Hello ^^
It's always me bugging this forum with such questions.
I was wondering about the key Microsoft\Windows NT\CurrentVersion\ProfileList.
Each profile has a name, a path, a last load time and a last write time.
Is it correct to consider the load time and write time as last session login/logout?
Or for such information do I have to look elsewhere?
Sorry for such an idiot question, but I'm not used to Windows forensics and registry hives, since I mostly focused on Linux systems before and started Windows only recently )
Thanks in advance.
> I was wondering about the key Microsoft\Windows NT\CurrentVersion\ProfileList.
> Each profile has a name, a path, a last load time and a last write time.
The LastWrite time is associated with a Registry key.
Some information about the ProfileList key can be found here
http//
> Is it correct to consider the load time and write time as last session login/logout?
> Or for such information do I have to look elsewhere?
The LastLogin time can be found in the SAM hive, and the last time that the user logged out should correspond to the last modification time on the NTUSER.DAT file.
> Sorry for such an idiot question, but I'm not used to Windows forensics and registry hives, since I mostly focused on Linux systems before and started Windows only recently )
There are some good books available, Windows Forensic Analysis being one.
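Added example, not part of the original thread: a Python sketch that decodes the timestamps discussed above, all of which are stored as 64-bit FILETIME values. The value names `ProfileLoadTimeHigh`/`ProfileLoadTimeLow`, the last-logon offset 8 and RID offset 48 in the SAM `F` value are assumptions taken from commonly documented layouts, not from this thread; the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC. Zero means 'never set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse helper, used here only to build the constructed sample data."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def profile_load_time(high, low):
    """Combine ProfileLoadTimeHigh/Low (two REG_DWORDs, assumed names)."""
    return filetime_to_dt(((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF))

def sam_last_logon(f_value):
    """Read RID and last logon from a SAM ...\\Users\\<RID> 'F' value.
    Offsets 48 (RID) and 8 (last logon) are the assumed layout."""
    if len(f_value) < 52:
        raise ValueError("F value too short for the assumed layout")
    (ft,) = struct.unpack_from("<Q", f_value, 8)
    (rid,) = struct.unpack_from("<I", f_value, 48)
    return rid, filetime_to_dt(ft)

def summarize(profile_high, profile_low, f_value, ntuser_mtime_ft):
    """Collect the three artifacts side by side for one account."""
    rid, logon = sam_last_logon(f_value)
    return {
        "rid": rid,
        "profile_load": profile_load_time(profile_high, profile_low),
        "sam_last_logon": logon,
        "ntuser_last_modified": filetime_to_dt(ntuser_mtime_ft),
    }

# Constructed sample: logon at 09:26:53 UTC, NTUSER.DAT written at 17:02:10 UTC.
SAMPLE_LOGON = datetime(2009, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
SAMPLE_LOGOFF = datetime(2009, 3, 14, 17, 2, 10, tzinfo=timezone.utc)
SAMPLE_F = bytearray(80)
struct.pack_into("<Q", SAMPLE_F, 8, dt_to_filetime(SAMPLE_LOGON))
struct.pack_into("<I", SAMPLE_F, 48, 1001)

if __name__ == "__main__":
    ft = dt_to_filetime(SAMPLE_LOGON)
    for k, v in summarize(ft >> 32, ft & 0xFFFFFFFF, bytes(SAMPLE_F),
                          dt_to_filetime(SAMPLE_LOGOFF)).items():
        print(f"{k:22} {v}")
```

A zero FILETIME decodes to `None` rather than 1601-01-01, so an unset field is not mistaken for a real event.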
Thanks very much for the help )
I'll take a look at the book you suggested to me )