Hello all,
I am fairly new to computer forensics so thanks in advance for the help.
I am using FTK's registry viewer and would like to verify and ask for clarification on a few things. If the user's name is John Doe, is JohnDoe/NTUSER the most current NTUSER registry?
I also see some /restore……/SAM etc. entries, can someone explain these as to where they are in a timeline since there is also another SAM registry etc.
I also see a date and time in the "Last failed login attempt" but there is a value of "0" in the "Number of failed logins" field. What are the possibilities?
And lastly, if no password is required after hibernating or out of sleep, would the last successful login time be what it was prior to hibernating or sleeping?
Hi, in order;
1. Doesn't make sense really - do you mean 'was John Doe the last logged in user'? Can you expand?
2. They will be automatically backed up SAM files as part of the system restore and are not in 'current' use. FTK Registry Viewer should show you the last modified dates of these SAM files.
3. I'd have thought that zero would mean no failed logins. You could easily create 2 new accounts on your PC and test this.
4. Again very easy to test yourself!
Perhaps the above will help point you in the right direction?
nakane wrote
If the user's name is John Doe, is JohnDoe/NTUSER the most current NTUSER registry
Unless I'm mistaken, the last write time on a NTUser dat file doesn't necessarily indicate the last time that profile was used.
I've looked at a number of examples in my previous case history (corporate network environment), looked at the LoadTime for all profiles in \\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, the latest one should be the one you're looking for (RegRipper can get this stuff for you).
I've also noticed that the LoadTime is likely to be a few seconds after the LoadTime for NetworkService and LocalService.
BTW, hope the data acquisition was done right (write-blocker etc) and chain of custody is all in place?
HTH
nakane wrote
If the user's name is John Doe, is JohnDoe/NTUSER the most current NTUSER registry
Unless I'm mistaken, the last write time on a NTUser dat file doesn't necessarily indicate the last time that profile was used.
I'm not sure that I see how the last write time of the NTUSER.DAT hive applies to the question…
I am using FTK's registry viewer and would like to verify and ask for clarification on a few things. If the user's name is John Doe, is JohnDoe/NTUSER the most current NTUSER registry?
Are you launching RV from within FTK or manually selecting the Registry files? If you are launching from within FTK then JohnDoe/NTUSER is how the most recent entry is shown.
I also see some /restore……/SAM etc. entries, can someone explain these as to where they are in a timeline since there is also another SAM registry etc.
Not in front of a computer with RV, however these should be in order of date.
I also see a date and time in the "Last failed login attempt" but there is a value of "0" in the "Number of failed logins" field. What are the possibilities?
Is this computer on a domain?
And lastly, if no password is required after hibernating or out of sleep, would the last successful login time be what it was prior to hibernating or sleeping?
If no password is required, and there are no other accounts it would likely be the last time the computer was started.
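An added illustration of the SAM fields behind the third question (example code, not from the thread, FTK or RegRipper): it decodes the logon-related fields of a local user's F value and builds a constructed sample in the "last failed login has a date, number of failed logins is 0" state, which is what remains after a bad password is followed by a successful logon, because Windows resets the bad-password counter on success but leaves the last-failed timestamp untouched. The field offsets are assumed to match RegRipper's samparse plugin; domain accounts do not appear in the local SAM at all, which is why the domain question matters.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets in the per-user SAM "F" value (SAM\Domains\Account\Users\<RID>\F),
# per RegRipper's samparse plugin; an assumption of this example, not the thread.
OFF_LAST_LOGON, OFF_LAST_FAILED = 0x08, 0x28       # 64-bit FILETIMEs
OFF_RID, OFF_FAILED_COUNT, OFF_LOGON_COUNT = 0x30, 0x40, 0x42
F_VALUE_LEN = 0x50
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """100 ns ticks since 1601 -> aware UTC datetime; 0 / max mean 'never'."""
    if ft == 0 or ft >= 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of the above, used only to build the constructed sample."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10**7 + td.microseconds * 10

def parse_sam_f_value(f):
    """Return the logon-related fields of one user's F value."""
    if len(f) < F_VALUE_LEN:
        raise ValueError("F value too short: %d bytes" % len(f))
    failed, logons = struct.unpack_from("<HH", f, OFF_FAILED_COUNT)
    return {
        "rid": struct.unpack_from("<I", f, OFF_RID)[0],
        "last_logon": filetime_to_datetime(struct.unpack_from("<Q", f, OFF_LAST_LOGON)[0]),
        "last_failed_logon": filetime_to_datetime(struct.unpack_from("<Q", f, OFF_LAST_FAILED)[0]),
        "failed_count": failed,
        "logon_count": logons,
    }

def build_sample_f_value(rid, last_logon, last_failed, failed, logons):
    """Constructed F value for demonstration; unrelated fields stay zero."""
    f = bytearray(F_VALUE_LEN)
    struct.pack_into("<Q", f, OFF_LAST_LOGON, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", f, OFF_LAST_FAILED, datetime_to_filetime(last_failed))
    struct.pack_into("<I", f, OFF_RID, rid)
    struct.pack_into("<HH", f, OFF_FAILED_COUNT, failed, logons)
    return bytes(f)

# Constructed sample: a bad password at 09:14, then a good logon at 09:15.
# The successful logon resets the bad-password counter to 0 but leaves the
# last-failed timestamp alone, producing the "date present, count 0" state.
SAMPLE_F = build_sample_f_value(
    1001, datetime(2010, 3, 2, 9, 15, tzinfo=timezone.utc),
    datetime(2010, 3, 2, 9, 14, tzinfo=timezone.utc), failed=0, logons=7)
```

Calling parse_sam_f_value(SAMPLE_F) returns the decoded dictionary; with a real hive, feed it the raw F value bytes read from the user's key.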