User Folders

Overview

Evidence: User Folders Description: Collect User Folders Information Category: System Platform: windows Short Name: usrfldrs Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows creates a profile folder for each user account under C:\Users. Each user folder contains subfolders for Documents, Desktop, AppData, and other user-specific data. The timestamps on these folders can indicate when user accounts were created, last accessed, or modified.

User folder enumeration provides a complete inventory of user accounts that have logged on to the system and can reveal dormant, deleted, or unauthorized accounts.

Data Collected

This collector gathers structured data about user folders.

User Folders Data

Field

Description

Example

Path

Full path to user folder

C:\Users\user

FileModified

Folder modification timestamp

2023-10-15T14:30:00

FileAccessed

Folder access timestamp

2023-10-15T15:45:00

FileCreated

Folder creation timestamp

2023-10-01T10:00:00

Collection Method

This collector:

Searches for all folders under Users\*
Filters to only include directories (not files)
Retrieves MAC timestamps for each folder
Records full folder paths

Forensic Value

User folder timestamps help identify user account activity and profile creation. Investigators use this data to enumerate all user accounts on the system, identify when accounts were created, detect dormant or unused accounts, track recent user activity, identify deleted user profiles, and establish user account timelines.

PreviousUser Access Logs NextUserAssist

Last updated 3 days ago

Was this helpful?