Last Login and Password Change
Location and Format
The SAM hive maintains a list of local accounts and other configuration information.
- SAM\Domains\Account\Users
Purpose
The SAM hive is a registry hive that maintains information about local accounts and how they are configured.
Forensic Uses
Accounts in the SAM hive are listed by relative identifier (RID). This key allows us to identify:
- Last Login Time
- Last Password Change
- Login Counts
- Group Membership
- Account Creation
- And More!
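As an added illustration (not part of the original page or any tool it references), the following Python sketch decodes the fixed-length F value stored under each Users\<RID> subkey, which carries the last login time, last password change and login counts listed above. The F value name and its field offsets follow the commonly documented layout and are treated as an assumption here; the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed F-value layout: field name -> (byte offset, struct format), little-endian.
F_FIELDS = {
    "last_login":         (8,  "<Q"),   # FILETIME
    "password_last_set":  (24, "<Q"),   # FILETIME
    "account_expires":    (32, "<Q"),   # FILETIME
    "last_failed_login":  (40, "<Q"),   # FILETIME
    "rid":                (48, "<I"),
    "failed_login_count": (64, "<H"),
    "login_count":        (66, "<H"),
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # "not set" / "never" sentinels

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); None if unset."""
    if ft in NEVER:
        return None
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:  # corrupt value beyond the datetime range
        return None

def rid_from_subkey(name):
    """Users subkeys are named with the RID as 8 hex digits: 000001F4 -> 500."""
    return int(name, 16)

def parse_f_value(data):
    """Decode the account fields of one Users\\<RID> F value."""
    if len(data) < 68:
        raise ValueError(f"F value too short: {len(data)} bytes")
    out = {}
    for name, (off, fmt) in F_FIELDS.items():
        (val,) = struct.unpack_from(fmt, data, off)
        out[name] = filetime_to_utc(val) if fmt == "<Q" else val
    return out

def build_sample_f():
    """Constructed sample record for RID 1001 (not taken from a real system)."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, 133485408000000000)   # 2024-01-01 00:00:00 UTC
    struct.pack_into("<Q", buf, 24, 133300512000000000)  # 2023-06-01 00:00:00 UTC
    struct.pack_into("<Q", buf, 32, 0x7FFFFFFFFFFFFFFF)  # never expires
    struct.pack_into("<I", buf, 48, 1001)                # RID
    struct.pack_into("<HH", buf, 64, 3, 42)              # failed count, login count
    return bytes(buf)

if __name__ == "__main__":
    for field, value in parse_f_value(build_sample_f()).items():
        print(f"{field:20} {value}")
```

Timestamps are returned in UTC, and a value of None means the field was never set, which for last_login indicates an account that has not logged on locally.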
Analysis Tools
Example Analysis
pending