⚠️ Exercise: Real-time Cyber Investigation
An employer hires an employee and assigns her a task, saying he will pay her 2000 USD for the month to complete it. The employee says she works all day but could not complete the tasks, and tells the employer to pay her 2000 more in overtime, so the employer hires a cybersecurity expert and tells him to investigate her system to find out whether she really worked on the project. Now your duty is to help the cyber man and give the list of commands he should run on her system to find out whether she has really done the project, visited other sites, or done other things. So what would you do? Give a clear explanation of your commands, their actions and the related documentation. Can you
🕵️‍♂️ OBJECTIVE:
Find out if the employee was:
Working on the assigned project
Visiting unrelated websites
Spending time on social media, videos, or games
Accessing sensitive or unrelated files
✅ SYSTEM INVESTIGATION CHECKLIST
1. 📂 Check Recent Files and Activity [cmd]
dir "%APPDATA%\Microsoft\Windows\Recent" /s /b
Why: Windows writes a .lnk shortcut into this folder for every file opened through Explorer or a file dialog, and the shortcut's timestamps show when the file was opened.
2. ⚙️ List Installed Programs [cmd]
wmic product get name, installDate
Note: wmic product lists only MSI-installed software and, as a side effect, makes Windows Installer re-check every package, which is slow; WMIC is also deprecated in current Windows releases, so prefer the registry query below.
[powershell]
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, InstallDate
Why: The Wow6432Node key holds only 32-bit applications, so both keys are queried; per-user installs appear under HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall.
3. ⚙️ Check Browser History & Visited Websites [Chrome] [powershell]
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" "$env:USERPROFILE\Desktop\History_copy"
Why: Chrome's History file is a SQLite database, not text, so type only prints binary. Chrome also locks the live file while it is running, so copy it out of the profile ($env:LOCALAPPDATA is C:\Users\<username>\AppData\Local) and open the copy with a SQLite client; the urls and visits tables hold the visited URLs and their timestamps.
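Because the History file is SQLite, reading it means querying a copy of it. The Python below is an added example written for this exercise, not part of the original post: it converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to normal dates and counts visits per site. The urls and visits tables and their columns follow Chrome's schema; the rows are constructed sample data, and run_demo writes them to a temporary file instead of reading a real profile.

```python
import os, sqlite3, tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome/WebKit timestamps count microseconds since 1601-01-01 UTC, not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(microseconds):
    """Convert a Chrome History timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def load_visits(db_path):
    """Read (url, title, UTC time) for every visit from a COPY of the History file."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT u.url, u.title, v.visit_time FROM visits v "
                            "JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    finally:
        conn.close()
    return [(url, title, webkit_to_datetime(ts)) for url, title, ts in rows]

def visits_by_host(visits):
    """Count visits per hostname so unrelated sites stand out in the report."""
    return dict(Counter(urlparse(url).hostname for url, _, _ in visits))

def build_sample_history(db_path):
    """Write a constructed History database using the columns Chrome's schema uses."""
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    sample = [  # constructed rows: one work-related visit, two unrelated ones
        ("https://github.com/example/project", "repo", base),
        ("https://www.youtube.com/watch?v=abc", "video", base + timedelta(hours=1)),
        ("https://www.youtube.com/feed", "feed", base + timedelta(hours=2)),
    ]
    with sqlite3.connect(db_path) as conn:  # commits on exit
        conn.executescript("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
                           "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
        for i, (url, title, when) in enumerate(sample, start=1):
            conn.execute("INSERT INTO urls VALUES (?, ?, ?)", (i, url, title))
            conn.execute("INSERT INTO visits VALUES (?, ?, ?)",
                         (i, i, (when - WEBKIT_EPOCH) // timedelta(microseconds=1)))
    conn.close()

def run_demo():
    """Build the sample database in a temp dir and return (visits, per-host counts)."""
    path = os.path.join(tempfile.mkdtemp(), "History_copy")
    build_sample_history(path)
    visits = load_visits(path)
    return visits, visits_by_host(visits)
```

Point load_visits at the copied History file to run the same query against a real profile.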
4. ⚙️ Check File Access Timestamps [cmd]
dir "%USERPROFILE%\Documents\ProjectFolder" /T:A /S
/T:A = shows last accessed time
/S = includes subfolders
Why: Tells you if she accessed or modified project files recently. NTFS may not maintain last-access times at all (check with fsutil behavior query disablelastaccess), so also run the same command with /T:W, which shows last-write times that are always kept.
5. ⚙️ Check System Uptime and Session Duration [cmd]
systeminfo | find "Boot Time"
net statistics workstation
Why: The boot time and the "Statistics since" line from net statistics show when the machine was last started, which bounds how long it could have been in use.
6. ⌨️ Check Command History (if used CMD or PowerShell) [powershell]
(Get-PSReadlineOption).HistorySavePath
type "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
Why: Shows if she was running PowerShell commands or scripts. Only PowerShell keeps this file (PSReadLine writes it per user); cmd.exe stores no history on disk, and doskey /history only shows the current session.
7. ⚙️ Check Event Logs (Logon, App Usage, etc.) [powershell]
Get-EventLog -LogName Security -InstanceId 4624 | Select TimeGenerated, EntryType, Message
Event ID 4624 = logon events; 4634 and 4647 = logoff events. The Message of each 4624 carries a Logon Type (2 = console, 10 = Remote Desktop, 7 = screen unlock) and a Logon ID that reappears in the matching logoff event, so pairing the two gives the length of each session. Reading the Security log needs an elevated prompt.
Use Event Viewer > Windows Logs > Security / Application to analyze more.
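To turn the logon events into session lengths rather than a raw list, pair each 4624 with the 4634 that carries the same Logon ID. The Python below is an added example, not from the original post; it assumes the Security log was exported (for instance with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} followed by Export-Csv) into records holding the Id, TimeCreated, TargetLogonId, LogonType and TargetUserName fields, and the records shown are constructed.

```python
from datetime import datetime

LOGON, LOGOFF = 4624, 4634   # Security log event IDs named in the checklist
INTERACTIVE = {2, 10, 11}    # console, RDP and cached console logons; type 7 (unlock) excluded

# Constructed sample records, shaped like a Get-WinEvent export of the Security log
# (Id, TimeCreated and the TargetLogonId / LogonType / TargetUserName event fields).
SAMPLE_EVENTS = [
    {"Id": 4624, "Time": "2024-03-01T08:55:00", "LogonId": "0x3e7", "Type": 5, "User": "SYSTEM"},
    {"Id": 4624, "Time": "2024-03-01T09:00:00", "LogonId": "0x1a2b3c", "Type": 2, "User": "alice"},
    {"Id": 4634, "Time": "2024-03-01T12:30:00", "LogonId": "0x1a2b3c", "Type": 2, "User": "alice"},
    {"Id": 4624, "Time": "2024-03-01T13:15:00", "LogonId": "0x2b3c4d", "Type": 2, "User": "alice"},
    {"Id": 4634, "Time": "2024-03-01T13:16:00", "LogonId": "0x999999", "Type": 2, "User": "alice"},
]

def _session(start_ev, end_time):
    """Build one session record; hours is None while the session has no logoff."""
    start = datetime.fromisoformat(start_ev["Time"])
    end = datetime.fromisoformat(end_time) if end_time else None
    hours = round((end - start).total_seconds() / 3600, 2) if end else None
    return {"user": start_ev["User"], "start": start, "end": end, "hours": hours}

def reconstruct_sessions(events):
    """Pair each interactive 4624 with the 4634 carrying the same logon id.
    Service logons (type 5, e.g. SYSTEM) are ignored; a logon with no matching
    logoff is kept with end=None; a 4634 whose logon was never seen is dropped."""
    open_by_id, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["Id"] == LOGON and ev["Type"] in INTERACTIVE:
            open_by_id[ev["LogonId"]] = ev
        elif ev["Id"] == LOGOFF and ev["LogonId"] in open_by_id:
            sessions.append(_session(open_by_id.pop(ev["LogonId"]), ev["Time"]))
    sessions.extend(_session(ev, None) for ev in open_by_id.values())
    return sorted(sessions, key=lambda s: s["start"])

def hours_per_user(sessions):
    """Total hours of closed sessions per account (open sessions add nothing)."""
    totals = {}
    for s in sessions:
        totals[s["user"]] = totals.get(s["user"], 0.0) + (s["hours"] or 0.0)
    return totals

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        print(s["user"], s["start"], s["end"], s["hours"])
    print(hours_per_user(reconstruct_sessions(SAMPLE_EVENTS)))
```

An open session at the end of the export usually means the machine was shut down or crashed without a logoff, so treat its length as unknown rather than zero.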
8. ⚙️ Check Scheduled Tasks [cmd]
schtasks /query /fo LIST /v
9. ⚙️ Check Network Usage and Active Connections [cmd]
netstat -ano
Why: Check if she's connected to outside servers or suspicious IPs. Note that netstat is a snapshot of the connections open right now, not a history; -o adds the owning process ID, which tasklist /fi "PID eq <pid>" maps back to a program name.
10. ⚙️ Optional: Install Monitoring Tools (for future cases)
ActivTrak, Teramind, or OSQuery can log real-time activity.
Great for preventing future disputes.
⚙️ DOCUMENTATION YOU SHOULD GATHER:
Artifact               | Location                       | Purpose
Browser History        | Chrome/Firefox profile folders | Identify time-wasting or suspicious browsing
File Timestamps        | Project folders                | Confirm work progress
PowerShell/CMD history | $env:APPDATA\...               | Check technical engagement
Installed apps list    | WMIC / Registry                | Spot unrelated tools/games
Event Logs             | Event Viewer                   | Session activity and uptime logs
Recent Files           | %APPDATA%\...\Recent           | Show what files were opened
investigation script:
# Windows Work Activity Investigation Script (Full Version)
# Save this as investigation.ps1 and run with admin rights.
# Run it while signed in as the account under investigation; otherwise $env:APPDATA
# and $env:USERNAME below describe the investigator's profile, not the employee's.
$reportPath = "$env:USERPROFILE\Desktop\investigation_report.txt"
Function Write-Section($title) {
    Add-Content $reportPath "`n===== $title =====`n"
}
# Start Report (Set-Content rather than Out-File, so that Windows PowerShell 5.1 writes
# the whole file in one encoding; Out-File defaults to UTF-16 there, Add-Content does not)
"===== EMPLOYEE ACTIVITY INVESTIGATION REPORT =====" | Set-Content $reportPath
Add-Content $reportPath "Date: $(Get-Date)"
Add-Content $reportPath "User: $env:USERNAME"
Add-Content $reportPath "Computer Name: $env:COMPUTERNAME"
# System Boot Time
Write-Section "System Boot Time"
(systeminfo | Select-String "Boot Time").Line | Add-Content $reportPath
# Recent Files: Windows drops a .lnk shortcut here for every file opened through the shell
Write-Section "Recent Files Opened"
$recentPath = "$env:APPDATA\Microsoft\Windows\Recent"
$shell = New-Object -ComObject WScript.Shell   # one COM object, reused for every shortcut
Get-ChildItem -Path $recentPath -Filter *.lnk | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    # the shortcut's last write time is when the target was last opened
    Add-Content $reportPath "$($_.LastWriteTime)  $target"
}
Run it from PowerShell:
Set-ExecutionPolicy Bypass -Scope Process
.\investigation.ps1