Before I give the BLUF, allow me to address a departure from previous behaviour. I’m not a fan of click-baity stories that make readers read a full post before they get to the point, so in the past I have usually provided a TL;DR at the start of my posts, but I think by convention they are meant to go at the end of an article. For that reason I’m switching up initialisms. The BLUF (Bottom Line Up Front) is my new TL;DR because it’s meant to go at the start, and by goodness, do I believe you should not have to scroll very far to find the point of any particular post!
Obviously I go into more detail as to my journey of finding the knowledge I’m about to reveal, and I would prefer if you took that journey with me, but I get it, you’re busy, so here it is:
In order to get the account creation date for a user account on Windows you need to navigate to the registry key located at:
Once there you will see a subkey for each user name on the system. Locate the account you’re interested in, for example “testuser1”, and check the last write time of that subkey: the registry stores a LastWrite timestamp for every key rather than a dedicated creation field, and for these subkeys it corresponds to the date the account was created (on that specific computer).
It is an exercise left to the reader as to how to get one’s hands on the SAM file.
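As an added example (not code from the original post), the following PowerShell script lists every subkey under a registry key together with its LastWrite timestamp, so the step above can be done in bulk rather than by hand in a registry viewer. PowerShell does not expose a key’s last write time directly, so the script P/Invokes RegQueryInfoKey from advapi32.dll. The script name, the RegLastWrite helper type and the -KeyPath parameter are my own; you supply the key path the post refers to, relative to HKLM (or the mount point of a copied hive you have loaded with reg load).

```powershell
# Added example: list each subkey under a registry key with its LastWrite time,
# the timestamp the post uses as the account creation date.
# RegLastWrite and -KeyPath are assumptions of this example, not from the post.
param(
    # Key path relative to HKEY_LOCAL_MACHINE: either the live key the post names
    # or the same path under a hive copy mounted with "reg load HKLM\TempSAM <file>".
    [Parameter(Mandatory = $true)]
    [string]$KeyPath
)

$code = @"
using System;
using System.Runtime.InteropServices;

public static class RegLastWrite
{
    // lpClass/lpcbClass may both be NULL; lpftLastWriteTime receives a FILETIME.
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern int RegQueryInfoKey(
        IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
        out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
        out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
        out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);

    // Returns the LastWrite time of an open key handle, as UTC.
    public static DateTime Get(IntPtr hKey)
    {
        uint subKeys, maxSubKeyLen, maxClassLen, values, maxValueNameLen, maxValueLen, secDesc;
        long fileTime;
        int rc = RegQueryInfoKey(hKey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out subKeys, out maxSubKeyLen, out maxClassLen, out values,
            out maxValueNameLen, out maxValueLen, out secDesc, out fileTime);
        if (rc != 0) { throw new System.ComponentModel.Win32Exception(rc); }
        return DateTime.FromFileTimeUtc(fileTime);
    }
}
"@
if (-not ([System.Management.Automation.PSTypeName]'RegLastWrite').Type) {
    Add-Type -TypeDefinition $code
}

# Read-only open. The live SAM hive is only readable as SYSTEM, so either run
# this under "psexec -s" or point it at a loaded copy of the hive.
$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $false)
if ($null -eq $parent) {
    throw "Key HKLM\$KeyPath not found or access denied."
}

try {
    foreach ($name in $parent.GetSubKeyNames()) {
        $sub = $parent.OpenSubKey($name, $false)
        try {
            # The handle stays valid while $sub is open, so passing the raw
            # pointer to the native call is safe here.
            [pscustomobject]@{
                Account      = $name
                LastWriteUtc = [RegLastWrite]::Get($sub.Handle.DangerousGetHandle())
            }
        } finally { $sub.Dispose() }
    }
} finally { $parent.Dispose() }
```

Run it as `.\Get-SubKeyLastWrite.ps1 -KeyPath '<key path from the post>'` and pipe the output to `Sort-Object LastWriteUtc` to get accounts in creation order. Keep in mind that this is the key’s LastWrite time, not a creation time: anything that later rewrites that particular subkey will move the timestamp, so treat it as a creation date only where the rest of the evidence is consistent with it.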
Caveat: A lot of the resources mentioned below are quite old, as a result, Your Mileage May Vary.
I’m starting to take a deep dive into EnScript in EnCase and was lamenting the lack of freely available resources, but lo and behold, today I struck gold and found a few resources that had escaped my attention until now, so I thought I’d do a quick post collating what I found.
Then of course there is Simon Key’s GitHub page, which hosts a few EnScript samples. Simon Key is a “Sr. Principal Courseware Developer at OpenText” according to his LinkedIn page, so his samples are a good model of how an EnScript should be written.
I was recently presented with a packet capture file as a forensics challenge: find the hidden message. Naturally, it being a packet capture, I fired up Wireshark, only to be faced with a very bland single-colour screen, quite different from the usual network captures most people would be used to seeing in Wireshark (see Figure 1 below). There was none of the usual colour-coded breakdown by protocol. This was going to be a different type of challenge, and one I was going to learn a lot from; I knew I would enjoy it, and I sure did!
I have recently had cause to dive into Business Email Compromise (CEO fraud, supplier fraud, email redirection, etc.). That leads to email header analysis, as that is the first step in trying to identify the author of the fraudulent emails. Having done the research, it would be a shame to let it go to waste. Let’s go!