missing and suspicious tools had been installed.

CCTV footage showed an employee named Johny, who was working over the weekend and somehow logged into James's machine. He is suspected of having the plans and may have accessed the sensitive documents. It has also been found that he recently resigned and planned to move to a competitor company. A glance at the workstation reveals that he not only accessed the files but also deleted most of them, as well as the tools he ran to remove the traces.

In this room, our task as forensic investigators is to track down his activities during those 36 hours: the files he accessed, the tools he executed, and so on.

Learning Objectives

Some of the learning objectives covered in this room are:

  • Understand the user's activity traces.
  • Revisit Registry concepts.
  • Examine Registry artifacts.
  • Examine Shell Bags and their forensic value.
  • Examine Jump Lists and their forensic value.
  • Explore files and their forensic value.

Prerequisites

This room expects users to have a basic understanding of forensics. The following rooms provide the basic knowledge needed to move forward in this room:

Let's dive in.
