Having a brain freeze….
If I recall, on a WinXP system, users that log into a Domain do not have an entry in the SAM; however, we see their profile directories under \Documents & Settings\
According to the profile folders, there were 4 users logged into that machine based on the 4 profile directories there.
There is only 1 folder in the RECYCLER S-1-5-21-………-3825
Is there any way to find out which of the 4 users the SID in the RECYCLER belongs to?
Appreciate any help.
-=Art=-
Are you using EnCase? If so, there is a quick way to find out by going to the Documents and Settings folder and choosing "Report" view. If you click on each profile directory in turn, it will give you the "owner" SID - which (if I remember correctly) corresponds to the user's SID.
We are an FTK shop. We are in the process of getting EnCase.
-=Art=-
Well, in FTK you can just define your own Column Settings and select Owner SID.
Maybe I'm missing something, but if you look in software\Microsoft\Windows NT\CurrentVersion\ProfileList and look through the values for each subkey, then you should be able to enumerate the data for each user?
Hope the terminology's right.
Cheers
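The ProfileList lookup suggested above, as an added example that is not part of the original thread: it parses a regedit-style text export of the ProfileList key, decodes each subkey's ProfileImagePath, and matches a RECYCLER folder name to a profile directory. The SIDs, account names and helper function names are constructed for illustration.

```python
import re

KEY_RE = re.compile(r"^\[.*\\ProfileList\\(S-1-[0-9-]+)\]$", re.I)

def parse_profilelist(reg_text):
    """Map each SID subkey in a regedit export of ProfileList to its ProfileImagePath."""
    # regedit wraps long hex data with a trailing backslash; rejoin those lines first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    profiles, sid = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            sid = m.group(1)
        elif line.startswith("["):
            sid = None  # a key outside ProfileList\<SID>
        elif sid and line.lower().startswith('"profileimagepath"='):
            data = line.split("=", 1)[1]
            if data.startswith("hex(2):"):  # REG_EXPAND_SZ exported as UTF-16LE bytes
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                path = raw.decode("utf-16-le").rstrip("\0")
            else:  # plain REG_SZ: quoted, with backslashes doubled
                path = data.strip('"').replace("\\\\", "\\")
            profiles[sid] = path
    return profiles

def owner_of_recycler(recycler_folder, profiles):
    """Return the profile path for the SID that names a RECYCLER subfolder, or None."""
    return profiles.get(recycler_folder.strip("\\").split("\\")[-1])

def _expand_sz(s, width=25):
    """Sample-building helper: encode s the way regedit writes REG_EXPAND_SZ, wrapped."""
    hx = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    return ",\\\n  ".join(",".join(hx[i:i + width]) for i in range(0, len(hx), width))

# Constructed sample export; the domain SID, RIDs and account names are invented.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
PL = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
SAMPLE = "Windows Registry Editor Version 5.00\n\n" + "\n".join(
    f"{PL}\\{DOM}-{rid}]\n" + '"ProfileImagePath"=hex(2):'
    + _expand_sz("%SystemDrive%\\Documents and Settings\\" + name) + "\n"
    for rid, name in [(1105, "asmith"), (1142, "bjones")])

if __name__ == "__main__":
    found = parse_profilelist(SAMPLE)
    for sid, path in found.items():
        print(sid, "->", path)
    print(owner_of_recycler("RECYCLER\\" + DOM + "-1142", found))
```

A RECYCLER SID with no ProfileList subkey returns None, which usually means the profile was removed or the folder came from another installation.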
*headslap* That was it. The ProfileList.
Thanks Cults14 and everyone else for their input.
Best…
-=Art=-