Investigation Scenario 🔎

An employee is suspected of having communicated company information to an outside person. You have an image of their hard drive.

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

@chrissanders88

If timeframe is known: Amcache to see which apps were used. Then taking it from there: email, messengers, browser (history), other used apps.

If timeframe unknown: installed apps then same process.
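As an added example (not code from this thread or from either poster), here is one way to carry out the timeframe-driven triage described in the reply above, in Python. It assumes the Amcache has already been exported by a hive-parsing tool into a CSV with the hypothetical columns `program`, `path` and `last_write_utc`; the sample rows, the executable-to-category lists and the column names are all constructed for illustration. With a known window it restricts the execution evidence to that window first; with no window it takes every recorded app and feeds it into the same email / messenger / browser / other pivot.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Union

# Hypothetical mapping from executable name to the pivot areas named in the
# reply (email, messengers, browsers); anything unmapped lands in "other".
CATEGORIES = {
    "email": {"outlook.exe", "thunderbird.exe"},
    "messenger": {"telegram.exe", "signal.exe", "slack.exe", "teams.exe"},
    "browser": {"chrome.exe", "firefox.exe", "msedge.exe"},
}

# Constructed sample export. The columns are an assumption for this example,
# not the schema of any particular Amcache parsing tool.
SAMPLE_EXPORT = """program,path,last_write_utc
outlook.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,2024-03-11T08:02:15Z
7z.exe,C:\\Program Files\\7-Zip\\7z.exe,2024-03-11T21:40:12Z
telegram.exe,C:\\Users\\jdoe\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,2024-03-11T21:47:03Z
chrome.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,2024-03-11T21:50:40Z
chrome.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,2024-03-11T22:05:09Z
notepad.exe,C:\\Windows\\System32\\notepad.exe,2024-02-20T10:00:00Z
"""


@dataclass(frozen=True)
class AmcacheEntry:
    program: str
    path: str
    last_write: datetime


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the trailing 'Z' form is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_export(text: str) -> list:
    """Read the (assumed) CSV export into typed entries; program names are lower-cased for matching."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        AmcacheEntry(row["program"].lower(), row["path"], parse_timestamp(row["last_write_utc"]))
        for row in reader
    ]


def categorise(program: str) -> str:
    """Map an executable name to the area of the disk image to examine next."""
    for category, names in CATEGORIES.items():
        if program in names:
            return category
    return "other"


def as_bound(value: Union[None, str, datetime]) -> Optional[datetime]:
    """Accept None (unknown), an ISO string, or a datetime for a window edge."""
    if value is None or isinstance(value, datetime):
        return value
    return parse_timestamp(value)


def in_window(entries, start=None, end=None) -> list:
    """Keep entries whose timestamp falls in [start, end]; an open bound means that edge is unknown."""
    start, end = as_bound(start), as_bound(end)
    return [
        e for e in entries
        if (start is None or e.last_write >= start) and (end is None or e.last_write <= end)
    ]


def pivot_plan(entries) -> dict:
    """Group the executables seen into pivot areas, de-duplicated and sorted for a stable report."""
    plan = {}
    for e in entries:
        plan.setdefault(categorise(e.program), set()).add(e.program)
    return {category: sorted(names) for category, names in sorted(plan.items())}


def triage(export_text: str, start=None, end=None) -> dict:
    """Known timeframe: restrict to the window first. Unknown: every recorded app feeds the same pivot."""
    return pivot_plan(in_window(parse_export(export_text), start, end))


if __name__ == "__main__":
    # Constructed window: the evening of the suspected disclosure.
    for category, programs in triage(SAMPLE_EXPORT, "2024-03-11T18:00:00Z", "2024-03-12T00:00:00Z").items():
        print(f"{category:10s} -> {', '.join(programs)}")
```

The output of `triage` is a checklist rather than a finding: each category names the artefact set (mail store, messenger database, browser history, or the application's own data) that the examiner opens next, and the entries that fall outside the window are the ones that can be deprioritised.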

@13reak You'll be my response of the week. Good thinking! DM me your email address and I'll set you up with a free month in my Analyst Skills Vault https://networkdefense.co/skillsvault

@chrissanders88

I didn't even know there was something to win. I simply like the scenarios you're posting!

Thanks a lot

@13reak I appreciate you!