Missing User ID/Accounts


shamus

New Member
May 21, 2019
2
1
#1
Upon looking at the local user ids there are two that are not there (1002, 1003). I have searched event id's 4726 and 4743 finding nothing. Any way to determine if the event logs have been altered or somewhere that may show who, what, or why these accounts were removed?
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#2
Details ... 'looking at the local user ids' ... how did you do that? I could assume you did it the right way, ... but I have no way of proving that you did.

Why do you assume the event logs may have been altered? Or do they cover the full life of the system? Do you have create logs for the other relevant RIDs? (I assume you have looked for resorces, such as files, directories, etc. and registry entries created by the relevant RIDs.)

On corporate systems, installed from master images, remains from the original install can sometimes be difficult to get to grips with. Is that kind of situation applicable here? Or do you know that the system has been installed exactly as Microsoft documents it? (If not, look for other systems installed in the same way, or from the same master, and compare.)
 
Last edited:

shamus

New Member
May 21, 2019
2
1
#3
Thanks for the reply; I actually posted this for a colleague of mine so, I don't know all the particulars. I believe those other things were checked and there were artifacts indicating those users were once there but I'll have to ask him.
 

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu