In Windows Forensics 2, I built on what I learned in the first room by diving deeper into specific artifacts that reveal user and attacker activity. This included investigating browser history, USB device connections, and other traces that remain on a Windows machine even after actions are completed. The room emphasized how much information is recoverable if you know where to look.
Working through these exercises sharpened my ability to reconstruct what happened during an incident. By analyzing multiple types of artifacts together, I saw how forensic analysts can form a clear timeline of actions and uncover the methods attackers use to interact with compromised systems.
