Disk: How do I find the deleted local user account?  

elixirelixir
(@elixirelixir)
New Member

I acquired a disk image of a Win7 OS. I have attempted the following artifacts. However, I still cannot find which user is deleted.

Attempt 1
If I can find the $I30 file from the Users directory and find which directory is deleted, then we are good.
However, the result matches what is currently in the Users directory. So there is no clue here, since no slack space is found for any users other than the directories belonging to the current users.

Attempt 2
Dump SAM and RegBack\SAM to see if any user information is left.
https://www.forensicfocus.com/Forums/viewtopic/t=3008/

However, none of these files contains the files of interest:
./Windows/System32/config/RegBack/SAM
./Windows/System32/config/SAM

Attempt 3
Tried to see if the Windows event log contains it. However, I cannot find anything for these two event IDs.

User account creation and deletion are tracked by Windows and are stored in the Security Log.
The Security Event ID for "User Account Created" is 4720.
The Security Event ID for "User Account Deleted" is 4726.

Attempt 4
From software reg key, look for
Microsoft\Windows NT\CurrentVersion\ProfileList

This contains a few users that do not have directories in the Users directory. So I don't know which one is the deleted one, or whether none of them is.

Attempt 5
Using event 4624 to see if any other users logged on to the system besides the ones that are not deleted and the system default accounts. But I find nothing interesting.

Attempt 6
Description: Keywords searched for from the START menu bar on a Windows 7 machine. Location (Win7/8/10): NTUSER.DAT hive, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
No such key is found.

Any advice is appreciated!

Posted : 28/11/2019 10:52 pm
keydet89
(@keydet89)
Community Legend

I acquired a disk image of a Win7 OS. I have attempted the following artifacts. However, I still cannot find which user is deleted.

Attempt 2
Dump SAM and RegBack\SAM to see if any user information is left.
https://www.forensicfocus.com/Forums/viewtopic/t=3008/

However, none of these files contains the files of interest:
./Windows/System32/config/RegBack/SAM
./Windows/System32/config/SAM

You're not looking for files…you're looking for keys or values.

Have you tried extracting the deleted contents of the SAM hive(s)?

Posted : 29/11/2019 11:30 am
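The approach keydet89 points at (pulling deleted key records out of the SAM hive's free cells) together with the ProfileList cross-check from Attempt 4, as an added worked example; this is not code from either poster. Deleting a registry key frees its cell but does not wipe the cell body, so the nk record (key name, last-write time) is usually still there. In the SAM hive each local account is a subkey of SAM\Domains\Account\Users named by its RID in hex, with a matching entry under Users\Names, so a freed RID key that lines up with a leftover ProfileList SID is a strong candidate for the deleted account. The hive built below by build_sample_sam() is constructed in memory (only the fields the carver reads are filled in; a real SAM carries far more), the nk field offsets follow the public regf/hbin/nk layout, and MACHINE_SID and PROFILE_LIST_SIDS are made-up values standing in for what you would read from the image's SOFTWARE hive.

```python
"""Carve freed nk (key) cells from a Windows registry hive and cross-check the
RIDs they name against ProfileList SIDs.  Added example, not from the thread."""
import datetime
import struct

REGF_SIZE = 4096     # regf base block is one 4 KiB page; first hbin follows it
HBIN_HDR = 32        # hbin header size; the first cell starts right after it
NK_TIME = 0x04       # nk: last-write FILETIME (within the record, after the cell size)
NK_NAME_LEN = 0x48   # nk: key name length, 2 bytes
NK_NAME = 0x4C       # nk: key name (ASCII when flag 0x20 KEY_COMP_NAME is set)
WIN_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN_EPOCH + datetime.timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000


def iter_cells(hive):
    """Yield (file_offset, size, allocated) for every cell in every hbin.
    A cell's 4-byte size is negative when allocated and positive when free."""
    pos = REGF_SIZE
    while pos + HBIN_HDR <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + HBIN_HDR, pos + hbin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:            # unused tail of the hbin
                break
            yield cell, abs(size), size < 0
            cell += abs(size)
        pos = end


def parse_nk(hive, off):
    """Parse the nk record whose 'nk' signature is at file offset `off`;
    return None unless it is a plausible record (printable ASCII name)."""
    if hive[off:off + 2] != b"nk" or off + NK_NAME > len(hive):
        return None
    name_len = struct.unpack_from("<H", hive, off + NK_NAME_LEN)[0]
    name = hive[off + NK_NAME:off + NK_NAME + name_len]
    if name_len == 0 or len(name) != name_len or not all(0x20 <= b < 0x7F for b in name):
        return None
    ft = struct.unpack_from("<Q", hive, off + NK_TIME)[0]
    return {"name": name.decode("ascii"), "last_write": filetime_to_dt(ft), "offset": off}


def carve_deleted_keys(hive):
    """Key records sitting in free cells.  Freed neighbours get coalesced into one
    bigger free cell, so probe every 4-byte-aligned offset inside the cell body."""
    found = []
    for cell, size, allocated in iter_cells(hive):
        if allocated:
            continue
        for off in range(cell + 4, cell + size, 4):
            rec = parse_nk(hive, off)
            if rec:
                found.append(rec)
    return found


def rid_from_key(name):
    """SAM\\Domains\\Account\\Users subkeys are RIDs as 8 upper-case hex digits."""
    if len(name) == 8 and all(c in "0123456789ABCDEF" for c in name):
        return int(name, 16)
    return None


def correlate(deleted_keys, profile_sids, machine_sid):
    """Map carved RIDs onto ProfileList SIDs of this machine's local domain only;
    a domain account whose RID happens to collide is not a match."""
    hits = {}
    for rec in deleted_keys:
        rid = rid_from_key(rec["name"])
        if rid is not None and f"{machine_sid}-{rid}" in profile_sids:
            hits[f"{machine_sid}-{rid}"] = rec
    return hits


def _nk_cell(name, allocated, filetime, flags=0x20):
    """One nk cell (constructed; only the fields this example reads are filled)."""
    body = bytearray(NK_NAME)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 2, flags)
    struct.pack_into("<Q", body, NK_TIME, filetime)
    struct.pack_into("<H", body, NK_NAME_LEN, len(name))
    body += name.encode("ascii")
    total = 4 + len(body)
    total += -total % 8                       # cells are 8-byte aligned
    cell = bytearray(total)
    struct.pack_into("<i", cell, 0, -total if allocated else total)
    cell[4:4 + len(body)] = body
    return bytes(cell)


def build_sample_sam():
    """Constructed SAM-like hive: live keys for RID 500 and 1000, freed keys for
    RID 1001 and its Names entry, and one free cell holding no record at all."""
    utc = datetime.timezone.utc
    live = dt_to_filetime(datetime.datetime(2019, 11, 20, tzinfo=utc))
    gone = dt_to_filetime(datetime.datetime(2019, 10, 5, tzinfo=utc))
    body = b"".join([
        _nk_cell("Users", True, live, flags=0x2C),
        _nk_cell("000001F4", True, live),       # RID 500, built-in Administrator
        _nk_cell("000003E8", True, live),       # RID 1000, account still present
        _nk_cell("000003E9", False, gone),      # RID 1001, freed when the account was deleted
        _nk_cell("olduser", False, gone),       # its Users\Names\<user> key, also freed
        struct.pack("<i", 32) + b"\x00" * 28,   # free cell with no record in it
    ])
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 8, len(hbin))
    hbin[HBIN_HDR:HBIN_HDR + len(body)] = body
    regf = bytearray(REGF_SIZE)
    regf[0:4] = b"regf"
    struct.pack_into("<IIII", regf, 0x14, 1, 3, 0, 1)          # major, minor, type, format
    struct.pack_into("<II", regf, 0x24, HBIN_HDR, len(hbin))   # root cell offset, hbin data size
    return bytes(regf + hbin)


# Constructed ProfileList subkey names; the machine SID is made up.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
PROFILE_LIST_SIDS = ["S-1-5-18", "S-1-5-19", "S-1-5-20",
                     MACHINE_SID + "-1000", MACHINE_SID + "-1001"]

if __name__ == "__main__":
    hive = build_sample_sam()   # real case: open(r"...\System32\config\SAM", "rb").read()
    carved = carve_deleted_keys(hive)
    for rec in carved:
        print(f"freed key {rec['name']!r} at 0x{rec['offset']:x}, last write {rec['last_write']:%Y-%m-%d}")
    for sid, rec in correlate(carved, PROFILE_LIST_SIDS, MACHINE_SID).items():
        print(f"{sid}: profile left behind, SAM key {rec['name']} is in a free cell")
```

Run it against both the live SAM and the RegBack copy from the image, since the older copy may still hold cells the live hive has reused. The last-write time on a carved record is the key's own last modification while it was still allocated, not the moment of deletion; and a freed cell can be reallocated and overwritten at any time, so an absent carve result does not prove the account was never there.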