±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36231
New Yesterday: 0 Visitors: 181

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Recycle Bin for a Domain User

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

4n6art
Senior Member
 

Recycle Bin for a Domain User

Post Posted: Nov 02, 11 06:20

Having a brain freeze....

If I recall, on a WinXP system, users that log into a Domain do not have an entry in the SAM however, we see their profile directories under \Documents & Settings\
According to the profile folders, there were 4 users logged into that machine based on the 4 profile directories there.

There is only 1 folder in the RECYCLER S-1-5-21-.........-3825

Is there any way to find out which of the 4 users the SID in the RECYCLER belongs to?

Appreciate any help.
-=Art=-  
 
  

Chris_Ed
Senior Member
 

Re: Recycle Bin for a Domain User

Post Posted: Nov 02, 11 11:48

Are you using EnCase? If so, there is a quick way to find out by going to the Documents and Settings folder and choosing "Report" view. If you click on each profile directory in turn, it will give you the "owner" SID - which (if I remember correctly) corresponds to the user's SID.  
 
  

4n6art
Senior Member
 

Re: Recycle Bin for a Domain User

Post Posted: Nov 02, 11 17:54

We are an FTK shop. We are in the process of getting Encase.

-=Art=-  
 
  

thall
Senior Member
 

Re: Recycle Bin for a Domain User

Post Posted: Nov 02, 11 18:33

well in FTK you can just define your own Column Settings and select Owner SID  
 
  

Cults14
Senior Member
 

Re: Recycle Bin for a Domain User

Post Posted: Nov 02, 11 20:00

mebbe I'm missing something, but if you look in software\Microsoft\Windows NT\CurrentVersion\ProfileList

and look through the values for each subkey then you should be able to enumerate the data for each user?

Hope the terminology's right

Cheers  
 
  

4n6art
Senior Member
 

Re: Recycle Bin for a Domain User

Post Posted: Nov 04, 11 06:34

*headslap* That was it. The ProfileList.
Thanks Cults14 and everyone else for their input.

Best...
-=Art=-  
 

Page 1 of 1