I'm attempting to show when a suspect took possession of a laptop running Windows XP. I know that a new user account wasn't set up and the suspect merely changed the name on the original account. Is it possible to time and date this change? Apologies if it's a really obvious answer! I've had a look in the NTUSER.DAT file but can't see anything obvious.
Depending on how the logging is configured and how long ago this occurred, you may find an entry in the Security Event Log. However, by default, this sort of event isn't usually configured to be recorded…but who knows.
Where you do want to look is the SAM Registry hive. To corroborate this, you might also want to compare information from Restore Points.
Thanks for your help. I'm afraid I'm a bit out of my depth here. I've viewed the file structure of the SAM hive in EnCase but under the username that I'm interested in I can only see a file called (Default). I'm guessing I'm either looking in the wrong place or have missed a step?
For all things Windows XP you can pick up a copy of Harlan's Windows Forensic Analysis (2nd Edition).
It'll explain more or less the process you can do to perform this kind of historical check.
But the TL;DR version (that's pretty much what Harlan said above) would be to export the SAM file from the /Windows/system32/config directory along with the folder containing all of the system restore points and then running ripxp with the samparse plugin.
If you see there's name A in one restore point and then in the next one it's been replaced with name B then you can infer that at some point between those two dates the name was changed.
That would at the very least provide you with a starting time frame (assuming there are restore points to go off).
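The comparison described in this answer, as an added example that is not part of the original thread or of RegRipper/ripxp: a small Python script that takes samparse-style output for each restore point, sorts the snapshots by date, and reports the window in which an account's name changed. It matches accounts on the RID rather than the name, so a rename of an existing account (same RID, new name) is distinguished from a newly created account (new RID), which is exactly the distinction the original question turns on. The sample snapshot text below is constructed, and its line format (`Username : name [RID]`) is assumed to resemble samparse's output; timestamps would normally be taken from the restore point's own creation time.

```python
import re
from datetime import datetime

# Constructed sample data: three restore points, deliberately out of order,
# each holding the samparse-style lines parsed out of its SAM copy.
# (Format assumed to resemble RegRipper's samparse plugin output.)
SNAPSHOTS = [
    ("RP1007", datetime(2011, 3, 2, 9, 15), """User Information
-------------------------
Username        : Administrator [500]
Username        : Guest [501]
Username        : Alex [1003]
"""),
    ("RP1005", datetime(2011, 2, 20, 18, 40), """User Information
-------------------------
Username        : Administrator [500]
Username        : Guest [501]
Username        : Jane [1003]
"""),
    ("RP1006", datetime(2011, 2, 27, 11, 5), """User Information
-------------------------
Username        : Administrator [500]
Username        : Guest [501]
Username        : Jane [1003]
"""),
]

# One "Username : <name> [<RID>]" line per account; the RID is the stable key.
USERNAME_RE = re.compile(r"^Username\s*:\s*(.+?)\s*\[(\d+)\]\s*$", re.MULTILINE)


def parse_usernames(text):
    """Return a {RID: username} map from samparse-style output."""
    return {int(rid): name for name, rid in USERNAME_RE.findall(text)}


def find_account_changes(snapshots):
    """Compare consecutive restore points (by date) and list every account
    that was renamed, created or deleted, with the bounding snapshots."""
    ordered = sorted(snapshots, key=lambda s: s[1])
    changes = []
    for (prev_label, prev_ts, prev_text), (cur_label, cur_ts, cur_text) in zip(ordered, ordered[1:]):
        prev, cur = parse_usernames(prev_text), parse_usernames(cur_text)
        for rid in sorted(set(prev) | set(cur)):
            old, new = prev.get(rid), cur.get(rid)
            if old == new:
                continue
            # Same RID with a different name is a rename; a RID appearing or
            # vanishing is a created or deleted account.
            kind = "renamed" if old and new else ("created" if new else "deleted")
            changes.append({
                "rid": rid, "kind": kind, "old": old, "new": new,
                "after": prev_label, "after_ts": prev_ts.isoformat(sep=" "),
                "before": cur_label, "before_ts": cur_ts.isoformat(sep=" "),
            })
    return changes


if __name__ == "__main__":
    for c in find_account_changes(SNAPSHOTS):
        print(f"RID {c['rid']} {c['kind']}: {c['old']!r} -> {c['new']!r} "
              f"between {c['after']} ({c['after_ts']}) and {c['before']} ({c['before_ts']})")
```

On a real XP image the per-restore-point SAM copy lives at RPnnn\snapshot\_REGISTRY_MACHINE_SAM, so in practice you would run samparse against each of those, capture the output per restore point, and feed the text into this script along with the restore point's creation time. The reported window is only as tight as the restore point spacing, which is the same caveat the answer above gives.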
Thank you. I'll give that a try.
When I've tried this using RipXP I keep getting the response "SAM may not be a valid hive. Unable to determine hive file type for sam". It would appear to be a valid SAM file because I've parsed it using RegRipper but it doesn't seem to like it for some reason. Are there any instructions available for RipXP?
Can you paste the command you ran and the output?
C:\Users\Alex\Desktop\RipXP>ripxp -r sam -d "C:\Users\Alex\Desktop\RipXP\RP1007" -p samparse.pl
sam may not be a valid hive.
Unable to determine hive file type for sam
"RP1007" was an example restore point that had been copied out and pasted onto the desktop in the RipXP folder.
Have a look at the help for ripxp.
You run it across the folder containing all of the restore points and it iterates through each one.