Digital Forensics Quiz

20:48

21:02

20:55

The Prefetch file for `NOTEPAD.EXE`

The `OpenPidlMRU` registry value

The browser history showing `dropsend.com`

The MFT entry for `temp_export.png`

Chrome → Notepad → PowerShell → Cmd

PowerShell → Notepad → Cmd → Chrome

Cmd → PowerShell → Chrome → Notepad

Notepad → Chrome → PowerShell → Cmd

Alex was trying to open the file.

Alex was attempting to hide his actions by avoiding the Recycle Bin.

Alex was installing a new program.

The file was deleted by a system process.

It proves Alex visited a social media site.

It suggests the use of a web-based service to send a file.

It shows Alex was researching competitors.

It indicates the browser was infected with malware.

ProfileList LastWriteTime and Notepad Prefetch

OpenPidlMRU and MFT entry for `temp_export.png`

RunMRU (delete command) and Browser History (Dropsend visit)

PowerShell Prefetch and Chrome Prefetch

`final_design.fzz`

`temp_export.png`

A Prefetch file

A random system DLL

The user login at 18:30

The creation of `temp_export.png` at 20:48

The execution of Chrome at 20:58

The file deletion at 20:55