ntuser.dat live acquisition

13 Posts
9 Users
0 Reactions
2,979 Views
senordiablo
(@senordiablo)
Eminent Member
Joined: 18 years ago
Posts: 21
Topic starter  

Is there a way to acquire a copy of the ntuser.dat file from a live remote computer? I tried mapping the drive and used FTK Imager to image the file but received errors. (The ntuser.dat file is only a few megs.) Any help is greatly appreciated.


(@alf95)
Eminent Member
Joined: 18 years ago
Posts: 43
 

Video


senordiablo
(@senordiablo)
Eminent Member
Joined: 18 years ago
Posts: 21
Topic starter  

Thank you for the video. This will definitely help me with what I am trying to do. I forgot to mention though that when I try to copy and paste it, I receive an error that the file is in use and that it cannot be copied.

The user wiped out his internet files and index.dat files. I want to try and get his ntuser.dat file to see the typed URLs and cookies w/o alarming the end user. Does he need to be logged off in order to acquire the file, or is there a way to examine it with the user currently logged on? Again, thank you for your help.


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

> Thank you for the video. This will definitely help me with what I am trying to do. I forgot to mention though that when I try to copy and paste it, I receive an error that the file is in use and that it cannot be copied.
>
> The user wiped out his internet files and index.dat files. I want to try and get his ntuser.dat file to see the typed URLs and cookies w/o alarming the end user. Does he need to be logged off in order to acquire the file, or is there a way to examine it with the user currently logged on? Again, thank you for your help.

You should be working off of an image so that you keep it forensically sound. If you had an image, copying out the ntuser.dat would be a simple process of navigating to the file in EnCase, FTK, or your tool of choice and copying it out. Is this something that could possibly go to court? It sounds like it's an internal investigation. If you must work on it live I suggest logging on as a different user such as administrator and then trying to copy it.


senordiablo
(@senordiablo)
Eminent Member
Joined: 18 years ago
Posts: 21
Topic starter  

Thanks for the info. Na, this isn't something that would end up in court. A co-worker informed our department that the user was accessing social networking sites and web based email, which is against our policy. Just wanted to find out the sites he was accessing since he by-passed the proxy. I'll wait until he logs off to acquire his ntuser.dat file. I tried with the admin account and got the same result. Thanks again for the help and suggestions.


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

> Thanks for the info. Na, this isn't something that would end up in court. A co-worker informed our department that the user was accessing social networking sites and web based email, which is against our policy.

Until he/she sues the company for violating his right, privacy or if you terminate his employment. Treat everything as if it will go to court.


(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

You could acquire the memory from the system remotely and then extract the Internet history and cookie files from the memory "dump."


(@j2222)
Eminent Member
Joined: 20 years ago
Posts: 36
 

If it's XP, grab the latest copy from a restore point …


(@sumonule)
New Member
Joined: 18 years ago
Posts: 4
 

I don't know how fat your wallet is. We use LiveWire from WetStone for things like that. Not only are you able to dump the registry remotely, you can actually remotely copy files, search the hard disk and even image it. If you work in the corporate environment, this might be a tool you'll want your boss to grab for you.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Why purchase a product like that when you have all the tools available to build one of your own?

I've never really understood the need for so many folks, particularly in IT and high-tech fields, to buy commercial products for everything, when all they need is sitting right in front of them…


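Taking keydet89's point (the pieces to build your own collector are already on the box) together with the "file is in use" error from earlier in the thread, here is an added example of what such a home-built collector looks like. It is not code from anyone in this thread. It assumes PowerShell remoting (WinRM) is enabled on the target, that the caller is a local administrator there, and that the host and account names you pass in are your own; the script name used in the usage note is hypothetical. The trick it relies on is that NTUSER.DAT is locked while the profile is loaded, but `reg.exe save` asks Windows to write a consistent copy of the loaded hive, which does not care about the file lock.

```powershell
# Added example, not code from any poster in this thread.
# Collects a copy of a logged-on user's NTUSER.DAT from a remote Windows host.
# A plain file copy fails with "file in use" while the profile is loaded;
# REG SAVE writes a consistent copy of the live hive instead.
# Assumptions: WinRM is enabled on the target, the caller is a local admin
# there, and the host/user names passed in are placeholders for your own.
# Copy-Item -FromSession needs PowerShell 5.0 or later on the collector.

[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'WORKSTATION01' (placeholder)
    [Parameter(Mandatory)] [string] $UserName,       # e.g. 'CORP\jdoe' (placeholder)
    [string] $OutDir = (Join-Path $PWD 'acq')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$session = New-PSSession -ComputerName $ComputerName
try {
    # On the target: resolve the SID (HKU is keyed by SID, not name), confirm
    # the hive is actually loaded, then save it to a temp file.
    $remote = Invoke-Command -Session $session -ArgumentList $UserName -ScriptBlock {
        param($UserName)
        $account = New-Object System.Security.Principal.NTAccount($UserName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            throw "HKU\$sid is not loaded; the user is not logged on, so copy NTUSER.DAT from the profile folder directly."
        }
        $tmp = Join-Path $env:TEMP ("ntuser_{0}.dat" -f $sid)
        # /y overwrites a stale temp copy without prompting.
        & reg.exe save "HKU\$sid" $tmp /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg save failed with exit code $LASTEXITCODE" }
        [PSCustomObject]@{ Sid = $sid; Path = $tmp }
    }

    # Pull the saved hive back over the session, then remove the temp copy.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $safeUser = $UserName -replace '[\\/]', '_'
    $local = Join-Path $OutDir ("{0}_{1}_NTUSER_{2}.dat" -f $ComputerName, $safeUser, $stamp)
    Copy-Item -FromSession $session -Path $remote.Path -Destination $local
    Invoke-Command -Session $session -ArgumentList $remote.Path -ScriptBlock {
        param($p) Remove-Item -Path $p -Force
    }
}
finally {
    Remove-PSSession $session
}

# Sanity check: every registry hive file begins with the ASCII signature 'regf'.
$fs = [System.IO.File]::OpenRead($local)
try {
    $magic = New-Object byte[] 4
    [void]$fs.Read($magic, 0, 4)
}
finally { $fs.Dispose() }
if ([System.Text.Encoding]::ASCII.GetString($magic) -ne 'regf') {
    throw "$local does not carry the 'regf' hive signature; do not trust this copy."
}

# Record what was collected, when, and its hash for the case notes.
$record = [PSCustomObject]@{
    Host      = $ComputerName
    User      = $UserName
    SID       = $remote.Sid
    File      = $local
    SizeBytes = (Get-Item -Path $local).Length
    SHA256    = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    Collected = $stamp
}
$record | Format-List | Out-String | Add-Content -Path (Join-Path $OutDir 'acquisition-log.txt')
$record
```

Run it as `.\Get-RemoteNtuser.ps1 -ComputerName WORKSTATION01 -UserName 'CORP\jdoe'` (hypothetical script name and placeholder values). The saved copy is a normal hive file that RegRipper, EnCase or FTK will open, and because the collector hashes and logs it on arrival you have the record ddow's reply asks for if the internal matter later turns into something more formal.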
Page 1 / 2