One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system. It is also suspected that the system was connected to some network drive, and a USB device was connected to the system. The triage data from the system was collected and placed on the attached VM. Can you help Organization X with finding answers to the below questions?
How many user created accounts are present on the system?
Load the SAM hive found in triage\C\Windows\System32\Config within here we can find the users. The question only wants user created accounts. Disregarding the builtin account we have 3
What is the username of the account that has never been logged in?
We can answer this within the same hive, there is only one user without a Last Login Time
What's the password hint for the user THM-4n6?
Can also be answered from within here :)
When was the file 'Changelog.txt' accessed?
Load the NTUSER hive, drill down to RecentDocs and check .txt files.
What is the complete path from where the python 3.8.2 installer was run?
Within the User hive, drill down to the User Assist registry keys and look for the GUID with the most key values. Within here you can find all the applications which have executed.
When was the USB device with the friendly name 'USB' last connected?
The question is to find the USB device with the friendly name ‘USB’, let's look in SOFTWARE\Microsoft\Windows Portable Devices\Devices
Further USB information can be found with the SYSTEM hive under:
Look at the device with the GUID matching the friendly named USB device.