
Tracking USER ID in Magnet IEF

3 Posts
2 Users
0 Reactions
675 Views
(@pachuco)
Eminent Member
Joined: 10 years ago
Posts: 22
Topic starter  

We are searching an IEF report based on an acquisition from a Windows XP computer in 2014. While we know the SIDs belonging to the users, we are finding another type of User ID that we do not recognize.

It would be highly beneficial to this case involving the sexual abuse of 4-year-old males by another male if we can match the following USER ID from Magnet to the SID of one of the two users on this computer. The following is from the IEF report and shows different User IDs. Please look at the end of each excerpt for a number in brackets following "Ralph-PC, ID" such as this one…

"{c629c196-a7c7-462b-83b5-32895cde8d52}"

Of course we really do not know if these are USER IDs or something that Windows uses to track VSCs. The fact that each VSC seems to have a different USER ID indicates that it could be the latter and not the former…

PhysicalDrive7 - Partition 1 (Microsoft NTFS, 585.12 GB) HP [L\] (Volume Shadow Copies) - Shadow Copy Creation Time 2014-08-26 222311 UTC (yyyy-mm-dd), Machine Ralph-PC, ID {c629c196-a7c7-462b-83b5-32895cde8d52}

PhysicalDrive7 - Partition 1 (Microsoft NTFS, 585.12 GB) HP [L\] (Volume Shadow Copies) - Shadow Copy Creation Time 2014-08-03 205042 UTC (yyyy-mm-dd), Machine Ralph-PC, ID {4770d959-7e80-4738-a4fa-2a5928cdd050}

PhysicalDrive7 - Partition 1 (Microsoft NTFS, 585.12 GB) HP [L\] (Volume Shadow Copies) - Shadow Copy Creation Time 2014-08-23 201338 UTC (yyyy-mm-dd), Machine Ralph-PC, ID {418604c7-8d6d-4d8e-995d-3b5add7bc9e5}

PhysicalDrive7 - Partition 1 (Microsoft NTFS, 585.12 GB) HP [L\] (Volume Shadow Copies) - Shadow Copy Creation Time 2014-08-10 132443 UTC (yyyy-mm-dd), Machine Ralph-PC, ID {f1057b62-19c6-49f5-b0f1-c12be77adf7b}

We have searched the Magnet site and performed Google searches to no avail.

Thank you for your consideration.

(@jerryw)
Trusted Member
Joined: 17 years ago
Posts: 56

I think the number within the brackets is the identifier of the Shadow Copy, not the user. In the extract you have provided the delimiter is the comma. So the machine name entry ends with 'Ralph-PC', then moves on to the next field of ID colon identifier of the Shadow Copy.

In the IEF case I have in front of me each different timed Shadow Copy has a different identifier.

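An added example (not from either poster or from Magnet) that splits the quoted IEF source string on the comma delimiter jerryw describes and checks the bracketed value's shape: a VSS shadow-copy identifier is a GUID, while a Windows account SID always starts with `S-1-`. The sample lines are reconstructed from the ones quoted above; the field names and parsing approach are this example's own assumptions, not Magnet's documented format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample "Source" lines, shaped like the four quoted in the thread.
_TEMPLATE = ("PhysicalDrive7 - Partition 1 (Microsoft NTFS, 585.12 GB) HP [L\\] (Volume Shadow Copies)"
             " - Shadow Copy Creation Time {ts} UTC (yyyy-mm-dd), Machine Ralph-PC, ID {{{guid}}}")
SAMPLE_SOURCES = [_TEMPLATE.format(ts=t, guid=g) for t, g in [
    ("2014-08-26 222311", "c629c196-a7c7-462b-83b5-32895cde8d52"),
    ("2014-08-03 205042", "4770d959-7e80-4738-a4fa-2a5928cdd050"),
    ("2014-08-23 201338", "418604c7-8d6d-4d8e-995d-3b5add7bc9e5"),
    ("2014-08-10 132443", "f1057b62-19c6-49f5-b0f1-c12be77adf7b"),
]]

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Accept "22:23:11" as well as the colon-stripped "222311" seen in the quoted excerpts.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):?(\d{2}):?(\d{2}) UTC")


def classify_id(value: str) -> str:
    """Tell a VSS shadow-copy GUID apart from a Windows account SID by shape alone."""
    if GUID_RE.match(value):
        return "shadow-copy-guid"
    if SID_RE.match(value):
        return "windows-sid"
    return "unknown"


@dataclass
class ShadowCopySource:
    volume: str
    created: datetime
    machine: str
    shadow_id: str


def parse_source(line: str) -> ShadowCopySource:
    # The comma is the field delimiter, but the volume description also contains one
    # ("Microsoft NTFS, 585.12 GB"), so split from the right to peel off the last two fields.
    head, machine_field, id_field = (p.strip() for p in line.rsplit(",", 2))
    if not machine_field.startswith("Machine ") or not id_field.startswith("ID "):
        raise ValueError(f"unexpected field order: {line!r}")
    volume, created_text = head.split(" - Shadow Copy Creation Time ", 1)
    m = CREATED_RE.match(created_text)
    if not m:
        raise ValueError(f"unexpected timestamp: {created_text!r}")
    created = datetime.strptime(" ".join(m.groups()), "%Y-%m-%d %H %M %S").replace(tzinfo=timezone.utc)
    return ShadowCopySource(volume.strip(), created, machine_field[len("Machine "):], id_field[len("ID "):])


def distinct_shadow_ids(lines) -> set:
    """One GUID per snapshot: N shadow-copy creation times should yield N distinct IDs."""
    return {parse_source(line).shadow_id for line in lines}
```

Running `distinct_shadow_ids(SAMPLE_SOURCES)` over the four quoted lines yields four different GUIDs, which is the pattern jerryw notes, and `classify_id` reports each as a shadow-copy GUID rather than a SID.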
(@pachuco)
Eminent Member
Joined: 10 years ago
Posts: 22
Topic starter  

Thank you sir. That makes perfect sense.

Mike
