Skip to content


Examine an HKCU hive for evidence of unauthorized access. Read the scenario carefully, as you may consider it interview notes with your client. This is often one of the first real examination tasks you’re likely to encounter and will be a test of your ability to make inferences, be thorough in your search, and document your examination.


You’ll need to use the following resources to complete the assignment:

  • Investigation 01 Sample Evidence located in the Virtual Lab
  • A registry analysis tool, such as Registry Explorer by Eric Zimmerman located in the Virtual Lab
  • (Optional) Download and use the report template (See the Investigation and Forensics Challenge module for the templates)

After reading the Investigation 01 scenario, open your forensic tool and import the sample evidence into the tool. Begin a forensic report and begin your search. As you do, be sure to take special note of these answers to these questions. These questions represent those that need to be answered to arrive at a logical conclusion to this scenario. They are provided here, but in the future, you will be required to decide these questions on your own.


This scenario takes place circa 2012. You were recently contacted by Nick Fury of S.H.I.E.L.D. to investigate a suspected corporate espionage incident. They have reason to believe that S.H.I.E.L.D. was infiltrated by an enemy spy who used the generic vibranium account to access and exfiltrated sensitive information from an endpoint connected to the SHIELD network with the hostname of nromanoff. Nick Fury believes that the culprit may be a recently terminated employee named Jim Tandy. Jim was recently fired under suspicion of leaking confidential information to Hydra. Your job will be to examine the NTUSER.DAT file containing the HKCU registry hive for the vibranium user to determine the answers to the following questions.