Recycle Bin for a D...
 
Notifications
Clear all

Recycle Bin for a Domain User

6 Posts
4 Users
0 Likes
521 Views
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Having a brain freeze….

If I recall, on a WinXP system, users that log into a Domain do not have an entry in the SAM however, we see their profile directories under \Documents & Settings\
According to the profile folders, there were 4 users logged into that machine based on the 4 profile directories there.

There is only 1 folder in the RECYCLER S-1-5-21-………-3825

Is there any way to find out which of the 4 users the SID in the RECYCLER belongs to?

Appreciate any help.
-=Art=-

 
Posted : 02/11/2011 6:20 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Are you using EnCase? If so, there is a quick way to find out by going to the Documents and Settings folder and choosing "Report" view. If you click on each profile directory in turn, it will give you the "owner" SID - which (if I remember correctly) corresponds to the user's SID.

 
Posted : 02/11/2011 11:48 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

We are an FTK shop. We are in the process of getting Encase.

-=Art=-

 
Posted : 02/11/2011 5:54 pm
(@thall)
Posts: 53
Trusted Member
 

well in FTK you can just define your own Column Settings and select Owner SID

 
Posted : 02/11/2011 6:33 pm
(@cults14)
Posts: 367
Reputable Member
 

mebbe I'm missing something, but if you look in software\Microsoft\Windows NT\CurrentVersion\ProfileList

and look through the values for each subkey then you should be able to enumerate the data for each user?

Hope the terminology's right

Cheers

 
Posted : 02/11/2011 8:00 pm
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

*headslap* That was it. The ProfileList.
Thanks Cults14 and everyone else for their input.

Best…
-=Art=-

 
Posted : 04/11/2011 6:34 am
Share: