SAM Collector
Overview
Evidence: SAM Users and Groups
Description: Collect SAM Users and Groups
Category: System
Platform: windows
Short Name: sam
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Security Account Manager (SAM) hive stores local user and group account information. This data is essential for enumerating accounts, SIDs, and group memberships.
Data Collected
This collector gathers structured data about SAM users and groups.
Collection Method
This collector parses SAM and related hives to enumerate local users and groups, resolving group memberships into sam_users and sam_groups.
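To show the kind of per-user data that parsing the SAM hive yields, the following added example (not the collector's own code) decodes the fixed-offset fields of a user's binary F value, stored under SAM\Domains\Account\Users\<RID>. The field offsets follow the commonly documented layout of that value and are an assumption here, as are the output field names and the constructed sample record.

```python
import struct
from datetime import datetime, timedelta, timezone

ACB_FLAGS = {  # account control bits (subset useful for triage)
    0x0001: "ACCOUNT_DISABLED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0010: "NORMAL_ACCOUNT",
    0x0200: "PASSWORD_NEVER_EXPIRES",
    0x0400: "ACCOUNT_LOCKED",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNSET = (0, 0x7FFFFFFFFFFFFFFF)  # FILETIME values meaning "never"

def filetime_to_utc(ft):
    """Convert 100 ns ticks since 1601-01-01 to a UTC datetime, or None."""
    return None if ft in UNSET else EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_f_value(data):
    """Decode the fixed-offset fields of one user's F value (assumed layout)."""
    if len(data) < 0x44:
        raise ValueError(f"F value too short: {len(data)} bytes")
    (last_logon,) = struct.unpack_from("<Q", data, 0x08)
    pwd_set, expires, last_fail = struct.unpack_from("<QQQ", data, 0x18)
    (rid,) = struct.unpack_from("<I", data, 0x30)
    (acb,) = struct.unpack_from("<H", data, 0x38)
    failed_count, logon_count = struct.unpack_from("<HH", data, 0x40)
    return {
        "rid": rid,
        "last_logon": filetime_to_utc(last_logon),
        "password_last_set": filetime_to_utc(pwd_set),
        "account_expires": filetime_to_utc(expires),
        "last_failed_logon": filetime_to_utc(last_fail),
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_logon_count": failed_count,
        "logon_count": logon_count,
    }

def constructed_sample():
    """Build an 80-byte F value for a made-up account (RID 1001)."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 0x18, 133485408000000000)  # 2024-01-01 UTC
    struct.pack_into("<Q", buf, 0x20, 0x7FFFFFFFFFFFFFFF)  # never expires
    struct.pack_into("<I", buf, 0x30, 1001)
    struct.pack_into("<H", buf, 0x38, 0x0214)  # three flag bits set
    struct.pack_into("<HH", buf, 0x40, 2, 0)  # 2 failed logons, 0 logons
    return bytes(buf)

if __name__ == "__main__":
    print(parse_f_value(constructed_sample()))
```

An account with a password set, failed logon attempts and no successful logon, as in the constructed record, is the sort of entry worth correlating with group membership during review.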
Forensic Value
This evidence is crucial for forensic investigations as it identifies local accounts and privileges, supporting lateral movement and persistence analysis.

