Where Have UAL Been?

This presentation will review aspects of Microsoft’s User Access Logs (UAL) found on Windows Servers. The discussion will cover the authentication information recorded in these logs, how long the records are maintained, the IP/MAC address information recorded for authentications, the count of authentications recorded each day, and the categories of authentications, among other details. We’ll explore how these logs can be used, as well as the parsing tool that Brian Moran created.

Kevin Stokes
KPMG

Kevin Stokes is a Lead Specialist in KPMG's Cyber Response Services group. He has over 8 years of DFIR experience, mostly in intellectual property theft investigations, mobile device forensics, and, more recently, incident response. He enjoys the challenge of deep-dive system analysis and testing.

Brian Moran
BriMor Labs

Brian Moran is a digital forensic analyst currently residing in the Baltimore, Maryland area. He has over 20 years of experience in the cyber security field, with 17 of those years focusing on digital forensics/incident response (DFIR), both in the United States Air Force and in the private sector. His initial exposure to the DFIR field occurred during a deployment to Mosul, Iraq in 2004-2005, when he served on a team that provided mobile device analytic information in support of tactical military operations. After his military service ended, he entered the private sector and has worked (globally) on a wide range of cases. His favorite aspect of the DFIR field is that it is always changing and evolving, and every case has unique problems, questions, and solutions.