I can think of multiple ways to surveil a logged out computer with temporary physical access. The first is installing a hardware keylogger which would enable one to get all the keystrokes from it; however, hardware keyloggers on laptops are to my knowledge much harder to install as typically laptop keyboards are connected with a multi-conductor flat cable, making it appear as a key matrix, with the keyboard controller on the laptop motherboard, according to this thread (correct if wrong). I have also seen that a laptop keyboard's microcontroller can be replaced with one of the same form factor but that logs all the keystrokes, but I am not sure as to how one would go about doing this especially considering the thinness of keyboards. If it can, please explain how.
The other way I can think of that would work on a laptop is using a live and payload USB to install a Metasploit backdoor and then use Metasploit's inbuilt keylogger functionality. However, I do not know if this works on Active Directory connected workstations (I would like a definitive answer on this).
I would like to know if the above 2 attacks work and if so in what capacity they work, and if not if there is any way for this type of attack to be executed.
