I acquired a disk image of a Win7 OS. I have attempted the following artifacts. However, I still cannot find which user was deleted.
Attempt 1
If I can find the $I30 file from the Users directory and find which directory is deleted, then we are good.
However, the result matches what is currently in the Users directory. So no clue here, since no slack space is found for any users other than the directories belonging to the current users.
Attempt 2
Dump SAM and RegBack\SAM to see if any user information left.
https://www.forensicfocus.com/Forums/viewtopic/t=3008/
However, none of these files contains the files of interest:
./Windows/System32/config/RegBack/SAM
./Windows/System32/config/SAM
Attempt 3
Try to see if the Windows event log contains it. However, I cannot find anything for these two log IDs.
User account creation and deletion are tracked by Windows and are stored in the Security Log.
The Security Event ID for "User Account Created" is 4720.
The Security Event ID for "User Account Deleted" is 4726.
Attempt 4
From the SOFTWARE reg key, look for
Microsoft\Windows NT\CurrentVersion\ProfileList
This contains a few users that do not have directories in the Users directory. So I don't know which one is the deleted one, or whether none of them is.
Attempt 5
Using event 4624 to see if any other users logged on to the system besides the ones that are not deleted and the system default accounts. But I found nothing interesting.
Attempt 6
Description: Keywords searched for from the START menu bar on a Windows 7 machine.
Location: Win7/8/10 NTUSER.DAT Hive
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
No such key is found.
Any advice is appreciated!
I acquired a disk image Win7 OS. I have attempted the following artifacts. However, still cannot find which user is deleted.
Attempt 2
Dump SAM and RegBack\SAM to see if any user information left.
https://www.forensicfocus.com/Forums/viewtopic/t=3008/
However, none of these files contains the files of interest:
./Windows/System32/config/RegBack/SAM
./Windows/System32/config/SAM
You're not looking for files…you're looking for keys or values.
Have you tried extracting the deleted contents of the SAM hive(s)?
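"Extracting the deleted contents" of a hive means walking its hive bins (hbin) for cells whose size field is positive (unallocated) but which still carry an nk key record, since a deleted SAM user key under Domains\Account\Users\Names keeps its name until the cell is reused. The following is an added example, not code from this thread or from any forensic tool; it assumes the standard regf layout (4 KiB base block, 32-byte hbin header, name length at nk offset 0x48 and name at 0x4C) and builds a constructed stand-in hive inline so it runs offline.

```python
import struct

NK_NAME_LEN, NK_NAME = 0x48, 0x4C   # offsets inside an nk record (after the 4-byte cell size)

def nk_record(name: str, ascii_name: bool = True) -> bytes:
    """Minimal nk record: 'nk' signature, name flags, zero padding, name length, name."""
    flags = 0x20 if ascii_name else 0                 # 0x20 = compressed (ASCII) key name
    raw = name.encode("latin-1") if ascii_name else name.encode("utf-16-le")
    return b"nk" + struct.pack("<H", flags) + b"\x00" * (NK_NAME_LEN - 4) + struct.pack("<HH", len(raw), 0) + raw

def cell(record: bytes, allocated: bool) -> bytes:
    """Wrap a record in a hive cell. Size is int32: negative = in use, positive = free."""
    size = (4 + len(record) + 7) & ~7
    body = record + b"\x00" * (size - 4 - len(record))
    return struct.pack("<i", -size if allocated else size) + body

def build_hive(cells) -> bytes:
    """Constructed stand-in for a hive: 4 KiB 'regf' base block + one 'hbin' holding the cells."""
    data = b"".join(cells)
    hbin_size = (0x20 + len(data) + 0xFFF) & ~0xFFF
    hbin = b"hbin" + struct.pack("<II", 0, hbin_size) + b"\x00" * (0x20 - 12)
    return b"regf" + b"\x00" * (4096 - 4) + hbin + data + b"\x00" * (hbin_size - 0x20 - len(data))

def recover_deleted_key_names(hive: bytes) -> list:
    """Walk every hbin; return names of free cells that still hold an nk record."""
    names, off = [], 4096
    while off + 0x20 <= len(hive) and hive[off:off + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, off + 8)[0]
        if hbin_size < 0x20:
            break                                     # corrupt bin header, stop scanning
        end, cur = off + hbin_size, off + 0x20
        while cur + 4 <= end:
            size = struct.unpack_from("<i", hive, cur)[0]
            if size == 0:
                break                                 # zero-filled tail of the bin
            rec = cur + 4
            if size > 0 and hive[rec:rec + 2] == b"nk" and rec + NK_NAME <= end:
                flags, = struct.unpack_from("<H", hive, rec + 2)
                nlen, = struct.unpack_from("<H", hive, rec + NK_NAME_LEN)
                raw = hive[rec + NK_NAME:rec + NK_NAME + nlen]
                names.append(raw.decode("latin-1" if flags & 0x20 else "utf-16-le", "replace"))
            cur += abs(size)
        off = end
    return names

# Constructed sample: live 'Names' and 'Administrator' keys plus a freed cell for 'bob'
SAMPLE_HIVE = build_hive([
    cell(nk_record("Names"), True),
    cell(nk_record("Administrator"), True),
    cell(nk_record("bob"), False),                    # deleted user: cell freed, record intact
    cell(b"vk" + b"\x00" * 20, False),                # freed value cell, ignored by the scan
])

if __name__ == "__main__":
    print(recover_deleted_key_names(open_path := None) if False else recover_deleted_key_names(SAMPLE_HIVE))  # ['bob']
```

Run it against the real file with `recover_deleted_key_names(open("SAM", "rb").read())` and check both the SAM and RegBack\SAM copies; a freed cell can be reused or zeroed at any time, so an empty result does not prove that no account was deleted.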