Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: Swantao
New Today: 1
New Yesterday: 0
Overall: 29538

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 is it possible to verify if a HDD was wiped with DBAN
 Forenic artifacts if someone accessed a remote Win10?
 timeline analysis
 Hostile work enviornment
 Can anyone suggest me a topic under printers forensics

Computer Forensics World Forums


Pages Served
We received
56066790
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - User's logon time?
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

User's logon time?

 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Legal Issues
View previous topic :: View next topic  
Author Message
Robin_Hood
Newbie
Newbie


Joined: Nov 20, 2007
Posts: 49

PostPosted: Fri May 18, 2012 4:48 pm    Post subject: User's logon time? Reply with quote

I am currently busy with an investigation...I retrieved MAJOR evidence...even linked the computer to ANOTHER computer ( that still have to be brought in for investigation). My question now is...Is there a FOR SURE way ( except knowing the file's creation date) to locate exactly WHEN a user logged on to a standalone PC, as well as a domain? I know NTUser.dat.Log has a date, but that is only the LOGOFF date it desplays...i need evidence for a logON date......thx guys

I know that "net user <user>" will reveal the log-on date/time, but it MUST get the information from SOMEWHERE....THAT'S what I'm looking for as i have my image-drive mounted...Otherwise i must create a ghost image of the drive, log in via Administration, and THEN use --> net user <user>...but i'm looking for a shortcut-way of finding th info via a "mounted" image...
Back to top
View user's profile
athulin
Newbie
Newbie


Joined: Oct 19, 2007
Posts: 240

PostPosted: Fri May 18, 2012 9:41 pm    Post subject: Re: User's logon time? Reply with quote

Robin_Hood wrote:
My question now is...Is there a FOR SURE way ( except knowing the file's creation date) to locate exactly WHEN a user logged on to a standalone PC, as well as a domain?


Windows security log contains entries for various types of logon events. Which log you need to examine, depends on what kind of login it is -- for domain logons you need to look at the DC log.

www . UltimateWindowsSecurity . log gives a good overview -- be sure to read the various texts, as 'Windows logon' is not quite the same thing as what most people expect it to be. Some of it is automatic, and you need to know which is which.

The net user thing queries run-time info -- it won't be useful for any kind of post-mortem analysis.
Back to top
View user's profile
Robin_Hood
Newbie
Newbie


Joined: Nov 20, 2007
Posts: 49

PostPosted: Fri May 18, 2012 10:04 pm    Post subject: Re: User's logon time? Reply with quote

athulin wrote:

Windows security log contains entries for various types of logon events. Which log you need to examine, depends on what kind of login it is -- for domain logons you need to look at the DC log.

www . UltimateWindowsSecurity . log gives a good overview -- be sure to read the various texts, as 'Windows logon' is not quite the same thing as what most people expect it to be. Some of it is automatic, and you need to know which is which.

The net user thing queries run-time info -- it won't be useful for any kind of post-mortem analysis.

Thanks athulin...will check it out Smile
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Legal Issues All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.