Sam

Overview

Evidence: Sam
Description: Collect Sam
Category: Security
Platform: Windows
Short Name: sam
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Windows Security Account Manager (SAM) database contains local user account information, password hashes, and account security policies. This data is essential for understanding user accounts, detecting unauthorized access, and investigating security incidents.

Data Collected

This collector gathers structured data about the local user accounts stored in the SAM.

Sam Users Data

Field | Description | Example
ID | Primary key (auto-increment) | 1
Username | Username | Administrator
RID | Relative identifier | 500
SID | Security identifier | S-1-5-21-1234567890-1234567890-1234567890-500
AccountCreatedDate | Account creation date | 2023-10-15 14:30:25
ProfilePath | User profile path | C:\Users\Administrator
GroupNames | Group memberships | Administrators,Users
LastLoginDate | Last login date | 2023-10-15 14:30:25
PasswordResetDate | Password reset date | 2023-10-15 14:30:25
PasswordFailDate | Last password failure date | 2023-10-15 14:30:25
Flags | Account flags | Normal user account
FailedLoginCount | Failed login count | 0
LoginCount | Total login count | 150
AccountType | Account type | Default Admin User
FullName | Full name | Administrator
Comment | Account comment | Built-in account for administering the computer
DriveLetter | Home drive letter | H:
LogonScript | Logon script | logon.bat
Workstations | Allowed workstations | WORKSTATION1,WORKSTATION2

Collection Method

This collector parses the necessary data from the sam table.

This collector collects files from the following locations:

  • C:\Windows\System32\config\SAM

Usage

This evidence is crucial for forensic investigations as it provides user account and security information. It helps investigators understand user access, detect unauthorized accounts, and investigate security incidents. The data can reveal user accounts, password policies, and potential security vulnerabilities. Analysts can use this information to identify account compromises, trace user activities, and assess Windows security posture.
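As an added example (not part of this page or the collector itself), the following Python runs a few of the triage checks described above over rows in this collector's Sam Users schema: it cross-checks RID against SID, spots a renamed built-in Administrator (RID 500 is always the built-in Administrator), flags locally created accounts (RID 1000 and above) that hold local Administrators membership, and flags recently created accounts and high failed-login counts. The sample rows, the collection timestamp and the thresholds are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in the collector's "Sam Users" schema (not real data).
SAMPLE_CSV = """Username,RID,SID,AccountCreatedDate,GroupNames,LastLoginDate,Flags,FailedLoginCount,LoginCount
Administrator,500,S-1-5-21-1234567890-1234567890-1234567890-500,2023-01-05 09:00:00,Administrators,2023-10-15 14:30:25,Normal user account,0,150
Guest,501,S-1-5-21-1234567890-1234567890-1234567890-501,2023-01-05 09:00:00,Guests,,Account disabled,0,0
svc_backup,1001,S-1-5-21-1234567890-1234567890-1234567890-1001,2023-10-14 23:55:10,Administrators,2023-10-15 00:02:11,Normal user account,0,1
jsmith,1002,S-1-5-21-1234567890-1234567890-1234567890-1002,2023-03-01 08:00:00,Users,2023-10-15 08:15:00,Normal user account,12,240
"""


def rid_from_sid(sid):
    """The RID is the last sub-authority of the account SID."""
    return int(sid.rsplit("-", 1)[1])


def review_sam_users(csv_text, collected_at, new_account_days=7, fail_threshold=10):
    """Return (username, finding) pairs for rows that merit analyst review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"]
        rid = int(row["RID"])
        groups = [g.strip() for g in row["GroupNames"].split(",") if g.strip()]
        # The RID column must agree with the SID; a mismatch means the row is inconsistent.
        if rid_from_sid(row["SID"]) != rid:
            findings.append((user, "RID does not match SID"))
        # RID 500 is the built-in Administrator no matter what it is currently named.
        if rid == 500 and user != "Administrator":
            findings.append((user, "built-in Administrator (RID 500) has been renamed"))
        # Locally created accounts start at RID 1000; admin membership on those merits review.
        if rid >= 1000 and "Administrators" in groups:
            findings.append((user, "non-built-in account is a local Administrator"))
        created = datetime.strptime(row["AccountCreatedDate"], "%Y-%m-%d %H:%M:%S")
        if collected_at - created <= timedelta(days=new_account_days):
            findings.append((user, "account created within the last %d days" % new_account_days))
        if int(row["FailedLoginCount"]) >= fail_threshold:
            findings.append((user, "failed login count %s" % row["FailedLoginCount"]))
    return findings


if __name__ == "__main__":
    # Constructed collection time for the sample rows.
    for user, finding in review_sam_users(SAMPLE_CSV, datetime(2023, 10, 15, 15, 0, 0)):
        print("%-14s %s" % (user, finding))
```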

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
