Thursday, August 22, 2024

Digital Forensics: User Access Logging (UAL)


What Is User Access Logging?

UAL is a feature included by default in Server editions of Microsoft Windows, starting with Server 2012. As defined by Microsoft, UAL is a feature that “logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.” (Patrick Bennett, user-access-logging-ual-overview, June 8, 2021)

  • User Access Logging (UAL) is enabled by default on Windows Server operating systems, starting with 2012 and later 
  • Collects user access and system-related statistical data in near real-time 
  • Examples of services and roles from which data is collected include DNS, DHCP, IIS, WSUS, etc.
  • Stored within multiple .mdb files (ESE databases) located in %SYSTEMROOT%\System32\LogFiles\SUM
Export UAL log with Autopsy

  • SystemIdentity.mdb, Current.mdb, and one or more files with a GUID-based name should exist in this location
    • Current.mdb: the database for the current year
    • {GUID}.mdb: archived data from Current.mdb, and previous years
    • SystemIdentity.mdb: contains role information and system details

Open with Autopsy

  • The GUID-based file names will hold data from the current year, the previous year, and two (2) years prior 
The GUID-based file names
Open with ESEDB Viewer



  • Every 24 hours, data from Current.mdb will be copied to the GUID-named database for the current year 
  • SystemIdentity.mdb will track the other UAL databases and contain basic server configuration info

  • This artifact is only present on Windows Server operating systems, 2012 and later 
  • The IP address tracked is the location from which the associated activity originated; the destination is the Windows Server system from which UAL was obtained 
  • On the first day of the year, UAL will create a new GUID-named .mdb file
    • The old GUID-named file is retained as an archive; after two (2) years, the original GUID.mdb will be overwritten 

  • The activity is tracked by server role, which maps to the roles configured on the Windows Server from which the data was acquired
  • This artifact can be used to identify abnormal access to systems and to profile lateral movement from various clients to servers running Windows Server 2012 or later 
  • The InsertDate is logged in UTC, and represents the first access for the year for a combination of the specific user, source IP address, and role 
  • The LastAccess is logged in UTC, and represents the last access for the year for a combination of the specific user, source IP address, and role 
  • The “File Server” role is usually associated with SMB access, but in some cases, access via other protocols may be associated with this role
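As an added example (not part of this post, and not Microsoft's or Autopsy's own tooling), the following Python script applies the InsertDate/LastAccess semantics above to a CLIENTS-table export once a UAL .mdb has been opened in an ESE viewer. It assumes a constructed CSV export with hypothetical column names, in which Address is the raw 4- or 16-byte value rendered as hex and the timestamps are ISO 8601 UTC; a user/IP/role combination whose InsertDate is recent is one that had not touched this server earlier in the year.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of a CLIENTS-table export (hypothetical column names).
# Address is the raw 4-/16-byte value as hex; dates are UTC, as the post notes.
SAMPLE_EXPORT = """\
RoleName,AuthenticatedUserName,Address,InsertDate,LastAccess,TotalAccesses
File Server,CORP\\alice,C0A80A15,2024-01-03T08:12:44Z,2024-08-20T16:02:10Z,1412
File Server,CORP\\svc-backup,C0A80A0A,2024-01-01T00:05:01Z,2024-08-21T23:59:30Z,9876
Active Directory Domain Services,CORP\\alice,C0A80A77,2024-08-19T02:40:55Z,2024-08-19T02:45:12Z,3
File Server,CORP\\alice,C0A80A77,2024-08-19T02:41:09Z,2024-08-19T02:41:09Z,1
File Server,CORP\\alice,FE800000000000000000000000000001,2024-08-19T02:50:00Z,2024-08-19T02:50:00Z,1
"""

def decode_address(hex_value):
    """Turn the hex-rendered Address blob back into an IPv4/IPv6 string."""
    raw = bytes.fromhex(hex_value)
    if len(raw) not in (4, 16):  # anything else is not a packed IP address
        raise ValueError(f"unexpected Address length {len(raw)}")
    return str(ipaddress.ip_address(raw))

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_export(text):
    """Parse the CSV export into dicts with decoded addresses and aware datetimes."""
    return [{
        "role": r["RoleName"],
        "user": r["AuthenticatedUserName"],
        "source": decode_address(r["Address"]),
        "first": _utc(r["InsertDate"]),  # first access this year for the triple
        "last": _utc(r["LastAccess"]),   # most recent access this year
    } for r in csv.DictReader(io.StringIO(text))]

def sources_per_user(rows):
    """Distinct source addresses each account reached this server from."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["source"])
    return {user: sorted(addrs) for user, addrs in seen.items()}

def flag_new_sources(rows, since):
    """(user, source, role, first access) combinations first seen on/after `since`;
    a recent InsertDate means a user/IP/role pairing new to this server this year."""
    hits = [(r["user"], r["source"], r["role"], r["first"])
            for r in rows if r["first"] >= since]
    return sorted(hits, key=lambda h: h[3])
```

Run `flag_new_sources(parse_export(SAMPLE_EXPORT), _utc("2024-08-01T00:00:00Z"))` to list the combinations that first appeared during the window of interest, then compare them against the account's established sources from `sources_per_user`.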
Photo Credit: Microsoft Incident Responders Team


Note: The content on this website is provided for informational and educational purposes only, and as a memory aid.

* If any of the information is in error, I apologize here; please notify the Admin so it can be corrected.
Thank you.

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 
