Livy is reported to have come into the building and taken “strategy.docx” and “customer_list.xlsx” at 18:45 EST (6:45 PM) on October 11, 2020.
Livy login at reported time and fsquit.exe (used for data transfer) ![[Pasted image 20251009142132.png]]
NIC was last used at the exact reported time. - RegRip of System Hive ![[Pasted image 20251009162120.png]]
These are the deleted files in Livy’s Recycle Bin. One matches the hash of “strategy.docx”. The other .docx seems to be a copy of “strategy.docx”. ![[Pasted image 20251009163313.png]]
Livy logging in at 6:47:24 PM. The time zone is off due to conversions. - Security.evtx ![[Pasted image 20251009180723.png]]
Another login confirmation - Microsoft-Windows-User Profile Service%4Operational.evtx ![[Pasted image 20251010141449.png]]
Livy logging off ~2 minutes later at 6:49:27 - Security.evtx ![[Pasted image 20251009180910.png]]
Livy logs in again at 6:50:24 PM - Microsoft-Windows-User Profile Service%4Operational.evtx ![[Pasted image 20251010142522.png]]
Livy logs off again at 6:56:15 PM ![[Pasted image 20251010151710.png]]
Livy initiates shutdown of the computer at 6:49:23 ![[Pasted image 20251009181650.png]]
Confirming that she did have the file, on the Desktop, and deleted it. ![[Pasted image 20251009191028.png]]
Remote Drives mounted ![[Pasted image 20251010155328.png]]
Recent Docs written to around reported time ![[Pasted image 20251010155700.png]]
Proof of drive writing at 6:54:49 ![[Pasted image 20251010160143.png]]
Proof of deletion ![[Pasted image 20251010191051.png]]
![[Pasted image 20251010194514.png]]
![[Pasted image 20251010201311.png]]