I'm doing an activity in my digital forensics class. I was able to find the last user who logged in on the computer (found it in WINDOWS/SYSTEM32/CONFIG/SOFTWARE/MICROSOFT/WINDOWS NT/CURRENT VERSION/WINLOGON/DEFAULT USER NAME). There are 5 user accounts on the computer, and I need to find the log-in count per user and the last log-in date per user. In what folder should I find it? I'm using the Autopsy software.
How to determine the log-in count and last log-on date of user accounts in Windows XP while using the Autopsy tool?
5.5k Views Asked by Babayaga At
This explanation should help, but this will be a generic answer, as the problem is not reproducible.
Normally the "C:\Windows\System32\winevt\Logs" folder contains the event logs on Windows systems, which trace login events. You should look for the Security.evtx file (there will be plenty of logs in there, and you are looking for 4624 logs in it). If your Autopsy version parses this, you should try to find interactive logins (~= normal keyboard logons, or logon type 2; see the explanation. This is an assumption).
You can either count them or, if it's an old Autopsy version which doesn't support parsing, export the Security.evtx file instead, open it in Event Viewer locally on your forensic analysis host, and filter (open up Security.evtx with Event Viewer, Actions/Filter Current Log/Includes Event IDs: 4624, Keywords: Audit Success, User: Xyz, and change it to the next one once examined).
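
The per-user count and last log-on date described in the answer can also be tallied in one pass instead of filtering user by user. This is an added example, not part of the original answer: it assumes the filtered events were saved from Event Viewer as XML with the records wrapped in an `<Events>` root element, and the sample records and user names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Windows event XML records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, user, logon_type, when):
    """Build one constructed record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>'
    )


# Constructed sample data, not taken from a real image.
SAMPLE = "<Events>" + "".join([
    _event(4624, "alice", 2, "2015-03-01T08:15:00.000000Z"),
    _event(4624, "alice", 3, "2015-03-02T09:00:00.000000Z"),  # network logon, skipped
    _event(4624, "bob", 2, "2015-03-02T10:30:00.000000Z"),
    _event(4634, "alice", 2, "2015-03-02T17:00:00.000000Z"),  # logoff, skipped
    _event(4624, "alice", 2, "2015-03-03T07:45:00.000000Z"),
]) + "</Events>"


def summarize_logons(xml_text, event_id=4624, logon_type=2):
    """Return {user: (count, last_logon_utc)} for matching logon events."""
    summary = {}
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != str(event_id):
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType") != str(logon_type):
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # SystemTime is UTC; the fractional seconds are dropped here.
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        user = data.get("TargetUserName", "")
        count, last = summary.get(user, (0, when))
        summary[user] = (count + 1, max(last, when))
    return summary


if __name__ == "__main__":
    for user, (count, last) in sorted(summarize_logons(SAMPLE).items()):
        print(f"{user}: {count} interactive logons, last at {last} UTC")
```
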