Blog >> User Accounts

Investigating User Accounts

22/06/2021 Tuesday

Windows stores user accounts and security descriptors for users on the local computer in a file called SAM (Security Account Manager). SAM is a part of a system defined database where configuration data is stored and retrieved. Using cryptographic measures, this file can be used to authenticate local and remote users to prevent unauthenticated access to the system. User Accounts data can be extracted from this file.


Digital Forensics Value of User Accounts Artifacts


User Accounts artifact helps investigators identify the users on a Windows system. This information includes the username, full name, level of privilege the user has, last time the system was logged into with the account, last time a failed password login attempt was made, and other information. Analyzing this artifact helps tie a user to any activity on the computer. If, for example, a file download appeared in the system and the action needs to be traced, this artifact can provide clarity about the timeline by showing which account was logged into right before the incident. If the account is password protected, it can show what privileges the account holds as well.


Location of User Accounts Artifacts


User accounts artifact source file is located at: C:\Windows\config\SAM

Within the SAM hive, the artifact data can be found at the location: SAM\Domains\Accounts\Users


Structure of User Accounts Artifacts


The SAM file containing the User Accounts artifact is a registry hive. This is a database where necessary operating system and/or application configurations are maintained. It is made up of keys and values. Keys can be containers that may contain other subkeys. Keys point to values, which are variable length data sets. Windows provides an executable file called regedit.exe that can be used to view and make changes to the registry database.


Analyzing User Accounts Artifacts with ArtiFast Windows


This section will discuss how to use Artifast Windows to extract user accounts artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select User Accounts Artifact:






Once Artifast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the User Accounts artifact in Artifast software.


User Accounts Artifact

The artifact contains information on the user accounts in the system. The details you can view include: