
Running head: INVESTIGATING WINDOWS 10 1

Investigating Windows 10

Mawadda S. Abuhamda

University of Advancing Technology

Author Note

Here is my report about the results of my investigation.

I investigated my Windows 10 Home computer for this assignment.

One of the investigation items I used was Prefetch. Prefetch shows when your applications were last run. It’s easy to get to Prefetch. In Windows Explorer, you have to type “%SYSTEMROOT%\Prefetch” and then continue as an administrator. Information about when an application was last run can be used to investigate many different incidents. It showed me when I last ran Teams, Zoom, Google Chrome, Zenmap, VMware, VirtualBox and my other applications. I noticed that most of the files were .pf files, which means they’re password protected. I don’t think it makes a difference whether or not they’re password protected, because the name and the time it was run are still visible, which is the information you would need during an investigation.
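An added example, not part of the report, of listing the Prefetch folder named above from an elevated PowerShell prompt: each .pf file name is EXENAME-PATHHASH.pf, the last-write time roughly tracks the last run, and the first bytes show the on-disk format (Windows 8 and later write compressed files that start with "MAM"); only the folder path comes from the report, the rest is assumed.

```powershell
# Added example (not from the report): inventory %SYSTEMROOT%\Prefetch. Each
# .pf file name is EXENAME-PATHHASH.pf; the last-write time roughly tracks the
# last run, and the first bytes show the on-disk format (Windows 8 and later
# write compressed files that start with "MAM"). Run from an elevated prompt.
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'

Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction Stop |
    ForEach-Object {
        # Split CHROME.EXE-5FE33AA1 into the executable name and the 8-hex-digit hash
        $exe, $hash = $_.BaseName -split '-(?=[0-9A-Fa-f]{8}$)', 2
        # Read only the 4-byte signature; the body is not needed for this listing
        $header = New-Object byte[] 4
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try { $null = $stream.Read($header, 0, 4) } finally { $stream.Dispose() }
        $sig = [System.Text.Encoding]::ASCII.GetString($header, 0, 3)
        [pscustomobject]@{
            Executable = $exe
            PathHash   = $hash
            LastRun    = $_.LastWriteTime
            Format     = if ($sig -eq 'MAM') { 'compressed (MAM)' } else { 'other/uncompressed' }
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
        }
    } |
    Sort-Object LastRun -Descending |
    Format-Table Executable, LastRun, Format, SizeKB, PathHash -AutoSize
```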

The second investigation item I used was Wireshark. I captured data for around five minutes with a VPN connection to a virtual machine open for work. I also reloaded pages that I had open in Chrome for work and school. Throughout the capture, there were a lot of TCP packets which were from the VPN connection, because the destination IP was one that I know belongs to my work. I also noticed some packets that were using the QUIC protocol. I researched it and found out that it was designed by Google and it connects Google Chrome browsers to Google’s servers. It reduces round-trip time and encrypts payloads. There were a few QUIC handshake packets followed by many encrypted packets. I also noticed that some packets were different colors. I paid attention to a few black packets with red text. I looked at Wireshark’s coloring rules and found that it was because of a bad TCP. This could be because of a bad connection.

The third investigation item I used was the vssadmin command to check for shadow copies. The command I used was “vssadmin list shadows /for=C.” My disk didn’t have any shadow copies so I wasn’t able to find any information from that command.

The next investigation item I used was Event Viewer. I checked the Windows Security logs first, but there were only successful logins logged. This could be helpful if I were trying to figure out if someone logged into my system without me knowing. In the system logs, I noticed Kernel-Power events, which tell you about power-source changes and about the system resuming from sleep or going to sleep. I looked at the Application and Service logs next. There were zero hardware events, 82 HP Analytics events, 76 Microsoft Office alerts, 66 TechSmith events, and 798 Windows PowerShell events. The Microsoft Office alerts were interesting because they mentioned names of Word documents or Excel documents that I had been working on. They showed the exact phrase used in the event, which was usually “Want to save your changes to FILENAME?,” along with the time and date that it was logged. This can be helpful in finding out if a hacker was creating documents or making changes to them.
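An added example, not from the report, that pulls the successful logons mentioned above (Security event ID 4624) for the last seven days with PowerShell and groups them by account, logon type and source so that an unexpected account or remote source stands out; the seven-day window and the noise filters for machine, service and session-manager accounts are assumptions.

```powershell
# Added example (not from the report): summarise successful logons (Security
# event ID 4624) from the last 7 days: who logged on, how, and from where.
# Needs an elevated prompt, because reading the Security log requires it.
$since = (Get-Date).AddDays(-7)
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                 '7' = 'Unlock'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'
                 '11' = 'CachedInteractive' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = if ($logonTypes.ContainsKey($data.LogonType)) { $logonTypes[$data.LogonType] } else { $data.LogonType }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $type
            SourceIP    = $data.IpAddress
            Workstation = $data.WorkstationName
        }
    } |
    # Drop the noise: machine accounts (trailing $), service logons and the
    # Window Manager / Font Driver Host session accounts Windows itself creates
    Where-Object {
        $_.Account -notmatch '\$$' -and
        $_.LogonType -ne 'Service' -and
        $_.Account -notmatch '^(Window Manager|Font Driver Host|NT AUTHORITY)\\'
    } |
    Group-Object Account, LogonType, SourceIP |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Count     = $_.Count
            Account   = $sorted[0].Account
            LogonType = $sorted[0].LogonType
            SourceIP  = $sorted[0].SourceIP
            First     = $sorted[0].Time
            Last      = $sorted[-1].Time
        }
    } |
    Sort-Object Last -Descending |
    Format-Table -AutoSize
```

Interactive (2), Unlock (7) and RemoteInteractive (10) rows from an account or source you do not recognise are the ones to investigate further.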

Another investigation tool I used was Task Scheduler. I looked at Microsoft Office logs and found that there were tasks scheduled to send error logs about Office to Microsoft. I also found a task called startdvr which activates at the logon of any user. It has something to do with my AMD CPU, but I wasn’t able to find much about it from looking it up. There was also a task scheduled to run at the logon of any user and at 11:57 pm every day to check for Microsoft updates. Task manager can be used to find out if a hacker created tasks for malicious purposes.
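An added example, not from the report, that uses PowerShell to list scheduled tasks with a logon or boot trigger (the kind of task described above), who registered them, the principal they run as and the executable they launch, flagging actions whose executable is not under the Windows or Program Files trees for review first; the trusted-root list is an assumption.

```powershell
# Added example (not from the report): list scheduled tasks that fire at logon or
# boot, who registered them and what they run, and flag executables that live
# outside the Windows and Program Files trees so they can be reviewed first.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

Get-ScheduledTask |
    Where-Object {
        $_.Triggers | Where-Object {
            $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
        }
    } |
    ForEach-Object {
        $task = $_
        # Trigger names shortened from MSFT_TaskLogonTrigger to "Logon", etc.
        $triggers = ($task.Triggers |
            ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task|Trigger$' }) -join ','
        $task.Actions |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' } |
            ForEach-Object {
                # Expand %SystemRoot% etc. so the path test sees the real location
                $exe = [Environment]::ExpandEnvironmentVariables($_.Execute).Trim('"')
                $inTrusted = [bool]($trustedRoots | Where-Object {
                    $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
                [pscustomobject]@{
                    Task      = Join-Path $task.TaskPath $task.TaskName
                    State     = $task.State
                    RunsAs    = $task.Principal.UserId
                    Author    = $task.Author
                    Triggers  = $triggers
                    Execute   = $exe
                    Arguments = $_.Arguments
                    Review    = -not $inTrusted   # relative path or unusual location
                }
            }
    } |
    Sort-Object @{ Expression = 'Review'; Descending = $true }, Task |
    Format-Table Task, State, RunsAs, Triggers, Execute, Review -AutoSize
```

A relative executable such as a bare program name is also flagged, since it is resolved through the search path at run time rather than from a fixed location.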