Introduction

In this lab, we are tasked with performing a forensic analysis on a Windows triage image provided by Dr. Alex Rivera. Dr. Rivera reported high CPU usage on his system after downloading an external library for his research project. Our objective is to investigate the system to determine the root cause of the high CPU usage, identify any malicious activities, and uncover how the attacker compromised the system.


Analysis and Findings

❓ Question 1: Dr. Alex Rivera recently downloaded an external library that raised suspicions about system security. Can you identify the specific command used for this download?

What Are We Looking For?

  • We need to find the exact command that Dr. Rivera used to download the external library, which may have introduced malicious content to his system.

Where Will We Find the Evidence?

The evidence is likely located in the PowerShell command history files:

  • ConsoleHost_history.txt in the user's profile directory.
  • PowerShell event logs: Microsoft-Windows-PowerShell%4Operational.evtx and Windows PowerShell.evtx.
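The history file can be triaged offline once the image is mounted. The following script is an added example for this write-up, not part of the lab or its tooling: it builds the per-user path to ConsoleHost_history.txt and flags any history line that calls a download primitive, extracting the URL where one is present. The mount point, the username arivera and the sample history content are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# Relative path of the PSReadLine history file inside a user's profile. PSReadLine only
# records interactive console sessions, so an empty file does not prove there was no activity.
HISTORY_RELPATH = "AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"

# Cmdlets, aliases and .NET calls commonly used to fetch content from the web.
DOWNLOAD_PATTERNS = [
    r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bwget\b", r"\bcurl\b",
    r"\bInvoke-RestMethod\b", r"\birm\b", r"\bStart-BitsTransfer\b",
    r"\.DownloadString\(", r"\.DownloadFile\(", r"\bbitsadmin\b",
]
DOWNLOAD_RE = re.compile("|".join(DOWNLOAD_PATTERNS), re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def history_path(mount_root: str, username: str) -> str:
    """Path of ConsoleHost_history.txt for one user inside a mounted triage image."""
    return str(PurePosixPath(mount_root) / "Users" / username / HISTORY_RELPATH)


def find_download_commands(history_text: str) -> list[dict]:
    """Return each history line that invokes a download primitive, with any URL it carries."""
    hits = []
    for lineno, raw in enumerate(history_text.splitlines(), start=1):
        line = raw.strip()
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        hits.append({
            "line": lineno,
            "command": line,
            "indicator": m.group(0),
            "urls": URL_RE.findall(line),
        })
    return hits


# Constructed sample history; the hostname and library name are placeholders.
SAMPLE_HISTORY = """\
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
cd C:\\Users\\arivera\\Research
Invoke-WebRequest -Uri https://example.invalid/libs/researchlib.zip -OutFile researchlib.zip
Expand-Archive .\\researchlib.zip -DestinationPath .\\lib
Get-ChildItem .\\lib
"""

if __name__ == "__main__":
    for hit in find_download_commands(SAMPLE_HISTORY):
        print(f"line {hit['line']}: {hit['indicator']} -> {hit['urls'] or 'no URL'} | {hit['command']}")
```

On a real image, read the file returned by history_path() for each profile under Users and pass its contents to find_download_commands(); cross-check any hit against the PowerShell event logs, since the history file is easily edited or deleted.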

How Can We Manipulate the Data to Find It?

We reviewed the PowerShell event logs, focusing on the PowerShell Operational.evtx and Microsoft-Windows-PowerShell%4Operational.evtx files, but found no evidence of any exte
