Login count SAM

(@cotem)
Active Member
Joined: 11 years ago
Posts: 14
Topic starter  

Hi,

I'm investigating a WIN 8.1 system.

In the SAM registry hive, I see two manually created user accounts.

Both have a login count of "0" and a last logon time of "Never".

How is this possible when I know that the computer has been used a lot?

Thanks

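The fields the question is about (login count, last login time, and the "Notes" flags that OSForensics prints) are stored in each account's binary F value under SAM\Domains\Account\Users\<RID>. The following is an added example, not code from any poster or tool in this thread; it decodes a constructed F blob using the community-documented offsets (the ones RegRipper's samparse uses), which you should treat as an assumption and verify against a hive with known values before relying on it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets in the SAM F value (assumption: the layout documented by
# RegRipper's samparse; confirm against a hive where the values are known).
OFF_LAST_LOGON, OFF_PWD_RESET, OFF_ACCT_EXPIRES, OFF_PWD_FAIL = 8, 24, 32, 40
OFF_RID, OFF_ACB_FLAGS, OFF_FAIL_COUNT, OFF_LOGIN_COUNT = 48, 56, 64, 66

# Account control bits, as shown in the "Notes" column of a SAM report.
ACB_FLAGS = {0x0001: "Account disabled", 0x0004: "Password not required",
             0x0010: "Normal user account", 0x0200: "Password never expires",
             0x0400: "Account auto locked"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_str(ft):
    """A zero FILETIME is what tools print as 'Never'; 0x7FFF... means 'no expiry'."""
    if ft == 0 or ft == 0x7FFFFFFFFFFFFFFF:
        return "Never"
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_f_value(data):
    """Decode one F value into the fields a SAM report lists."""
    if len(data) < OFF_LOGIN_COUNT + 2:
        raise ValueError("F value too short: %d bytes" % len(data))
    u64 = lambda off: struct.unpack_from("<Q", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    flags = u16(OFF_ACB_FLAGS)
    return {
        "rid": u32(OFF_RID),
        "last_login": filetime_to_str(u64(OFF_LAST_LOGON)),
        "password_reset": filetime_to_str(u64(OFF_PWD_RESET)),
        "password_fail_date": filetime_to_str(u64(OFF_PWD_FAIL)),
        "password_fail_count": u16(OFF_FAIL_COUNT),
        "login_count": u16(OFF_LOGIN_COUNT),
        "notes": [name for bit, name in ACB_FLAGS.items() if flags & bit],
    }

def build_sample_f(rid, last_logon_ft, pwd_reset_ft, flags, fail_count, login_count):
    """Constructed test blob (not a real hive value): 80 zero bytes with fields set."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, OFF_LAST_LOGON, last_logon_ft)
    struct.pack_into("<Q", buf, OFF_PWD_RESET, pwd_reset_ft)
    struct.pack_into("<I", buf, OFF_RID, rid)
    struct.pack_into("<H", buf, OFF_ACB_FLAGS, flags)
    struct.pack_into("<H", buf, OFF_FAIL_COUNT, fail_count)
    struct.pack_into("<H", buf, OFF_LOGIN_COUNT, login_count)
    return bytes(buf)

def never_logged_on(rec):
    """The situation in the question: the SAM says the account was never used."""
    return rec["last_login"] == "Never" and rec["login_count"] == 0
```

A local account that reports "Never" and a login count of 0 on a machine with heavy use is a lead to check against the Security event log rather than a tool error; domain accounts never update these SAM fields at all.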
nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
 

Did you look at the event log? Filter on the logon event IDs.

(@cotem)
Active Member
Joined: 11 years ago
Posts: 14
Topic starter  

Did you look at the event log? Filter on the logon event IDs.

Is this something I can see in EnCase, because I can't use the live system?

UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Try OSForensics by Passmark (www.passmark.com).

There is a 30 day trial version that will work.

1) Account Login Information

The "System Information" button will create a report listing all user accounts, like the example below (taken from OSForensics):

"Username [ID] Administrator [500]
Account Created Monday, March 30, 2015, 2:59:19 PM
Last Login Saturday, January 10, 2015, 2:06:28 PM
Password Reset Saturday, November 20, 2010, 10:57:24 PM
Password Fail Date Wednesday, January 21, 2015, 4:24:01 PM
Password Fail Count 4
Login Count 13
Notes *Password never expires* *Account disabled*"

NOTES

1. Mount your forensic image file read & write using FTK Imager (NOT read only)
2. Point OSForensics at the newly mounted volume (FTK Imager will tell you what drive letter the OS was mounted as, such as "J").

2) Event Log Viewer

Again with the forensic image file mounted in FTK Imager, run the "Recent Activity" button on the mounted OS drive letter.

OSForensics will extract the Event Log and give you "Shutdown and System Boot" entries (see the real example below):

Item,Event Log Type,Record ID (Windows),Type ID (Windows),User ID (Linux),User,Event Time,
Shutdown,System,120873,1074,,,1/21/2015, 11:25 AM,
System boot,System,120903,6009,,,1/21/2015, 11:26 AM,

Regards,

Larry

nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
 

Yes, you can do it with the EnCase event log parser, or you can export the .evtx files and read them with the Windows Event Viewer or whatever tool you want.

(@cotem)
Active Member
Joined: 11 years ago
Posts: 14
Topic starter  

Thanks to all, I'll try your solutions.

It doesn't explain why the registry is wrong, though.

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

1. Mount your forensic image file read & write using FTK Imager (NOT read only)

This seems to be an odd recommendation; however, I'll give you the benefit of the doubt. Would you mind explaining?

UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Sure.

For some reason, OSForensics will not work with a virtual disk that has been mounted by FTK Imager as "read-only".

The metadata that OSForensics can report on about the FTK Imager "read/write" mounted virtual drive does not get altered by virtue of the forensic image file being mounted "read/write".

I am unsure why there is a need for the "read/write" setting to be turned on, but there it is.

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

Fair enough, I was just curious. Sounds like Passware's issue, and anyway, it's not a major problem. That's what hashing is for. -)

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Thanks to all, I'll try your solutions.

It doesn't explain why the registry is wrong, though.

Why is the registry wrong? I would argue that the artifacts we find are never 'wrong' - we may just not understand why they are what they are.

What tool are you using? Maybe the program you are using hasn't been updated for Windows 8 (long shot, I know, but still worth trying), or has some other flaw. Try a second tool.

The other thing that popped into my head is that you are looking at local accounts, but what about domain accounts? Those are stored in the Security hive if I recall correctly.

Hope this can help,
Terry
