User Folders

Overview

  • Evidence: User Folders

  • Description: Collect User Folders Information

  • Category: System

  • Platform: Windows

  • Short Name: usrfldrs

  • Is Parsed: Yes - Folder information extracted

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows creates a profile folder for each user account under C:\Users. Each user folder contains subfolders for Documents, Desktop, AppData, and other user-specific data. The timestamps on these folders can indicate when user accounts were created, last accessed, or modified.

User folder enumeration provides a complete inventory of user accounts that have logged on to the system and can reveal dormant, deleted, or unauthorized accounts.

Data Collected

| Field | Description | Example |
| --- | --- | --- |
| Path | Full path to user folder | C:\Users\user |
| FileModified | Folder modification timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Folder access timestamp | 2023-10-15T15:45:00 |
| FileCreated | Folder creation timestamp | 2023-10-01T10:00:00 |

Collection Method

This collector:

  • Searches for all folders under Users\*

  • Filters to only include directories (not files)

  • Retrieves MAC (Modified, Accessed, Created) timestamps for each folder

  • Records full folder paths

Usage

User folder timestamps help identify user account activity and profile creation. Investigators use this data to enumerate all user accounts on the system, identify when accounts were created, detect dormant or unused accounts, track recent user activity, identify deleted user profiles, and establish user account timelines.

Known Limitations

  • Only shows folders that currently exist

  • Deleted user profiles not captured

  • Timestamps can be modified

  • Special folders (Public, Default) included

Notes

Compare user folder listing with SAM registry hive and logon events to identify discrepancies. Folder creation times can indicate when accounts were first used on the system.
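The comparison suggested in the Notes, as an added example that is not part of the original page or the product: it flags collected folder records that have no matching account, look dormant, or carry inconsistent timestamps. The sample records, the account list (assumed to have been extracted from the SAM hive), the 90-day threshold and the function name are constructed for illustration.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Special folders the collector also returns (see Known Limitations).
SPECIAL = {"public", "default"}

# Constructed sample records using the collector's field names.
RECORDS = [
    {"Path": r"C:\Users\Public", "FileModified": "2023-10-01T10:00:00",
     "FileAccessed": "2023-10-15T15:45:00", "FileCreated": "2023-10-01T10:00:00"},
    {"Path": r"C:\Users\alice", "FileModified": "2023-10-15T14:30:00",
     "FileAccessed": "2023-10-15T15:45:00", "FileCreated": "2023-10-01T10:00:00"},
    {"Path": r"C:\Users\bob", "FileModified": "2022-03-01T09:00:00",
     "FileAccessed": "2022-03-02T09:00:00", "FileCreated": "2022-01-10T08:00:00"},
    {"Path": r"C:\Users\svc_tmp", "FileModified": "2023-10-10T09:00:00",
     "FileAccessed": "2023-10-14T02:15:00", "FileCreated": "2023-10-14T02:10:00"},
]
# Constructed account names, assumed to have been extracted from the SAM hive.
SAM_ACCOUNTS = ["Administrator", "alice", "bob", "Guest"]

def triage(records, sam_accounts, collected_at, dormant_days=90):
    """Return ({folder name: [flags]}, [accounts without a profile folder])."""
    accounts = {a.lower() for a in sam_accounts}
    findings, seen = {}, set()
    for rec in records:
        name = PureWindowsPath(rec["Path"]).name
        if name.lower() in SPECIAL:
            continue
        seen.add(name.lower())
        created, modified, accessed = (datetime.fromisoformat(rec[k])
            for k in ("FileCreated", "FileModified", "FileAccessed"))
        flags = []
        # Heuristic: a folder name can differ from the account name (appended suffix).
        if name.lower() not in accounts:
            flags.append("no_matching_account")
        # A lead to confirm against logon events, not proof of inactivity.
        if collected_at - max(modified, accessed) > timedelta(days=dormant_days):
            flags.append("dormant")
        # Normal profile creation does not produce this ordering; review the folder.
        if modified < created:
            flags.append("modified_before_created")
        findings[name] = flags
    no_profile = sorted(a for a in sam_accounts if a.lower() not in seen)
    return findings, no_profile

if __name__ == "__main__":
    findings, no_profile = triage(RECORDS, SAM_ACCOUNTS, datetime(2023, 10, 16))
    for name, flags in findings.items():
        print(f"{name}: {', '.join(flags) or 'ok'}")
    print("accounts without a profile folder:", ", ".join(no_profile))
```

Accounts listed without a profile folder are not necessarily suspicious: a profile folder only appears once the account has logged on to the system.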
