User Access Logs
Overview
Evidence: User Access Logs (UAL)
Description: Collect and Parse User Access Logs
Category: System
Platform: windows
Short Name: ual
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
User Access Logs (UAL/SUM) databases record authenticated user accesses to roles/services, including addresses and counts. This data is essential for auditing remote access and service usage.
Data Collected
This collector gathers structured data about user access logs (ual).
Collection Method
This collector collects the SystemIdentity.mdb and Current.mdb files, reads SystemIdentity.mdb to resolve roles and to enumerate the chained databases, then parses the SUM .mdb files to extract client access records into the user_access_logs output.
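The post-processing step described above, as an added illustration and not the collector's own code: once the ESE tables have been read (the ESE parsing itself, e.g. with libesedb, is assumed to happen upstream), role GUIDs from ROLE_IDS in SystemIdentity.mdb are joined onto CLIENTS rows, the raw Address bytes are decoded, and flat user_access_logs records are produced. Table and column names follow the UAL schema; every row value below is constructed sample data.

```python
import ipaddress
from datetime import datetime

# Constructed sample rows shaped like the UAL ESE tables: ROLE_IDS lives in
# SystemIdentity.mdb; CLIENTS lives in Current.mdb and the chained {GUID}.mdb files.
ROLE_IDS = {
    "00000000-0000-0000-0000-00000000000a": "File Server",             # constructed GUID
    "00000000-0000-0000-0000-00000000000b": "Remote Desktop Gateway",  # constructed GUID
}
CLIENTS = [
    {"RoleGuid": "00000000-0000-0000-0000-00000000000A", "AuthenticatedUserName": "CORP\\alice",
     "Address": bytes([10, 0, 0, 5]), "TotalAccesses": 12,
     "InsertDate": datetime(2024, 3, 1, 8, 0), "LastAccess": datetime(2024, 3, 9, 17, 30)},
    {"RoleGuid": "00000000-0000-0000-0000-00000000000b", "AuthenticatedUserName": "CORP\\alice",
     "Address": ipaddress.ip_address("2001:db8::10").packed, "TotalAccesses": 3,
     "InsertDate": datetime(2024, 3, 8, 23, 10), "LastAccess": datetime(2024, 3, 9, 1, 45)},
    {"RoleGuid": "00000000-0000-0000-0000-0000000000ff", "AuthenticatedUserName": "CORP\\svc-backup",
     "Address": bytes([10, 0, 0, 5]), "TotalAccesses": 40,
     "InsertDate": datetime(2024, 3, 2, 2, 0), "LastAccess": datetime(2024, 3, 9, 2, 0)},
]

def decode_address(raw: bytes) -> str:
    """UAL stores the client address as raw bytes: 4 for IPv4, 16 for IPv6."""
    if len(raw) in (4, 16):
        return str(ipaddress.ip_address(raw))
    return raw.hex()  # unexpected length: keep it inspectable instead of dropping the row

def resolve_role(guid: str, role_ids: dict) -> str:
    """Map a RoleGuid to its name via SystemIdentity.mdb; keep the GUID if it is unknown."""
    return role_ids.get(guid.lower(), f"unknown:{guid}")

def build_user_access_logs(clients, role_ids) -> list:
    """Produce one flat user_access_logs record per CLIENTS row."""
    return [{
        "user": c["AuthenticatedUserName"],
        "role": resolve_role(c["RoleGuid"], role_ids),
        "address": decode_address(c["Address"]),
        "total_accesses": c["TotalAccesses"],
        "first_seen": c["InsertDate"].isoformat(),
        "last_seen": c["LastAccess"].isoformat(),
    } for c in clients]

def accesses_per_user(records) -> dict:
    """Aggregate total accesses and distinct source addresses per account, for triage."""
    out = {}
    for r in records:
        entry = out.setdefault(r["user"], {"total": 0, "addresses": set()})
        entry["total"] += r["total_accesses"]
        entry["addresses"].add(r["address"])
    return out
```

An unresolved role GUID is kept rather than discarded, since a role missing from ROLE_IDS is itself worth a second look during review.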
Forensic Value
This evidence is crucial for forensic investigations because it reveals which accounts accessed which roles or services, from which addresses, and when, supporting analysis of lateral movement and unauthorized access.