by hayst4ck 1119 days ago
Sounds like a lot of fun (actually)!

What OS? I assume Windows? What kind of artifacts have you already discovered?

DNS is a surprisingly fruitful thing to pay attention to.

Some viruses will delete themselves if they detect things like Wireshark or Python are installed.

I believe this is one of the big boy tools, though I haven't used it: https://www.volatilityfoundation.org/about

https://www.varonis.com/blog/how-to-use-volatility looks like a fun exercise.


I ran OSForensics on the machine last night. It was my first time running a tool like this, and while I didn't manage to find a smoking gun, I did find some questionable files masquerading as an installer where there were all kinds of different files and file types but they were actually all executables. I wound up deleting those.

What I did discover is that by default Chrome captures and stores every field you submit to every form in a SQLite database. The amount of PII that turned up was absolutely staggering. If I could only exfiltrate one file from a machine, it would be that.

It sort of boggles the mind that that's a thing at all. I don't ever want to touch a browser ever again.
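An added example, not code from either commenter, that audits the kind of autofill store the reply above describes: it counts remembered entries per form-field name and PII category in a Chrome-style "Web Data" SQLite `autofill` table without ever selecting the stored values, run here against a constructed in-memory copy of the table (the column layout and the PII name patterns are assumptions).

```python
import re
import sqlite3
from collections import Counter

# Heuristic field-name patterns that usually hold PII (constructed for this example).
PII_PATTERNS = {
    "email": re.compile(r"e-?mail", re.I),
    "phone": re.compile(r"phone|tel|mobile", re.I),
    "address": re.compile(r"addr|street|zip|postal|city", re.I),
    "name": re.compile(r"(first|last|full)?_?name", re.I),
    "payment": re.compile(r"card|cc|cvv|expir|account", re.I),
    "government_id": re.compile(r"ssn|social|passport|license|dob|birth", re.I),
}

def classify(field_name):
    """Return the PII category a form-field name suggests, or 'other'."""
    for category, pattern in PII_PATTERNS.items():
        if pattern.search(field_name):
            return category
    return "other"

def audit_autofill(conn):
    """Summarise the autofill table by field name only; stored values are never read.

    Returns (by_category, by_field): remembered entries per PII category and per field name.
    """
    by_category, by_field = Counter(), Counter()
    for name, n in conn.execute("SELECT name, COUNT(*) FROM autofill GROUP BY name"):
        by_field[name] = n
        by_category[classify(name)] += n
    return by_category, by_field

def build_sample_db():
    """Constructed in-memory table mimicking (assumed) Chrome 'Web Data' autofill layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, "
        "date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, "
        "count INTEGER DEFAULT 1, PRIMARY KEY (name, value))"
    )
    rows = [  # constructed sample rows; dates are placeholder Unix seconds
        ("email", "alice@example.com", "alice@example.com", 1600000000, 1600000000, 3),
        ("email", "a.smith@example.org", "a.smith@example.org", 1600000000, 1600000000, 1),
        ("phone", "555-0100", "555-0100", 1600000000, 1600000000, 2),
        ("cc-number", "4111111111111111", "4111111111111111", 1600000000, 1600000000, 1),
        ("q", "weather tomorrow", "weather tomorrow", 1600000000, 1600000000, 5),
    ]
    conn.executemany("INSERT INTO autofill VALUES (?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    by_category, _ = audit_autofill(build_sample_db())
    for category, n in by_category.most_common():
        print(f"{category:14} {n} remembered entries")
```

Pointing the same query at a copy of a real profile's database gives a per-category count of what the browser has retained, which is the information needed to decide what to clear.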