Forensics_Question_1:ANSWER: 4725 and 4726
Forensics_Question_2:ANSWER: C:\Windows\System32\config
Forensics_Question_3:ANSWSER: AES-CFB8,4
Unauthorized user orochimaru Deleted 
obito nolonger admin
orochimaru nolonger admin
validUsers,kakashi:hinata:sasuke:naruto:sakura:obito:tsuane:gaara:rocklee:jiraiya:DefaultAccount:Guest:vmadmin:WDAGUtilityAccount:Administrator,,1,User list correcct
validAdmins,kakashi:hinata:sasuke:sakura:naruto:vmadmin:Administrator,,1,Admin list correct
passwordUpdate,naruto:sakura,1,
serviceRunning,wuauserv,,2,Windows Update service enabled
appUpdated,Firefox,82,2,Fixfox updated
1,Firefox pop-up blocker enabled
1,Firefox blocks dangerous downloads
App Wireshark removed
appRemoved,Npcap, ,1,
1,App Npcap removed
1,Minecraft game removed
2,Powershell version 7 installed
fileRemoved,C:\Users\rocklee\Downloads\hashcat-6.1.1.7z,,2,Rocklee's hacking tool compressed file hashcat removed
fileRemoved,C:\Users\gaara\rocken\04 - Thriller.mp3,,1,Gaara's music removed
fileRemoved,C:\Users\gaara\Music\Thriller.mp3,,1,Gaara's music removed
2,TFTP feature disabled
2,SMB 1.0 disabled
2,IIS-WebServer feature disabled
expressionEQ,(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"  | select-object -expandproperty RPSessioninterval),1,2,System Restore enabled
expressionEQ,((Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\currentversion\Explorer" | select-object -expandproperty "smartscreenenabled")),Warn,2,SmartScreen enabled
expressionEQ,((get-itempropertyvalue hklm:\software\microsoft\windows\currentversion\explorer -name smartscreenenabled) -match "warn|block"),True,2,Windows SmartScreen configured to warn or block
expressionEQ,(Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"  | select-object -expandproperty disableantispyware),0,2,Defender registry issue fixed
expressionEQ,(Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server"  | select-object -expandproperty fDenyTSConnections),1,1,Remote Desktop disabled
expressionEQ,(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  | select-object -ErrorAction SilentlyContinue -expandproperty autoadminlogon),null0,1,Autologin disabled
expressionEQ,(((((get-netfirewallprofile -policystore activestore).Enabled)|sls $True).matches.count -eq 3) -and  ((((get-netfirewallprofile -policystore activestore).defaultinboundaction)|sls 'Block').matches.count -eq 3)),1,2,Firewall enabled with good default policy
expressionGT,(Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\currentversion\policies\system"  | select-object -expandproperty "consentpromptbehavioradmin"),1,1,User Account Setting enabled
policyGoodRange,MinimumPasswordAge,2 100,1,Minimum Password Age set within range 
policyGoodRange,^MaximumPasswordAge,30 120,1,Maximum Password Age set within range 
policyGoodRange,MinimumPasswordLength,10 30,1,Minium Password Length set within range 
policyGoodRange,PasswordHistorySize,5 30,1,Password History set within range 
policyGoodRange,LockoutBadCount,5 10,1,Bad Password lockout set within range 
policyValEQ,PasswordComplexity,1,1,Password Complexity enabled
policyValEQ,AuditLogonEvents,3,1,Audit of Logon Events enabled
policyValEQ,AuditAccountLogon,3,1,Audit of Account Logon enabled
policyValEQ,AuditPrivilegeUse,3,1,Audit of Privilege Use enabled
policyValEQ,AuditPolicyChange,3,1,Audit of Policy Change enabled
policyValEQ,AuditSystemEvents,3,1,Audit of System Events enabled
policyValEQ,AuditAccountManage,3,1,Audit of Account Management enabled
policyValEQ,AuditProcessTracking,3,1,Audit of Process Tracking enabled
policyValEQ,AuditDSAccess,3,1,Audit of DS Access enabled
policyValEQ,AuditObjectAccess,3,1,Audit of Object Access enabled
policyValEQ,LimitBlankPasswordUse,41,1,Account: Limit of blank password to console only enabled
policyValEQ,DontDisplayLockedUserId,43,1,Displaying of user information on locked session disabled
policyValEQ,DisableCAD,40,1,Do not require CTRL ALT DEL disabled
policyValEQ,DontDisplayLastUserName,41,1,Do not display last username at login enabled
policyValEQ,DontDisplayUserName,41,1,Do not display usernames at sign in enabled
policyValEQ,ShutdownWithoutLogon,40,1,Allow system to be shutdown without login disabled
expressionEQ,( (auditpol /get /category:system |sls -pattern "^\s+security state change\s+(.*)").matches.groups[1].value -like '*success*' ),True,4,Audit Security State Change [Success]
expressionEQ,(get-itempropertyvalue hklm:\system\currentcontrolset\services\lanmanworkstation\parameters -name EnablePlainTextPassword),0,2,Send unencrypted password to third-party SMB servers [disabled]
expressionEQ,(get-itempropertyvalue hklm:\system\currentcontrolset\services\lanmanworkstation\parameters -name RequireSecuritySignature),1,2,Microsoft network client: Digitally sign communications (always) [enabled]
expressionEQ,((get-mppreference).mapsreporting -ne 0),True,4,Cloud-delivered virus and threat protection enabled
expressionEQ,(-not (test-path 'c:\program files\wireshark') -and -not (test-path 'c:\program files\npcap') -and  -not (get-package -name '*Wireshark*')  -and -not (get-package -name "*npcap*")),True,2,Fully Removed Wireshark
expressionEQ,(((Get-ScheduledTask "Windows Special Updates" | select-object -expandproperty state) -eq "Ready") -or ((Get-ScheduledTask "Windows Special Updates" | select-object -expandproperty state) -eq "Running")),False,3,Music dropping scheduled task disabled
expressionEQ,(((Get-ScheduledTask "system_profile" | select-object -expandproperty state) -eq "Ready") -or ((Get-ScheduledTask "system_profile" | select-object -expandproperty state) -eq "Running")),False,2,Scheduled task system_profile disabled
expressionEQ,(-not (test-path c:\windows\SystemProfileManager)),True,3,Removed SystemProfileManager
expressionEQ,(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer"  | select-object -expandproperty "DisableNotificationCenter"),0,3,Part 1 of notification center registry fixed
expressionEQ,(Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\PushNotifications"  | select-object -expandproperty "ToastEnabled"),1,3,Part 2 of Notification center registry fixed