Investigating Logon Banner

03/09/2021 Friday

A logon banner is a legal notice that a Windows system user sees at the point of entry into a device. It is set manually and states the permitted and appropriate usage of a computer system and its access capabilities, which a user must acknowledge before logging in. This feature is mainly used on company-owned systems, where it serves as a warning against security policy violations and informs employees of the level of privacy on the systems. Any violations can be prosecuted to the full extent of the law. The image below shows a sample of what a Windows 10 system with the banner set looks like before a user can log in.


Digital Forensics Value of Logon Banner Artifacts


This artifact is important in investigations that involve unauthorized usage of a system. With further analysis of other artifacts, investigators can prove that a user misused a system despite the legal text that was displayed by the system and acknowledged by the user before login.


Location of Logon Banner Artifacts


The Logon Banner artifact source file is located at C:\Windows\config\SOFTWARE. Within the SOFTWARE hive, the artifact data can be found at the following location:
Microsoft\Windows\CurrentVersion\Policies\System


Structure of Logon Banner Artifacts


The SOFTWARE file is a registry hive file. The registry file format is a binary format analogous to a filesystem, organized as a hierarchy of keys, subkeys, and values. These files are used by the operating system to store user, system, and application configurations.
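
One way to check the same key by hand on an analysis workstation, as an added example that is not part of the original post or of ArtiFast: the function mounts a working copy of the SOFTWARE hive and reads the `legalnoticecaption` and `legalnoticetext` values, the value names Windows uses for the banner title and body. The mount name and the hive path in the sample call are assumptions.

```powershell
# Added example: read the logon banner values from an offline SOFTWARE hive.
# Run from an elevated PowerShell prompt, and only against a working copy:
# loading a hive can modify the file, so never mount the original evidence.
function Get-OfflineLogonBanner {
    param(
        [Parameter(Mandatory)] [string] $HivePath,     # copied SOFTWARE hive
        [string] $MountName = 'OFFLINE_SOFTWARE'       # hypothetical temporary mount name
    )

    $mount = "HKLM\$MountName"
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        # Key path inside the hive, as given in the article
        $keyPath = "Registry::HKEY_LOCAL_MACHINE\$MountName\" +
                   'Microsoft\Windows\CurrentVersion\Policies\System'
        $props = Get-ItemProperty -Path $keyPath -ErrorAction Stop

        [pscustomobject]@{
            Hive      = $HivePath
            Caption   = $props.legalnoticecaption      # banner title
            Text      = $props.legalnoticetext         # banner body (the legal text)
            # An absent or empty text value means no banner body was configured
            BannerSet = -not [string]::IsNullOrWhiteSpace($props.legalnoticetext)
        }
    }
    finally {
        # Release registry handles held by the provider, then unload the hive
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}

# Constructed sample path to a hive exported from the evidence image
Get-OfflineLogonBanner -HivePath 'D:\case\export\SOFTWARE'
```

A `BannerSet` value of `False` means the text value was missing or blank in that hive, which is worth recording before arguing that a user acknowledged a notice.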


Analyzing Logon Banner Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to extract Logon Banner artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Logon Banner artifacts:






Once the ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Logon Banner artifact in ArtiFast software.


Logon Banner Artifact

The artifact retrieves the legal text, if any, that is shown to system users before login. The details you can view include: