Network Users
Posted: Wed Nov 28, 2012 9:26 am
Hello,
On the image (Win 7 Home Premium) I have a few user profiles with material of interest to me, including the whole folder structure; however, I cannot determine from the local SAM when those users last logged in, etc., as they do not exist there.
If they were network/domain accounts there would obviously be nothing in the local SAM, but SIDs (different from the local ones) for those users should be available in $Recycle.Bin, even if nothing was moved there.
So I wonder whether there is any other way, from the image, to find out more about those users; perhaps someone accessed this PC remotely...
NTUSER.DAT is present and was created after OS Install.
Any clues?
-

pajkow - Member
Re: Network Users
Posted: Wed Nov 28, 2012 9:45 am
Was the system part of a domain or corporate infrastructure?
Take a look at the last mod time on the NTUSER.DAT files in question to figure out when the users may have last logged out. From there, look in the Security Event Log to see if you can determine when (and from where) the users may have logged in.
You might also consider creating a timeline to get a better idea of what was going on and when.
-

keydet89 - Senior Member
Re: Network Users
Posted: Wed Nov 28, 2012 9:52 am
keydet89 – thanks
Yes, the last written time of NTUSER.dat will tell me when they last logged in. However, I need to know whether the user account in particular was password protected.
In terms of the event log – that's a good point!
Do you have any docs explaining the detailed examination of event logs from an image?
-

pajkow - Member
Re: Network Users
Posted: Wed Nov 28, 2012 10:20 am
- pajkow
Yes, the last written time of NTUSER.dat will tell me when they last logged in. However, I need to know whether the user account in particular was password protected.
Well, that's different from what you said before...
- pajkow
So I wonder whether there is any other way, from the image, to find out more about those users; perhaps someone accessed this PC remotely...
If the user accounts are not in the SAM, then you're not going to find that information on the system.
Since you didn't respond to my questions regarding the domain, I'm going to assume that this isn't the case.
I would look at the contents of the ProfileList Registry key in the Software hive and compare the SIDs for the users, perhaps the ones for your users in question will be different from those accounts that do exist in the SAM. If the system is not connected to a domain, then perhaps this is an instance of re-installing Windows over a previous version (kind of reaching here, I know...). That *might* account for what you're seeing. Without more information, it's difficult to tell...pretty much anything I could offer would be pure speculation and might not be of use at all.
- pajkow
In terms of the event log – that's a good point!
Do you have any docs explaining the detailed examination of event logs from an image?
Well, there are my books, but if you don't understand what you're looking for, they won't be of much use to you.
-

keydet89 - Senior Member
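As an added example (not part of the thread and not any poster's code) of the comparison keydet89 suggests above, the Python below decodes SIDs and labels every SID found under the ProfileList key by whether its RID exists among the SAM\Domains\Account\Users subkeys. It uses only the standard library so it can be run against values copied out of an offline image; the machine SID, the ProfileList SIDs and the SAM subkey names are constructed sample data, not values from the case.

```python
"""Classify the SIDs found under SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
against the RIDs present as subkeys of SAM\\Domains\\Account\\Users.

Added example for this thread, not code from any poster. Standard library only.
The machine SID, profile SIDs and SAM subkey names below are constructed sample
data standing in for what a hive viewer would list on the image.
"""
import struct

# Profiles owned by well-known service accounts have no SAM entry at all.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (the layout of the ProfileList 'Sid' value):
    revision (1 byte), sub-authority count (1), identifier authority
    (6 bytes, big endian), then 32-bit little-endian sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def split_sid(sid: str):
    """Return (domain prefix, RID). Account SIDs look like S-1-5-21-a-b-c-RID;
    anything with fewer components has no RID of its own."""
    parts = sid.split("-")
    if len(parts) < 8:
        return sid, None
    return "-".join(parts[:-1]), int(parts[-1])


def rids_from_sam_user_keys(key_names) -> set:
    """SAM\\Domains\\Account\\Users subkeys are RIDs written as eight hex digits
    ('000001F4' is RID 500, the built-in Administrator); 'Names' is not a RID."""
    return {int(name, 16) for name in key_names if name != "Names"}


def classify_profiles(profile_sids, machine_sid: str, sam_rids: set) -> dict:
    """Label each profile SID so profiles without a SAM account stand out:
    well-known service SID, foreign (domain) SID, or a local-machine SID whose
    RID is no longer in the SAM (deleted account or OS reinstall)."""
    labels = {}
    for sid in profile_sids:
        if sid in WELL_KNOWN_SIDS:
            labels[sid] = "well-known: " + WELL_KNOWN_SIDS[sid]
            continue
        prefix, rid = split_sid(sid)
        if prefix != machine_sid:
            labels[sid] = "foreign SID: domain/network account, no local SAM entry expected"
        elif rid in sam_rids:
            labels[sid] = "local account, RID %d present in SAM" % rid
        else:
            labels[sid] = "local machine SID but RID %d absent from SAM" % rid
    return labels


# Constructed sample data (not from the thread).
MACHINE_SID = "S-1-5-21-1060284298-2111687655-1957994488"
SAM_USER_KEYS = ["000001F4", "000001F5", "000003E8", "Names"]   # RIDs 500, 501, 1000
PROFILE_SIDS = [
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    MACHINE_SID + "-1000",                                   # matches SAM RID 1000
    MACHINE_SID + "-1003",                                   # no such RID in the SAM
    "S-1-5-21-3623811015-3361044348-30300820-1105",          # other authority: domain user
]


def demo() -> dict:
    return classify_profiles(PROFILE_SIDS, MACHINE_SID, rids_from_sam_user_keys(SAM_USER_KEYS))


if __name__ == "__main__":
    for sid, label in demo().items():
        print("%-48s %s" % (sid, label))
```

In a real case the machine SID is not typed in: its three sub-authorities are the last 12 bytes of the V value of SAM\Domains\Account, and `sid_from_bytes` handles binary SIDs such as the `Sid` value under each ProfileList subkey. A profile whose SID carries the machine prefix but whose RID has no SAM subkey is the pattern to expect if an account was deleted or Windows was reinstalled over an older installation; a profile whose prefix differs from the machine SID belonged to a domain or other non-local account.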
Re: Network Users
Posted: Tue Dec 04, 2012 12:52 pm
Alright, this is how it looks:
I have four accounts, say A, B, C, D:
Account A: the last written time of NTUSER.dat is approximately close to the last login time from the SAM registry – all OK.
Account B: the last written time of NTUSER.dat is long BEFORE the last login time in the SAM registry – makes no sense at all. Plus, NTUSER.dat is empty.
Account C: NTUSER.dat is OK and its last written time seems to be OK, and NTUSER.dat is not empty; however, there is no trace of this account in the SAM.
Account D: the last written time of NTUSER.dat is very similar to Account B's; it is also empty inside and there is no trace of this account in the SAM.
Now, in the profile list in the SYSTEM hive only two accounts are present: Account A (last written time is the same as the NTUSER.dat relating to account A – all OK) and C (last written time similar to/after the last login of account B).
Internet browsing history relating to user B is stored in the local index.dat in the AppData of account C – strange.
I used VMware – only two accounts exist on the live machine, A and B, so it looks like account C must have been renamed to account B.
So, I think this indicates that account B was renamed from account C or became corrupt.
BTW, perhaps someone could send me a link to where exactly on Win 7 the info indicating whether an account is password protected or not is kept.
In SAM\Domains\Account\Users we have three values:
Password Required (True/False)
Has LAN Manager Password (True/False) – I guess this is for network login, if used
Has NTLMv2 Password (True/False)
Could anyone tell me which is responsible for password protection on the local machine if the computer is used only in a local workgroup?
-

pajkow - Member
Re: Network Users
Posted: Tue Dec 04, 2012 1:39 pm
- pajkow
Alright, this is how it looks:
I have four accounts, say A, B, C, D:
Account A: the last written time of NTUSER.dat is approximately close to the last login time from the SAM registry – all OK.
Account B: the last written time of NTUSER.dat is long BEFORE the last login time in the SAM registry – makes no sense at all. Plus, NTUSER.dat is empty.
Account C: NTUSER.dat is OK and its last written time seems to be OK, and NTUSER.dat is not empty; however, there is no trace of this account in the SAM.
Account D: the last written time of NTUSER.dat is very similar to Account B's; it is also empty inside and there is no trace of this account in the SAM.
I think it would be really valuable to know if any of these account names are anything like "NetworkService" or "LocalService" or "DefaultUser".
- pajkow
Now, in the profile list in the SYSTEM hive only two accounts are present: Account A (last written time is the same as the NTUSER.dat relating to account A – all OK) and C (last written time similar to/after the last login of account B).
You looked at the wrong key...the ProfileList key is located in the Software hive; if you found it in the System hive, you've been tricked - I'm not aware of the operating system using a key or value with that name within the System hive.
Okay, I know what folks are going to say...someone's going to respond with, "maybe he meant the Software hive...", and maybe that's the case. However, I have to go with the fact that the OP took the time to review what they'd written, and edited it appropriately before clicking "Submit".
So, could you (the OP) go back and check the Software hive, and also check for deleted keys?
- pajkow
Internet browsing history relating to user B is stored in the local index.dat in the AppData of account C – strange.
That is strange...what's even stranger is how you were able to determine that...
- pajkow
I used VMware – only two accounts exist on the live machine, A and B, so it looks like account C must have been renamed to account B.
So, I think this indicates that account B was renamed from account C or became corrupt.
Interesting. Do you have any other data to support that theory? An Event Log entry indicating this, or something similar? For example, one thing you haven't addressed is the SIDs...
- pajkow
BTW, perhaps someone could send me a link to where exactly on Win 7 the info indicating whether an account is password protected or not is kept.
In SAM\Domains\Account\Users we have three values:
Password Required (True/False)
Has LAN Manager Password (True/False) – I guess this is for network login, if used
Has NTLMv2 Password (True/False)
Could anyone tell me which is responsible for password protection on the local machine if the computer is used only in a local workgroup?
Just use any of the available password cracking tools (Cain and Abel, John the Ripper, OphCrack, etc.) to determine this...the "Password Not Required" flag has nothing to do with whether or not an account actually has a password.
-

keydet89 - Senior Member