Run history
Is it on WiFi
Browser history
Drivers
Install date of software
Wallpaper
Browser extensions
Presence of personal documents
webcam image.
If you know what they check for also you can post it here.
My guys just checked event viewer for date of oldest events
They check Device Manager and look mainly at Disk drives and cd/dvd.
And dxdiag
And BIOS
All of these can be edited via regedit, BIOS and I think dxdiag need to be edited after each and every reboot.
With eventviewer it helps to have atleast 500 events and have some dating back more than a few months or your VM will look 'fresh' and suspicious.
Nope my guys openly told me that I am lying to them because there is oldest event of yesterday
They usually just check msinfo32 for me, but sometimes they’ll run devmgmt.msc… However all of these can be edited with regedit. You can also change the software installation dates in regedit. If you really want to go extra with the browsing history I’d recommend copying from your host machine into the VM and deleting what you don’t want them to see. Everything else is pretty simple.
@Brrr#40295 Foremost they check if this is a VM or not. User name and Users’ folder creation date, history and IP
[[3,4],[1]]