Introduction

This lab walkthrough presents an in-depth forensic analysis of an intrusion in which an attacker systematically compromises a system, escalates privileges, and attempts data exfiltration. The investigation examines system event logs, registry modifications, file system changes, and network activity to track the adversary's movements and uncover their tactics, techniques, and procedures (TTPs). Using tools such as Event Log Explorer, Timeline Explorer, NTFS Log Tracker, and AccessData FTK Imager, the analysis reconstructs key moments in the attack timeline, from initial execution to the final exfiltration attempts. Throughout the investigation, several attack techniques are observed, including the execution of malicious binaries, persistence mechanisms, user account manipulation, and credential dumping. By examining event logs, security alerts, and file artifacts, critical evidence is pieced together to understand how the attacker gained access, maintained control, and extracted sensitive data. The logs provide insight into unauthorized user creation, privilege escalation, and attempts to disable security defenses, highlighting common adversary behaviors.

The forensic process also identifies tools deployed by the attacker, including executables used for reconnaissance, persistence, and credential harvesting. The presence of compressed archive files in the NTFS logs suggests data collection efforts, and PowerShell execution history reveals potential exfiltration commands. By correlating file system changes with command execution traces, the analysis uncovers a detailed picture of how the attacker operated within the compromised system. This walkthrough emphasizes the importance of struct
