> For the complete documentation index, see [llms.txt](https://nk0.gitbook.io/dfir/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://nk0.gitbook.io/dfir/windows/forensics/network-logs/ual.md).

# UAL

{% embed url="<https://www.crowdstrike.com/blog/user-access-logging-ual-overview/>" %}

File Location:

* C:\Windows\System32\LogFiles\Sum

<figure><img src="/files/L8oFg3Uxo9HX6KQoR4fs" alt=""><figcaption></figcaption></figure>

### Parsing Data

<pre class="language-powershell"><code class="lang-powershell">#Parse DB directory
SumECmd.exe -d F:\Tools\Investigation\logs\ --csv F:\Tools\Investigation\logs\logs1
<strong>
</strong><strong>#repair dirty DB files
</strong>esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p GUID.mdb
</code></pre>

### Considerations

**Detail\_Clients\_Output**

* Sever of the UAL logs will be server the clients are connecting to.
* Artifact will show lateral movement of known compromised account.
* Shows list of authenticated user names and what they auth'd to.
* Shows total accesses and last accessed by user and Role GUID.
* Source IP addresses and client names.

<figure><img src="/files/937XIpvJaYHNvIB8Ito1" alt=""><figcaption></figcaption></figure>

### Anti-Forensics

* Delete logs
* Logs last for to 3 years
