Hi everyone,
I have a Skype dialogue and a PC on which I've identified two profiles.
The system is Windows 7. I need to analyse the log files (system.evtx and so on) so as to determine which user was logged into the system at the moment of the chat…
Any suggestion? system.evtx seems not good …
Ignoring the event log briefly - can you not tell this from the Skype accounts present in Users\$user\Appdata\Roaming\Skype?
Yes, it's true, and indeed all Skype dialogues concern only one user account, but I'd like to know if in Win7 (in which we have more logs) there is the chance to discover each user login….
Any idea?
Timestamps can help when logs are not available; a filesystem and a registry dump can be useful. Correlate with internet activity and profile data.
Yes… it's really true. In fact, timeline analysis and internet activity are related only to one user, but I tried to discover from system.evtx traces of user login… without success.
The winlogon.exe process in Win7 seems to start each profile at PC startup, independently of the real user login….
Thanks to all
Yeah, you want to check the Security.evtx…look for Security-Auditing/4624 events.
For console logins, you also want to look at the LocalSessionManager/Operational.evtx logs. For remote logins via RDP, you'd also want to include the RemoteConnectionManager/Operational.evtx logs.
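As an added example (not code from anyone in this thread), the following Python script reads Security.evtx records exported as XML (the Event Viewer "Save As XML" layout), pairs each interactive 4624 logon with the 4634 logoff carrying the same TargetLogonId, and reports which console or RDP users had a session covering the chat timestamp. The records are constructed samples; the field names are the standard Security-Auditing ones.

```python
"""Which interactive users were logged on at a given moment, from 4624/4634 records."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types that put a person on the console or on an RDP session;
# service (5), network (3) and similar logons are deliberately ignored.
INTERACTIVE = {"2": "console", "10": "rdp", "7": "unlock", "11": "cached console"}

# Constructed sample records (not from the case), keeping only the fields used here.
REC = ('<Event xmlns="{ns}"><System><EventID>{eid}</EventID>'
       '<TimeCreated SystemTime="{ts}"/></System><EventData>'
       '<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{lt}</Data>'
       '<Data Name="TargetLogonId">{lid}</Data></EventData></Event>')
SAMPLE_XML = "<Events>" + "".join(
    REC.format(ns=NS["e"], eid=e, ts=t, user=u, lt=l, lid=i) for e, t, u, l, i in [
        (4624, "2014-03-10T08:02:11.000Z", "alice", "2", "0x1a2b3"),   # console logon
        (4624, "2014-03-10T08:02:15.000Z", "SYSTEM", "5", "0x3e7"),    # service, ignored
        (4634, "2014-03-10T12:30:00.000Z", "alice", "2", "0x1a2b3"),   # alice logs off
        (4624, "2014-03-10T13:00:00.000Z", "bob", "10", "0x9f00"),     # RDP, never logs off
    ]) + "</Events>"


def parse_logon_events(xml_text):
    """Return sorted (time, event_id, user, logon_type, logon_id) for 4624/4634 records."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        if eid not in (4624, 4634):
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        d = {x.get("Name"): x.text for x in ev.findall("e:EventData/e:Data", NS)}
        out.append((t, eid, d["TargetUserName"], d["LogonType"], d["TargetLogonId"]))
    return sorted(out)


def sessions(events):
    """Pair each interactive 4624 with the 4634 that has the same TargetLogonId."""
    open_, done = {}, []
    for t, eid, user, lt, lid in events:
        if eid == 4624 and lt in INTERACTIVE:
            open_[lid] = (user, INTERACTIVE[lt], t)
        elif eid == 4634 and lid in open_:
            user, kind, start = open_.pop(lid)
            done.append((user, kind, start, t))
    # A logon with no matching logoff (log rolled over, crash) stays open: end=None.
    return done + [(u, k, s, None) for u, k, s in open_.values()]


def logged_in_at(xml_text, when):
    """Interactive users whose session covers `when` (timezone-aware UTC datetime)."""
    return sorted({u for u, k, s, e in sessions(parse_logon_events(xml_text))
                   if s <= when and (e is None or when <= e)})
```

Event times are UTC in the XML, so convert the chat timestamp to UTC before calling logged_in_at; an empty result at the chat time means the log does not cover it, not that nobody was logged on.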
Have a look at Plaso/log2timeline and you will be surprised what a timeline can do in an investigation.
It isn't just looking at one or two log files. Maybe the timeline gives you a pointer to evidence you didn't think of before.
Hi,
That's a simple question. All you need to do is timeline analysis.
1. Use a forensics tool to focus on the MACE timestamps for the target day.
2. Take a look into the evtx to search for the target day.
If some files in the Skype folder were touched, and some files were touched in a user profile folder (e.g. NTUSER.dat), you know which user account logged in and which Skype account logged in.
Rick
Thanks to everyone who replied to me.
I did my analysis with the timeline and system evtx…. Only one user modified Skype files and other system files, so I can say that only this user was logged into the system using, in particular, Skype.
Now another question….. what about CryptoLocker… how to decrypt files? It will be another topic for the forum…..
Hi,
Like I said, I did decrypt files encrypted by CryptoLocker. FireEye and Fox-IT offer the solution and it works fine. Maybe you could give me your e-mail address. I'd like to share some data with you about how I decrypt those files.
Rick