NTUSER.DAT file modification timestamp


NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 11:34 am

I am examining a laptop with Windows XP, that was part of a domain.
I have 10 different user profiles in this machine.
Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?
Thanks
Alex

abiolcati
Newbie
 
 
  

Re: NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 12:11 pm

How are you performing your examination of the NTUSER.DAT file?  

douglasbrush
Senior Member
 
 
  

Re: NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 1:06 pm

Doug,

- douglasbrush
How are you performing your examination of the NTUSER.DAT file?


I don't follow...the OP appears to be asking about the modification time of the file.

@abiolcati,

Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?

No, it doesn't...not by itself. It simply tells you that that's when the file was last modified.

If you're interested in when the user was logged in, a good way to validate this is to check the contents of keys that indicate user activity...UserAssist, RecentDocs, RunMRU, TypedURLs, etc.

Also, check the SAM hive for the last login time...that may help.

If the system is auditing user logins, a good methodology is to create a timeline with file system activity and Event Log records...you should see the user login (event ID 528, type 2 or 10), and a logout 'close' to the last modification time of the NTUSER.DAT file in question.

HTH.  

keydet89
Senior Member
 
 
  
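Turning keydet89's timeline suggestion into code, as an added example that is not part of the thread: pair each event 528 logon for an account with its logoff (taken here as XP event 538; that pairing and the five-minute slack are assumptions of the example) and check whether the hive's modification time falls inside an interactive (type 2 or 10) session, inside a non-interactive one such as athulin's scheduled batch job, or in no session at all. The Security log records below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample: XP Security log records already parsed into
# (timestamp, event_id, logon_type, account).
EVENTS = [
    ("2010-04-12 08:58:03", 528, 2, "alex"),
    ("2010-04-12 12:30:15", 538, 2, "alex"),
    ("2010-04-12 12:31:40", 528, 2, "maria"),
    ("2010-04-12 17:40:55", 538, 2, "maria"),
    ("2010-04-12 23:30:02", 528, 4, "alex"),   # type 4: batch (scheduled job)
    ("2010-04-12 23:30:09", 538, 4, "alex"),
]

LOGON, LOGOFF = 528, 538   # XP: successful logon, user logoff (538 assumed here)
INTERACTIVE = {2, 10}      # console and RDP logon types named in the thread


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sessions(events, account):
    """Pair each 528 logon for `account` with the next 538 of the same logon type.
    Returns [(logon_time, logoff_time_or_None, logon_type), ...]."""
    out, open_logons = [], {}
    for ts, eid, ltype, acct in sorted(events, key=lambda e: parse(e[0])):
        if acct != account:
            continue
        if eid == LOGON:
            open_logons[ltype] = parse(ts)
        elif eid == LOGOFF and ltype in open_logons:
            out.append((open_logons.pop(ltype), parse(ts), ltype))
    for ltype, start in open_logons.items():
        out.append((start, None, ltype))   # still logged on at end of the log
    return out


def explain_mtime(mtime, events, account, slack=timedelta(minutes=5)):
    """Return (kind, logon_type, logon, logoff, near_logoff) for the session
    covering the hive mtime, or None if no logon of `account` covers it."""
    m = parse(mtime)
    for start, end, ltype in sessions(events, account):
        # Allow the hive to be flushed shortly after the logoff record.
        if start <= m and (end is None or m <= end + slack):
            kind = "interactive" if ltype in INTERACTIVE else "non-interactive"
            near_logoff = end is not None and abs(end - m) <= slack
            return kind, ltype, start, end, near_logoff
    return None
```

A `None` result does not clear the account; it only means the Event Log does not corroborate a logon at that time, so the registry keys named above still need to be checked.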

Re: NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 1:18 pm

I wasn't clear whether it was about the time stamp of the file itself or the time stamping within. I was guessing within and am curious how the examination is being performed.

douglasbrush
Senior Member
 
 
  

Re: NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 1:32 pm

- abiolcati
Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?


'logged'? Do you mean 'logged on'?

That probably depends on what exactly 'logged (on)' means.

For instance, if a user creates a batch job that directly or indirectly modifies parts of registry that are located in NTUSER.DAT, schedules it for 23:30 and then logs out and leaves, ...  

athulin
Senior Member
 
 
  

Re: NTUSER.DAT file modification timestamp

Post Posted: Mon Apr 12, 2010 2:21 pm

- douglasbrush
I wasn't clear whether it was about the time stamp of the file itself or the time stamping within. I was guessing within and am curious how the examination is being performed.


I could be completely wrong...I read "modification time of the NTUSER.DAT" and assumed that meant the modification time of the file itself.  

keydet89
Senior Member
 
 