Pau Lo
 asked on

user access and recent activity

I need sort of a top-level "what a user did" type report or clues on an XP machine, i.e. the last day the user logged on to their PC, what kind of apps they ran, what kind of files they accessed. Would this be achievable, and if so, on an XP machine what areas would we look to?

I also need to know the last time a user logged on to a specific PC with a specific (domain) username, where could/may I find that? Would it be the last modified date on their entry in documents and settings?

It's nothing criminal so no need to worry about absolute procedures. May have guessed another user's password and used it to login, and then who knows what they'd do, look at their email, home drive, network drives etc. Any pointers welcome for a map of activity for that day...

Windows XP, Digital Forensics, Windows OS

Last Comment
btan

8/22/2022 - Mon
Pau Lo

ASKER
So, if at all possible, for the day in question:

login time
apps used (times)
files accessed and locations (times)
logout/power off time

Is there any such tool that can do a daily usage report? Or would these be plucked from various locations?

Would be brilliant if any such log may keep these on the XP machine itself.
ASKER CERTIFIED SOLUTION
ChopOMatic

Pau Lo

ASKER
Does the security event log only audit local logins though, not domain, or domain too? Any tips on limiting the security log to just logins, i.e. IDs?

If you could share tips on the files accessed audit when you are next free that would be great...
Pau Lo

ASKER
I’d also be VERY interested to see what your overall methodology and thought process would be in such a scenario. I.e. your manager has some suspicion either shared logins are in operation, or someone’s guessed another user's password. If your manager says "on that PC I think john has logged in as joe, on this date", can you come up with some form of user activity on that PC? Aside from which files were accessed, and which apps were run, what other areas would you look for/at to get a fuller picture of what they may or may not have done?

A bit off-topic, but for the various types of case you get in, have you got internal methodologies your guys adhere to in order to identify evidence? I.e. you've got an inappropriate image/video case, follow this process to identify evidence...
Pau Lo

ASKER
Any views?

Cheers
btan

Pau Lo

ASKER
As a general rule, have you found managers or HR/personnel sections to be a bit deluded when it comes to what forensics can produce? They seem to forget that unless audit logs, i.e. *.evt, are enabled then the likelihood of a full picture is far less. I just think some managers seem to have a deluded idea of what forensics can unearth where audit logs aren't enabled.