Ual
Overview
Evidence: Ual
Description: Collect Ual
Category: System
Platform: Windows
Short Name: ual
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows User Access Logging (UAL) is a Windows Server feature (Windows Server 2012 and later) that records which client accounts and client IP addresses used which installed server roles and services (file services, IIS, Active Directory and so on), aggregated per day with access counts. The records live in ESE databases under C:\Windows\System32\LogFiles\SUM\ (Current.mdb for the current year, SystemIdentity.mdb for role and system metadata, and GUID-named databases for archived years). Because every entry is keyed by client address and authenticated user, UAL shows which hosts and accounts touched a server and on which days, which makes it valuable for reconstructing lateral movement and spotting unauthorized access even after other event logs have rolled over or been cleared.
Data Collected
This collector gathers structured data about user access logs.
User Access Logs Data
| Field | Description | Example |
|---|---|---|
| ID | Primary key (auto-increment) | 1 |
| AuthenticatedUserName | Authenticated user name, as DOMAIN\user | DOMAIN\Administrator |
| DBName | Name of the UAL database the row was parsed from | SystemIdentity |
| DBPath | Full path of the source database | C:\Windows\System32\LogFiles\SUM\SystemIdentity.mdb |
| DBYear | Year the database covers (Current.mdb holds the current year; earlier years are archived in separate databases) | 2023 |
| RoleName | Name of the server role or service that was accessed | Administrator |
| RoleGUID | GUID identifying the role | 12345678-1234-1234-1234-123456789012 |
| TenantID | Tenant identifier associated with the role | tenant-123 |
| TotalAccesses | Total number of accesses recorded for this client, role and year | 150 |
| InsertDate | Time the client entry was first inserted (first recorded access) | 2023-10-15 14:30:25 |
| LastAccess | Time of the most recent recorded access | 2023-10-15 14:30:25 |
| Address | Client (source) address of the accessing host | 192.168.1.100 |
| Days | Comma-separated list of days on which accesses were recorded | 2023-10-15,2023-10-16 |
Collection Method
This collector parses the UAL ESE databases and writes the resulting rows to the ual table. The databases are read from the following location:
C:\Windows\System32\LogFiles\SUM\
(SystemIdentity.mdb, Current.mdb and the per-year GUID-named .mdb files). The raw database files themselves are not collected (Collect File(s): No); only the parsed rows are sent to the Investigation Hub.
Usage
This evidence is valuable in forensic investigations because it answers, per server, which accounts connected from which addresses, to which roles, on which days and how often. Investigators use it to establish baseline access patterns for accounts and hosts, to spot deviations from them (a privileged account appearing from a new or external address, a host that suddenly touches a role it never used, a single low-volume access on a day with no other activity), and to trace lateral movement across servers by correlating the Address and AuthenticatedUserName fields between systems. Because UAL aggregates by day rather than logging individual events, it complements rather than replaces Security event logs: use it to find which account and host pairs to pivot on, then confirm individual sessions elsewhere.
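The triage logic described above, as an added example that is not part of this page or the collector itself. It runs over a handful of constructed rows in the field layout of the table above (the account names, addresses, role names and counts are hypothetical), and flags rows where an account appears from an external address, where a privileged account is seen from more than one address, where the last access falls outside business hours, or where a client shows a single day of low-volume access. The trusted ranges, privileged-name pattern and business hours are assumptions an analyst would tune per case.

```python
"""Triage of parsed UAL rows: constructed sample data, not output of the collector."""
from collections import defaultdict
from datetime import datetime, date
from ipaddress import ip_address, ip_network

# Constructed sample rows in the collector's field layout (hypothetical values).
SAMPLE_ROWS = [
    {"AuthenticatedUserName": "CORP\\svc-backup", "RoleName": "File Server",
     "Address": "10.0.10.21", "TotalAccesses": 412,
     "Days": "2023-10-15,2023-10-16", "LastAccess": "2023-10-16 14:10:05"},
    {"AuthenticatedUserName": "CORP\\Administrator", "RoleName": "File Server",
     "Address": "10.0.10.50", "TotalAccesses": 7,
     "Days": "2023-10-15", "LastAccess": "2023-10-15 09:12:44"},
    {"AuthenticatedUserName": "CORP\\Administrator", "RoleName": "File Server",
     "Address": "203.0.113.77", "TotalAccesses": 1,
     "Days": "2023-10-16", "LastAccess": "2023-10-16 03:41:19"},
    {"AuthenticatedUserName": "CORP\\jdoe", "RoleName": "Web Server (IIS)",
     "Address": "10.0.20.14", "TotalAccesses": 150,
     "Days": "2023-10-15,2023-10-16", "LastAccess": "2023-10-16 16:30:25"},
]

# Environment assumptions an analyst would tune per case.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PRIVILEGED_SUFFIXES = ("\\administrator",)   # lower-cased account names treated as privileged
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 server local time
LOW_VOLUME = 3                                # accesses at or below this on a single day


def is_internal(addr):
    """True if the UAL Address field is an IP inside one of the trusted ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # UAL may also hold host names; treat anything unparsable as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def active_days(row):
    """Expand the comma-separated Days field into sorted date objects."""
    return sorted(date.fromisoformat(d.strip()) for d in row["Days"].split(",") if d.strip())


def addresses_per_user(rows):
    """Map each authenticated user (lower-cased) to every source address UAL saw for it."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["AuthenticatedUserName"].lower()].add(r["Address"])
    return seen


def flag_rows(rows):
    """Return [(row, [reason, ...]), ...] for rows worth an analyst's attention, in input order."""
    per_user = addresses_per_user(rows)
    findings = []
    for r in rows:
        user = r["AuthenticatedUserName"].lower()
        reasons = []
        if not is_internal(r["Address"]):
            reasons.append("external source address")
        if user.endswith(PRIVILEGED_SUFFIXES) and len(per_user[user]) > 1:
            reasons.append("privileged account seen from multiple addresses")
        last = datetime.strptime(r["LastAccess"], "%Y-%m-%d %H:%M:%S")
        if last.hour not in BUSINESS_HOURS:
            reasons.append("last access outside business hours")
        if len(active_days(r)) == 1 and r["TotalAccesses"] <= LOW_VOLUME:
            reasons.append("single-day, low-volume access (possible first touch)")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for row, why in flag_rows(SAMPLE_ROWS):
        print(f'{row["AuthenticatedUserName"]:<22} {row["Address"]:<15} '
              f'{row["RoleName"]:<18} {"; ".join(why)}')
```

On the sample data only the two Administrator rows are flagged: the internal one because the same account also appears from an external address, and the external one on all four counts. The backup account's high daily volume and the ordinary user's two-day access pattern are left alone, which is the point of baselining on Address, Days and TotalAccesses rather than on user name alone.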
Notes
This data may contain sensitive information (account names and client addresses) and should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis. UAL exists only on Windows Server SKUs; workstations have no UAL databases, and on a server the User Access Logging Service may have been disabled, in which case the databases will be stale or absent. Remember that UAL stores daily aggregates (a count per client, role and day plus InsertDate and LastAccess), not one record per access, so it cannot supply a timestamp for an individual connection. On a live server the parsed rows can be cross-checked with the UserAccessLogging PowerShell module (Get-UalOverview, Get-UalUserAccess, Get-UalDailyAccess).