Using grep to Unearth Old Windows User Names 7 30 08
Identifying Deleted User Accounts in Windows

I was recently presented with three laptop computers suspected as stolen. My task was to identify the owners. I chose to use a Linux forensic boot disk (one that would not automatically mount the partitions) to conduct the examination to avoid disassembling the computers to access the hard disk drives.

It became apparent on the first computer that the original user account(s) were deleted. There was a major discrepancy between the single user account (in one of the suspects' names) and the installation date of the Windows Vista OS.

After studying Internet Explorer index.dat files recently, I decided to target deleted index.dat content. IE index.dat files contain the usernames of the active user browsing the web with Internet Explorer, as well as some local file system activities. I used the following command from the Linux terminal to fish for old user account names:

$ tr [:cntrl:] The ...
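
An added example of the approach described above; it is not the command from the original post, which is cut off. It assumes History records of the form "Visited: <user>@<url>" and cookie records of the form "Cookie:<user>@<host>/", and the function name old_ie_users is hypothetical.

```shell
#!/bin/sh
# Added example, not the author's command: list candidate Windows user names
# left behind in IE index.dat residue inside a raw image or block device.
# Assumed record formats: "Visited: <user>@<url>" and "Cookie:<user>@<host>/".

# old_ie_users IMAGE
# Prints "<count> <user>" lines, most frequent first. Reads IMAGE only.
old_ie_users() {
    img=$1
    [ -r "$img" ] || { echo "cannot read: $img" >&2; return 1; }

    # 1. Turn every control byte (NULs included) into a newline so each
    #    NUL-terminated string becomes its own short line; grep then never
    #    has to hold one enormous line in memory.
    # 2. Keep only the record prefix plus a plausible account name
    #    (at most 20 characters) up to the "@".
    # 3. Strip the prefix and the "@", fold case (Windows account names are
    #    case-insensitive) and count how often each name occurs.
    LC_ALL=C tr '[:cntrl:]' '\n' < "$img" |
        LC_ALL=C grep -aoE '(Visited: |Cookie:)[A-Za-z0-9._ -]{1,20}@' |
        sed -E 's/^(Visited: |Cookie:)//; s/@$//' |
        awk '{ n[tolower($0)]++ } END { for (u in n) print n[u], u }' |
        sort -k1,1nr -k2
}

# Stand-alone use: sh old_ie_users.sh /path/to/image.dd
if [ "$#" -gt 0 ]; then
    old_ie_users "$1"
fi
```

A name that appears many times but matches no current profile on the disk is a lead to a removed account; a single hit can be chance text and needs corroboration.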