User Account Deleted

Event IDs 4720 (creation) and 4726 (deletion)

Logs

In Windows 7, Event Logs are located in %SystemRoot%\system32\winevt\logs. We used Logparser to inspect the Windows Event Logs. Logparser is a powerful utility that is capable of querying text-based logs.

We utilized this tool to extract information about deleted accounts. Every event in the Event Logs has an event ID that distinguishes it from other events. For example, account creation and deletion events have eventID values of 4720 and 4726, respectively. Based on the event ID of the account creation event, we can extract information about all created users. In addition, because we are interested in recovering deleted accounts, we can extract all of these accounts based on their eventID. Because events in the event logs are tied to the user SID (Security Identifier), we first need to extract the SIDs of all deleted users. Then, we can use the extracted SIDs as a cross-reference into all events of the event logs. To extract the usernames, SIDs, and deletion dates of all deleted accounts and save them into a file named delusers.txt, we ran the following query:

logparser -i:evt -resolveSIDs:on -o:nat -rtp:20 "select extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as SecID, to_date(timegenerated) as deletiondate into delusers.txt from security where eventid = 4726"

The above query can be modified to only extract the SIDs of deleted users and store them into a deluserssid.txt file that will be utilized later. Furthermore, other kinds of events such as log-in, log-off, and password changes can be extracted the same way. For example, to extract all events which are tied to deleted users, we wrote the following query, which utilizes the SIDs of the deleted users. The output of the query goes into a file named delsecurity.txt.

FOR /F "skip=2 tokens=* delims=" %%i in (deluserssid.txt) do (LogParser -i:evt -resolveSIDs:on -o:nat -rtp:20 "select EventID, TimeGenerated, SourceName, EventCategoryName, Message into delsecurity.txt from security where strings like '%%%%i'")
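The two queries above (deleted users from 4726, then every event tied to those SIDs) expressed as a small script, added here as an example and not part of the original notes. The records are constructed for illustration; the `strings` column imitates LogParser's pipe-joined EventData, and the cross-reference matches whole SID tokens rather than the page's `like '%SID'` suffix match, so a SID that appears in any field of an event is caught. It also pairs each deleted SID with its 4720 creation event, which the notes mention but do not query.

```python
"""Cross-reference deleted-account events (4726) against the Security log.

SAMPLE_EVENTS is constructed sample data; 'strings' imitates LogParser's
pipe-joined EventData for 4720 / 4624 / 4726 (token 2 = TargetSid for
4720 and 4726, token 4 = TargetUserSid for 4624)."""
from collections import defaultdict

# Constructed sample: (EventID, TimeGenerated, strings)
SAMPLE_EVENTS = [
    (4720, "2011-03-01 09:12:00",
     "tempadmin|WIN7-LAB|S-1-5-21-1-2-3-1001|S-1-5-21-1-2-3-500|Administrator|WIN7-LAB|0x3e7"),
    (4624, "2011-03-02 08:00:00",
     "S-1-5-18|WIN7-LAB$|WORKGROUP|0x3e7|S-1-5-21-1-2-3-1001|tempadmin|WIN7-LAB|0x5b2c1|2"),
    (4624, "2011-03-02 08:05:00",
     "S-1-5-18|WIN7-LAB$|WORKGROUP|0x3e7|S-1-5-21-1-2-3-500|Administrator|WIN7-LAB|0x5b2d0|2"),
    (4726, "2011-03-03 17:45:00",
     "tempadmin|WIN7-LAB|S-1-5-21-1-2-3-1001|S-1-5-21-1-2-3-500|Administrator|WIN7-LAB|0x3e7|-"),
]

def extract_token(strings, index):
    """Equivalent of LogParser's extract_token(strings, index, '|')."""
    parts = strings.split("|")
    return parts[index] if index < len(parts) else ""

def deleted_users(events):
    """First query: {SID: (user, deletion date)} for every 4726 event."""
    return {extract_token(s, 2): (extract_token(s, 0), ts)
            for eid, ts, s in events if eid == 4726}

def events_for_deleted_users(events):
    """Second query: every event carrying a deleted user's SID in any
    field, grouped by SID (the FOR loop over deluserssid.txt)."""
    sids = deleted_users(events)
    hits = defaultdict(list)
    for eid, ts, s in events:
        for sid in sids:
            if sid in s.split("|"):
                hits[sid].append((eid, ts))
    return dict(hits)

def account_lifetimes(events):
    """Pair 4720 creation with 4726 deletion per SID: (user, created, deleted)."""
    created = {extract_token(s, 2): ts for eid, ts, s in events if eid == 4720}
    return {sid: (user, created.get(sid), deleted)
            for sid, (user, deleted) in deleted_users(events).items()}

if __name__ == "__main__":
    for sid, hits in events_for_deleted_users(SAMPLE_EVENTS).items():
        print(sid, account_lifetimes(SAMPLE_EVENTS)[sid], hits)
```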

User's Home Directory

The directory may still exist. We can check for evidence by looking into the Users folder to see if any artifacts are left over.

  • C:\Users\USERNAME

  • C:\RECYCLE.BIN\SID
