A logon banner is a legal notice that a Windows system user sees at the point of entry into a device. It is set manually and contains information about the permitted and appropriate usage of a computer system and its access capabilities, which a user must acknowledge before logging in. This feature is mainly used on company-owned systems, where it serves as a warning against security policy violations and informs employees of the level of privacy they can expect on those systems. Any violations can be prosecuted to the full extent of the law. The image below shows a sample of what a Windows 10 system with the banner set looks like before a user can log in.
This artifact is important in investigations that involve unauthorized usage of a system. With further analysis of other artifacts, investigators can prove that a user misused a system despite the legal text that was displayed by the system and acknowledged by the user before login.
The Logon Banner artifact's source file is located at C:\Windows\config\SOFTWARE. Within the SOFTWARE hive, the artifact data can be found at the following location:
The SOFTWARE file is a registry hive file. The registry file format is a binary file analogous to a filesystem with a group of keys, subkeys, and values. These files are used by the operating system to store user, system, and application configurations.
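To illustrate the two points above (the banner is stored in the SOFTWARE hive, and that hive is an offline binary file rather than a live registry), here is an added PowerShell example of how an investigator can read the banner values from an evidence copy of the hive without the forensic tool. This is not ArtiFast code and not part of the original page. It assumes an elevated session on a Windows analysis workstation, a placeholder evidence path (`D:\Evidence\case01\SOFTWARE`), and the standard location of the banner policy values, `Microsoft\Windows\CurrentVersion\Policies\System` with the `LegalNoticeCaption` and `LegalNoticeText` values (the same values that the "Interactive logon: Message title/text for users attempting to log on" security options write).

```powershell
# Added example, not ArtiFast code. Reads the logon banner from an OFFLINE
# SOFTWARE hive by temporarily loading it under HKLM, then unloading it.
# Requires an elevated PowerShell session (reg.exe load/unload need admin).

$HivePath  = 'D:\Evidence\case01\SOFTWARE'   # placeholder: evidence copy of the hive
$MountName = 'OfflineSW'                      # temporary subkey created under HKLM

# Relative path of the banner key inside the SOFTWARE hive. On a live system
# this is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
$BannerSubKey = 'Microsoft\Windows\CurrentVersion\Policies\System'

function Get-OfflineLogonBanner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Mount
    )

    # Map the hive file to HKLM\<Mount>. Never load the hive from the original
    # evidence; work on a forensic copy, since loading opens it read/write.
    & reg.exe load "HKLM\$Mount" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive '$Path' (exit $LASTEXITCODE)" }

    try {
        $key = "HKLM:\$Mount\$BannerSubKey"
        if (-not (Test-Path $key)) {
            # Key absent: no banner policy was ever written to this hive
            return [pscustomobject]@{ Caption = $null; Text = $null; BannerSet = $false }
        }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Caption   = $props.LegalNoticeCaption
            Text      = $props.LegalNoticeText
            # Windows shows the banner only when the text value is non-empty
            BannerSet = -not [string]::IsNullOrEmpty($props.LegalNoticeText)
        }
    }
    finally {
        # Release registry handles before unloading, otherwise unload fails
        [gc]::Collect()
        & reg.exe unload "HKLM\$Mount" | Out-Null
    }
}

function Get-LiveLogonBanner {
    # Same values on the running system, for comparison with the evidence hive
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Caption   = $props.LegalNoticeCaption
        Text      = $props.LegalNoticeText
        BannerSet = -not [string]::IsNullOrEmpty($props.LegalNoticeText)
    }
}

# Usage: print what the evidence system displayed at logon
Get-OfflineLogonBanner -Path $HivePath -Mount $MountName | Format-List
```

Keeping the extraction in a function with a `finally` block matters in practice: if the script is interrupted between load and unload, the hive stays attached to the live registry and cannot be reopened by another tool until it is unloaded. The `BannerSet` flag mirrors Windows behaviour, which shows the notice only when `LegalNoticeText` is non-empty, so an investigator can distinguish "policy key present but empty" from "banner actually displayed".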
This section will discuss how to use ArtiFast Windows to extract Logon Banner artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Logon Banner artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Logon Banner artifact in ArtiFast software.
Logon Banner Artifact
The artifact retrieves the legal text, if any, that is shown to system users before login. The details you can view include: