Just started a case (EnCase 8). Public profile contains lots of evidence. Appears to be used somewhat frequently. But there is no NTUser.dat.
Am I forgetting something about Public Profiles?
I plan on carving for it since I suspect it was deleted, but I wonder if I am not aware of something with these profiles?
You need to ensure that you are looking at an active profile, not just a directory that happens to be stored where profile directories are stored.
One fairly common situation is that a profile ceased to function, a new one was set up, various surgery performed and a switch was made to the new one. In such cases, the old profile directory may look like a profile, but need not contain anything useful.
Also, on corporate systems (and the odd home computer of a Windows sysadmin) you may have profile directories stored on a fileserver share to ensure they get backed up regularly. If you don't have that share mounted … you won't see anything useful or recent.
However, if profile time stamps seem to line up as they should, based on system logs, etc., the simplest explanation may very well be the correct one.
(Added: Also double-check hivelist; that's where the path of the 'NTUSER.DAT' file is. It might be changed to something else …)
Thanks for the tip. I did some reading and discovered the public profile exists for any user of a computer to 'share' data on and as such it is not a normal user profile that one logs into. As a result it does not have an NTUser.dat file.