User activity clues

pma111 asked:
If you needed to get some clues on what a user 'did' when they logged into a domain-joined Windows 7 machine, forensically, where are the obvious places to check? I know there are 'recent' folders with LNK shortcuts to see what files they have accessed, but I am interested to know what other artifacts could be turned to for a fuller picture, e.g. what apps were opened/launched.
Sean, System Engineer

Event Viewer would be a good place to look, but usually these kinds of events need to be enabled before they can be tracked, under Local Policies / Audit Policy.
Exec Consultant
Distinguished Expert 2018
You can check out artifacts such as: Jump Lists, LNK files, Shellbags, USB devices and Prefetch files.
Definitely check the SANS Forensics & Incident Response poster (link).

There you have everything in one place: what to check and where you can find it.

Other nice security-related posters are available here.
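Of the artifacts listed above, Prefetch files are the ones that answer the "what apps were launched" part of the question most directly, since each .pf records the executable name, its last run time, a run count and the files it loaded. The following is an added example written for this page, not code from the thread or from the SANS poster: a small Python parser for the Windows 7 (format version 23) prefetch header, exercised against a constructed sample buffer. The field offsets follow the publicly documented layout of the format; the NOTEPAD.EXE record, timestamp and paths are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
WIN7_VERSION = 23  # .pf format version written by Vista/7 (XP is 17, Win8 is 26, Win10 is 30)

def parse_prefetch(data):
    """Parse the header of a Windows 7 (version 23) prefetch file.
    Layout used: executable name at 0x10 (60 bytes UTF-16LE), loaded-file string
    table offset/size at 0x64/0x68, last-run FILETIME at 0x80, run count at 0x98."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("no SCCA signature (Windows 10 .pf files are MAM-compressed; decompress first)")
    if version != WIN7_VERSION:
        raise ValueError(f"prefetch version {version} not handled; this parser covers Windows 7 (23) only")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x80)   # 100 ns ticks since 1601-01-01 UTC
    (run_count,) = struct.unpack_from("<I", data, 0x98)
    table = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {"exe": exe_name, "last_run": EPOCH_1601 + timedelta(microseconds=last_run // 10),
            "run_count": run_count, "loaded_files": [s for s in table.split("\x00") if s]}

def build_sample_prefetch(exe, last_run, run_count, loaded_files):
    """Construct a minimal version-23 .pf buffer for demonstration (not a real capture)."""
    strings = "".join(f + "\x00" for f in loaded_files).encode("utf-16-le")
    strings_off = 0x100  # string table placed after the header and file-information block
    buf = bytearray(strings_off + len(strings))
    struct.pack_into("<I4sII", buf, 0, WIN7_VERSION, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    delta = last_run - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10
    struct.pack_into("<II", buf, 0x64, strings_off, len(strings))
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    buf[strings_off:] = strings
    return bytes(buf)

def demo():
    """Round-trip a constructed NOTEPAD.EXE prefetch record and return the parsed fields."""
    sample = build_sample_prefetch("NOTEPAD.EXE", datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc), 7,
                                   [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
                                    r"\DEVICE\HARDDISKVOLUME1\USERS\PMA111\DESKTOP\NOTES.TXT"])
    return parse_prefetch(sample)

if __name__ == "__main__":
    info = demo()
    print(f"{info['exe']}: last run {info['last_run']:%Y-%m-%d %H:%M:%S} UTC, "
          f"run count {info['run_count']}, loaded {len(info['loaded_files'])} files")
```

On a real Windows 7 image, point `parse_prefetch` at the bytes of each file under `C:\Windows\Prefetch` to build a timeline of executions; the loaded-file paths often name the documents the program opened, which ties back to the LNK and Jump List artifacts.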
Distinguished Expert 2018

You could use an application like Redline to assist you.

Ideally, you get some sort of audit tools for future use to capture logs of all of the information you're interested in seeing. Varonis is one vendor that makes products in this area. ManageEngine is another, but there are a lot out there.
