4.4 recent activity module

A place to ask the community for help with using Autopsy.

Moderator: carrier

4.4 recent activity module

Post by xan808 » Wed Jun 14, 2017 2:37 pm

I am new to Autopsy but not digital forensics, so this issue could well be user error.

When running the recent activity module across win7 and win10 images I don't get any times/dates within the user account results. Is this normal for this module?

Thanks
xan808
 
Posts: 1
Joined: Wed Jun 14, 2017 2:24 pm

Re: 4.4 recent activity module

Post by Hoyt » Thu Jul 20, 2017 2:50 pm

Do you mean that the "Operating System User Account" category under "Extracted Content" has no data or that data typically found within a user account directory (i.e. ntuser.dat) is missing?

In the Tree Viewer at the bottom you should have a Reports section that will contain related RegRipper technical reports that you can check after the module finishes. Also, I'd manually look for those data sources, such as IE history or the user hive, to be sure they're present, then export and test those in a different tool to be sure they're not corrupted.
Hoyt
 
Posts: 60
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR
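
As an added example (not part of the posts above and not Autopsy or RegRipper code), one quick way to test an exported user hive such as ntuser.dat for corruption before loading it into a second tool is to check its 512-byte header: the `regf` signature, the two sequence numbers, the header checksum and the last-written timestamp. The function names and the sample header are constructed for illustration, and a passing header does not show that the rest of the hive is intact.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian dwords (header bytes 0-507)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:   # reserved values are remapped
        return 0xFFFFFFFE
    return csum or 1

def check_hive_header(data: bytes) -> dict:
    """Sanity-check the header fields of an exported registry hive."""
    if len(data) < 512:
        return {"ok": False, "problems": ["shorter than a 512-byte header"],
                "last_written": None}
    sig, seq1, seq2, filetime = struct.unpack_from("<4sIIQ", data, 0)
    (stored,) = struct.unpack_from("<I", data, 508)
    problems = []
    if sig != b"regf":
        problems.append("bad signature")
    if seq1 != seq2:
        problems.append("sequence numbers differ (hive not cleanly written)")
    if stored != regf_checksum(data):
        problems.append("header checksum mismatch")
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    last_written = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"ok": not problems, "problems": problems, "last_written": last_written}

def build_sample_header(when: datetime, seq1: int = 7, seq2: int = 7) -> bytes:
    """Constructed test input, not taken from a real image."""
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10**7
    hdr = bytearray(512)
    struct.pack_into("<4sIIQ", hdr, 0, b"regf", seq1, seq2, ticks)
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # path to the exported hive file
        with open(sys.argv[1], "rb") as fh:
            print(check_hive_header(fh.read(512)))
    else:                   # no argument: run on the constructed sample
        sample = build_sample_header(datetime(2017, 6, 14, tzinfo=timezone.utc))
        print(check_hive_header(sample))
```

A mismatch in the sequence numbers usually means the hive was copied while dirty, so the accompanying transaction log files should be exported with it.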

