
Security/User Logs

9 Posts
6 Users
0 Reactions
1,029 Views
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Hi all,

Have a job coming in where client wants to know what user was logged on/off of the HDD in question. I know where the logs are stored but how do you extract and read them. I use FTK also.

Also anyone use Digital Detective, and if so, recommend it for Internet jobs.

Thanks in advance


   
Quote
(@stamitz)
Eminent Member
Joined: 18 years ago
Posts: 34
 

For me, the best method is to parse the log files. There are several tools to do this job, like perl scripts and MS Logparser 2.2. You can put the output of the logfiles in one central csv, xls or sql document.


   
ReplyQuote
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Yes, extracting to some kind of delimited file and parsing with Perl as required is both powerful and flexible.

Also anyone use Digital Detective

You mean NetAnalysis? It's been a little while since I last used it properly (although I did use it recently for training) but I was very happy with it then and it certainly has a good reputation. Perhaps some frequent users could comment?


   
ReplyQuote
(@djpnp)
Eminent Member
Joined: 20 years ago
Posts: 24
 

I use Netanalysis as my primary internet history tool and while I probably don't use it as efficiently as I should, it's still better than anything else I've tried. The keyword filtering and SQL queries help enormously with digging through large numbers of records.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Have a job coming in where client wants to know what user was logged on/off of the HDD in question. I know where the logs are stored but how do you extract and read them. I use FTK also.

Users don't log onto hard drives, they log into operating systems. What OS are you looking at? Linux? If the OS is Windows, you could try the Security Event Logs, but by default, auditing/logging for logins is not enabled.

One way that is enabled is to check the contents of the UserAssist Registry key…the values may have time-based information in the data. The SAM file will tell you the last login, and you can get information for the last login and logoff from the MAC times on the NTUSER.DAT file…but you won't get information over a range unless you check elsewhere.

HTH,

Harlan


   
ReplyQuote
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Thanks Harlan and others.

I meant OS not HDD, it's Windows XP. I have been told logging is on. I know about the registry key for user last logon etc, my question specifically is where are the Security Event logs stored and how would I extract them to say an external reader and view/print?

Easily done in Windows from a GUI, but never did from an image situation.

Thanks again


   
ReplyQuote
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

%SYSTEMROOT%/system32/config

Export them and read the result with Event Viewer, Log Parser, etc.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I use a tool that I wrote called EvtUI. It's a GUI that parses the event records into a searchable spreadsheet, and produces a report showing the frequency of different event IDs.

For what you're doing, I'd look at psloglist from SysInternals…not as complete in functionality as what I usually look for, but it should suffice for your needs.


   
ReplyQuote
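Added example for this thread (not code from any poster, nor from EvtUI, evtparse.pl or psloglist): a minimal parser for the XP-era .evt format that scans for the "LfLe" record signature, validates each record against its trailing Length copy, and pulls out the record number, event ID, timestamp, source, computer and insertion strings, which is what a spreadsheet-style report is built from. It assumes the documented EVENTLOGRECORD layout; the sample bytes are constructed with the included builder (XP's 528 logon and 538 logoff audit IDs, a fictional "alice" on "XPBOX"), with junk bytes between the records to show that signature scanning still recovers records from carved or damaged log data.

```python
import struct
from datetime import datetime, timezone
MAGIC = b"LfLe"             # "Reserved" signature present in every EVENTLOGRECORD
HDR = "<IIIIIIHHHHIIIIII"   # fixed 56-byte EVENTLOGRECORD header, little-endian
HDR_LEN = struct.calcsize(HDR)
def _utf16z(buf, off):
    # NUL-terminated UTF-16LE string at off -> (text, offset just past the terminator)
    end = off
    while buf[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2
def parse_evt(data):
    # Scan for record signatures rather than trusting the file header, so carved or damaged logs parse too
    records, pos = [], data.find(MAGIC)
    while pos != -1:
        start = pos - 4                     # the Length DWORD precedes the signature
        if start >= 0 and start + HDR_LEN <= len(data):
            (length, _, recnum, tgen, _, evid, etype, nstr, _, _, _,
             stroff, _, _, _, _) = struct.unpack_from(HDR, data, start)
            if HDR_LEN < length <= len(data) - start and \
               struct.unpack_from("<I", data, start + length - 4)[0] == length:  # trailing Length copy
                rec = data[start:start + length]
                source, off = _utf16z(rec, HDR_LEN)
                computer, _ = _utf16z(rec, off)
                strings, off = [], stroff
                for _ in range(nstr):
                    s, off = _utf16z(rec, off)
                    strings.append(s)
                records.append({"record": recnum, "event_id": evid & 0xFFFF, "type": etype,
                                "time": datetime.fromtimestamp(tgen, timezone.utc),
                                "source": source, "computer": computer, "strings": strings})
                pos = data.find(MAGIC, start + length)
                continue
        pos = data.find(MAGIC, pos + 1)     # not a valid record, keep scanning
    return records
def build_record(recnum, ts, event_id, event_type, source, computer, strings):
    # Minimal EVENTLOGRECORD (no SID, no binary data); used only to build the constructed sample below
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    body += b"\0" * (-len(body) % 4)                  # DWORD-align where the SID would sit
    stroff = HDR_LEN + len(body)
    body += "".join(s + "\0" for s in strings).encode("utf-16-le")
    pad = -(HDR_LEN + len(body) + 4) % 4
    length = HDR_LEN + len(body) + pad + 4
    hdr = struct.pack(HDR, length, 0x654C664C, recnum, ts, ts, event_id, event_type,
                      len(strings), 0, 0, 0, stroff, 0, stroff, 0, HDR_LEN + len(body))
    return hdr + body + b"\0" * pad + struct.pack("<I", length)

# Constructed sample: XP logon (528) then logoff (538) for one account, 32 junk bytes between them
LOGON = ["alice", "XPBOX", "(0x0,0x3E7)", "2"]      # insertion strings: user, domain, logon ID, logon type
SAMPLE_EVT = (build_record(1, 1200000000, 528, 8, "Security", "XPBOX", LOGON) + b"\xff" * 32
              + build_record(2, 1200003600, 538, 8, "Security", "XPBOX", LOGON))
```

Point `parse_evt` at the bytes of an exported SecEvent.Evt (or a carved chunk of one) and write the returned dicts to CSV to get the searchable table the thread describes; the `event_id` value is masked to the low 16 bits, which is the number Event Viewer shows.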
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Great info, thanks to all. I will put it to good use.

Regards


   
ReplyQuote
Share: