🧠 Dive into Windows forensic analysis in this TryHackMe room: "Compromised Windows Analysis." In this video, we walk through how to investigate a compromised workstation using real-world techniques and forensic tools.
🛠️ Room Link: https://tryhackme.com/room/compromisedwindowsanalysis
📅 Scenario:
On March 29th, 2025, suspicious SSH traffic was detected from a host in the TKM tech startup network. The junior security engineer, Joe, identified recurring connection attempts and found Windows Defender disabled. Our mission? Analyze the forensic artifacts and find the root cause of this activity.
🕒 Timestamps: 🕒
[00:00] Intro
[04:15] Investigating Persistence (Scheduled Tasks)
[08:07] Investigating Recently Accessed Files (LNK Files, LECmd)
[15:25] Investigating File Execution (Prefetch Files, PECmd)
[22:07] Digging into Executables (AmcacheParser)
[26:07] Windows Event Log Analysis
[37:20] Chronological Order of Attack
🛠️ Tools & Techniques Covered:
- Timeline Explorer for Timeline Analysis
- Scheduled Tasks for Persistence Investigation
- LNK Files with LECmd
- Prefetch File Analysis with PECmd
- Program Execution via AmcacheParser
- Windows Event Log Analysis
🚨 Whether you're learning digital forensics or prepping for blue team roles, this walkthrough gives you hands-on insight into how professionals investigate compromised Windows systems.
💡 Don't forget to like, comment, and subscribe for more TryHackMe walkthroughs!
#TryHackMe #WindowsForensics #DigitalForensics #IncidentResponse #BlueTeam #CyberSecurity