Where Have UAL Been?

This presentation will review aspects of Microsoft’s User Access Logs (UAL) found on Windows Servers. The discussion will cover the authentication information recorded in these logs, how long the records are maintained, the IP/MAC address information recorded for authentications, the count of authentications recorded each day, and the categories of authentications, among other details. We’ll explore how these logs can be used, as well as the parsing tool that Brian Moran created.

Kevin Stokes
KPMG

Kevin Stokes is a Senior Associate in KPMG's Cyber Response Services and has 8+ years of DFIR experience.

Brian Moran
BriMor Labs

Brian Moran is a digital forensic analyst currently residing in the Baltimore, Maryland area. He has over 20 years of experience in the cyber security field, with 17 of those years focusing on digital forensics/incident response (DFIR), both in the United States Air Force and private sector. His initial exposure to the DFIR field occurred during a deployment to Mosul, Iraq in 2004-2005, when he served on a team that provided mobile device analytic information in support of tactical military operations. After his military service ended, he entered the private sector and has worked (globally) on a wide range of cases. His favorite aspect of the DFIR field is that it is always changing and evolving, and every case has unique problems, questions, and solutions.