Newbie to Encase v.4
How to determine the primary 'owner' of a machine? With an image that shows two user profiles under Documents and Settings, both of which have information stored under My Documents, what would you think is the most efficient way to determine which individual was the primary user of that machine?
Thanks
I'd check the Registry.
I've written ProScripts for ProDiscover that pull user information out of the SAM portion of the Registry, as well as other ProScripts that decipher the UserAssist keys.
You didn't specify the OS, but if it were XP, I'd suggest correlating the contents of the UserAssist keys to the .pf files in the Prefetch directory.
Another option is to review the Security Event Log for login events.
Any of these options should help, as long as by "primary user" you mean the one to most often use the system.
Hope that helps,
Harlan
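As an added illustration of the UserAssist/Prefetch correlation Harlan describes (this is not code from the thread or from ProDiscover), here is a small Python script that decodes XP-style UserAssist entries and checks them against a list of Prefetch file names. The registry values and Prefetch names are constructed sample data, and the 16-byte value layout (session id, run count stored as count+5, last-run FILETIME) is the XP layout the script assumes; in a real case the values would be pulled from each profile's NTUSER.DAT and the .pf names listed from WINDOWS\Prefetch.

```python
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)


def make_value(path, count, when):
    """Build a constructed UserAssist entry the way XP stores it (sample data only):
    ROT13-encoded value name, then session id, count+5 and a FILETIME, little-endian."""
    name = codecs.encode("UEME_RUNPATH:" + path, "rot13")
    filetime = int((when - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    return name, struct.pack("<IIQ", 1, count + 5, filetime)


# Constructed sample: one profile SID per Documents and Settings folder (not real evidence).
SAMPLE_USERASSIST = {
    "S-1-5-21-1000": [
        make_value(r"C:\WINDOWS\system32\notepad.exe", 42, datetime(2005, 3, 1, 9, 15)),
        make_value(r"C:\Program Files\Outlook Express\msimn.exe", 120, datetime(2005, 3, 2, 8, 0)),
        make_value(r"C:\WINDOWS\system32\cmd.exe", 3, datetime(2005, 2, 1, 12, 0)),
    ],
    "S-1-5-21-1001": [
        make_value(r"C:\WINDOWS\system32\notepad.exe", 2, datetime(2004, 11, 20, 17, 30)),
    ],
}

# Constructed Prefetch directory listing; the hash suffixes are placeholders.
SAMPLE_PREFETCH = ["NOTEPAD.EXE-336351A9.pf", "MSIMN.EXE-0A1B2C3D.pf", "EXPLORER.EXE-082F38A9.pf"]


def decode_entry(name_rot13, data):
    """Return (plain value name, run count, last run datetime or None)."""
    name = codecs.decode(name_rot13, "rot13")
    _session, stored_count, filetime = struct.unpack("<IIQ", data)
    count = max(stored_count - 5, 0)          # XP stores the count offset by 5
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return name, count, last_run


def exe_name(userassist_name):
    """Strip the UEME_ prefix and the directory, leaving the upper-cased executable name."""
    path = userassist_name.split(":", 1)[1] if userassist_name.startswith("UEME_") else userassist_name
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def prefetch_exes(filenames):
    """Prefetch files are named EXENAME-HASH.pf; keep the EXENAME part."""
    return {f.rsplit("-", 1)[0].upper() for f in filenames if f.lower().endswith(".pf")}


def rank_users(userassist_by_sid, prefetch_files):
    """Per profile: total recorded runs, executables also seen in Prefetch, latest activity.
    Sorted by total runs, so the first entry is the most active account."""
    pf = prefetch_exes(prefetch_files)
    report = {}
    for sid, entries in userassist_by_sid.items():
        total, matched, latest = 0, set(), None
        for name_rot13, data in entries:
            name, count, last_run = decode_entry(name_rot13, data)
            total += count
            exe = exe_name(name)
            if exe in pf:
                matched.add(exe)
            if last_run and (latest is None or last_run > latest):
                latest = last_run
        report[sid] = {"total_runs": total, "prefetch_matches": sorted(matched), "last_activity": latest}
    return sorted(report.items(), key=lambda kv: kv[1]["total_runs"], reverse=True)


if __name__ == "__main__":
    for sid, info in rank_users(SAMPLE_USERASSIST, SAMPLE_PREFETCH):
        print(sid, info)
```

The run counts and last-run times come from each user's own hive, while Prefetch is system-wide, so a Prefetch match only confirms that the program ran on the box; the per-profile counts and timestamps are what separate the accounts.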
That's great, thanks for that keydet89
Hi,
I always check the registry because if one of those two user accounts had been deleted but the folders were not deleted then EnCase would show folders for two users even though only one account was still active.
Also, on NTFS, check the recycle bin activity. Each user will have their own recycle bin, and if there have been other drives attached you should check those drives to see if they contain a recycler specific to your suspect computer and your suspect user account.
Of course all the obvious things such as quantity of activity and so on will help but it's not uncommon to get a PC where there is more than one account but everyone just uses the same one.
Steve
Steve,
What are "those two user accounts" you are referring to?
H
Keydet,
Littleme refers to two user profiles in his original post so I carried on with two.
Steve