Digital forensic

In the Skill Digital Forensics section on Windows Local User Accounts, Guided Exercise question 3 asks:

“The date and time for the earliest record in the Security.evtx file is ____________. Use the format DD-MMM-YYYY HH:MM:SS (for example, 22-FEB-2022 10:27:18).”

I think the given answer is incorrect. I have brute-forced all possible dates and times from the Security.evtx file, but none of them seem to be correct. Help meeeee! :<<<

Hey there - could you tell me what you’re entering as the earliest timestamp and provide a screenshot of the Event Viewer logs you’re seeing? I just double-checked the lab and this question seemed to be working fine.

Here is my event log screenshot. I have sorted the timestamps, and the red box highlights the result I entered, but the output is incorrect. :sob:

You’re absolutely right - I think the issue is that the lab guide was missing a specific step for sorting by the Date/Time header. In its unsorted state, the top-most and bottom-most log records gave the appearance that it was already sorted most recent to earliest, and the log at the very bottom was the one set as the answer, but that wasn’t actually the case.

I’ve added a new step and corrected the answer. Thanks for flagging.
