I am running Magnet Axiom. According to the tab user accounts, the last time the user logged in was 1650. However when looking at the Windows event log, there are a bunch of 4624 events. These occur at 1845 and 1935. This event id would indicate a successful login.
Why do they differ? What are your thoughts?
UTC?
Logs usually are off by 2 hours in our time zone when they are not converted properly to/from UTC. It is important to know what date is logged in a product. When I write software to generate logs from a custom source, I put a timestamp from systemtime in with the logs on start up so I can easily correlate.
All the timestamps are shown in UTC+2 to reflect summertime. Still there is a huge discrepancy.
Was the machine cleanly shutdown?
Consider that registry hives exist typically in memory while the machine is running and only periodically get cached out to disc. Therefore it is possible that the data was lost/is present in a hive log file/some other outcome.
Indeed, even if it was shutdown properly, the data may still be present in a log file as it may not have been committed to disc yet.
Therefore the event logs may indeed be correct - check in the same folder as the hive for the presence of a file with the same name, but with something like .log1 or .log2 appended onto it.
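Added example, not code from the thread or from Magnet Forensics: a small script that does the two checks raised above. It normalises the registry-derived last-logon time and the Security log 4624 times to UTC and reports whether the gap is explained by the local/UTC offset (the UTC+2 point made earlier), and it looks beside a hive for its .LOG1/.LOG2 transaction logs and reads the REGF header sequence numbers, which differ when the last write was never fully committed to the primary file. The UTC+2 zone, the times, the hive directory and the file names are constructed sample data that mirror the numbers in the question; the function names are my own.

```python
"""Reconcile a registry last-logon time with 4624 events, and check a hive for
uncommitted transaction-log data. Constructed example; not from the thread."""
from datetime import datetime, timedelta, timezone
from pathlib import Path
import struct
import tempfile

# Assumption: the examiner's display zone is UTC+2 (summer time), as in the thread.
LOCAL_TZ = timezone(timedelta(hours=2))
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def evtx_time_to_utc(system_time):
    """EVTX <TimeCreated SystemTime> is UTC with up to 7 fractional digits."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def classify_gap(registry_utc, event_utc, offset=timedelta(hours=2),
                 tolerance=timedelta(minutes=1)):
    """'match', 'timezone-offset' (gap equals the local/UTC offset, so one side
    was probably displayed unconverted) or 'unexplained' (look elsewhere)."""
    gap = abs(event_utc - registry_utc)
    if gap <= tolerance:
        return "match"
    if abs(gap - offset) <= tolerance:
        return "timezone-offset"
    return "unexplained"


# Constructed sample: registry last logon 16:50 local (14:50Z); the Security
# log holds 4624 events that display as 18:45 and 19:35 local.
REGISTRY_LAST_LOGON = utc_to_filetime(datetime(2012, 6, 14, 14, 50, tzinfo=timezone.utc))
SAMPLE_4624 = ["2012-06-14T16:45:12.1234567Z", "2012-06-14T17:35:03.0000000Z"]


def reconcile(registry_filetime, event_times):
    """Return (local display time, classification) for each 4624 event."""
    reg = filetime_to_utc(registry_filetime)
    out = []
    for ts in event_times:
        ev = evtx_time_to_utc(ts)
        out.append((ev.astimezone(LOCAL_TZ).strftime("%H:%M"), classify_gap(reg, ev)))
    return out


def hive_transaction_logs(hive):
    """Find <hive>.LOG1/.LOG2 beside the hive, case-insensitively (extracted
    images do not always preserve NTFS case)."""
    wanted = {hive.name.lower() + ".log1": ".LOG1", hive.name.lower() + ".log2": ".LOG2"}
    found = {}
    for f in hive.parent.iterdir():
        if f.name.lower() in wanted:
            found[wanted[f.name.lower()]] = {
                "size": f.stat().st_size,
                "newer_than_hive": f.stat().st_mtime > hive.stat().st_mtime}
    return found


def hive_is_dirty(hive):
    """REGF header: bytes 0-3 'regf', 4-7 primary sequence, 8-11 secondary.
    Windows bumps the primary before a write and the secondary after it, so a
    mismatch means the last write was not flushed and the .LOG files matter."""
    with hive.open("rb") as fh:
        sig, primary, secondary = struct.unpack("<4sII", fh.read(12))
    if sig != b"regf":
        raise ValueError("%s is not a registry hive" % hive)
    return primary != secondary


def build_sample_hive_dir():
    """Constructed fixture: a fake SAM with mismatched sequence numbers plus a SAM.LOG1."""
    d = Path(tempfile.mkdtemp())
    sam = d / "SAM"
    sam.write_bytes(b"regf" + struct.pack("<II", 42, 41) + b"\x00" * 500)
    (d / "SAM.LOG1").write_bytes(b"regf" + struct.pack("<II", 42, 42) + b"\x00" * 500)
    return sam


if __name__ == "__main__":
    for local_time, verdict in reconcile(REGISTRY_LAST_LOGON, SAMPLE_4624):
        print("4624 at %s local: %s" % (local_time, verdict))
    sam = build_sample_hive_dir()
    print("hive dirty:", hive_is_dirty(sam), "logs:", hive_transaction_logs(sam))
```

With the numbers from the question neither gap (1h55m and 2h45m) is a clean two-hour offset, so the script reports both as unexplained and the hive check becomes the next step; on a real image point the hive functions at the extracted SAM or the user's NTUSER.DAT rather than the fixture.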
Anything?
Therefore the event logs may indeed be correct - check in the same folder as the hive for the presence of a file with the same name, but with something like .log1 or .log2 appended onto it.
Uh-oh.
Care to elaborate?
What are your thoughts?
Do you know how the tool is making its determination? What data is the tool using? If it's using something other than the events in the Security Event Log, then that would explain it.
I'd suggest checking with the vendor to see how the determination is being made. If you know a little bit more about how the tool you're using works, you'll be in a better position to understand things like this.
HTH
Do you know how the tool is making its determination?
The source is listed directly under the data for each artifact.
Most user account data is from the Registry including last shutdown time.
The event log sources are obviously the event logs; we'll give you both. It's up to the examiner to determine what data is valuable for their investigation.
Jamie
Magnet Forensics
Do you know how the tool is making its determination? What data is the tool using? If it's using something other than the events in the Security Event Log, then that would explain it.
A good rule of thumb also is if one tool shows data one way… perhaps use another tool to see if it shows the same information. Different forensic tools parse data differently and sometimes grab other data with it. So what you see may or may not be the full picture.