I have a problem whereby we are trying to prove a user was logged onto their Windows-based PC during a specific 2 hour time period. Unfortunately it was about 11 months ago now and many of the normal logs we would check have been overwritten. Any suggestions on what we could check?
If it's a corporate environment, proxy logs are usually a great place to look for this kind of information.
On a local machine you may get lucky and have something in the event logs going back that far. Otherwise you could try carving for internet history using something like NetAnalysis/HstEx. I'd also take a look at general file activity over the time period. So look across all MAC times for anything in that time period.
Are you trying to prove they were doing something in that time period? If so then focusing your analysis on what they are supposed to have done may also be of use.
Did you check the registry hives?
Possibly last write values in that user's NTUSER.DAT, that or MAC times within that user's directory. Possibly Internet history.
But, all in all, you are facing an uphill battle.
If it was on a corporate network -
routers, especially to the Internet,
personal e-mail account visiting IP sources
Active Directory
Exchange server
e-mail headers sent and received
smart switches
building video and security swipe
EZPass transactions
Credit card transactions at nearby restaurants
Obviously many of them would just put them near the machine in question. But thereafter it is easier to use mediocre material, since there is corroborating evidence to shore them up.
Event log entries?
MFT entry, I'll say.
You might check the Domain Controller logs, either on the controllers or archived log files. 11 months is quite long, so you might search for archived log files from the controllers.
Alternatively, given that narrow window, have you found any user files with a timestamp that fits this narrow window?
Cheers!
farmerdude
A great way to achieve this and my absolute first choice here would be using a super timeline. Reason? Well, you are pulling together in one flat timeline multiple timestamp sources such as:
MAC times from the file system
Metadata / Exif data times from inside files
LNK file timestamps
Registry Key timestamps
Firefox & IE Internet history timestamps
Event Logs
Restore points
Recycle Bin
User Assist
You can't use a computer without making changes all over the place to timestamps and many of them are either contained in a user's profile or key entries in their NTUSER.DAT.
If you haven't used this technique before, hop over to Rob Lee's post here for some info
http//
You need to start using Linux (I would recommend downloading the SIFT workstation) to take advantage of the tools to put this together, but I can tell you it is absolutely worth it (oh yeah... and free). Even if your user was on the machine for only a couple of hours 11 months ago, you'll probably find heaps of evidence of their activity at that time using this technique and good evidence they were logged on, as well as other artefacts of user activity you may have never thought of.
Tip: make sure you set your time zones correctly when pulling together time-related data from different tools.
Go Forth and TIMELINE!
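One way to see what the super timeline approach above (and the earlier suggestion of looking across all MAC times for the window) actually does, as an added example that is not part of this thread and is not code from log2timeline or the SIFT workstation: a small Python script that normalises constructed sample records from four artefact sources ($MFT FILETIME values, an NTUSER.DAT key last-write time, EVTX SystemTime strings, and a browser-history export that a GUI tool wrote in local time with no offset) into one UTC-ordered timeline, then pulls out everything inside a two-hour window given in local wall-clock time. The user name, paths, URLs, timestamps and the office time zone (America/New_York) are all assumed sample values.

```python
"""
Toy "super timeline": normalise timestamps from several Windows artefact
sources to UTC, merge them into one ordered list, and pull out everything
that falls inside the two-hour window under investigation.
Every record below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

UTC = timezone.utc
# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_utc(ft: int) -> datetime:
    """Convert an NTFS / registry FILETIME integer to a tz-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass(frozen=True, order=True)
class Event:
    ts_utc: datetime   # every source is normalised to UTC before it enters the timeline
    source: str
    detail: str


# --- Constructed sample artefacts (assumed values, not from a real system) ---
# 1. $MFT records as (FILETIME, MAC attribute, path). NTFS stores FILETIME in UTC.
MFT_ROWS = [
    (129762075120000000, "M", r"C:\Users\jdoe\Documents\report.docx"),   # 2012-03-14 14:05:12Z
    (129761658000000000, "C", r"C:\Windows\Temp\~DF1234.tmp"),           # 2012-03-14 02:30:00Z
]
# 2. Registry key last-write time from the user's NTUSER.DAT (FILETIME, UTC).
REG_ROWS = [
    (129762085600000000, r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"),  # 14:22:40Z
]
# 3. Security event log entries; EVTX SystemTime is ISO 8601 in UTC ("Z" suffix).
EVTX_ROWS = [
    ("2012-03-14T14:01:37.120Z", "An account was successfully logged on: jdoe"),
    ("2012-03-14T16:12:00.000Z", "An account was logged off: jdoe"),
]
# 4. Browser-history export from a tool that wrote LOCAL wall-clock time with
#    no offset. This is the case the time zone tip is about.
HISTORY_EXPORT_ROWS = [
    ("2012-03-14 10:41:05", "http://intranet.example/timesheet"),
    ("2012-03-14 11:15:00", "http://intranet.example/mail"),
]

# The two-hour window, as the investigator states it: local wall-clock time.
WINDOW_START = datetime(2012, 3, 14, 10, 0)
WINDOW_END = datetime(2012, 3, 14, 12, 0)


def office_tz():
    """Time zone the workstation ran in (assumed). Falls back to a fixed offset
    if the system has no tzdata; mid-March 2012 is EDT (UTC-4) in that zone."""
    try:
        return ZoneInfo("America/New_York")
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=-4), "EDT")


def parse_evtx_time(s: str) -> datetime:
    """EVTX SystemTime is already UTC; just make the datetime tz-aware."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=UTC)


def parse_local_export(s: str, tz) -> datetime:
    """Attach the exporting tool's zone to a naive string, then convert to UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(UTC)


def build_timeline(export_tz) -> list[Event]:
    """Merge all sources into one list ordered by UTC timestamp."""
    events = []
    for ft, attr, path in MFT_ROWS:
        events.append(Event(filetime_to_utc(ft), "MFT", f"{attr}-time {path}"))
    for ft, key in REG_ROWS:
        events.append(Event(filetime_to_utc(ft), "REG", f"last-write {key}"))
    for ts, msg in EVTX_ROWS:
        events.append(Event(parse_evtx_time(ts), "EVTX", msg))
    for ts, url in HISTORY_EXPORT_ROWS:
        events.append(Event(parse_local_export(ts, export_tz), "WEB", url))
    return sorted(events)


def events_in_window(timeline, start_local, end_local, tz):
    """Convert the local window to UTC once, then filter the UTC timeline."""
    start = start_local.replace(tzinfo=tz).astimezone(UTC)
    end = end_local.replace(tzinfo=tz).astimezone(UTC)
    return [e for e in timeline if start <= e.ts_utc < end]


def investigate(export_tz=None):
    """Timeline hits inside the window. export_tz overrides the zone assumed for
    the local-time browser export, to show what a wrong setting does."""
    tz = office_tz()
    if export_tz is None:
        export_tz = tz
    return events_in_window(build_timeline(export_tz), WINDOW_START, WINDOW_END, tz)


if __name__ == "__main__":
    tz = office_tz()
    hits = set(investigate())
    for e in build_timeline(tz):
        flag = "*" if e in hits else " "
        local = e.ts_utc.astimezone(tz)
        print(f"{flag} {e.ts_utc:%Y-%m-%d %H:%M:%S}Z  {local:%H:%M} local  {e.source:<4} {e.detail}")
```

Running it prints the merged timeline with the in-window entries starred. Calling `investigate(export_tz=UTC)` instead, which reads the browser export as if it were already UTC, silently drops both browsing entries out of the window: the same mistake the tip about setting time zones correctly is warning about, and the reason every source is converted to UTC before it is merged rather than compared in whatever form each tool emitted.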
log2timeline is a great tool. Check out the cyberspeak interview if you want some good info on it also.