Hi, i'm trying to recover some artifacts to show other user profiles existed on a system, as I have recovered data from a recycle bin which belongs to a deleted user profile.
Where in the registry would it show old users profiles? I'm assuming (hoping) when deleting a user profile, the value remains in the registry.
I have the deleted user ID (from the recycle bin name), thats it so far.
Should a simple key word search for this user ID bring back associated data from this user profile? or are the association's gone along with the entries table, as the data should still be located in lost folders.
Any thoughts?
Where in the registry would it show old users profiles? I'm assuming (hoping) when deleting a user profile, the value remains in the registry.
Unallocated space within the SAM hive…use regslack.pl to retrieve that information, per pp. 247-249, WFA 2/e.
You may also find information in the ProfileList key of the Software hive. If you don't see the user SID there, check the unallocated space of the hive file.
Hi, sorry, FWA?
Greetings,
WFA - Windows Forensics Analysis - Harlan's book on the topic. 2/e - second edition. A "must have".
-David